Configure an NFSv4 server and client secured with Kerberos (RPCSEC_GSS)

Introduction

Scenario

Server and Client

NTP

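 # Kerberos rejects tickets when the clocks of client, server and KDC differ by
 # more than the KDC's permitted skew (5 minutes by default), so fix time first.
 # Step the clock once against the AD domain controller (the time source the
 # domain itself uses), THEN enable the daemon: chronyd -q refuses to run while
 # another chronyd already holds its pid file, so the original order (enable
 # first, one-shot second) fails.
 # chronyd -q 'server AD-ADDRESS iburst'
 # systemctl enable --now chronyd
 # Also add the DC as a permanent source in /etc/chrony.conf
 # ("server AD-ADDRESS iburst") so the clock stays in step after reboot.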

SAMBA

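# Samba is used here only for 'net ads join' (it creates the machine account
# and writes /etc/krb5.keytab).  Do not enable the smb/nmb services on an NFS
# host -- they would be an unrelated listening surface.
# ServerName=$(hostname -s)
# cat > /etc/samba/smb.conf << EOF
[global]
# Samba takes values literally: do NOT keep the quotes when replacing the
# placeholders below (the original wrote workgroup = "Pre-2000 domain").
# NetBIOS (pre-Windows 2000) name of the domain.
workgroup = YOUR-NETBIOS-DOMAIN
# Deprecated in recent Samba (DCs are located via DNS); keep it only when
# DNS SRV lookups for the domain are not available.
password server = dc-krb5.kerbdom.local
server string = $ServerName
netbios name = $ServerName
security = ads
# Must be the same realm as default_realm in /etc/krb5.conf.
realm = KERBDOM.LOCAL
# 'system keytab' makes net ads join write the machine principals into the
# keytab named by default_keytab_name in krb5.conf (/etc/krb5.keytab).
# 'dedicated keytab file' is only consulted with method 'dedicated keytab';
# it is left in place for readers used to it but has no effect here.
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
passdb backend = tdbsam
EOF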
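# cat > /etc/krb5.conf << EOF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Every realm reference on this page must name the same AD realm; the join
# examples use EXAMPLE.COM while this file uses KERBDOM.LOCAL -- pick one.
default_realm = KERBDOM.LOCAL
# KDCs are listed explicitly in [realms], so DNS SRV discovery is disabled.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Not required for NFS; forwardable tickets only matter for delegation
# (ssh-style).  Left as in the stock template.
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
# AES only.  The original listed des-cbc-crc and arcfour-hmac and set
# allow_weak_crypto = 1, which lets the KDC and the NFS session fall back to
# single-DES/RC4 and defeats the purpose of Kerberos-protected NFS.  If the
# DC or the machine account really offers only RC4 ("no supported encryption
# types" on kinit), fix msDS-SupportedEncryptionTypes on the account instead
# of re-enabling weak ciphers here.
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
KERBDOM.LOCAL = {
# master_key_type is a KDC-side (kdc.conf) setting with no effect in a client
# krb5.conf, so it was dropped.  Port 88 is the default, so the duplicate
# "host:88" entries were dropped too.
kdc = dc-krb5.kerbdom.local
kdc = dc2-krb5.kerbdom.local
default_domain = kerbdom.local
admin_server = dc-krb5.kerbdom.local
}

[domain_realm]
kerbdom.local = KERBDOM.LOCAL
.kerbdom.local = KERBDOM.LOCAL

[appdefaults]
pam = {
# debug = true is a pam_krb5 troubleshooting aid; it is noisy, turn it back
# to false once logins work.
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
EOF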

Package installation

NFS Server

# Packages for the NFS server.  'samba' is only needed for the 'net' tool used
# to join the domain -- leave the smb/nmb services disabled afterwards.
# yum install -y \
#     krb5-workstation \
#     samba samba-winbind \
#     sssd pam_krb5 \
#     nfs-utils \
#     cyrus-sasl-gssapi

NFS Client

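# Packages for the NFS client: the same set as the server (pam_krb5 was listed
# twice in the original; the duplicate is removed).  'samba' is needed only
# for 'net ads join' -- leave the smb/nmb services disabled.
# yum install -y krb5-workstation samba samba-winbind sssd pam_krb5 nfs-utils cyrus-sasl-gssapi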

Configuration

Server

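# Join the NFS server to the domain ONCE.  Each 'net ads join' resets the
# machine account password (new key version) and touches the keytab, and
# userPrincipalName is a single-valued AD attribute, so repeating the join
# with a different createupn= (as the original did three times) does not
# accumulate principals -- the last value wins.
# The principal must carry the SERVER's FQDN: the original used the client's
# name (nfs4-cl.example.com) here, which cannot work because nfsd looks for
# nfs/<server-fqdn>@REALM.  The realm must be the one in krb5.conf/smb.conf.
# net ads join createupn=host/nfs4-srv.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'
# Add the NFS service principal to the keytab (requires
# 'kerberos method = system keytab' in smb.conf).  On newer Samba use
# 'net ads keytab add_update_ads' so the SPN is also registered on the
# machine account; verify with 'net ads setspn list'.
# net ads keytab add nfs/nfs4-srv.example.com@EXAMPLE.COM -U Administrator
# A root/<fqdn> principal is not needed on the server side.
# Confirm that both principals are present, with AES keys only:
# klist -kte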
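# mkdir -p /export/vol1 /export/vol2
# cat > /etc/exports << EOF
# sec=krb5 (the original "gss/krb5" form) is AUTHENTICATION ONLY -- the file
# data still crosses the wire in the clear.  krb5i adds integrity, krb5p adds
# privacy (encryption).  Listing all three lets the server accept any of them;
# the client's sec= mount option picks the level, so use sec=krb5p there.
# Defaults kept on purpose: root_squash (client root -> nobody) and the
# 'secure' privileged-port check.  The original switched both off with
# no_root_squash and insecure on every volume; add no_root_squash only on a
# volume where client root genuinely must be server root, and insecure only
# for clients that cannot use a privileged source port.
/export *(sec=krb5p:krb5i:krb5,sync,rw,fsid=0,subtree_check)
/export/vol1 *(sec=krb5p:krb5i:krb5,sync,rw,subtree_check)
/export/vol2 *(sec=krb5p:krb5i:krb5,sync,rw,subtree_check)
EOF
# cat > /etc/idmapd.conf << EOF
[General]
#Verbosity = 0
# NFSv4 idmap domain; must be identical on server and client, otherwise
# owner/group names map to nobody.  Default is the host's DNS domain.
Domain = example.com
EOF
# The GSS helper on the server (gssproxy or rpc.svcgssd, depending on the
# nfs-utils version) is normally pulled in by nfs-server.service once
# /etc/krb5.keytab exists; check its status if krb5 mounts are refused.
# systemctl enable --now nfs-server rpcbind
# NFSv4 uses only TCP 2049, which the 'nfs' service covers.
# firewall-cmd --add-service=nfs --permanent
# The NFSv3 side ports are extra exposure; open them only if v3 clients exist:
# firewall-cmd --add-service={nfs3,mountd,rpc-bind} --permanent
# firewall-cmd --reload
# This boolean lets nfsd read/write files of any SELinux type.  Narrower
# alternative: label only /export with a type nfsd may use (e.g. public_content_rw_t).
# setsebool -P nfs_export_all_rw 1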

Client

# net ads join createupn=host/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

# net ads join createupn=root/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'
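# cat > /etc/idmapd.conf << EOF
[General]
#Verbosity = 0
# Must be the same NFSv4 idmap domain as on the server, otherwise
# owner/group names map to nobody.  Default is the host's DNS domain.
Domain = example.com
EOF
# The original had a typo here ('rpmbind').  rpcbind is only needed for
# NFSv3 mounts but is harmless for v4.
# systemctl enable --now rpcbind
# rpc.gssd must be running for any sec=krb5* mount; nfs-client.target starts
# it when /etc/krb5.keytab is present.
# systemctl enable --now nfs-client.target
# fstab needs the filesystem-type field; the original line omitted it
# (5 fields instead of 6) and could not be parsed.  sec=krb5p encrypts the
# traffic, krb5 alone only authenticates; the server export must list krb5p
# (sec=krb5p:... in /etc/exports).  Against a server that exports only krb5,
# this has to read sec=krb5 -- and the data then travels unencrypted.
# cat >> /etc/fstab << EOF
nfs4-srv.example.com:/ /mnt nfs vers=4,sec=krb5p,rw,sync 0 0
EOF
# mount /mnt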

Diagnostic Steps

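# Keytab first: every principal this host will use must be present with AES
# keys (the enctype column should read aes256/aes128, not des or arcfour).
# klist -kte
# Then prove the keytab works against the KDC.  Use this host's own FQDN and
# the realm from krb5.conf; on the server also try nfs/fqdn@REALM.
# kdestroy
# kinit -k host/fqdn@REALM
# klist
# If the mount still fails with "Permission denied", raise rpc.gssd's
# verbosity (e.g. rpc.gssd -vvv) and compare the journal on both ends.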
