Setting Up NFS Server with Kerberos-based Authentication for Linux Clients – Part 7

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

16 Responses

  1. Lex says:

    Instead of using the public_content_t SELinux context, you can use nfs_t, then you don’t need to enable the nfs_export_all_rw/nfs_export_all_ro booleans.

    Thanks for the Kerberos info, it was good and I found some extra info that helped me get this set up with NFS here, hope it may help someone else too.

  2. Tomas says:

    What version of RHEL/CentOS do you use here?

    On RHEL 7.1, the nfs-secure is a static service and cannot be enabled. It is started by the service assuming the file /etc/krb5.keytab is present on the system.

    • Gabriel A. Cánepa says:

      We used RHEL 7.0. Thank you for bringing this to our attention.
      Please add a clarification as per Tomas’ observation.

      • Ravi Saive says:


        Yes, as @Gabriel stated, we’ve used RHEL 7.0 for this setup and nfs-secure comes as a service and can be started using systemctl as instructed in this guide. About RHEL 7.1, we’ve no idea… Have you tried starting the nfs-secure service using systemctl in RHEL 7.1? What error did you receive? Could you share it with us?

        • Tomas says:

          RHCE exam is now based on RHEL 7.1, just so you know.

          To answer your question, I have tried starting the nfs-secure service on RHEL 7.1 and it works, however, being a static service, it cannot be enabled. If you restart the server, it won’t come up. Therefore you must enable the service.

          • Ravi Saive says:


            Yes, we know that the RHCE exam is now based on 7.1, but I really don’t think there are any major changes in the exam objectives or in the distribution, maybe some minor changes to some services or packages… nothing to worry about.

          • Tomas says:

            You need to enable the service on RHEL 7.1, otherwise you have no working NFS client configuration after system reboot. And you fail the exam, surely nothing to worry about.

  3. sloop says:

    The big question in my mind is “why?”.
    What advantages does using Kerberos for authentication give over the standard authentication?
    Does this stop an exploit whereby a user who has obtained root can su to another user and pilfer files over NFS under that user’s creds?

    • Gabriel A. Cánepa says:

      Perhaps you raised an important point in that no authentication method is 100% fool-proof. You may want to refer to this paper in the Kerberos website that explains in detail why you should consider using this method above others. Hope it helps:

    • Tomas says:

      @sloop Shortly, an NFS server does NOT require authentication and only enforces access restrictions that are based on IP addresses or host names of a client. Using the default security method, which is sec=sys, the NFS server trusts ANY UID that is sent by the client.

      Now using Kerberos, the client must prove identity first, and only then standard Linux file permissions apply. Kerberos can also ensure that all requests between the client and the server are encrypted.
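
Tomas's point about sec=sys can be checked on a server by auditing its export list. The following is an added example, not part of the comment thread or the original article: a shell/awk filter that flags every client entry in an /etc/exports-style file that still accepts sec=sys, either explicitly or because no sec= option is given (the exports(5) default). The function names and the sample hosts and paths are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag NFS exports that still accept sec=sys (AUTH_SYS).
# Per exports(5), a client entry with no sec= option defaults to sec=sys.
# Assumption: no "-opts" default-option fields and no line continuations.

# Constructed sample in /etc/exports format; hosts and paths are made up.
sample_exports() {
cat <<'EOF'
# constructed sample
/home/share   client.example.tld(rw,sec=krb5p)
/srv/public   *.example.tld(ro,sync)
/srv/mixed    10.0.0.0/24(rw,sec=sys:krb5) admin.example.tld(rw,sec=krb5i:krb5p)
EOF
}

# Reads exports lines on stdin; prints "WEAK <path> <client> <reason>"
# for every client entry that permits sec=sys.
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                        # split "client(opt,opt)"
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        if (client == "") client = "*"      # "(opts)" alone means any host
        sec = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
        if (sec == "")
          printf "WEAK %s %s no-sec-option-defaults-to-sys\n", path, client
        else if ((":" sec ":") ~ /:sys:/)   # sec= is a colon-separated list
          printf "WEAK %s %s sec=%s\n", path, client, sec
      }
    }'
}
```

On a server, run `audit_exports < /etc/exports`; no output means every listed client entry requires one of the Kerberos flavors (krb5, krb5i or krb5p).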

  4. Martin says:

    Hello, when I try to mount the kerberized NFS it says “mount.nfs4: an incorrect mount option was specified”
    Whole error is:
    mount -t nfs4 -o sec=krb5 servername.tld:/home/share/ /mnt/
    mount.nfs4: timeout set for Sun Feb 28 02:43:49 2016
    mount.nfs4: trying text-based options ‘sec=krb5,addr=,clientaddr-’ – i have changed the real IP in this line
    mount.nfs4: mount(2): Invalid argument
    mount.nfs4: an incorrect mount options was specified

    Does anyone know what could be the problem?

    • @Martin,
      Make sure you have started and enabled the nfs-secure and nfs-client services:
      systemctl start nfs-secure nfs-client && systemctl enable nfs-secure nfs-client
      Then try again and please get back to us.

  5. Mozuffer Mohamed Hago says:

    Thanks a lot, it’s a really amazing article, but the command # kdb5_util create -s must be executed before # systemctl start krb5kdc kadmin nfs-secure, because the second command raises an error about the missing db directory.
