2.6. Configuring NFS v4 with Kerberos

Procedure 2.5. To configure NFS on the Fedora IPA client:
  1. Obtain a Kerberos ticket for the admin user.

    # kinit admin

  2. Add an NFS service principal on the client.

    # ipa-addservice nfs/ipaclient.example.com

  3. Obtain a keytab for the NFS service principal.

    # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com \
        -k /etc/krb5.keytab

    Note

    The Linux NFS implementation still has limited encryption type support. If your NFS server is hosted on a Linux machine, you may need to pass the -e des-cbc-crc option to the ipa-getkeytab command for every nfs/<FQDN> service keytab you set up, both on the server and on all clients. This instructs the KDC to generate only DES keys. Single DES is a weak encryption type and was deprecated for Kerberos in RFC 6649, so apply this option only to the nfs/<FQDN> keytabs that require it.

  4. Add the following line to the /etc/sysconfig/nfs file:

    SECURE_NFS=yes
    
  5. Start the rpcgssd daemon.

    # service rpcgssd start

The IPA client should now be fully configured to mount NFS shares using Kerberos credentials. Use the following command to test the configuration:

# mount -v -t nfs4 -o sec=krb5 ipaserver.example.com:/ /mnt
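
The checks below, an added example that is not part of the IPA documentation, confirm the two client-side results of the procedure before the test mount: that /etc/sysconfig/nfs enables SECURE_NFS, and that the keytab holds an nfs/<FQDN> key, whose encryption types are listed. The function names, the EXAMPLE.COM realm and the sample klist -ke output are constructed for illustration; klist output formatting differs between krb5 versions.

```shell
#!/bin/bash
# Added example (not from the IPA documentation): pre-mount checks for Procedure 2.5.

# Succeeds if the last uncommented SECURE_NFS assignment in FILE is "yes".
secure_nfs_enabled() {
    awk -F= '/^[ \t]*SECURE_NFS=/ { v = $2 }
             END { sub(/#.*/, "", v); gsub(/[" \t]/, "", v); exit (v == "yes" ? 0 : 1) }' "$1"
}

# Reads `klist -ke` output on stdin and prints the encryption type of every
# key stored for nfs/FQDN (any realm). Fails if the keytab holds no such key.
nfs_key_enctypes() {
    awk -v p="nfs/$1@" '
        index($2, p) == 1 && match($0, /\([^)]*\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2); found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# usage: premount_check SYSCONFIG_FILE CLIENT_FQDN < klist-output
premount_check() {
    local rc=0 types
    secure_nfs_enabled "$1" || { echo "FAIL: SECURE_NFS=yes not set in $1"; rc=1; }
    if types=$(nfs_key_enctypes "$2"); then
        echo "OK: nfs/$2 key types:" $types
    else
        echo "FAIL: no nfs/$2 key in the keytab"; rc=1
    fi
    return $rc
}

# Constructed sample data so the checks run offline. On a real client use:
#   klist -ke /etc/krb5.keytab | premount_check /etc/sysconfig/nfs "$(hostname -f)"
demo_dir=$(mktemp -d)
printf '# NFS settings\nSECURE_NFS=yes\n' > "$demo_dir/nfs"
cat > "$demo_dir/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 host/ipaclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/ipaclient.example.com@EXAMPLE.COM (des-cbc-crc)
EOF
premount_check "$demo_dir/nfs" ipaclient.example.com < "$demo_dir/klist.txt"
rm -rf "$demo_dir"
```

A key listed only as des-cbc-crc shows that the keytab was created with the -e des-cbc-crc option described in the Note.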