The NFS setups we’ve covered so far didn’t have any authentication or encryption set up. To some extent that wasn’t needed, since NFS is normally only used inside internal networks. However, it is possible to set up authentication and encryption using Kerberos. Here’s an example setup that we’ll be working through:
                     +------------------------------+
                     |       Kerberos-Server        |
                     |          kdc.cb.net          |
                     |       (IP: 10.0.9.11)        |
                     +------------------------------+
                         ^                    ^
                         |                    |
                         v                    v
+----------------------------+              +-----------------------------+
|        nfs-storage         |              |         nfs-client          |
|     nfs-storage.cb.net     |              |      nfs-client.cb.net      |
|      (IP: 10.0.9.12)       |              |      (IP: 10.0.9.13)        |
|                            |              |                             |
|   +-----------------+      |   kerberos   |      +---------------+      |
|   | /nfs/export_rw  |<-----|--------------|----->| /mnt/backups  |      |
|   +-----------------+      | auth+encrypt |      +---------------+      |
|                            |              |                             |
+----------------------------+              +-----------------------------+
You can follow along with this example using our CentOS 7 NFS-Kerberos vagrant project.
Here we have one Kerberos server (Kerberos-Server) and 2 Kerberos clients (nfs-storage and nfs-client). nfs-storage is also going to be our NFS server, and nfs-client is going to be an NFS client. So to set up this example, we need to do some preliminary tasks:
- Set up Kerberos-Server to be our Kerberos server – however, we don’t need to make any ssh-related changes or create the krbtest user.
- Set up nfs-storage and nfs-client to both be Kerberos clients – again, we don’t need to do any ssh configuration or create the krbtest user.
- Set up nfs-storage to be our NFS server – we’ll just create one folder, /nfs/export_rw.
- Set up nfs-client to be our NFS client.
Once all the above is done, a few more steps are needed to set up the NFS+Kerberos integration on the server and the client.
Setup Kerberos+NFS integration on the NFS Server
On the NFS server, we need to register the NFS service as a principal on Kerberos, using the kadmin command:
$ kadmin
We enter the root kerberos password when prompted, then within the kerberos interactive shell, we run the following commands:
addprinc -randkey nfs/nfs-storage.cb.net
ktadd nfs/nfs-storage.cb.net
quit
Next we add the Kerberos setting in the /etc/exports file:
$ cat /etc/exports
/nfs/export_rw *(rw,no_root_squash,sec=krb5)
Next you need to apply the new settings by restarting the NFS server:
$ systemctl restart nfs-server
You can check that the Kerberos security flavour has been applied to the export by inspecting /var/lib/nfs/etab. Note that sec=krb5 only Kerberos-authenticates each request; it does not protect the data on the wire. sec=krb5i adds integrity checking and sec=krb5p also encrypts the traffic.
$ cat /var/lib/nfs/etab
/nfs/export_rw *(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5,secure,no_root_squash,no_all_squash)
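To audit this from the server side, here is an added shell helper (not part of the original post) that parses etab-format lines and reports the weakest security flavour each export accepts, distinguishing sys from krb5, krb5i and krb5p. The sample etab content is constructed: the first line is the export above, the other two are hypothetical exports added only to show weaker settings.

```shell
# Rank one sec= flavour; higher is stronger, unknown names rank lowest.
flavor_rank() {
    case "$1" in
        krb5p) echo 4 ;; krb5i) echo 3 ;; krb5) echo 2 ;; sys) echo 1 ;; *) echo 0 ;;
    esac
}
# Weakest flavour in a colon-separated sec= list: "krb5p:sys" -> "sys".
weakest_flavor() {
    weakest=sys; weakest_rank=99
    for f in $(printf '%s' "$1" | tr ':' ' '); do
        r=$(flavor_rank "$f")
        if [ "$r" -lt "$weakest_rank" ]; then weakest=$f; weakest_rank=$r; fi
    done
    printf '%s\n' "$weakest"
}
# Pull the sec= option out of one etab line; exportfs writes sec=sys when the
# export sets no flavour, and we fall back to sys if it is absent anyway.
export_sec_option() {
    sec=$(printf '%s\n' "$1" | sed -n 's/.*[(,]sec=\([^,)]*\).*/\1/p')
    printf '%s\n' "${sec:-sys}"
}
# Verdict for one export line, based on the weakest flavour a client may pick.
classify_export() {
    case "$(weakest_flavor "$(export_sec_option "$1")")" in
        krb5p) echo PRIVACY ;;   # authenticated, integrity-checked and encrypted
        krb5i) echo INTEGRITY ;; # authenticated and integrity-checked, not encrypted
        krb5)  echo AUTH_ONLY ;; # Kerberos authentication only (the post's sec=krb5)
        *)     echo WEAK ;;      # sys/none: server trusts the client-supplied uid/gid
    esac
}
# Print "path client verdict" for every etab line on stdin (tabs or spaces).
audit_etab() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | awk '{print $1}')
        client=$(printf '%s\n' "$line" | awk '{print $2}' | sed 's/(.*//')
        printf '%s %s %s\n' "$path" "$client" "$(classify_export "$line")"
    done
}
# Constructed sample in etab format: line 1 is the post's nfs-storage.cb.net
# export; lines 2 and 3 are hypothetical exports added to show weaker settings.
SAMPLE_ETAB='/nfs/export_rw *(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5,secure,no_root_squash,no_all_squash)
/nfs/export_legacy *(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,sec=sys,secure)
/nfs/export_mixed 10.0.9.13(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_subtree_check,sec=krb5p:sys,secure)'
printf '%s\n' "$SAMPLE_ETAB" | audit_etab
```

Run it against the real file with `audit_etab < /var/lib/nfs/etab`; any export reported as WEAK still accepts AUTH_SYS, where the server believes whatever uid/gid the client sends.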
Setup Kerberos+NFS integration on the NFS Client
On the client side, you need to register the NFS service as a principal on Kerberos, using the kadmin command (pretty much the same as was done on the NFS server):
$ kadmin -p root/admin@CB.NET
Note, we explicitly specified the root principal. That’s because for some reason it kept trying to use ‘host/admin@CB.NET’.
We enter the root kerberos password when prompted, then within the kerberos interactive shell, we run the following commands:
addprinc -randkey nfs/nfs-client.cb.net
ktadd nfs/nfs-client.cb.net
quit
Next you need to enable and restart the following target:
$ systemctl enable nfs-client.target
$ systemctl restart nfs-client.target
Next you are ready to attempt the mount. First you can test the mount non-persistently by running:
$ mount -t nfs -o sec=krb5,rw nfs-storage.cb.net:/nfs/export_rw /mnt/backups
The key part is the (sec)urity setting. Then test whether this has worked by running commands like df -h or mount. If it has been successful, you need to make it persistent by adding the following entry to the /etc/fstab file:
nfs-storage.cb.net:/nfs/export_rw /mnt/backups nfs soft,timeo=100,_netdev,rw,sec=krb5 0 0
The following questions relate to making changes on the NFS server:
– add nfs principal for the host
– update /etc/exports file with kerberos option
– restart nfs daemon
addprinc -randkey nfs/nfs-storage.cb.net
ktadd nfs/nfs-storage.cb.net
quit
add ‘sec=krb5’ as another option inside the round brackets
$ systemctl restart nfs-server
$ cat /var/lib/nfs/etab
The following questions relate to doing tasks on the NFS client, called nfs/nfs-client.cb.net:
– add principals for nfs
– restart+enable the nfs client target
– Do a manual mount using mount command – this is done for testing purposes
– add entry to fstab file
addprinc -randkey nfs/nfs-client.cb.net
ktadd nfs/nfs-client.cb.net
quit
$ systemctl restart nfs-client.target
$ systemctl enable nfs-client.target
$ df -h