Friday, August 14, 2009

How to configure NFS4 with Kerberos using Windows AD + KDC?

Below are the steps which explain how to set this up in a simple environment.

This setup involves three systems.

1. Windows 2003 as KDC
2. NFS server
3. NFS client

The Windows server is Windows 2003 R2 SP2. The NFS server and NFS client are running RHEL-5.3.

Pre-requisites

- Working DNS server
- Working NTP server so that the time on all machines is in sync.

These are requirements for Kerberos to work.

On the Windows server, create a user "nfsuser" with a password of your choice.

How to setup NFS server?

1.1- Run "authconfig-tui". In the "Authentication" section, select "Use Kerberos" -> Next -> type in the realm name and the IP of the Windows AD as both KDC and admin server.

1.2- Add a user named "nfsuser" with uid 2000 without setting a password for that user.

# useradd -u 2000 nfsuser

1.3- Create two groups named "group1" and "group2" with gids 3001 and 3002 on the system.

1.4- Add "nfsuser" as a member of both groups.

# usermod -G group1,group2 nfsuser

1.5- Create a directory to share using NFS.

# mkdir /nfs

Create two directories, each writable by one group.

# mkdir /nfs/group1
# chgrp group1 /nfs/group1
# chmod g+w /nfs/group1

# mkdir /nfs/group2
# chgrp group2 /nfs/group2
# chmod g+w /nfs/group2

1.6- Edit /etc/sysconfig/nfs and un-comment the line below.

SECURE_NFS="yes"

1.7- Edit /etc/exports and share /nfs as below.

/nfs gss/krb5p(rw,sync,fsid=0)

1.8- Now create the keytab on the Windows server in a command prompt using the command below.

ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsuser -pass **** -out nfsrv.keytab /crypto rc4-hmac-nt /ptype KRB5_NT_PRINCIPAL

* Please note that I have used "rc4-hmac-nt" crypto.

RC4-HMAC-NT is the default and employs 128-bit encryption.

You can find more details about ktpass and the types of crypto here.

1.9- Copy nfsrv.keytab to the NFS server as /etc/krb5.keytab.
1.10- Verify with klist -ke.

# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/nfsserver.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)

1.11- Start the nfs service and restart rpcidmapd.

# service nfs start
# service rpcidmapd restart

How to configure NFS client?

2.1 - Repeat step 1.1
2.2 - Repeat step 1.2
2.3 - Repeat step 1.3
2.4 - Repeat step 1.4

2.5- Edit /etc/sysconfig/nfs and un-comment the line below.

SECURE_NFS="yes"

2.6- Create the keytab on the Windows server.

ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser -pass **** -out nfscli.keytab /crypto rc4-hmac-nt /ptype KRB5_NT_PRINCIPAL

2.7- Copy nfscli.keytab to the NFS client as /etc/krb5.keytab.

2.8- Verify with klist -ke.

# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/nfsclient.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)

2.9- Start "rpcgssd" and "rpcidmapd".

# service rpcgssd start
# service rpcidmapd restart

2.10- Mount the share as below.

# mount -t nfs4 -o sec=krb5p nfsserver.example.com:/ /mnt

# mount | grep nfs4
nfsserver.example.com:/ on /mnt type nfs4 (rw,sec=krb5p,addr=10.65.209.189)

# ls /mnt
group1 group2
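As an added check that is not part of the original post: a small POSIX shell script that verifies the pieces this setup depends on (the nfs/FQDN@REALM service principal in the keytab and its enctype, SECURE_NFS actually un-commented, a gss/krb5p root export, and sec=krb5p negotiated on the mount). The host names, realm and sample listings are constructed from the examples above, not read from a live system.

```shell
#!/bin/sh
# Added pre-flight check for the NFSv4 + Kerberos setup above (not from the post).
# Assumptions: the host FQDN and realm are passed as arguments; the klist, sysconfig,
# exports and mount text below are constructed samples modelled on the post's listings.

# Constructed sample inputs (in a real run, feed the live files/commands instead).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   2 nfs/nfsserver.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'
SAMPLE_SYSCONFIG='#SECURE_NFS="yes"
SECURE_NFS="yes"'
SAMPLE_EXPORTS='/nfs gss/krb5p(rw,sync,fsid=0)'
SAMPLE_MOUNT='nfsserver.example.com:/ on /mnt type nfs4 (rw,sec=krb5p,addr=10.65.209.189)'

# keytab_has_nfs_principal FQDN REALM < klist-output: the keytab must hold nfs/FQDN@REALM.
keytab_has_nfs_principal() { grep -qF "nfs/$1@$2 ("; }

# keytab_enctypes FQDN REALM < klist-output: print the stored enctype so it can be reviewed.
keytab_enctypes() { sed -n "s|^.*nfs/$1@$2 (\(.*\))[[:space:]]*\$|\1|p"; }

# SECURE_NFS="yes" must be an active line, not the commented-out default.
secure_nfs_enabled() { grep -q '^[[:space:]]*SECURE_NFS="yes"'; }

# The fsid=0 root export must use the gss/krb5p flavour (krb5/krb5i would skip privacy).
export_is_krb5p() { grep -v '^[[:space:]]*#' | grep 'fsid=0' | grep -q 'gss/krb5p'; }

# The mounted share must be nfs4 with sec=krb5p actually negotiated.
mount_is_krb5p() { grep 'type nfs4' | grep -q '[(,]sec=krb5p[,)]'; }

# preflight FQDN REALM: run all checks against the samples; non-zero exit on any FAIL.
preflight() {
    host=$1 realm=$2 rc=0
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_nfs_principal "$host" "$realm"; then
        echo "PASS keytab has nfs/$host@$realm, enctype: $(printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes "$host" "$realm")"
    else
        echo "FAIL keytab lacks nfs/$host@$realm"; rc=1
    fi
    printf '%s\n' "$SAMPLE_SYSCONFIG" | secure_nfs_enabled \
        && echo "PASS SECURE_NFS is enabled" || { echo "FAIL SECURE_NFS not enabled"; rc=1; }
    printf '%s\n' "$SAMPLE_EXPORTS" | export_is_krb5p \
        && echo "PASS root export is gss/krb5p" || { echo "FAIL root export is not gss/krb5p"; rc=1; }
    printf '%s\n' "$SAMPLE_MOUNT" | mount_is_krb5p \
        && echo "PASS mount negotiated sec=krb5p" || { echo "FAIL mount is not sec=krb5p"; rc=1; }
    return $rc
}

preflight nfsserver.example.com EXAMPLE.COM
```

Running the same checks with the client host name against the server's keytab listing fails, which is the mistake to catch when the two keytabs are copied to the wrong machine.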