User authentication via Kerberos includes these steps:
- Enabling Kerberos authentication in the admin panel.
- Creating principals with their key tables (keytabs) for the Kerberos client and for an NFS share on the Kerberos server.
- Setting up a Kerberos client on a host that the NFS share will be mounted to.
- Enabling user authentication for the NFS share.
- Mounting the NFS share to the host with the Kerberos client.
Prerequisites:
- NFS shares are created and stopped, as described in Creating NFS shares and Managing NFS shares.
- The share's IP address is assigned a fully qualified domain name (FQDN) that resolves both forward (name to address) and reverse (address to name).
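The two prerequisites above are the ones that most often break a Kerberos NFS setup in practice: a share or client name whose PTR record points elsewhere, or a realm written in lowercase. The following pre-flight check is an added example and not part of the product documentation. It verifies that an FQDN resolves forward and that the address resolves back to the same name, and it derives the nfs/<FQDN>@<REALM> principal name that the later steps use. The resolver functions are injectable, so the bottom of the file exercises the check against constructed name tables instead of live DNS; the host names and addresses in those tables are made up.

```python
"""Pre-flight check for the Kerberos/NFS prerequisites: forward and reverse
DNS consistency of a share or client FQDN, and the principal name derived
from it.  Added example, not part of the product documentation."""
import socket
from typing import Callable, List, Tuple

ForwardFn = Callable[[str], str]                                # name -> IPv4 address
ReverseFn = Callable[[str], Tuple[str, List[str], List[str]]]   # address -> (name, aliases, addresses)


def _canon(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def check_fqdn(fqdn: str,
               forward: ForwardFn = socket.gethostbyname,
               reverse: ReverseFn = socket.gethostbyaddr) -> List[str]:
    """Return a list of problems; an empty list means the name is usable for Kerberos."""
    if "." not in fqdn.strip("."):
        return [f"{fqdn!r} is not fully qualified"]
    try:
        addr = forward(fqdn)
    except OSError as exc:                 # socket.gaierror is an OSError subclass
        return [f"{fqdn} does not resolve: {exc}"]
    try:
        ptr_name, aliases, _ = reverse(addr)
    except OSError as exc:
        return [f"{addr} ({fqdn}) has no reverse (PTR) record: {exc}"]
    reverse_names = {_canon(ptr_name)} | {_canon(a) for a in aliases}
    if _canon(fqdn) not in reverse_names:
        return [f"reverse lookup of {addr} gives {ptr_name}, not {fqdn}; "
                "the canonicalised host name will not match the principal"]
    return []


def nfs_principal(fqdn: str, realm: str) -> str:
    """Build the service principal for an NFS share or client host.
    The realm must be uppercase, as required when enabling Kerberos in the admin panel."""
    if realm != realm.upper():
        raise ValueError(f"realm {realm!r} must be written in uppercase letters")
    return f"nfs/{_canon(fqdn)}@{realm}"


# Constructed resolver tables standing in for real DNS (offline demonstration only).
_FORWARD = {
    "share1.example.com": "10.136.10.21",
    "krb-client.example.com": "10.136.10.31",
    "badptr.example.com": "10.136.10.41",
}
_REVERSE = {
    "10.136.10.21": ("share1.example.com", [], ["10.136.10.21"]),
    "10.136.10.31": ("krb-client.example.com", [], ["10.136.10.31"]),
    "10.136.10.41": ("node41.example.com", [], ["10.136.10.41"]),   # PTR points to another name
}


def _stub_forward(name: str) -> str:
    try:
        return _FORWARD[_canon(name)]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def _stub_reverse(addr: str) -> Tuple[str, List[str], List[str]]:
    try:
        return _REVERSE[addr]
    except KeyError:
        raise socket.herror(f"no PTR record for {addr}")


def demo() -> dict:
    """Run the check over the constructed tables; returns name -> list of problems."""
    return {name: check_fqdn(name, _stub_forward, _stub_reverse)
            for name in ("share1.example.com", "badptr.example.com", "missing.example.com")}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
    print(nfs_principal("share1.example.com", "EXAMPLE.COM"))
```

Run against real DNS by calling check_fqdn("share1.example.com") with the default resolvers on the host that will create the principals; a non-empty result should be fixed in DNS before any keytab is generated, because the principal name is baked into the keytab.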
To enable Kerberos authentication
- Go to the Settings > Security > Kerberos tab.
- Specify the following Kerberos information:
  - In Realm, specify your DNS name in uppercase letters.
  - In KDC service, specify the DNS name or IP address of the host running the realm's Key Distribution Center (KDC) service.
  - In KDC administration service, specify the DNS name or IP address of the host running the realm's KDC administration service. The KDC and its administration service usually run on the same host.
- Click Save to apply your changes.
Use the following command:
vinfra service nfs kerberos settings set --realm <realm> --kdc-service <kdc-service> --kdc-admin-service <kdc-admin-service>
where:
- <realm> is the realm name in uppercase letters
- <kdc-service> is the DNS name or IP address of the KDC service
- <kdc-admin-service> is the DNS name or IP address of the KDC administration service
For example, to enable Kerberos authentication, run:
# vinfra service nfs kerberos settings set --realm EXAMPLE.COM --kdc-service 10.136.10.10 \
    --kdc-admin-service 10.136.10.10
To create a keytab file for a principal
- On the Kerberos server, log in as administrator to the Kerberos database administration program.
- Add principals for the Kerberos client and for the NFS share by using the command addprinc -randkey nfs/<FQDN>@<realm>. For example, if the client's domain name is krb-client.example.com and the share's domain name is share1.example.com, run:
# addprinc -randkey nfs/krb-client.example.com@EXAMPLE.COM
# addprinc -randkey nfs/share1.example.com@EXAMPLE.COM
- Generate keytabs for the created principals and save them to a directory you can upload from. For example:
# ktadd -k /tmp/krb-client.keytab nfs/krb-client.example.com@EXAMPLE.COM
# ktadd -k /tmp/share.keytab nfs/share1.example.com@EXAMPLE.COM
Each share and client must have its own principal and keytab.
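Because the keytab uploaded to a share is a long-lived credential, it is worth inspecting before it leaves the Kerberos server: it should contain only the principal for that one share (not the client's as well), and no legacy encryption types. The checker below is an added example and not part of the product documentation. It parses the MIT keytab container format (version 0x0502) directly, so it can be run anywhere Python is available; on the Kerberos server itself, klist -kt shows the same entries. The keytabs at the bottom are constructed in memory with dummy key bytes, not real keys; real keytabs come from ktadd as shown above.

```python
"""Inspect a keytab before uploading it to a share or copying it to a client.
Added example, not part of the product documentation.  Parses the MIT keytab
format (version 0x0502) and checks that the file holds exactly the expected
principal with no weak encryption types."""
import struct
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab version 2: big-endian fields
# RFC 3961 / IANA encryption type numbers that should not appear in a new keytab.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 23: "rc4-hmac"}


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per entry: principal, kvno, enctype and key length (never the key)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted entry (a hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno follows the key block
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Problems found in a keytab that should serve exactly one NFS principal."""
    problems: List[str] = []
    entries = parse_keytab(data)
    principals = {e["principal"] for e in entries}
    if expected_principal not in principals:
        problems.append(f"expected principal {expected_principal} is missing")
    extra = sorted(principals - {expected_principal})
    if extra:
        problems.append("keytab also contains unrelated principals: " + ", ".join(extra))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"{e['principal']} kvno {e['kvno']} uses weak enctype "
                            f"{WEAK_ENCTYPES[e['enctype']]}")
    return problems


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples.  Used here only to construct
    sample input for the checker, never to create a production keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                            # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed samples with dummy key bytes (not real keys).
SHARE_PRINCIPAL = "nfs/share1.example.com@EXAMPLE.COM"
GOOD_KEYTAB = build_keytab([(SHARE_PRINCIPAL, 2, 18, bytes(range(32)))])    # aes256-cts-hmac-sha1-96
MIXED_KEYTAB = build_keytab([
    (SHARE_PRINCIPAL, 2, 18, bytes(range(32))),
    ("nfs/krb-client.example.com@EXAMPLE.COM", 1, 23, bytes(16)),           # client's key, rc4-hmac
])

if __name__ == "__main__":
    for label, keytab in (("good", GOOD_KEYTAB), ("mixed", MIXED_KEYTAB)):
        print(label, parse_keytab(keytab), check_keytab(keytab, SHARE_PRINCIPAL) or "OK")
```

To check a real file, read it in binary mode and pass the bytes to check_keytab together with the principal you expect, for example nfs/share1.example.com@EXAMPLE.COM for /tmp/share.keytab; the parser deliberately reports key lengths only, so its output can be pasted into a ticket without leaking key material.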
To set up the Kerberos client
- On a host that an NFS share will be mounted to, install the required packages. For example, on a CentOS server, run:
# yum install krb5-workstation krb5-libs -y
Configure SELinux, if needed. For details, refer to your OS manual, such as Securing services in the Red Hat Enterprise Linux Security Guide.
- Copy the krb5.conf configuration file and the krb-client.keytab keytab file from the Kerberos server to the client host.
- Ensure that the client host can reach the Kerberos server and the NFS share by their domain names. Also, the client host's own domain name must be the one used when its principal was created on the Kerberos server.
- Start the client service:
# systemctl start nfs-client
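The krb5.conf copied to the client has to name the same realm and KDC that were entered on the Settings > Security > Kerberos tab, otherwise the client obtains tickets from the wrong realm and the mount fails with a permission error. The fragment below is an added example, not a file from the product, filled in with the values used elsewhere on this page (realm EXAMPLE.COM, KDC and admin server at 10.136.10.10); the domain_realm mapping and the /etc/krb5.conf location are assumptions about a typical MIT Kerberos client.

```ini
# /etc/krb5.conf on the NFS client (example; values from this page, paths assumed)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not fall back to DNS SRV discovery; use the KDC configured below.
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = 10.136.10.10
        admin_server = 10.136.10.10
    }

[domain_realm]
    # Map both share1.example.com and krb-client.example.com to the realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

After copying the file, confirm on the client that the copied keytab lists the client's own principal (klist -kt /path/to/krb-client.keytab) and that the system clock is within the KDC's allowed skew, since both a wrong principal name and clock drift show up only as a generic mount failure.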
To enable user authentication for an NFS share
- Go to the Storage services > NFS > Share tab, and then select a share.
- If the share is running, stop it by clicking Stop.
- Click Authentication.
- On the Authentication pane, turn on user authentication, upload the keytab file, and then click Save.
Use the following command:
vinfra service nfs share set [--krb-keytab <krb-keytab>] [--krb-auth <krb-auth>] <name>
where:
- <krb-keytab> is the Kerberos keytab file
- <krb-auth> specifies whether Kerberos authentication is enabled
- <name> is the NFS share name
For example, to enable authentication for the share share1 with the keytab file /tmp/krb5.keytab, run:
# vinfra service nfs share set share1 --krb-auth true --krb-keytab share1.keytab
To mount an NFS share with enabled Kerberos authentication
Use the sec=krb5 option with the mount command. For example, to mount share1 with the share1.example.com domain name, run:
# mkdir /mnt/share
# mount -t nfs4 -o sec=krb5 share1.example.com:/share1 /mnt/share/