In part one I wrote about how to set up an IPA server for basic user authentication.
One reason NFSv4 is not more widespread yet is that it needs Kerberos for proper (that is, authenticated) operation. Of course this is now much easier thanks to IPA.
Goals for this part of the guide
- Configure IPA to serve the NFS service principal
- Configure the NFS server to use IPA
- Configure some IPA clients to use Kerberos for the NFS service
Prerequisites
- A running IPA server as discussed in part I of this guide
- An NFS server based on RHEL 6.2
- One or more IPA clients
First you need to add the NFS server as a host and create its NFS service principal on the IPA server. On ipa1.example.com run:
[root@ipa1 ~]# ipa host-add nfs.example.com
[root@ipa1 ~]# ipa service-add nfs/nfs.example.com
Next, log on to your NFS server, let's call it nfs.example.com, and install the additional software packages needed:
[root@nfs ~]# yum -y install ipa-client nfs-utils
You need to enroll your NFS server in the IPA domain. Run the following on nfs.example.com (you will be prompted for the admin password):
[root@nfs ~]# ipa-client-install -p admin
The next step is to obtain a Kerberos ticket as admin and fetch the key for the NFS service principal into the server's krb5.keytab. Note that ipa-getkeytab generates a fresh key each time it is run, so run it once; running it again later invalidates the key already stored in the keytab.
[root@nfs ~]# kinit admin
[root@nfs ~]# ipa-getkeytab -s ipa1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab
Before you proceed to your clients, you need to enable secure NFS, create an export (including a home directory for the test user tester1) and restart NFS:
[root@nfs ~]# perl -pi -e 's/^#SECURE_NFS="yes"/SECURE_NFS="yes"/' /etc/sysconfig/nfs
[root@nfs ~]# echo "/home *(rw,sec=sys:krb5:krb5i:krb5p)" >> /etc/exports
[root@nfs ~]# mkdir /home/tester1 && cp /etc/skel/.bash* /home/tester1 && chmod 700 /home/tester1 && chown -R tester1:ipausers /home/tester1
[root@nfs ~]# service nfs restart
Be aware that listing sys in the sec= option still permits unauthenticated AUTH_SYS mounts from any host, and a client that does not explicitly request a Kerberos flavor may well end up using it. If you want Kerberos enforced on this export, drop sys from the list and allow only krb5, krb5i and krb5p (krb5 authenticates only, krb5i adds integrity protection, krb5p also encrypts the traffic).
Assuming you have already set up one or more IPA clients, it is straightforward to enable kerberized NFS on those systems. Log in to a client and run the following:
[root@ipaclient1 ~]# yum -y install nfs-utils
[root@ipaclient1 ~]# perl -pi -e 's/^#SECURE_NFS="yes"/SECURE_NFS="yes"/' /etc/sysconfig/nfs
Make sure rpc.gssd is running on the client afterwards; on RHEL 6 the rpcgssd init script only starts it when SECURE_NFS is set to yes, so Kerberos mounts fail without it.
Let's check whether you have been successful. First look up the user's UID:
[root@ipaclient1 ~]# getent passwd tester1
tester1:*:1037700500:1037700500:Hans Tester:/home/tester1:/bin/bash
Let's mount that user's home directory manually on a client:
[root@ipaclient1 ~]# mount -t nfs4 nfs.example.com:/home/tester1 /home/tester1
If you want to be sure the mount really uses Kerberos rather than falling back to AUTH_SYS (which the export above still permits), request the flavor explicitly with the sec=krb5 mount option and check the sec= value recorded for the mount in /proc/mounts.
To check that it is working as expected, issue
[root@ipaclient1 ~]# su - tester1
Run ls -lan and see whether the UID matches the UID you got from getent. If you see UID 4294967294 instead, something went wrong: this is (uid_t)-2, the UID of the user nfsnobody on 64-bit machines, and it is what NFSv4 falls back to when the user's identity could not be mapped.
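The following shell functions are an added example and not part of the original guide. They perform the checks described in this part offline against constructed sample data: whether an /etc/exports line still permits sec=sys, whether the nfs service principal is present in the keytab (parsed from klist -k output), which security flavor a mount actually negotiated (parsed from its /proc/mounts line) and whether a UID is the nfsnobody fallback. Host names, realm and the UID are the ones used in the guide; the klist output, the /proc/mounts line and the client address are constructed samples, as are the function names.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-install checks for the
# kerberized NFSv4 setup described above. Each function takes its input as text,
# so the checks run offline against the constructed samples below; on a real
# system feed them live output instead, for example:
#   export_allows_sys "$(grep '^/home ' /etc/exports)"
#   keytab_has_principal "$(klist -k /etc/krb5.keytab)" nfs/nfs.example.com
#   mount_sec_flavor "$(grep ' /home/tester1 ' /proc/mounts)"

# Print the sec= flavors of one /etc/exports line, space separated.
# exportfs defaults to sec=sys when the option is absent, so an export
# without sec= is reported as "sys".
export_sec_flavors() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    flavors=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | tr ':' ' ')
    printf '%s\n' "${flavors:-sys}"
}

# Exit 0 if the export still permits unauthenticated AUTH_SYS clients, as the
# export created in this part does (sec=sys:krb5:krb5i:krb5p).
export_allows_sys() {
    for f in $(export_sec_flavors "$1"); do
        [ "$f" = "sys" ] && return 0
    done
    return 1
}

# Exit 0 if the principal (e.g. nfs/nfs.example.com) appears in `klist -k`
# output, whatever its key version number and realm.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -qF -e " $2@"
}

# Print the flavor a live mount actually negotiated, taken from the sec=
# option in its /proc/mounts line. No sec= recorded means AUTH_SYS.
mount_sec_flavor() {
    opts=$(printf '%s\n' "$1" | cut -d' ' -f4)
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    printf '%s\n' "${sec:-sys}"
}

# Exit 0 if a uid is the nfsnobody fallback the guide warns about:
# 4294967294 is (uid_t)-2 on 64-bit systems, 65534 its 32-bit equivalent.
uid_is_nfsnobody() {
    [ "$1" = "4294967294" ] || [ "$1" = "65534" ]
}

# Combined check for one client mount: exit 0 only when the mount negotiated a
# Kerberos flavor AND the owner uid seen with ls -lan is a real user, i.e. the
# identity was mapped instead of falling back to nfsnobody.
check_client_mount() {
    case "$(mount_sec_flavor "$1")" in
        krb5|krb5i|krb5p) ;;
        *) return 1 ;;
    esac
    ! uid_is_nfsnobody "$2"
}

# Constructed sample data (not captured from a real system), following the
# names used in the guide.
SAMPLE_EXPORT='/home *(rw,sec=sys:krb5:krb5i:krb5p)'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nfs.example.com@EXAMPLE.COM
   2 nfs/nfs.example.com@EXAMPLE.COM'
SAMPLE_MOUNT='nfs.example.com:/home/tester1 /home/tester1 nfs4 rw,relatime,vers=4,sec=krb5,clientaddr=192.0.2.10,addr=192.0.2.20 0 0'

if export_allows_sys "$SAMPLE_EXPORT"; then
    echo "WARNING: export still permits sec=sys: $SAMPLE_EXPORT"
fi
if keytab_has_principal "$SAMPLE_KLIST" nfs/nfs.example.com; then
    echo "keytab: nfs/nfs.example.com present"
fi
echo "mount negotiated sec=$(mount_sec_flavor "$SAMPLE_MOUNT")"
if check_client_mount "$SAMPLE_MOUNT" 1037700500; then
    echo "client mount OK"
fi
```

Run as-is it reports on the sample data, including the warning that the guide's export still allows sec=sys; on a real server and client, replace the samples with the live output as shown in the header comment. The sec= value in /proc/mounts is the authoritative answer to "did this mount use Kerberos", which neither the export nor the mount command alone tells you.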
You will find out why in part III of this guide.