Setting Up NFS Server with Kerberos-based Authentication for Linux Clients – Part 7

In the last article of this series, we reviewed how to set up a Samba share over a network that may consist of multiple types of operating systems. Now, if you need to set up file sharing for a group of Unix-like clients you will automatically think of the Network File System, or NFS for short.

Setting Up NFS Server with Kerberos Authentication
RHCE Series: Setting Up NFS Server with Kerberos Authentication – Part 7

In this article we will walk you through the process of using Kerberos-based authentication for NFS shares. It is assumed that you already have set up a NFS server and a client. If not, please refer to install and configure NFS server – which will list the necessary packages that need to be installed and explain how to perform initial configurations on the server before proceeding further.

In addition, you will want to configure both SELinux and firewalld to allow for file sharing through NFS.

The following example assumes that your NFS share is located in /nfs in box2:

# semanage fcontext -a -t public_content_rw_t "/nfs(/.*)?"
# restorecon -R /nfs
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on

(where the -P flag indicates persistence across reboots).

Finally, don’t forget to:

Create NFS Group and Configure NFS Share Directory

1. Create a group called nfs and add the nfsnobody user to it, then change the permissions of the /nfs directory to 0770 and its group owner to nfs. Thus, nfsnobody (which is mapped to the client requests) will have write permissions on the share) and you won’t need to use no_root_squash in the /etc/exports file.

# groupadd nfs
# usermod -a -G nfs nfsnobody
# chmod 0770 /nfs
# chgrp nfs /nfs

2. Modify the exports file (/etc/exports) as follows to only allow access from box1 using Kerberos security (sec=krb5).

Note: that the value of anongid has been set to the GID of the nfs group that we created previously:

exports – Add NFS Share
/nfs box1(rw,sec=krb5,anongid=1004)

3. Re-export (-r) all (-a) the NFS shares. Adding verbosity to the output (-v) is a good idea since it will provide helpful information to troubleshoot the server if something goes wrong:

# exportfs -arv

4. Restart and enable the NFS server and related services. Note that you don’t have to enable nfs-lock and nfs-idmapd because they will be automatically started by the other services on boot:

# systemctl restart rpcbind nfs-server nfs-lock nfs-idmap
# systemctl enable rpcbind nfs-server

Testing Environment and Other Prerequisites

In this guide we will use the following test environment:

  1. Client machine [box1: 192.168.0.18]
  2. NFS / Kerberos server [box2: 192.168.0.20] (also known as Key Distribution Center, or KDC for short).

Note: that Kerberos service is crucial to the authentication scheme.

As you can see, the NFS server and the KDC are hosted in the same machine for simplicity, although you can set them up in separate machines if you have more available. Both machines are members of the mydomain.com domain.

Last but not least, Kerberos requires at least a basic schema of name resolution and the Network Time Protocol service to be present in both client and server since the security of Kerberos authentication is in part based upon the timestamps of tickets.

To set up name resolution, we will use the /etc/hosts file in both client and server:

host file – Add DNS for Domain
192.168.0.18    box1.mydomain.com    box1
192.168.0.20    box2.mydomain.com    box2

In RHEL 7, chrony is the default software that is used for NTP synchronization:

# yum install chrony
# systemctl start chronyd
# systemctl enable chronyd

To make sure chrony is actually synchronizing your system’s time with time servers you may want to issue the following command two or three times and make sure the offset is getting nearer to zero:

# chronyc tracking
Synchronize Server Time with Chrony
Synchronize Server Time with Chrony

Installing and Configuring Kerberos

To set up the KDC, install the following packages on both server and client (omit the server package in the client):

# yum update && yum install krb5-server krb5-workstation pam_krb5

Once it is installed, edit the configuration files (/etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl) and replace all instances of example.com (lowercase and uppercase) with mydomain.com as follows.

Now create the Kerberos database (please note that this may take a while as it requires a some level of entropy in your system. To speed things up, I opened another terminal and ran ping -f localhost for 30-45 seconds):

# kdb5_util create -s
Create Kerberos Database
Create Kerberos Database

Next, enable Kerberos through the firewall and start / enable the related services.

Important: nfs-secure must be started and enabled on the client as well:

# firewall-cmd --permanent --add-service=kerberos
# systemctl start krb5kdc kadmin nfs-secure   
# systemctl enable krb5kdc kadmin nfs-secure       

Next, using the kadmin.local tool, create an admin principal for root:

# kadmin.local
# addprinc root/admin

And add the Kerberos server to the database:

# addprinc -randkey host/box2.mydomain.com

Same with the NFS service for both client (box1) and server (box2). Please note that in the screenshot below I forgot to do it for box1 before quitting:

# addprinc -randkey nfs/box2.mydomain.com
# addprinc -randkey nfs/box1.mydomain.com

And exit by typing quit and pressing Enter:

Add Kerberos to NFS Server
Add Kerberos to NFS Server

Then obtain and cache Kerberos ticket-granting ticket for root/admin:

# kinit root/admin
# klist
Cache Kerberos
Cache Kerberos

The last step before actually using Kerberos is storing into a keytab file (in the server) the principals that are authorized to use Kerberos authentication:

# kadmin.local
# ktadd host/box2.mydomain.com
# ktadd nfs/box2.mydomain.com
# ktadd nfs/box1.mydomain.com

Finally, mount the share and perform a write test:

# mount -t nfs4 -o sec=krb5 box2:/nfs /mnt
# echo "Hello from Tecmint.com" > /mnt/greeting.txt
Mount NFS Share
Mount NFS Share

Let’s now unmount the share, rename the keytab file in the client (to simulate it’s not present) and try to mount the share again:

# umount /mnt
# mv /etc/krb5.keytab /etc/krb5.keytab.orig
Mount Unmount Kerberos NFS Share
Mount Unmount Kerberos NFS Share

Now you can use the NFS share with Kerberos-based authentication.

Summary

In this article we have explained how to set up NFS with Kerberos authentication. Since there is much more to the topic than we can cover in a single guide, feel free to check the online Kerberos documentation and since Kerberos is a bit tricky to say the least, don’t hesitate to drop us a note using the form below if you run into any issue or need help with your testing or implementation.

Gabriel Cánepa
Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

29 thoughts on “Setting Up NFS Server with Kerberos-based Authentication for Linux Clients – Part 7”

  1. In order to get this to work, I had to manually copy the keytab file from the server into the client and run “kinit -k -t /etc/krb5.keytab” in order to then be able to mount the directory. If not I got an “Operation Not Permitted“.

    Reply
  2. I am getting mount.nfs4: Operation not permitted error when trying to mount nfs filesystem on client. any suggestions?

    Reply
  3. Hi Gabriel,
    a typo at the last kerberos step
    kadmin.local rather than kdadmin
    great article, very useful thank you!

    Reply
  4. Instead of using the public_content_t SELinux context, you can use nfs_t, then you don’t need to enable the nfs_export_all_rw/nfs_export_all_ro booleans.

    Thanks for the kerberos info, it was good and I found some extra info that helped me get this set up with NFS here, hope it may help someone else too.

    Reply
  5. What version of RHEL/CentOS do you use here?

    On RHEL 7.1, the nfs-secure is a static service and cannot be enabled. It is started by the nfs-client.target service assuming the file /etc/krb5.keytab is present on the system.

    Reply
    • @Tomas,
      We used RHEL 7.0. Thank you for bringing this to our attention.
      @Ravi,
      Please add a clarification as per Tomas’ observation.

      Reply
      • @Tomas,

        Yes, as @Gabriel stated, we’ve used RHEL 7.0 for this setup and nfs-secure comes a service and can be started using systemctl as instructed in this guide, about RHEL 7.1 we’ve no idea about this….Have you tried starting nfs-secure service using systemctl in RHEL 7.1? what error you received? could you share it with us?

        Reply
        • RHCE exam is now based on RHEL 7.1, just so you know.

          To answer your question, I have tried starting the nfs-secure service on RHEL 7.1 and it works, however, being a static service, it cannot be enabled. If you restart the server, it won’t come up. Therefore you must enable the nfs-client.target service.

          Reply
          • @Tomas,

            Yes, we know that the RHCE exam now based on 7.1, but I really don’t think any major changes in exam objectives nor in distribution, may be some minor changes to some services or packages..nothing to worry….

          • You need to enable the nfs-client.target service on RHEL 7.1, otherwise you have no working NFS client configuration after system reboot. And you fail the exam, surely nothing to worry about.

  6. The big question in my mind is “why?”.
    What advantages does using kerberos for authentication give over the standard authentication?
    Does this stop an exploit whereby a user who has obtained root can su to another user and pilfer files over nfs under that users creds?

    Reply
    • @sloop Shortly, an NFS server does NOT require authentication and only enforces access restrictions that are based on IP addresses or host names of a client. Using the default security method, which is sec=sys, the NFS server trusts ANY UID that is sent by the client.

      Now using Kerberos, the client must prove identity first, and only then standard Linux file permissions apply. Kerberos can also ensure that all requests between the client and the server are encrypted.

      Reply
  7. Hello, when i try to mount the kerberized NFS it says “mount.nfs4: an incorrect mount option was specified”
    Whole error is:
    mount -t nfs4 -o sec=krb5 servername.tld:/home/share/ /mnt/
    mount.nfs4: timeout set for Sun Feb 28 02:43:49 2016
    mount.nfs4: trying text-based options ‘sec=krb5,addr=1.2.3.4,clientaddr-1.2.3.4’ – i have changed the real IP in this line
    mount.nfs4: mount(2): Invalid argument
    mount.nfs4: an incorrect mount options was specified

    Does anyone know what could be the problem?

    Reply
    • @Martin,
      Make sure you have started and enabled the nfs-secure and nfs-client services:
      systemctl start nfs-secure nfs-client && systemctl enable nfs-secure nfs-client
      Then try again and please get back to us.

      Reply
  8. Hello
    thanks a lot it’s really amazing article but this command # kdb5_util create -s must be execute before # systemctl start krb5kdc kadmin nfs-secure due to the second command raise up an error for missing of db directory

    Reply

Leave a Reply to Amit Bhatt Cancel reply

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.