Since the invention of NFSv4, automount NFS home directories is secure. Since the invention of IPA, its easier to set up and maintain. This article guides you trough the steps needed to set it up. The procedures have been tested on RHEL7.1 for the IPA servers, RHEL6.6 and 7.1 as clients but should work on Fedora and CentOS. Unfortunately it seems not to work (yet) for Debian Sid and Ununtu. [Update] Works in Ubuntu 14.04[/Update]
Assumptions
- Your Domain is example.com
- Your Kerberos Realm is EXAMPLE.COM
- The NFS server is nfs.example.com
- The exported home directories are on /exports/home
- The client is ipaclient1.example.com
- krb5 means that the server and client authenticate each other, traffic can be intercepted.
- krb5i the same as krb5 but providing integrity. It verifies that the data has not been tampered with, but traffic still can be intercepted.
- krb5p like the two above, plus privacy protection, all traffic is encrypted.
A few words about security and kerbrized NFS
There are basically three different modes: krb5, krb5i and krb5p.
Depending on the sensitivity of the data to be transferred krb5i or krb5p should be used. Also keep in mind that the higher the security the lower the throughput is.
Work to do on one of the IPA replicas
Add the NFS service principal for the server and client to Kerberos.
[root@ipa1 ~]# ipa service-add nfs/nfs.example.com [root@ipa1 ~]# ipa service-add nfs/ipaclient1.example.com
Assume you are only using one location, you can use the default one.
Add the auto.home map
[root@ipa1 ~]# ipa automountmap-add default auto.home ------------------------------- Added automount map "auto.home" ------------------------------- Map: auto.home [root@ipa1 ~]#
And add the auto.home map to auto.master
[root@ipa1 ~]# ipa automountkey-add default --key "/home" --info auto.home auto.master --------------------------- Added automount key "/home" --------------------------- Key: /home Mount information: auto.home [root@ipa1 ~]#
Finally add the key to the auto.home map
[root@ipa1 ~]# ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfs.example.com:/exports/home/&" auto.home ----------------------- Added automount key "*" ----------------------- Key: * Mount information: -fstype=nfs4,rw,sec=krb5i,soft,rsize=8192,wsize=8192 nfs.example.com:/exports/home/& [root@ipa1 ~]#
Configure the NFS server
Create a Kerberos Keytab for your NFS server
[root@nfs ~]# kinit admin [root@nfs ~]# ipa-getkeytab -s ipa1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab
Tell your NFS service to use NFSv4
[root@nfs ~]# perl -npe 's/#SECURE_NFS="yes"/SECURE_NFS="yes"/g' -i /etc/sysconfig/nfs
Create your NFS share and start the NFS server
[root@nfs ~]# mkdir /exports/home [root@nfs ~]# echo "/exports/home *(rw,sec=sys:krb5:krb5i:krb5p)" >> /etc/exports [root@nfs ~]# service nfs start [root@nfs ~]# chkconfig nfs on
Configure your clients
Get the Kerberos keytab
[root@ipaclient1 ~]# ipa-getkeytab -s ipa1.example.com -p nfs/ipaclient1.example.com -k /etc/krb5.keytab
Finally you need to configure your client systems to map use of the automount maps provided by IPA
[root@login ~]# ipa-client-automount --location=default Searching for IPA server... IPA server: DNS discovery Location: default Continue to configure the system with these values? [no]: yes Configured /etc/nsswitch.conf Configured /etc/sysconfig/nfs Configured /etc/idmapd.conf Started rpcidmapd Started rpcgssd Restarting sssd, waiting for it to become available. Started autofs [root@login ~]#
Strange problems you can run into
If you run into troubles, enable debugging in the related daemons. In /etc/sysconfig/autofs, add a line LOGGING=debug.
Add debug_level = 9 in the [autofs] stanza.
If you have something like this in /var/log/messages
lookup(file): failed to read included master map auto.master
Then probably your nsswitch.conf does not point to sss. Ensure you have
automount: files sss
In your nsswitch.conf. This should actually be configured by ipa-client-automount but it seems that it is not 100% reliable to do so.
If you have something like this in /var/log/messages:
Mar 14 20:02:37 ipaclient nfsidmap[3039]: nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain'
Then check your /etc/hosts file if all is correct. Also ensure that the short hostname is not in front of the FQHN. Another mistake can trigger the same error: DNS. Ensure you have a working DNS setup for both A (and/or AAAA) and PTR records.
Read further
There are plenty of docs available, there is a choice
Have fun! 🙂
Have you done this for VNX?
like the NetApp howto??
http://www.freeipa.org/page/HowTos#Storage
Thanks a lot for this very helpful page.
Very useful tutorial, really help me a lot! thanks!
It works like a charm!
However, I found if a public key is used to ssh into the client, I won’t get a correct permission, unless a “kinit” command is used.
Any idea?
Hi,
If you are using public key authentication, then your user is not authenticated against the Kerberos server. Kerberos can also be a replacement for public key authentication when the machine where you are logging in from is also kerberized and in the same Kerberos realm.
HTH
Luc