Bug 761650

Summary: Corrections to Kerberized NFS setup
Product: Red Hat Enterprise Linux 6
Component: doc-Identity_Management_Guide
Version: 6.2
Status: CLOSED CURRENTRELEASE
Reporter: Deon Ballard <dlackey>
Assignee: Deon Ballard <dlackey>
QA Contact: ecs-bugs
CC: jskeoch, rcritten, ssorce, steved
Target Milestone: rc
Keywords: Documentation
Doc Type: Bug Fix
Last Closed: 2012-06-21 23:17:02 UTC
Attachments: kerberized NFS (flags: none)

Description Deon Ballard 2011-12-08 19:18:35 UTC
Created attachment 542705 [details]
kerberized NFS

A request came in to add info on setting up Kerberized NFS, based on the procedures in this blog post:
http://bre.klaki.net/blog/2011/08/26/

These procedures need to be edited.

Related:
Bug 734111

Comment 2 Steve Dickson 2011-12-08 20:17:21 UTC
Here are the corrections for the two chapters:

Chapter 9.3. Setting up a Kerberized NFS Server
 - I removed the 'v4'  

6. Install the NFS package. For example:
    yum install nfs-utils

7. Add the NFS probe modules. 
  - Not needed

9. Edit the NFS server configuration to use NFSv4 security. 
   vi /etc/sysconfig/nfs
   uncomment SECURE_NFS="yes"

10. Edit the NFS common configuration to enable the domain and UID/GID mapping.
    - Not needed.
11. Configure the NFS domain
    - is only needed if clients and servers are in different DNS domains

15. Restart the NFS server.

Changes for: 9.3.2. Setting up a Kerberized NFS Client

5. Edit the NFS common configuration to enable the domain and UID/GID mapping
   - Not needed
6. Edit the NFS common configuration to enable the domain and UID/GID mapping.
   - Definitely not needed.. ;-)

7. Configure the NFS domain. The idmapd.conf must be the same on the NFS client
as it is on the NFS server.
   - again only needed if clients and the server are in different DNS domains

8. Start the GSS and name mapping daemons. 
   - only the rpcgssd daemon has to be started.
     service rpcgssd start

Comment 3 Steve Dickson 2011-12-08 20:18:16 UTC
*** Bug 761685 has been marked as a duplicate of this bug. ***

Comment 5 Deon Ballard 2011-12-08 22:00:36 UTC
This is the final corrected version from Simo and Steve:

 9.3. Setting up a Kerberized NFS Server

  Identity Management can be used to set up a Kerberized NFS server.
  NOTE: The NFS server does not need to be running on Red Hat Enterprise Linux.

9.3.1. Setting up a Kerberized NFS Server
 If the NFS host machine has not been added as a client to the IPA domain, then create the host entry. See Section 6.2, “Adding Host Entries”.
 Create the NFS service entry in the IPA domain. See Section 6.5.1, “Adding and Editing Service Entries and Keytabs”.

Generate the NFS service keytab for the NFS server.

If you are operating on the nfs server then let the ipa-getkeytab tool save keys directly in your host default keytab.
  # KEYS_DEST=/etc/krb5.keytab
Otherwise put the keys in a temporary (but safe, 0700 permissions) file:
  # KEYS_DEST=/root/nfs-server.keytab

* NOTE: If you have any RHEL5 or older client you can only use DES keys.
In this case make sure to add the -e des-cbc-crc switch to the following command.
If all your clients support stronger algorithms (RHEL6, Solaris, Fedora, ...) then you should not force the use of DES keys.

# ipa-getkeytab  -k $KEYS_DEST -s server.example.com -p nfs/nfs-server.example.com  

NOTE: If you were forced to use DES keys you also need to edit the krb5.conf file to allow weak crypto. This is required for every NFS client if any client in the domain will use older encryption options like DES:
  # vim /etc/krb5.conf
  [libdefaults]
  allow_weak_crypto = true


If you ran ipa-getkeytab on an admin workstation then you need to copy the /root/nfs-server.keytab file to the actual NFS server.

On the NFS server, add the service keys to the keytab file.

  # ( echo rkt /root/nfs-server.keytab; echo wkt /etc/krb5.keytab) | ktutil

Install the NFS packages. For example:

# yum install nfs-utils


Edit the NFS server configuration to enable server-side secure NFS.

# vim /etc/sysconfig/nfs

SECURE_NFS="yes"

Edit the /etc/exports file and add the Kerberos information:

/export  *(rw,sec=sys:krb5:krb5i:krb5p)

Restart the NFS server.

# service nfs restart

NOTE: You need to configure the NFS server as a client as well, using the following instructions.

9.3.2. Setting up a Kerberized NFS Client
 As with the NFS server, if the NFS client machine has not been added as a client to the IPA domain, then create the host entry. See Section 6.2, “Adding Host Entries”.

NOTE: this is needed ONLY if the client is not enrolled in IPA, otherwise the client already has a host key.

Generate host keytab for the NFS client.

If you are operating on the nfs client then let the ipa-getkeytab tool save keys directly in your host default keytab.
# KEYS_DEST=/etc/krb5.keytab
Otherwise put the keys in a temporary (but safe, 0700 permissions) file:
# KEYS_DEST=/root/nfs-client.keytab

# ipa-getkeytab -k $KEYS_DEST -s server.example.com -p host/nfs-client-server.example.com

If you ran ipa-getkeytab on an admin workstation then you need to copy the /root/nfs-client.keytab file to the actual NFS client.
On the NFS client, add the host key to the default keytab file.

  # ( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) | ktutil

NOTE:  If you were forced to use DES keys you also need to edit the krb5.conf  file to allow weak crypto. This is required for every NFS client if any client in the domain will use older encryption options like DES:
  # vim /etc/krb5.conf
  [libdefaults]
  allow_weak_crypto = true


Edit the NFS common configuration to enable client side secure NFS

# vim /etc/sysconfig/nfs

SECURE_NFS="yes"

Start the client side GSS daemon

# service rpcgssd start

Mount the directory.

# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049"  >>/etc/fstab
# mount -av
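
Added example, not part of the bug report or of the Identity Management Guide text above: a set of POSIX shell helpers that check the artifacts the comment 5 procedure produces (the exports line, SECURE_NFS in the sysconfig file, the service principal and enctypes in the keytab as shown by `klist -kte`, and the sec= flavor in the fstab entry). The helpers work on strings or stdin, so they run here against constructed samples; host names, the EXAMPLE.COM realm and the timestamps in the sample listing are assumptions. One point the helpers make explicit: an exports line with `sec=sys:krb5:krb5i:krb5p` still lets a client mount with plain AUTH_SYS, so `sys` has to be dropped from the list if Kerberos is meant to be mandatory.

```shell
#!/bin/sh
# Added example, not part of the bug or the Identity Management Guide:
# text-level checks for the Kerberized NFS procedure in comment 5. Each helper
# works on a string or on stdin, so it runs here against constructed samples;
# on a real server feed it /etc/exports, /etc/sysconfig/nfs, /etc/fstab and
# the output of `klist -kte /etc/krb5.keytab`. Host names, realm and
# timestamps in the samples are assumptions.

# Print the sec= flavor list (colon separated) of one /etc/exports line,
# e.g. '/export  *(rw,sec=sys:krb5:krb5i:krb5p)' -> 'sys:krb5:krb5i:krb5p'.
exports_sec_flavors() {
    printf '%s\n' "$1" | sed -n 's/.*[(,]sec=\([^,)]*\).*/\1/p'
}

# Succeed (exit 0) if the export line still accepts AUTH_SYS, i.e. a client
# may mount without Kerberos at all. An export with no sec= option is sys.
exports_allows_sys() {
    flavors=$(exports_sec_flavors "$1")
    [ -z "$flavors" ] && return 0
    case ":$flavors:" in
        *:sys:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed if the sysconfig file on stdin has an uncommented SECURE_NFS=yes
# (quotes optional), which is what starts rpc.svcgssd / rpc.gssd on RHEL 6.
sysconfig_secure_nfs() {
    grep -q '^[[:space:]]*SECURE_NFS="\{0,1\}yes"\{0,1\}[[:space:]]*$'
}

# Succeed if `klist -kte` output on stdin contains the given principal
# (realm omitted), e.g. nfs/nfs-server.example.com.
keytab_has_principal() {
    grep -qF " $1@"
}

# Print every DES enctype found in `klist -kte` output on stdin; succeed
# if at least one is present (then allow_weak_crypto is needed everywhere).
keytab_weak_enctypes() {
    awk 'match($0, /\(des-cbc-[a-z0-9]*\)/) {
             print substr($0, RSTART + 1, RLENGTH - 2); found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Print the sec= flavor (krb5, krb5i or krb5p) from an fstab option string.
fstab_sec_flavor() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p'
}

# Constructed `klist -kte` listing: the nfs/ service key was fetched once
# with -e des-cbc-crc for a RHEL 5 client and once with the default enctypes.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/08/11 19:10:02 host/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 12/08/11 19:18:35 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 12/08/11 19:18:35 nfs/nfs-server.example.com@EXAMPLE.COM (des-cbc-crc)'

# Demo against the exports line and fstab options quoted in comment 5.
demo() {
    exports='/export  *(rw,sec=sys:krb5:krb5i:krb5p)'
    if exports_allows_sys "$exports"; then
        echo "WARNING: export accepts AUTH_SYS as well as Kerberos:" \
             "$(exports_sec_flavors "$exports")"
    fi
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal nfs/nfs-server.example.com; then
        echo "OK: nfs/ service key present in keytab"
    fi
    if weak=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_weak_enctypes); then
        echo "WARNING: weak enctypes in keytab ($weak); allow_weak_crypto = true" \
             "is then required in krb5.conf on every client"
    fi
    printf 'SECURE_NFS="yes"\n' | sysconfig_secure_nfs && echo "OK: SECURE_NFS enabled"
    echo "fstab flavor: $(fstab_sec_flavor 'sec=krb5i,rw,proto=tcp,port=2049')"
}
demo
```

On a live system the same helpers are used as `exports_allows_sys "$(grep '^/export' /etc/exports)"`, `sysconfig_secure_nfs < /etc/sysconfig/nfs` and `klist -kte /etc/krb5.keytab | keytab_weak_enctypes`; the order of the sec= list is also the server's preference order, so put krb5p first if clients that negotiate via SECINFO should pick privacy.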

Comment 6 Deon Ballard 2012-04-18 17:33:37 UTC
There may be some slight differences due to other bug fixes, but here is the link:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html

Comment 8 Deon Ballard 2012-06-21 23:17:02 UTC
Closing.