Authenticating NFS share users via Kerberos

User authentication via Kerberos includes these steps:

  1. Enabling Kerberos authentication in the admin panel.
  2. Creating principals with their key tables (keytabs) for the Kerberos client and for an NFS share on the Kerberos server.
  3. Setting up a Kerberos client on a host that the NFS share will be mounted to.
  4. Enabling user authentication for the NFS share.
  5. Mounting the NFS share to the host with the Kerberos client.

Prerequisites

  • NFS shares are created and stopped, as described in Creating NFS shares and Managing NFS shares.
  • The share’s IP address is assigned a forward and reverse resolvable FQDN (fully qualified domain name).

To enable Kerberos authentication

Admin panel

  1. Go to the Settings > Security > Kerberos tab.
  2. Specify the following Kerberos information:

    1. In Realm, specify your DNS name in uppercase letters.
    2. In KDC service, specify the DNS name or IP address of the host running the realm’s Key Distribution Center (KDC) service.
    3. In KDC administration service, specify the DNS name or IP address of the host running the realm’s KDC administration service.

      The KDC and its administration service usually run on the same host.

  3. Click Save to apply your changes.

Command-line interface

Use the following command:

vinfra service nfs kerberos settings set --realm <realm> --kdc-service <kdc-service>
                                         --kdc-admin-service <kdc-admin-service>

  --realm <realm>
    Realm name in uppercase letters.
  --kdc-service <kdc-service>
    DNS name or IP address of the KDC service.
  --kdc-admin-service <kdc-admin-service>
    DNS name or IP address of the KDC administration service.

For example, to enable Kerberos authentication, run:

# vinfra service nfs kerberos settings set --realm EXAMPLE.COM --kdc-service 10.136.10.10 \
--kdc-admin-service 10.136.10.10

To create a keytab file for a principal

  1. On the Kerberos server, log in as administrator to the Kerberos database administration program.
  2. Add principals for the Kerberos client and for the NFS share by using the command addprinc -randkey nfs/<FQDN>@<realm>. For example, if the client's domain name is krb-client.example.com and the share's domain name is share1.example.com, run:

    # addprinc -randkey nfs/krb-client.example.com@EXAMPLE.COM
    # addprinc -randkey nfs/share1.example.com@EXAMPLE.COM
  3. Generate keytabs for the created principals and save them to a directory you can upload from. For example:

    # ktadd -k /tmp/krb-client.keytab nfs/krb-client.example.com@EXAMPLE.COM
    # ktadd -k /tmp/share.keytab nfs/share1.example.com@EXAMPLE.COM

    Each share and each client must have its own principal and keytab.

To set up the Kerberos client

  1. On a host that an NFS share will be mounted to, install the required packages. For example, on a CentOS server, run:

    # yum install krb5-workstation krb5-libs -y
  2. Configure firewalld and selinux, if needed. For details, refer to your OS manual, such as Securing services in the Red Hat Enterprise Linux Security Guide.

  3. Copy the krb5.conf configuration file and the krb-client.keytab keytab file from the Kerberos server to the client host.
  4. Ensure that the client host can reach the Kerberos server and the NFS share by their domain names. The client host's own FQDN must also be the one used in its principal on the Kerberos server (for example, krb-client.example.com for nfs/krb-client.example.com@EXAMPLE.COM).
  5. Start the client service:

    # systemctl start nfs-client.target
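The prerequisite above (a forward and reverse resolvable FQDN) and step 4 (the client's FQDN matching its principal) are the two conditions that most often break a Kerberos NFS mount, and neither produces a clear error at mount time. The following pre-flight script is an added example, not part of the product documentation or the vinfra tooling; it assumes the standard getent, hostname -f and klist (from krb5-workstation) utilities and the principal naming convention nfs/<FQDN>@<REALM> used on this page.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberos NFS client (added example, not the product's own code).
# Verifies: the principal name has the expected form nfs/<FQDN>@<REALM> with an uppercase
# realm, the FQDN resolves forward and reverse to itself, and the keytab holds that principal.

# check_principal_name PRINCIPAL FQDN REALM
# Returns 0 only when PRINCIPAL is exactly nfs/FQDN@REALM, FQDN is fully qualified
# (contains a dot) and REALM is written in uppercase, as the Kerberos settings require.
check_principal_name() {
    principal=$1
    fqdn=$2
    realm=$3
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || return 1
    case $fqdn in
        *.*) ;;
        *) return 1 ;;
    esac
    [ "$principal" = "nfs/$fqdn@$realm" ]
}

# check_fqdn_resolves FQDN
# Forward-resolves FQDN to an address, then reverse-resolves that address and
# requires the name to come back unchanged (the prerequisite on this page).
check_fqdn_resolves() {
    fqdn=$1
    ip=$(getent ahosts "$fqdn" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "forward lookup failed: $fqdn" >&2; return 1; }
    rname=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$rname" = "$fqdn" ] || {
        echo "reverse lookup of $ip returned '$rname', expected $fqdn" >&2
        return 1
    }
}

# check_keytab_has_principal KEYTAB PRINCIPAL
# Lists the keytab entries (lines starting with a KVNO) and looks for an exact match.
check_keytab_has_principal() {
    klist -k "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | grep -qx "$2"
}

# Stand-alone usage: sh nfs_krb_preflight.sh <keytab> <REALM> [fqdn]
# The FQDN defaults to this host's own name, which is what the keytab must match.
if [ "$#" -ge 2 ]; then
    keytab=$1
    realm=$2
    fqdn=${3:-$(hostname -f)}
    principal="nfs/$fqdn@$realm"
    check_principal_name "$principal" "$fqdn" "$realm" &&
        check_fqdn_resolves "$fqdn" &&
        check_keytab_has_principal "$keytab" "$principal" &&
        echo "OK: $principal present in $keytab and $fqdn resolves both ways"
fi
```

Run it on the client host after copying the keytab (step 3), for example `sh nfs_krb_preflight.sh /etc/krb-client.keytab EXAMPLE.COM`; a non-zero exit with a message on stderr points at the DNS or principal mismatch to fix before attempting the mount.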

To enable user authentication for an NFS share

Admin panel

  1. Go to the Storage services > NFS > Share tab, and then select a share.
  2. If the share is running, stop it by clicking Stop.
  3. Click Authentication.
  4. On the Authentication pane, turn on user authentication, upload the keytab file, and then click Save.

Command-line interface

Use the following command:

vinfra service nfs share set [--krb-keytab <krb-keytab>] [--krb-auth <krb-auth>] <name>

  --krb-keytab <krb-keytab>
    Kerberos keytab file.
  --krb-auth <krb-auth>
    Whether Kerberos authentication is enabled (true or false).
  <name>
    NFS share name.

For example, to enable authentication for the share share1 with the keytab file /tmp/krb5.keytab, run:

# vinfra service nfs share set share1 --krb-auth true --krb-keytab /tmp/krb5.keytab

To mount an NFS share with enabled Kerberos authentication

Specify the sec=krb5 option with the mount command. For example, to mount share1 with the share1.example.com domain name, run:

# mkdir /mnt/share
# mount -t nfs4 -o sec=krb5 share1.example.com:/share1 /mnt/share/