[Freeipa-users] Kerberized NFS and automount

Dmitri Pal dpal at redhat.com
Thu Sep 18 13:39:54 UTC 2014


On 09/18/2014 02:03 AM, Johan Petersson wrote:
> I do not know what OS you are using but if it is RHEL 6 or CentOS 6 you would need to do the following:
>
> In /etc/idmapd.conf:
>
> Domain = your.domain
>
> Add this to /etc/sysconfig/nfs
>
> SECURE_NFS="yes"
>
> In /etc/exports:
>
> /home/repo *(rw,sync,sec=krb5p)
>
> Make sure that you use NTP for every server/client and that the time is synced.
>
> Add the server to the IPA Domain
>
> Create a NFS Service for the server in IPA:
>
> ipa service-add nfs/your.server.name
>
> Generate a key using ipa-getkeytab -s ipa.server -p nfs/your.nfs.server -k /tmp/nfsserver.keytab  # Do this on the nfs server and you can add the key directly to /etc/krb5.keytab.
>
> Add a firewall rule for tcp 2049.
>
> iptables -I INPUT 5 -p tcp -m state --state NEW,ESTABLISHED --dport 2049 -j ACCEPT
>
> Save and restart firewall + the other services and it should work.
>
> For RHEL 7 or Fedora it is essentially the same except that you do not add the line to /etc/sysconfig/nfs.
>
> Instead you need to enable and start nfs-server and nfs-secure-server using systemctl.
>
> For autofs you just need to add a proper direct or indirect map in IPA and on the IPA client run ipa-client-automount.
>
> Make sure that the nfs 4 kerberos share is working first before starting with autofs config.
>
> mount -t nfs4 -v -o sec=krb5p nfs.server:/home/repo /mnt
>
> Hope this could help you get it working. :-)
>
> Regards,
> Johan
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dan Mossor [danofsatx at gmail.com]
> Sent: Thursday, September 18, 2014 06:57
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Kerberized NFS and automount
>
> I have been fighting with getting my NFS servers kerberized since I
> first installed FreeIPA back in April - I still cannot create a secured
> NFS mount, and have exhausted all my resources in troubleshooting, so I
> am reaching out to the list since I see many of you have it working.
>
> The next step in the puzzle will be to make this work with automount -
> which again, I can't get this working either. I am missing one key step
> here, but I can't find it. The documentation for both issues is
> confusing, especially to someone new to FreeIPA.
>
> So first, let's tackle the Kerberized NFS mounts. On the server doing
> the exporting, here are the pertinent files.
> /etc/sysconfig/nfs:
> RPCNFSDARGS=""
> RPCNFSDCOUNT=8
> RPCMOUNTDOPTS="--debug all"
> STATDARG=""
> RPCIDMAPDARGS=""
> RPCGSSDARGS="--debug all"
> GSS_USE_PROXY="no"
> RPCSVCGSSDARGS=""
>
> My last attempt at an /etc/exports file before I gave up:
> /home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
>
> What other information do y'all need to help me get this working?
> --
> Dan Mossor
> Systems Engineer at Large
> Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
>
There are also a couple of resources on the wiki:
http://www.freeipa.org/page/HowTos

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
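The two /etc/exports lines quoted in this thread differ in exactly the way that decides whether a client is authenticated by Kerberos, so here is a small exports linter as an added example (not code from the thread or from nfs-utils). It assumes exports(5) semantics: a client entry with no sec= option gets sec=sys, a colon-separated list such as sec=krb5p:sys still admits AUTH_SYS clients, and the gss/krb5p client form in the original post is the older spelling of the sec=krb5p option in Johan's reply; the sample exports text is constructed.

```python
import re
# Flavours that authenticate the client; "sys" trusts the client-sent UID/GID
# and is what exports(5) applies when sec= is omitted entirely (assumption).
KRB_FLAVOURS = {"krb5", "krb5i", "krb5p"}
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")   # host(opts) or bare host
def parse_exports(text: str) -> list:
    """Parse exports-file text into [{path, clients: [{client, opts}]}]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:                # host(opt,opt,...)
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append({"client": m.group(1), "opts": opts})
            else:                                     # bare host, default options
                clients.append({"client": m.group(3), "opts": []})
        entries.append({"path": path, "clients": clients})
    return entries

def lint_exports(text: str) -> list:
    """Return one finding per client entry that is not Kerberos-only or is risky."""
    findings = []
    for e in parse_exports(text):
        for c in e["clients"]:
            where = f"{e['path']} {c['client']}"
            sec = [o[len("sec="):] for o in c["opts"] if o.startswith("sec=")]
            if c["client"].startswith("gss/"):
                findings.append(f"{where}: legacy gss/ client form; use host(sec=...) instead")
            elif not sec:
                findings.append(f"{where}: no sec= option, so sec=sys applies (no Kerberos)")
            else:
                weak = [f for f in sec[-1].split(":") if f not in KRB_FLAVOURS]
                if weak:
                    findings.append(f"{where}: sec={sec[-1]} still admits {','.join(weak)}")
            if "no_root_squash" in c["opts"]:
                findings.append(f"{where}: no_root_squash keeps client root as root on the export")
    return findings
# Constructed sample: the two lines quoted in the thread plus two common slips.
SAMPLE_EXPORTS = """
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
/home/repo *(rw,sync,sec=krb5p)
/srv/data 192.168.1.0/24(ro,sec=krb5p:sys)
/srv/public *(ro)
"""
```

Run `lint_exports(open("/etc/exports").read())` on the NFS server; an empty list means every client entry is restricted to krb5, krb5i or krb5p and nothing keeps client root unsquashed.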
