[Freeipa-users] Kerberized NFS and automount

Johan Petersson Johan.Petersson at sscspace.com
Thu Sep 18 06:03:41 UTC 2014


I do not know what OS you are using but if it is RHEL 6 or CentOS 6 you would need to do the following:

In /etc/idmapd.conf:

Domain = your.domain

Add this to /etc/sysconfig/nfs

SECURE_NFS="yes"

In /etc/exports:

/home/repo *(rw,sync,sec=krb5p) 

Make sure that you use NTP for every server/client and that the time is synced.

Add the server to the IPA Domain

Create an NFS service for the server in IPA:

ipa service-add nfs/your.server.name 

Generate a key using:

ipa-getkeytab -s ipa.server -p nfs/your.nfs.server -k /tmp/nfsserver.keytab

Do this on the nfs server and you can add the key directly to /etc/krb5.keytab.

Add a firewall rule for tcp 2049.

iptables -I INPUT 5 -p tcp -m state --state NEW,ESTABLISHED --dport 2049 -j ACCEPT

Save and restart firewall + the other services and it should work.

For RHEL 7 or Fedora it is essentially the same except that you do not add the line to /etc/sysconfig/nfs.

Instead you need to enable and start nfs-server and nfs-secure-server using systemctl.

For autofs you just need to add a proper direct or indirect map in IPA and on the IPA client run ipa-client-automount.

Make sure that the nfs 4 kerberos share is working first before starting with autofs config.

mount -t nfs4 -v -o sec=krb5p nfs.server:/home/repo /mnt

Hope this could help you get it working. :-)

Regards,
Johan

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dan Mossor [danofsatx at gmail.com]
Sent: Thursday, September 18, 2014 06:57
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Kerberized NFS and automount

I have been fighting with getting my NFS servers kerberized since I
first installed FreeIPA back in April - I still cannot create a secured
NFS mount, and have exhausted all my resources in troubleshooting, so I
am reaching out to the list since I see many of you have it working.

The next step in the puzzle will be to make this work with automount -
which again, I can't get this working either. I am missing one key step
here, but I can't find it. The documentation for both issues is
confusing, especially to someone new to FreeIPA.

So first, let's tackle the Kerberized NFS mounts. On the server doing
the exporting, here are the pertinent files.
/etc/sysconfig/nfs:
RPCNFSDARGS=""
RPCNFSDCOUNT=8
RPCMOUNTDOPTS="--debug all"
STATDARG=""
RPCIDMAPDARGS=""
RPCGSSDARGS="--debug all"
GSS_USE_PROXY="no"
RPCSVCGSSDARGS=""

My last attempt at an /etc/exports file before I gave up:
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

What other information do y'all need to help me get this working?
--
Dan Mossor
Systems Engineer at Large
Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
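
The server-side file settings from the reply at the top of this message, and the gss/krb5p exports form from the original question, as a read-only preflight check. This is an added example, not part of the original thread; the function names, the sample files and the verdict labels are constructed for illustration.

```bash
#!/bin/sh
# Read-only preflight for the three server-side files; paths are arguments.
# Limits: one export per line, no quoted paths or "\" continuations.

# Print the Domain value from an idmapd.conf-style file, or MISSING.
idmapd_domain() {
    awk -F= '/^[ \t]*Domain[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; ok = 1; exit }
             END { if (!ok) print "MISSING" }' "$1"
}

# Print yes/no for SECURE_NFS="yes" (the RHEL 6 / CentOS 6 step only).
secure_nfs_enabled() {
    if grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Print "path client verdict" for every client entry in an exports file:
#   krb5p          sec=krb5p and nothing else
#   krb5-weaker    sec= lists krb5/krb5i, or krb5p alongside other flavors
#   deprecated-gss old gss/krb5* client form (exports(5) prefers sec=)
#   no-kerberos    no Kerberos flavor, so the export falls back to sec=sys
classify_exports() {
    awk 'NF && !/^[ \t]*#/ {
        for (i = 2; i <= NF; i++) {
            v = "no-kerberos"
            if ($i ~ /^gss\/krb5/)              v = "deprecated-gss"
            else if ($i ~ /sec=krb5p[,)]/)      v = "krb5p"
            else if ($i ~ /sec=[a-z0-9:]*krb5/) v = "krb5-weaker"
            print $1, $i, v
        }
    }' "$1"
}

# Constructed sample files (not from a real host), then the three checks.
demo_dir=$(mktemp -d)
printf '[General]\nDomain = example.test\n' > "$demo_dir/idmapd.conf"
printf 'SECURE_NFS="yes"\n' > "$demo_dir/nfs"
printf '%s\n' '/home/repo *(rw,sync,sec=krb5p)' \
    '/home/old gss/krb5p(rw,fsid=0)' '/srv/pub *(ro,sync)' > "$demo_dir/exports"
echo "idmapd Domain: $(idmapd_domain "$demo_dir/idmapd.conf")"
echo "SECURE_NFS:    $(secure_nfs_enabled "$demo_dir/nfs")"
classify_exports "$demo_dir/exports"
```

On a real server the three functions would be pointed at /etc/idmapd.conf, /etc/sysconfig/nfs and /etc/exports; any export reported as no-kerberos is reachable without a Kerberos ticket.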
