NFS – Use Kerberos to control NFS access on CentOS/RHEL 7

The NFS setups we’ve covered so far didn’t have any authentication or encryption setup. To some extent that wasn’t needed since NFS only works inside internal networks. However it is possible to setup authentication+encryption using Kerberos. Here’s an example setup that we’ll be working through:

                   +------------------------------+
                   |                              |
                   |        Kerberos-Server       |
                   |          kdc.cb.net          |
                   |        (IP: 10.0.9.11)       |
                   |                              |
                   |                              |
                   |                              |
                   |                              |
                   +------------------------------+
                       ^                       ^
                       |                       |
                       |                       |
                       |                       |
                       v                       v
+----------------------------+              +-----------------------------+
|                            |              |                             |
|       nfs-storage          |              |         nfs-client          |
|    nfs-storage.cb.net      |              |      nfs-client.cb.net      |    
|     (IP: 10.0.9.12)        |              |       (IP: 10.0.9.13)       |
|                            |              |                             |
|                            |              |                             |
|                            |              |                             |
|   +-----------------+      |   kerberos   |     +---------------+       |
|   | /nfs/export_rw  |<---  ---------------|---->| /mnt/backups  |       |
|   +-----------------+      | auth+encrypt |     +---------------+       |
|                            |              |                             |
|                            |              |                             |
+----------------------------+              +-----------------------------+

You can follow along this example using our CentOS 7 NFS-Kerberos vagrant project.

here, we have one kerberos server (Kerberos-Server) and 2 kerberos clients (nfs-storage and nfs-client). The nfs-storage is also going to be our NFS server and nfs-client is going to an nfs client. So to set up this example, we need to do some preliminary tasks.

1. Setup Kerberos-Server to be our Kerberos Server – However we don’t need to do any ssh related changes or create the krbtest user.
2. Setup nfs-storage and nfs-client to both be Kerberos Clients – again, we don’t need to do any ssh stuff or create krbtest user
3. Setup nfs-storage to be our NFS server – We’ll just create one folder /nfs/export_rw
4. Setup up nfs-client to be our nfs client

Once all the above is done a few more extra steps are needed to setup the NFS+Kerberos integration on the Server and Client.

Setup Kerberos+NFS integration on the NFS Server

On the NFS server, we need to register the NFS service as a principal on Kerberos, using the kadmin command:

$ kadmin

We enter the root kerberos password when prompted, then within the kerberos interactive shell, we run the following commands:

addprinc -randkey nfs/nfs-storage.cb.net
ktadd nfs/nfs-storage.cb.net
quit

Next we add the kerberos setting in the /etc/exports file,

$ cat /etc/exports
/nfs/export_rw  *(rw,no_root_squash,sec=krb5)

Next you need to apply the new settings, by running the following 2 commands:

$ systemctl restart nfs-server

You can check whether krb-nfs encryption has been enabled by going to:

cat /var/lib/nfs/etab
/nfs/export_rw	*(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5,secure,no_root_squash,no_all_squash)

Setup Kerberos+NFS integration on the NFS Client

On the client side, you need to register the NFS service as a principal on Kerberos, using the kadmin command (pretty much the same thing as done on the nfs server):

$ kadmin -p root/admin@CB.NET

Note, we explicitly specified the root principle. That’s because for some reason it kept trying to use ‘host/admin@CB.NET’.

We enter the root kerberos password when prompted, then within the kerberos interactive shell, we run the following commands:

addprinc -randkey nfs/nfs-client.cb.net
ktadd nfs/nfs-client.cb.net
quit

Next you need to activate the following target:

$ systemctl enable nfs-client.target
$ systemctl restart nfs-client.target

Next you are ready to attempt the mounting, first you can test the mounting non-persistantly by running:

$ mount -t nfs -o sec=krb5,rw nfs-storage.cb.net:/nfs/export_rw /mnt/backups 

The key part is the (sec)urity setting. Then test if this has worked by running commands like df -h or mount. If it has been successful, then you need to make it persistant by adding the following entry to the /etc/fstab file:

nfs-storage.cb.net:/nfs/export_rw   /mnt/backups    nfs    soft,timeo=100,_netdev,rw,sec=krb5   0   0

[post-content post_name=rhsca-quiz]

The following questions relates to making changes to the nfs server:

The following questions relates to doing tasks on the nfs client, called nfs/nfs-client.cb.net: