NFS Kerberized Server

Setting up Kerberized NFS Server on CentOS 7.X

This documentation outlines only the basic setup process of a Kerberized NFS server.

Software installation

On both NFS server and clients run as root:

# yum install nfs-utils

Configuration

NFS Server

The server should already have its host Kerberos principal in /etc/krb5.keytab; if not, run as root:

# cern-get-keytab (--force)

In addition, acquire the NFS service Kerberos principal:

# cern-get-keytab --service nfs (--force)

Edit /etc/sysconfig/nfs and add the line:

SECURE_NFS=yes

Create the NFS export:

# mkdir -m 0755 /nfstest
# chown nfsnobody:nfsnobody /nfstest
# semanage fcontext -a -t nfs_t "/nfstest(/.*)?"

Edit /etc/exports and add the line:

/nfstest nfs-test-client.cern.ch(rw,sec=krb5:krb5i:krb5p)

Enable and start the services:

# systemctl enable nfs; systemctl start nfs
# systemctl enable nfs-server; systemctl start nfs-server
# systemctl enable nfs-secure; systemctl start nfs-secure
# systemctl enable nfs-secure-server; systemctl start nfs-secure-server

Check the NFS exports:

# exportfs -av
exporting nfs-test-client.cern.ch:/nfstest

Reconfigure the firewall:

# firewall-cmd --permanent --add-service nfs
# firewall-cmd --reload

If, in addition to NFS version 4, the server is also supposed to export using the NFS version 3 protocol, run as well:

# firewall-cmd --permanent --add-service={mountd,rpc-bind}
# firewall-cmd --reload
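
As an added check that is not part of this page, the POSIX shell script below audits an /etc/exports file for client specs that would still admit unauthenticated (sec=sys) clients, which is exactly what the sec=krb5:krb5i:krb5p option above rules out. The function names are mine and the sample exports file it writes is constructed for the demonstration; it is not a real host configuration.

```sh
# Added audit helper (not from the CERN page): report every /etc/exports client
# spec that would admit an unauthenticated client. Per exports(5), a spec with
# no sec= defaults to sec=sys; a list containing sys or none is equally weak.
audit_exports() {
    set -f   # no globbing, so a client spec such as *(rw) stays literal
    # Drop comments, then walk each "path client(opts) client(opts) ..." line.
    sed -e 's/#.*//' "$1" | while read -r path specs; do
        [ -z "$path" ] && continue
        # A bare path exports to the world with default options (sec=sys).
        [ -z "$specs" ] && { echo "$path * missing sec= (defaults to sys)"; continue; }
        for spec in $specs; do
            client=${spec%%\(*}
            # "host (rw)" with a space before "(" is two specs: host, then "*".
            [ -z "$client" ] && client='*'
            case "$spec" in *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;; *) opts='' ;; esac
            sec=''
            oldifs=$IFS; IFS=,
            for opt in $opts; do
                case "$opt" in sec=*) sec=${opt#sec=} ;; esac
            done
            IFS=$oldifs
            if [ -z "$sec" ]; then
                echo "$path $client missing sec= (defaults to sys)"
            else
                case ":$sec:" in
                    *:sys:*|*:none:*) echo "$path $client allows unauthenticated flavour in sec=$sec" ;;
                esac
            fi
        done
    done
    set +f
}
# Number of weak specs; 0 means every export requires Kerberos.
weak_export_count() {
    audit_exports "$1" | awk 'END { print NR }'
}
# Write a constructed sample (not a real host config) and print its path:
# line 1 is the page's own export, the other three are deliberate mistakes.
write_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/exports
/nfstest nfs-test-client.cern.ch(rw,sec=krb5:krb5i:krb5p)
/scratch nfs-test-client.cern.ch(rw)
/data nfs-test-client.cern.ch(rw,sec=sys:krb5p)
/pub nfs-test-client.cern.ch (rw,sec=krb5p)
EOF
    echo "$f"
}
sample=$(write_sample_exports); audit_exports "$sample"; rm -f "$sample"
```

Run it against the real file with audit_exports /etc/exports after editing; the /pub line shows the classic mistake of a space before the parenthesis, which gives the named host default options and opens the export to everyone.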

NFS Client

The client system should already have its host Kerberos principal in /etc/krb5.keytab; if not, run as root:

# cern-get-keytab (--force)

Enable and start services:

# systemctl enable rpc-gssd; systemctl start rpc-gssd
# systemctl enable rpcbind; systemctl start rpcbind
# systemctl enable nfs-idmapd; systemctl start nfs-idmapd

Create mountpoint:

# mkdir /mnt/nfstest
Mount the server export. Edit /etc/fstab and add the line:

nfs-test-server.cern.ch:/nfstest /mnt/nfstest nfs4 sec=krb5i,rw,proto=tcp,port=2049

and mount it:

# mount /mnt/nfstest

Test

On the server, create a subdirectory owned by the test user:

# mkdir /nfstest/userlogin
# chown userlogin:usergroup /nfstest/userlogin

On the client, log in as userlogin and create a file:

# touch /mnt/nfstest/userlogin/testfile
# ls -l /mnt/nfstest/userlogin/testfile
-rw-r--r--. 1 userlogin usergroup 0 May 19 08:22 testfile

Note: on both server and client, userlogin and usergroup must exist and be authorized to log in. For CERN accounts this can be done by running:

# addusercern userlogin

and for local accounts with adduser. For more complex setups, LDAP/sssd authentication should be configured.