Configure an NFSv4 service with Kerberos encryption

Introduction

Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).

Additional software applications requiring authentication, such as email clients, wikis, and revision-control systems, use the ticket-granting ticket to acquire service tickets, proving the user’s identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.

In a Unix/Linux environment, logging in through the Kerberos PAM module fetches the TGT. Kerberized client applications such as Evolution, Firefox, and SVN then use service tickets, so the user is not prompted to re-authenticate.

This document explains how to configure an NFS service with Kerberos authentication as a full single sign-on service.

Scenario

  1. Kerberos Server — AD

Server and Client

The Kerberos authentication method relies on time synchronisation between all servers, so make sure the clocks are in sync on every server.

NTP

Make sure the NTP daemon (chronyd here) is running:

 # systemctl enable --now chronyd

Sync the time with the AD server:

 # chronyd -q 'server AD-ADDRESS iburst'

SAMBA

If you are using AD as the Kerberos server, make sure the smb.conf file looks like this:

# cat > /etc/samba/smb.conf << EOF
[global]
workgroup = "Pre-2000 domain"
password server = "your domain DC"
server string = $ServerName
netbios name = $ServerName
security = ads
dedicated keytab file = /etc/krb5.keytab
kerberos method = system keytab
realm = "your.ad.realm"
passdb backend = tdbsam
EOF

Now let's do the same with the krb5.conf file:

# cat > /etc/krb5.conf << EOF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = KERBDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
default_tkt_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac
default_tgs_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac
allow_weak_crypto = 1

[realms]
KERBDOM.LOCAL = {
master_key_type = des-cbc-crc
kdc = dc-krb5.kerbdom.local
kdc = dc-krb5.kerbdom.local:88
kdc = dc2-krb5.kerbdom.local
kdc = dc2-krb5.kerbdom.local:88
default_domain = kerbdom.local
admin_server = dc-krb5.kerbdom.local
}

[domain_realm]
kerbdom.local = KERBDOM.LOCAL
.kerbdom.local = KERBDOM.LOCAL

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
EOF
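As an added check (not part of the original post), the following script scans a krb5.conf of the shape shown above for the weak settings it carries: single-DES and RC4 enctypes in the enctype lists, allow_weak_crypto = 1, and a DES master_key_type. The sample configs it writes are constructed here, and the file layout is the only assumption.

```shell
krb5_weak_settings() {
    # $1 = path to a krb5.conf. Prints one "key: value" line for each weak
    # setting found and returns 1 if there were any, 0 if the file is clean.
    awk '
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
        /^$/ { next }
        /^(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes|master_key_type)[ \t]*=/ {
            split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key)
            n = split(kv[2], enc, "[ \t,]+")
            for (i = 1; i <= n; i++)
                if (enc[i] ~ /^(des-|des3-|arcfour-hmac|rc4-hmac)/) { print key ": " enc[i]; bad = 1 }
        }
        /^allow_weak_crypto[ \t]*=[ \t]*(1|true|yes)$/ { print "allow_weak_crypto: enabled"; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed samples (added here, not from the post): the enctype lines of the
# krb5.conf above, and a hardened variant limited to AES. The temp files are
# left in place after the run so they can be inspected.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[libdefaults]
default_tkt_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac
default_tgs_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac
allow_weak_crypto = 1
[realms]
KERBDOM.LOCAL = {
master_key_type = des-cbc-crc
}
EOF
cat > "$HARDENED_CONF" <<'EOF'
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF

# On a real host: krb5_weak_settings /etc/krb5.conf
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if krb5_weak_settings "$f"; then echo "$f: clean"; else echo "$f: weak settings found"; fi
done
```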

Package installation

NFS Server

For the NFS server, make sure the packages are installed:

# yum install -y krb5-workstation samba samba-winbind sssd pam_krb5 nfs-utils cyrus-sasl-gssapi

NFS Client

For the NFS client, make sure the packages are installed:

# yum install -y krb5-workstation samba samba-winbind sssd pam_krb5 nfs-utils cyrus-sasl-gssapi

Configuration

Server

Secure connection
Ensure that SECURE_NFS="yes" is set in /etc/sysconfig/nfs, then continue with the principals and exports below.

Kerberos principals
The most important point about the Kerberos principals is the order in which you generate them: the root principal must be created last:

# net ads join createupn=host/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

# net ads join createupn=nfs/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

# net ads join createupn=root/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

Directories and the /etc/exports file

# mkdir /export
# mkdir /export/vol1
# mkdir /export/vol2

Update the /etc/exports file to publish the new directories:

# cat > /etc/exports << EOF
/export gss/krb5(insecure,sync,rw,fsid=0,no_root_squash,subtree_check)
/export/vol1 gss/krb5(insecure,sync,rw,no_root_squash,subtree_check)
/export/vol2 gss/krb5(insecure,sync,rw,no_root_squash,subtree_check)
EOF
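Added example, not part of the post: sec=krb5 only authenticates the client, krb5i adds integrity protection, and only krb5p encrypts the traffic, so the gss/krb5 lines above (together with insecure and no_root_squash) do not yet give an encrypted export. This script grades each /etc/exports entry on those three points; the sample it reads is constructed, and the same three flavours apply to the sec= mount option used in the client's fstab later in the post.

```shell
# Constructed /etc/exports sample (assumed paths): two lines as written in the
# post plus a tightened variant of the same kind of export.
sample_exports() {
    cat <<'EOF'
# NFSv4 root and one volume, as written in the post
/export gss/krb5(insecure,sync,rw,fsid=0,no_root_squash,subtree_check)
/export/vol1 gss/krb5(insecure,sync,rw,no_root_squash,subtree_check)
# same volume, encrypted, root squashed, privileged source ports only
/export/vol2 *(sec=krb5p,sync,rw,root_squash,subtree_check)
EOF
}

check_exports() {
    # /etc/exports text on stdin. Prints "PATH CLIENT: finding" per issue; returns 1 if any.
    awk '
        function level(f) { return f == "krb5p" ? 3 : f == "krb5i" ? 2 : f == "krb5" ? 1 : 0 }
        BEGIN { why[0] = "no Kerberos"; why[1] = "authentication only"; why[2] = "integrity but no encryption" }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (split($i, part, "(") == 2) { client = part[1]; opts = part[2]; sub(/\)$/, "", opts) }
                # flavour list comes from the old gss/<flavour> client form or from sec=a:b:c
                flist = "sys"
                if (client ~ /^gss\//) flist = substr(client, 5)
                else if (match(opts, /(^|,)sec=[^,]+/)) { flist = substr(opts, RSTART, RLENGTH); sub(/^,?sec=/, "", flist) }
                n = split(flist, fl, ":"); weakest = fl[1]
                for (j = 2; j <= n; j++) if (level(fl[j]) < level(weakest)) weakest = fl[j]
                tag = $1 " " client ": "
                if (level(weakest) < 3) { print tag "weakest allowed flavour " weakest " (" why[level(weakest)] "); use krb5p"; bad = 1 }
                if (("," opts ",") ~ /,no_root_squash,/) { print tag "no_root_squash lets client root act as root here"; bad = 1 }
                if (("," opts ",") ~ /,insecure,/) { print tag "insecure accepts requests from unprivileged source ports"; bad = 1 }
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# On the server: check_exports < /etc/exports
sample_exports | check_exports || echo "tighten the exports above before going live"
```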

The idmapd.conf file
Just set the Domain option to your AD domain:

# cat > /etc/idmapd.conf << EOF
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com
EOF

Start the services:

# systemctl enable --now nfs-server rpcbind

Open the firewall ports:

# firewall-cmd --add-service=nfs --permanent
# firewall-cmd --add-service={nfs3,mountd,rpc-bind} --permanent
# firewall-cmd --reload

And SELinux:

# setsebool -P nfs_export_all_rw 1

Client

Secure connection
Ensure that SECURE_NFS="yes" is set in /etc/sysconfig/nfs, then continue with the principals below.

Kerberos principals
The most important point about the Kerberos principals is the order in which you generate them: the root principal must be created last:

# net ads join createupn=host/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

# net ads join createupn=root/nfs4-cl.example.com@EXAMPLE.COM -U Administrator
Enter Administrator's password:
Using short domain name -- DC-KRB5
Joined 'NFS4-SRV' to realm 'example.com'

The idmapd.conf file:

Just set the Domain option to your AD domain:

# cat > /etc/idmapd.conf << EOF
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com
EOF

Now make sure the NFS services are running and enabled at boot time:

# systemctl start rpcbind && systemctl enable rpcbind

Mount the NFS directory by editing /etc/fstab and adding the mount options that select NFSv4 and Kerberos. krb5, krb5i or krb5p can be used as required; refer to 'man exports' for more details:

# cat >> /etc/fstab << EOF
nfs4-srv.example.com:/ /mnt nfs4 sec=krb5,rw,sync 0 0
EOF

Diagnostic Steps

To verify that the host ticket can be acquired, the following commands can be used:

# kdestroy
# kinit -k host/fqdn@REALM
# klist
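Added example, not from the post: the join commands in the Server and Client sections are meant to leave host/, nfs/ and root/ (server) or host/ and root/ (client) principals in /etc/krb5.keytab, so before running kinit -k it is worth checking that the keytab really contains them and that none are keyed with RC4 or DES. The klist -ke output below is constructed, and the names nfs4-srv.example.com / EXAMPLE.COM are assumed.

```shell
keytab_check() {
    # $1 = server|client, $2 = host FQDN, $3 = REALM; "klist -ke" text on stdin.
    # Server needs host/, nfs/ and root/; client needs host/ and root/ (as in the post).
    # Prints "missing: ..." / "weak: ..." lines and returns 1 if anything was printed.
    case $1 in
        server) want="host nfs root" ;;
        client) want="host root" ;;
        *) echo "usage: keytab_check server|client FQDN REALM" >&2; return 2 ;;
    esac
    awk -v want="$want" -v fqdn="$2" -v realm="$3" '
        BEGIN { n = split(want, svc, " ") }
        # entry lines look like: "   2 nfs/host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            seen[$2] = 1
            if ($3 ~ /^\((des-|des3-|arcfour-hmac|rc4-hmac)/) { print "weak: " $2 " " $3; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = svc[i] "/" fqdn "@" realm
                if (!(p in seen)) { print "missing: " p; bad = 1 }
            }
            if (bad) exit 1; exit 0
        }'
}

# Constructed sample: the root/ principal was never created and one host/ key is RC4.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfs4-srv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/nfs4-srv.example.com@EXAMPLE.COM (arcfour-hmac)
   2 nfs/nfs4-srv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 NFS4-SRV$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

# On a real host: klist -ke | keytab_check server "$(hostname -f)" EXAMPLE.COM
if sample_klist | keytab_check server nfs4-srv.example.com EXAMPLE.COM; then
    echo "keytab complete"
else
    echo "fix the keytab before testing with kinit -k"
fi
```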

That is it!

If you have any questions, feel free to respond or leave a comment.
You can find me on LinkedIn at: https://www.linkedin.com/in/orenoichman
Or on Twitter at: https://twitter.com/ooichman

Open source contributor for the past 15 years