Wednesday, July 3, 2024

How To Configure NFS Server and Client to use Kerberos

The Network File System (NFS) is a protocol that lets computers access files over a network. It is useful where a business needs to set up a distributed filesystem over its network, so that files can be accessed and shared from any remote device connected to that network. The protocol has been in active development since it was first developed by Sun Microsystems in 1984.

NFS offers a lot of amazing features such as:

  • Kerberos support
  • NFS Over TCP/UDP support
  • WebNFS support
  • NFS Version 2, NFS Version 3, and NFS Version 4 Protocols
  • Large File support with the added ability to manipulate files larger than 2 Gbytes.
  • Several extensions for NFS Mounting with the automountd command.
  • NFS Server Logging – a record of the file operations performed on its file systems is kept.
  • Security Negotiation for the WebNFS Service – The client is able to negotiate a security mechanism with an NFS server.
  • Network Lock Manager and NFS

NFS works with the client/server model where the server stores the shared data and manages the authorization of the clients. Once authenticated, the client systems are able to access the files just as if they existed on the local system.

One of the amazing features associated with NFS is the Kerberos support. Kerberos is a computer network protocol used to authenticate service requests between two or more systems over an untrusted network. It works with secret-key cryptography as well as a trusted third party to authenticate the client-server applications and verify the identities of the users.

In this guide, we will see how we can configure the NFS client-server application to use Kerberos authentication.

Getting Started

In this guide, we will use two servers to set up the NFS client-server application as well as Kerberos. You can also use three servers, with each service running on its own server. Here, one server runs the NFS server and Kerberos, and the other runs the NFS client.

The servers will be configured as shown:

TASK                    HOSTNAME                IP ADDRESS
NFS server/IPA server   node1.neveropen.co.za   192.168.205.2
NFS client/IPA client   node2.neveropen.co.za   192.168.205.3

Set the hostnames on the systems:

##On Node1
sudo hostnamectl set-hostname node1.neveropen.co.za

##On Node2
sudo hostnamectl set-hostname node2.neveropen.co.za

On both nodes, edit the /etc/hosts file as shown:

$ sudo vim /etc/hosts
192.168.205.2  node1.neveropen.co.za node1
192.168.205.3  node2.neveropen.co.za node2

Switch to the root user on both nodes:

sudo su -

Step 1 – Configure Chrony NTP synchronization

Before we install and configure Kerberos, the Network Time Protocol service should be present on both the server and the client, because Kerberos tickets are timestamped and authentication fails when the two clocks drift apart.

On both nodes, install Chrony:

yum -y install chrony

Start and enable the service:

systemctl enable --now chronyd

Configure Chrony NTP:

timedatectl set-timezone Africa/Nairobi --adjust-system-clock
timedatectl set-ntp yes

Both servers should have synchronized time.

# timedatectl 
               Local time: Tue 2022-07-12 11:59:57 EAT
           Universal time: Tue 2022-07-12 08:59:57 UTC
                 RTC time: Tue 2022-07-12 08:59:57
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Step 2 – Install and Configure FreeIPA Server

We will use the FreeIPA server to provide the Kerberos services for NFS authentication. We will install and configure the FreeIPA server and client on RHEL-based systems, i.e. Rocky. Refer to the guides below for the detailed process.

Generate a Kerberos ticket

Generate a Kerberos ticket using the command:

# kinit admin
Password for [email protected]: 

Access FreeIPA Management Dashboard

The FreeIPA management console can be accessed using the URL https://domain_name

Log in using the admin credentials created during the installation.

Step 3 – Joining NFS Server / Client to IPA domain

Once the server has been set up, we will join a client node to the domain. First install the IPA client packages:

### RHEL based systems ###
sudo yum install ipa-client -y

### Debian based systems ###
sudo apt update
sudo apt install freeipa-client

Next, update the DNS settings on the IPA client.

sudo vim /etc/sysconfig/network-scripts/ifcfg-interface_name

Replace interface_name with the appropriate interface on your system. In the opened file, set DNS1 to the IP address of the FreeIPA server:

DNS1=192.168.205.2

Restart the network service:

systemctl restart NetworkManager

Verify that the changes have been made:

$ cat /etc/resolv.conf
search neveropen.co.za
nameserver 192.168.205.2

With the packages installed and DNS updated, add the client to the server using the command:

sudo ipa-client-install

Proceed as shown.

This program will set up IPA client.
Version 4.9.8

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: node2.neveropen.co.za
Realm: COMPUTINGFORGEEKS.COM
DNS Domain: neveropen.co.za
IPA Server: node1.neveropen.co.za
BaseDN: dc=neveropen,dc=com

Continue to configure the system with these values? [no]: yes
......
User authorized to enroll computers: admin
Password for [email protected]: provide admin password here
.....

Once complete, generate a Kerberos ticket on the client:

$ kinit admin
Password for [email protected]: 

Validate this using the command:

$ klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/13/2022 16:04:55  07/14/2022 15:32:09  krbtgt/[email protected]

The node should now also appear in the web UI.

Step 4 – Setting up a Kerberized NFS Server

Still on the web UI, navigate to the Services tab and add a service.

Add the NFS service on the master/server node. For this guide it is node1.neveropen.co.za.

Verify that the service has been added.

On the FreeIPA Server, generate the key for the NFS service:

[root@node1 ~]# ipa-getkeytab -p nfs/[email protected] -k /etc/krb5.keytab

Verify that the credentials have been added:

[root@node1 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]

Create the NFS Share.

The NFS server can be installed and configured on different Linux distributions. For example on RHEL/CentOS/Rocky Linux/Alma Linux, use the command:

sudo yum install nfs-utils

Once installed, set the domain in the /etc/idmapd.conf file. The idmapd daemon maps NFSv4 user and group names to local IDs on behalf of the NFSv4 kernel client and server.

The command used has the syntax below:

sudo sed -i '/^#Domain/s/^#//;/Domain = /s/=.*/= neveropen.co.za/' /etc/idmapd.conf

Here, replace neveropen.co.za with your own domain name.

Define NFS Server Share Directories

Next, define the file systems to be shared in the /etc/exports file. We will first create a directory to be shared as shown:

# On NFS Server
sudo mkdir -p /var/nfs/share
sudo chmod 777 /var/nfs/share

On RHEL-based systems, you also need to configure SELinux as shown:

sudo semanage fcontext -a -t public_content_rw_t "/var/nfs/share(/.*)?"
sudo restorecon -R /var/nfs/share
sudo setsebool -P nfs_export_all_rw on
sudo setsebool -P nfs_export_all_ro on

The -P flag makes the setting persist across system reboots.

Now define the export in the /etc/exports file to be accessed by node2 or any other node using Kerberos security:

$ sudo vim /etc/exports
/var/nfs/share *(rw,sec=krb5:krb5i:krb5p)
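
As an added example (not part of the original guide), the script below reads an exports file and reports, for each path and client, the weakest security flavor the server will accept: an entry with no sec= option defaults to sys, krb5 only authenticates, krb5i adds integrity checking, and only krb5p encrypts the traffic. The function name and the /srv/legacy and /srv/secret entries are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit which RPC security flavors each NFS export accepts.

audit_exports() {   # usage: audit_exports <exports-file>
  awk '
    BEGIN { R["krb5"] = 1; R["krb5i"] = 2; R["krb5p"] = 3 }  # sys/unknown rank 0
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                         # split "client(opt,opt,...)"
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1, length($i) - p - 1)
        }
        if (client == "") client = "*"       # bare "(opts)" applies to any host
        sec = "sys"                          # exports(5): no sec= means sys
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
        weakest = sec; rank = 4
        m = split(sec, f, ":")
        for (j = 1; j <= m; j++) {           # keep the weakest listed flavor
          r = (f[j] in R) ? R[f[j]] : 0
          if (r < rank) { rank = r; weakest = f[j] }
        }
        if (rank == 0) note = "FAIL-not-kerberized"
        else if (rank < 3) note = "WARN-unencrypted"
        else note = "OK"
        if (client == "*") note = note ",any-host"
        print $1, client, weakest, note
      }
    }' "$1"
}

# Constructed sample; the first line is the export used in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/var/nfs/share *(rw,sec=krb5:krb5i:krb5p)
/srv/legacy 192.168.205.3(rw,sync)
/srv/secret node2.neveropen.co.za(rw,sec=krb5p)
EOF
audit_exports "$sample"
rm -f "$sample"
```

The export from this guide is reported as "krb5 WARN-unencrypted,any-host" because a client may still choose plain krb5; listing only sec=krb5p makes the server refuse unencrypted mounts.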

Once exported, restart the NFS service:

systemctl restart rpcbind nfs-server
systemctl enable rpcbind nfs-server

If you have a firewall enabled, allow the services through it:

sudo firewall-cmd --add-service={nfs,nfs3,mountd,rpc-bind} --permanent
sudo firewall-cmd --reload

Step 5 – Setting up a Kerberized NFS Client

Once the server is configured, go back to the client node (in this case node2.neveropen.co.za) and generate the Kerberos ticket.

[root@node2 ~]# kinit admin
Password for [email protected]: 

Verify the credentials generated.

[root@node2 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected]
   1 host/[email protected]

Install the required NFS client packages:

sudo yum groups install -y "Network File System Client"

Once the installation is complete, create a mount point on the client:

sudo mkdir /mnt/securenfs

Now mount the secure share on the client using the command:

sudo mount -t nfs -o sec=krb5 node1.neveropen.co.za:/var/nfs/share /mnt/securenfs

Verify the mount:

df -h


Try writing something to the share:

echo "Hello World!" | sudo tee /mnt/securenfs/greeting.txt

Verify the file was added:

[root@node2 ~]# ls -al /mnt/securenfs/
total 4
drwxrwxrwx. 2 root   root   26 Jul 13 16:15 .
drwxr-xr-x. 3 root   root   23 Jul 13 16:12 ..
-rw-r--r--. 1 nobody nobody 13 Jul 13 16:15 greeting.txt

Step 6 – Test the Kerberos NFS Authentication

To test if Kerberos authentication is working, we will rename the keytab file and reboot the system.

sudo mv /etc/krb5.keytab /etc/krb5.keytab.orig
sudo reboot

When the system boots, try mounting the NFS share:

$ sudo mount -t nfs  -o sec=krb5 node1.neveropen.co.za:/var/nfs/share /mnt/securenfs
mount.nfs: an incorrect mount option was specified

To mount the NFS share, restore the keytab, restart the system and mount the share:

sudo mv /etc/krb5.keytab.orig /etc/krb5.keytab
sudo reboot
sudo mount -t nfs -o sec=krb5 node1.neveropen.co.za:/var/nfs/share /mnt/securenfs

Mount the Share Permanently

To make the mount persistent, add the line below to the /etc/fstab file:

$ sudo vim /etc/fstab
node1.neveropen.co.za:/var/nfs/share /mnt/securenfs nfs sec=krb5i,rw,tcp 0 0
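
A more direct check than renaming the keytab is to read the sec= option of the mount itself. The added example below (not from the original guide) parses any fstab-format file, so it works on both /etc/fstab and /proc/mounts; the function names and the sample lines, including the /mnt/legacy mount, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm which security flavor an NFS mount is using.

nfs_sec_report() {  # usage: nfs_sec_report <fstab-format file>
  awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $3 == "nfs" || $3 == "nfs4" {
      sec = "unset"                          # no sec= in fstab: left to negotiation
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
      if (sec == "krb5p")      v = "encrypted"
      else if (sec == "krb5i") v = "integrity"
      else if (sec == "krb5")  v = "auth-only"
      else if (sec == "unset") v = "NOT-PINNED"
      else                     v = "NOT-KERBEROS"
      print $2, sec, v
    }' "$1"
}

# Exit status 0 only if the given mount point uses krb5, krb5i or krb5p.
require_krb5() {    # usage: require_krb5 <file> <mountpoint>
  nfs_sec_report "$1" |
    awk -v mp="$2" '$1 == mp && $2 ~ /^krb5[ip]?$/ { ok = 1 } END { exit !ok }'
}

# Constructed sample in /proc/mounts format.
mounts=$(mktemp)
cat > "$mounts" <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
node1.neveropen.co.za:/var/nfs/share /mnt/securenfs nfs4 rw,relatime,vers=4.2,sec=krb5,proto=tcp,addr=192.168.205.2 0 0
node1.neveropen.co.za:/srv/legacy /mnt/legacy nfs4 rw,relatime,vers=4.2,sec=sys,proto=tcp,addr=192.168.205.2 0 0
EOF
nfs_sec_report "$mounts"
require_krb5 "$mounts" /mnt/securenfs && echo "/mnt/securenfs: Kerberos in use"
require_krb5 "$mounts" /mnt/legacy || echo "/mnt/legacy: not protected by Kerberos"
rm -f "$mounts"
```

On a live client, run nfs_sec_report /proc/mounts after mounting to see the flavor actually in use.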

Closing Thoughts

That marks the end of this detailed guide on how to configure the NFS Server and Client to use Kerberos. We have walked through an action-packed setup of an IPA server and client and Kerberized NFS. I hope this was significant.

Nicole Veronica Rubhabha