Filesystem
NFS with KRB5
Set up the KDC:
- Install the required packages for the KDC.
[root@kdc-server ~]# dnf install krb5-libs krb5-server krb5-workstation
- Edit /etc/krb5.conf.
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
dns_canonicalize_hostname = fallback
qualify_shortname = ""
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
- Create the database using the kdb5_util.
[root@kdc-server ~]# kdb5_util create -s
- Set the ACL in /var/kerberos/krb5kdc/kadm5.acl. The setting below grants full administrative access to anyone holding a secondary admin principal, for example user/admin@EXAMPLE.COM:
*/admin@EXAMPLE.COM *
- Create the first principal using kadmin.local at the KDC terminal:
[root@kdc-server ~]# kadmin.local -q "addprinc user/admin"
- Start krb5kdc and kadmin.
[root@kdc-server ~]# systemctl enable --now kadmin.service krb5kdc
NFS server configuration.
- Install the packages for the Kerberos client and the NFS server.
[root@nfs-server ~]# dnf install krb5-workstation nfs-utils
- NFSv4 idmapping becomes much more important with Kerberos. Both the server and the clients must have the same idmapping domain configured. In /etc/idmapd.conf, set the domain to your Kerberos realm.
[General]
Domain = example.com
- Each NFS server needs a Kerberos principal nfs/server.fqdn created on the KDC, with its keys added to the server's /etc/krb5.keytab.
[root@nfs-server ~]# kadmin -p username/admin
Password for username/admin@EXAMPLE.COM: ***********
kadmin: addprinc -nokey nfs/nfs-server.example.com
kadmin: addprinc -nokey host/nfs-server.example.com
kadmin: ktadd nfs/nfs-server.example.com
kadmin: ktadd host/nfs-server.example.com
[root@nfs-server ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------
1 host/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha384-192)
1 host/nfs-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha256-128)
1 host/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 host/nfs-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 host/nfs-server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
1 host/nfs-server.example.com@EXAMPLE.COM (camellia128-cts-cmac)
1 host/nfs-server.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
1 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha384-192)
1 nfs/nfs-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha256-128)
1 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 nfs/nfs-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 nfs/nfs-server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
1 nfs/nfs-server.example.com@EXAMPLE.COM (camellia128-cts-cmac)
1 nfs/nfs-server.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
- Enable and start gssproxy.service.
[root@nfs-server ~]# systemctl enable --now gssproxy.service
NFS client configuration
- Install nfs-utils and krb5-workstation as on the NFS server, and create the same krb5.conf configuration file.
- Add the NFS client to Kerberos.
[root@nfs-server ~]# kadmin -p username/admin
Password for username/admin@EXAMPLE.COM: ***********
kadmin: addprinc -nokey host/nfs-client.example.com
kadmin: ktadd host/nfs-client.example.com
[root@nfs-server ~]# klist -ke