1.2.6. Configuring NFS v4 with Kerberos

Procedure 1.10. To configure NFS on the Red Hat Enterprise Linux 4 IPA client:
  1. Obtain a Kerberos ticket for the admin user.

    # kinit admin

  2. The ipa-admintools package is not available for Red Hat Enterprise Linux 4. Consequently, you need to perform the following steps on the IPA server.

    1. Add an NFS service principal for the client.

      # ipa-addservice nfs/ipaclient.example.com

    2. Retrieve the NFS keytab.

      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com \
      	-k /tmp/krb5.keytab
      Verify the contents of the keytab:

      # klist -ket /tmp/krb5.keytab


      Note

      The Linux NFS implementation still has limited encryption type support. If your NFS server is hosted on a Linux machine, you may need to pass the -e des-cbc-crc option to the ipa-getkeytab command for every nfs/<FQDN> service keytab you set up, both on the server and on all clients. This instructs the KDC to generate only DES keys. DES is a weak encryption type, so restrict this option to the NFS service principals that require it.

    3. Copy the keytab from the server to the client.

      # scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab

  3. On the IPA client, use the ktutil command to import the keytab.

    # ktutil
    ktutil: read_kt /tmp/krb5.keytab
    ktutil: write_kt /etc/krb5/krb5.keytab
    ktutil: q
    
  4. Add the following line to the /etc/sysconfig/nfs file:

    SECURE_NFS=yes
    
  5. Start the rpcgssd daemon.

    # service rpcgssd start

The IPA client should now be fully configured to mount NFS shares using Kerberos credentials. Use the following command to test the configuration:

# mount -v -t nfs4 -o sec=krb5 ipaserver.example.com:/ /mnt
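The following script is an added example and is not part of the Red Hat procedure: it verifies, from the client side, the three things the steps above change (SECURE_NFS in /etc/sysconfig/nfs, the nfs/<FQDN> principal and its encryption types in the keytab, and whether the resulting mount actually negotiated sec=krb5). The check functions take files as arguments so they can be run offline against captured `klist -ket` output (MIT Kerberos format is assumed), a copy of /etc/sysconfig/nfs and /proc/mounts; the sample data at the bottom is constructed, and the hostnames and mount point follow the page.

```shell
#!/bin/sh
# Added example (not part of the Red Hat procedure above): post-configuration
# checks for the Kerberos NFS client. The functions take files as arguments,
# so they can be run against captured `klist -ket` output, a copy of
# /etc/sysconfig/nfs and /proc/mounts. The sample data below is constructed;
# hostnames and paths follow the page (ipaclient.example.com, /mnt).

# 1. /etc/sysconfig/nfs must set SECURE_NFS=yes (value matched case-insensitively).
check_secure_nfs() {
    grep -Eq '^[[:space:]]*SECURE_NFS=[Yy][Ee][Ss][[:space:]]*$' "$1"
}

# 2. The keytab listing (output of `klist -ket FILE`) must contain the client's
#    nfs/<FQDN> principal. $1 = listing file, $2 = client FQDN.
keytab_has_nfs_principal() {
    grep -q "nfs/$2@" "$1"
}

# Encryption types recorded for that principal, one per line, so the
# administrator can confirm whether the -e des-cbc-crc restriction took effect.
nfs_keytab_enctypes() {
    host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/.*nfs\/$host@[^ ]* (\([^)]*\)).*/\1/p" "$1" | sort -u
}

# 3. The mounted export must be NFSv4 with sec=krb5.
#    $1 = /proc/mounts-style file, $2 = mount point.
mount_uses_krb5() {
    awk -v mp="$2" '
        $2 == mp && $3 == "nfs4" && $4 ~ /(^|,)sec=krb5(,|$)/ { found = 1 }
        END { exit !found }' "$1"
}

# Run all three checks and print a one-line verdict per check.
# Returns 0 only if every check passed.
nfs_client_report() {
    keytab=$1; sysconfig=$2; mounts=$3; fqdn=$4; mountpoint=$5
    rc=0
    if check_secure_nfs "$sysconfig"; then
        echo "OK   SECURE_NFS=yes in $sysconfig"
    else
        echo "FAIL SECURE_NFS not enabled in $sysconfig"; rc=1
    fi
    if keytab_has_nfs_principal "$keytab" "$fqdn"; then
        echo "OK   nfs/$fqdn found, enctypes: $(nfs_keytab_enctypes "$keytab" "$fqdn" | tr '\n' ';')"
    else
        echo "FAIL nfs/$fqdn missing from keytab listing"; rc=1
    fi
    if mount_uses_krb5 "$mounts" "$mountpoint"; then
        echo "OK   $mountpoint is nfs4 with sec=krb5"
    else
        echo "FAIL $mountpoint is not a Kerberos NFSv4 mount"; rc=1
    fi
    return $rc
}

# --- Constructed sample input (not real system output) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NFS_GOOD=$SAMPLE_DIR/nfs-good
SAMPLE_NFS_BAD=$SAMPLE_DIR/nfs-bad
SAMPLE_KEYTAB=$SAMPLE_DIR/klist.out
SAMPLE_MOUNTS=$SAMPLE_DIR/mounts

printf 'SECURE_NFS=yes\n' > "$SAMPLE_NFS_GOOD"
printf '# SECURE_NFS=yes\nSECURE_NFS=no\n' > "$SAMPLE_NFS_BAD"
cat > "$SAMPLE_KEYTAB" <<'EOF'
Keytab name: FILE:/tmp/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/12 00:00:00 nfs/ipaclient.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 01/01/12 00:00:00 host/ipaclient.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
cat > "$SAMPLE_MOUNTS" <<'EOF'
ipaserver.example.com:/ /mnt nfs4 rw,relatime,vers=4,sec=krb5,clientaddr=192.0.2.10 0 0
ipaserver.example.com:/data /data nfs4 rw,relatime,vers=4,sec=sys 0 0
EOF

# On a real client, replace the sample files with live data, for example:
#   klist -ket /etc/krb5/krb5.keytab > /tmp/klist.out
#   nfs_client_report /tmp/klist.out /etc/sysconfig/nfs /proc/mounts ipaclient.example.com /mnt
nfs_client_report "$SAMPLE_KEYTAB" "$SAMPLE_NFS_GOOD" "$SAMPLE_MOUNTS" ipaclient.example.com /mnt
```

The mount check reads the negotiated options rather than trusting the `-o sec=krb5` that was passed, which is the point of testing after the mount: if rpcgssd is not running or the keytab lacks the principal, the mount either fails or never shows sec=krb5, and the report flags it. The enctype listing is there so the DES restriction from the note above is visible instead of assumed.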