NFS – Use Kerberos to control NFS access on CentOS/RHEL 7

The NFS setups we’ve covered so far didn’t have any authentication or encryption set up. To some extent that wasn’t needed, since NFS is only used inside internal networks. However, it is possible to set up authentication and encryption using Kerberos. Here’s the example setup that we’ll be working through:

                   +------------------------------+
                   |                              |
                   |        Kerberos-Server       |
                   |          kdc.cb.net          |
                   |        (IP: 10.0.9.11)       |
                   |                              |
                   |                              |
                   |                              |
                   |                              |
                   +------------------------------+
                       ^                       ^
                       |                       |
                       |                       |
                       |                       |
                       v                       v
+----------------------------+              +-----------------------------+
|                            |              |                             |
|       nfs-storage          |              |         nfs-client          |
|    nfs-storage.cb.net      |              |      nfs-client.cb.net      |    
|     (IP: 10.0.9.12)        |              |       (IP: 10.0.9.13)       |
|                            |              |                             |
|                            |              |                             |
|                            |              |                             |
|   +-----------------+      |   kerberos   |     +---------------+       |
|   | /nfs/export_rw  |<---  ---------------|---->| /mnt/backups  |       |
|   +-----------------+      | auth+encrypt |     +---------------+       |
|                            |              |                             |
|                            |              |                             |
+----------------------------+              +-----------------------------+

You can follow along with this example using our CentOS 7 NFS-Kerberos vagrant project.

Here, we have one Kerberos server (Kerberos-Server) and two Kerberos clients (nfs-storage and nfs-client). nfs-storage is also going to be our NFS server, and nfs-client is going to be our NFS client. To set up this example, we first need to do some preliminary tasks:

  1. Set up Kerberos-Server to be our Kerberos server. We don’t need to do any of the ssh-related changes or create the krbtest user.
  2. Set up nfs-storage and nfs-client to both be Kerberos clients. Again, we don’t need to do any of the ssh steps or create the krbtest user.
  3. Set up nfs-storage to be our NFS server. We’ll just create one exported folder, /nfs/export_rw.
  4. Set up nfs-client to be our NFS client.

Once all of the above is done, a few extra steps are needed to set up the NFS+Kerberos integration on the server and on the client.

Setup Kerberos+NFS integration on the NFS Server

On the NFS server, we need to register the NFS service as a principal in Kerberos, using the kadmin command:

$ kadmin

We enter the root Kerberos password when prompted, then within the kadmin interactive shell we run the following commands:

addprinc -randkey nfs/nfs-storage.cb.net
ktadd nfs/nfs-storage.cb.net
quit

Next we add the Kerberos option (sec=krb5) to the export in the /etc/exports file:

$ cat /etc/exports
/nfs/export_rw  *(rw,no_root_squash,sec=krb5)

Next you need to apply the new settings by restarting the NFS server:

$ systemctl restart nfs-server

You can check whether the Kerberos (krb5) option has been applied to the export by inspecting /var/lib/nfs/etab and looking for sec=krb5 among the options:

$ cat /var/lib/nfs/etab
/nfs/export_rw	*(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5,secure,no_root_squash,no_all_squash)
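Once sec=krb5 shows up in etab, the practical question is which security flavor each client spec actually allows, because sec=krb5 only authenticates the RPC calls: krb5i adds integrity checking and krb5p adds privacy (encryption of the traffic), while a spec with no sec= option at all falls back to AUTH_SYS, where the server trusts whatever uid/gid the client asserts. The following POSIX shell script is an added example, not code from the original article or from the NFS project; it parses the /etc/exports and etab syntax shown above, reports the weakest flavor each export accepts (a sec= list such as krb5p:krb5 lets a client negotiate the weakest entry), and fails when any export still accepts AUTH_SYS. The sample exports table it runs against is constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit an NFS exports table
# for the Kerberos security flavor each client spec allows.
# sec=krb5 authenticates RPC calls only; krb5i adds integrity and krb5p adds
# privacy (encryption of the NFS traffic). A spec without sec= is AUTH_SYS,
# where the server trusts whatever uid/gid the client asserts.

# client_sec_flavor SPEC: print the sec= value from a client spec such as
# "*(rw,no_root_squash,sec=krb5)"; print "sys" when no sec= option is present.
client_sec_flavor() {
    opts=$(printf '%s' "$1" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
    flavor=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${flavor:-sys}"
}

# flavor_rank FLAVOR: numeric strength; unknown flavors rank weakest.
flavor_rank() {
    case "$1" in
        krb5)  echo 1 ;;
        krb5i) echo 2 ;;
        krb5p) echo 3 ;;
        *)     echo 0 ;;
    esac
}

# weakest_flavor LIST: the weakest entry of a colon-separated sec= list such
# as "krb5p:krb5" (a client may negotiate any flavor the list allows).
weakest_flavor() {
    weakest=sys; weakest_rank=99
    for f in $(printf '%s' "$1" | tr ':' ' '); do
        r=$(flavor_rank "$f")
        if [ "$r" -lt "$weakest_rank" ]; then weakest=$f; weakest_rank=$r; fi
    done
    printf '%s\n' "$weakest"
}

# audit_exports FILE: print one line per export/client spec with the weakest
# flavor it allows; return 0 only if every spec requires at least krb5.
# Works on both /etc/exports and the expanded /var/lib/nfs/etab.
audit_exports() {
    file=$1; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        path=$1; shift
        for spec in "$@"; do
            flavor=$(weakest_flavor "$(client_sec_flavor "$spec")")
            case "$flavor" in
                krb5)  rating="krb5 (authentication only)" ;;
                krb5i) rating="krb5i (authentication + integrity)" ;;
                krb5p) rating="krb5p (authentication + integrity + privacy)" ;;
                *)     rating="AUTH_SYS (no Kerberos, client-asserted uid/gid)"; rc=1 ;;
            esac
            printf '%-16s %-14s %s\n' "$path" "${spec%%(*}" "$rating"
        done
    done < "$file"
    return "$rc"
}

# Constructed sample exports table (not a real host's file) for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /nfs/export_rw mirrors the article's entry; /srv/legacy is a made-up weak one
/nfs/export_rw  *(rw,no_root_squash,sec=krb5)
/srv/legacy     10.0.9.0/24(ro)
EOF
audit_exports "$sample" || echo "WARNING: at least one export accepts AUTH_SYS"
rm -f "$sample"
```

To audit a live server, run `audit_exports /var/lib/nfs/etab` rather than /etc/exports, since etab is what the kernel has actually been told; an export that should carry encryption needs sec=krb5p, and listing several flavors only makes sense when you are willing to accept the weakest one.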

Setup Kerberos+NFS integration on the NFS Client

On the client side, you need to register the client’s NFS service as a principal in Kerberos, again using the kadmin command (much the same as was done on the NFS server):

$ kadmin -p root/admin@CB.NET

Note that we explicitly specified the root/admin principal. That’s because for some reason it kept trying to use ‘host/admin@CB.NET’ otherwise.

We enter the root Kerberos password when prompted, then within the kadmin interactive shell we run the following commands:

addprinc -randkey nfs/nfs-client.cb.net
ktadd nfs/nfs-client.cb.net
quit

Next you need to enable and restart the following target:

$ systemctl enable nfs-client.target
$ systemctl restart nfs-client.target

Now you are ready to attempt the mount. First, test the mount non-persistently by running:

$ mount -t nfs -o sec=krb5,rw nfs-storage.cb.net:/nfs/export_rw /mnt/backups 

The key part is the sec (security) option. Then check that it has worked by running commands like df -h or mount. If the mount has succeeded, make it persistent by adding the following entry to the /etc/fstab file:

nfs-storage.cb.net:/nfs/export_rw   /mnt/backups    nfs    soft,timeo=100,_netdev,rw,sec=krb5   0   0
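df -h tells you the export is mounted, but not which security flavor was negotiated, and a mount that works by hand can still come up differently from /etc/fstab after a reboot. The following POSIX shell script is an added example, not code from the original article or from the NFS project: it reads a /proc/mounts-style table (the same data the mount command prints) and the fstab, extracts the sec= option for a given mount point, and fails unless the live mount uses a krb5, krb5i or krb5p flavor and the fstab entry requests the same flavor; it also warns when _netdev is missing. The two sample tables it runs against are constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that an NFS client
# mount really negotiated the Kerberos flavor you asked for, and that the
# /etc/fstab entry agrees with the live mount so the setting survives a reboot.
# Both table paths are parameters so the check can run against constructed
# samples; on a real client pass /proc/mounts and /etc/fstab.

# opt_value OPTS KEY: value of KEY=... in a comma-separated option list,
# empty when the key is absent.
opt_value() {
    printf '%s' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# table_entry FILE MOUNTPOINT: print "source options" for MOUNTPOINT from a
# fstab/mtab-style table (fields: source mountpoint fstype options ...).
table_entry() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1, $4; exit }' "$1"
}

# check_client_mount MOUNTS FSTAB MOUNTPOINT: return 0 only if MOUNTPOINT is
# mounted with a krb5* flavor and the fstab entry requests the same flavor.
check_client_mount() {
    mounts=$1; fstab=$2; mp=$3
    live=$(table_entry "$mounts" "$mp")
    want=$(table_entry "$fstab" "$mp")
    if [ -z "$live" ]; then echo "$mp: not mounted"; return 1; fi
    if [ -z "$want" ]; then echo "$mp: no fstab entry, mount will not persist"; return 1; fi
    live_sec=$(opt_value "${live#* }" sec); live_sec=${live_sec:-sys}
    want_sec=$(opt_value "${want#* }" sec); want_sec=${want_sec:-sys}
    echo "$mp: ${live%% *} mounted with sec=$live_sec, fstab requests sec=$want_sec"
    case "$live_sec" in
        krb5|krb5i|krb5p) ;;
        *) echo "  FAIL: live mount is not Kerberos-protected"; return 1 ;;
    esac
    if [ "$live_sec" != "$want_sec" ]; then
        echo "  FAIL: fstab and live mount disagree on sec="; return 1
    fi
    case ",${want#* }," in
        *,_netdev,*) ;;
        *) echo "  WARN: fstab entry lacks _netdev (mount may be attempted before the network is up)" ;;
    esac
    return 0
}

# Constructed sample tables (not captured from a real host) for a stand-alone run.
m=$(mktemp); f=$(mktemp)
printf '%s\n' 'nfs-storage.cb.net:/nfs/export_rw /mnt/backups nfs4 rw,relatime,vers=4.1,sec=krb5,clientaddr=10.0.9.13,addr=10.0.9.12 0 0' > "$m"
printf '%s\n' 'nfs-storage.cb.net:/nfs/export_rw /mnt/backups nfs soft,timeo=100,_netdev,rw,sec=krb5 0 0' > "$f"
check_client_mount "$m" "$f" /mnt/backups
rm -f "$m" "$f"
```

On the client from the diagram the call would be `check_client_mount /proc/mounts /etc/fstab /mnt/backups`; a sec=sys in the live table means the Kerberos negotiation silently fell back, which is exactly the case a df -h check would miss.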

Take the RHCSA Quiz

This article is part of our RHCSA Study guide. By the end of this article you should be able to answer the following questions:

The following questions relate to making changes on the NFS server:

What additional tasks need to be done on the NFS server?

– add an nfs principal for the host
– update the /etc/exports file with the Kerberos option
– restart the nfs daemon

What are the kadmin commands to add the nfs principal for the NFS server, nfs-storage.cb.net?

addprinc -randkey nfs/nfs-storage.cb.net
ktadd nfs/nfs-storage.cb.net
quit

What change needs to be made to /etc/exports?

add ‘sec=krb5’ as another option inside the round brackets

What is the command to restart the NFS server daemon?

$ systemctl restart nfs-server

Where can you check whether the krb5 option has been enabled on the NFS server?

$ cat /var/lib/nfs/etab

The following questions relate to tasks on the NFS client, nfs-client.cb.net (whose NFS principal is nfs/nfs-client.cb.net):

What tasks need to be performed on the NFS client?

– add the nfs principal
– enable and restart the nfs client target
– do a manual mount using the mount command, for testing purposes
– add an entry to the fstab file

What are the kadmin commands for adding the nfs principal?

addprinc -randkey nfs/nfs-client.cb.net
ktadd nfs/nfs-client.cb.net
quit

What are the commands to restart and enable the nfs client target?

$ systemctl restart nfs-client.target
$ systemctl enable nfs-client.target

What is the command to check if nfs mounting has been successful?

$ df -h
