Authenticating NFS share users via Kerberos
This feature is experimental and not intended for use in production environments.
User authentication via Kerberos includes these steps:
- Enabling Kerberos authentication in the NFS settings.
- Creating principals with their key tables (keytabs) for the Kerberos client and for an NFS share on the Kerberos server.
- Setting up a Kerberos client on a host that the NFS share will be mounted to.
- Enabling user authentication for the NFS share.
- Mounting the NFS share to the host with the Kerberos client.
Prerequisites
- NFS shares are created and stopped, as described in Creating NFS shares and Managing NFS shares.
- The share’s IP address is assigned a forward and reverse resolvable FQDN (fully qualified domain name).
To enable Kerberos authentication
Admin panel
- Go to the Storage services > NFS > Settings tab and then switch to the Kerberos screen.
- Specify the following Kerberos information:
  - In Realm, specify your DNS name in uppercase letters.
  - In KDC service, specify the DNS name or IP address of the host running the realm's Key Distribution Center (KDC) service.
  - In KDC admin service, specify the DNS name or IP address of the host running the realm's KDC administration service. The KDC and its administration service usually run on the same host.
- Click Save to apply your changes.
Command-line interface
Use the following command:
vinfra service nfs kerberos settings set --realm <realm> --kdc-service <kdc-service> --kdc-admin-service <kdc-admin-service>
--realm <realm>
- Realm name in uppercase letters
--kdc-service <kdc-service>
- DNS name or IP address of the KDC service
--kdc-admin-service <kdc-admin-service>
- DNS name or IP address of the KDC administration service
For example, to enable Kerberos authentication, run:
# vinfra service nfs kerberos settings set --realm EXAMPLE.COM --kdc-service 10.136.10.10 \
--kdc-admin-service 10.136.10.10
To create a keytab file for a principal
- On the Kerberos server, log in as administrator to the Kerberos database administration program.
- Add principals for the Kerberos client and for the NFS share by using the command addprinc -randkey nfs/<FQDN>@<realm>. For example, if the client's domain name is krb-client.example.com and the share's domain name is share1.example.com, run:
# addprinc -randkey nfs/krb-client.example.com@EXAMPLE.COM
# addprinc -randkey nfs/share1.example.com@EXAMPLE.COM
- Generate keytabs for the created principals and save them to a directory you can upload from. For example:
# ktadd -k /tmp/krb-client.keytab nfs/krb-client.example.com@EXAMPLE.COM
# ktadd -k /tmp/share.keytab nfs/share1.example.com@EXAMPLE.COM
Each share and each client must have its own principal and keytab.
To set up the Kerberos client
- On a host that an NFS share will be mounted to, install the required packages. For example, on a CentOS server, run:
# yum install krb5-workstation krb5-libs -y
- Configure firewalld and selinux, if needed. For details, refer to your OS manual, such as Securing services in the Red Hat Enterprise Linux Security Guide.
- Copy the krb5.conf configuration file and the krb-client.keytab keytab file from the Kerberos server to the client host.
- Ensure that the client host can reach the Kerberos server and the NFS share via their domain names. The client host's own domain name must also match the FQDN that was used when its principal was created on the Kerberos server.
- Start the client service:
# systemctl start nfs-client
To enable user authentication for an NFS share
Admin panel
- Go to the Storage services > NFS > Shares tab, and then click the line with a share.
- If the share is running, stop it by clicking Stop on the right pane.
- Click Authentication on the right pane.
- In the Authentication window, enable user authentication, upload the corresponding keytab file, and then click Save.
Command-line interface
Use the following command:
vinfra service nfs share set [--krb-keytab <krb-keytab>] [--krb-auth <krb-auth>] <name>
--krb-keytab <krb-keytab>
- Kerberos keytab file
--krb-auth <krb-auth>
- Whether or not Kerberos authentication is enabled (true or false)
<name>
- NFS share name
For example, to enable authentication for the share share1 with the keytab file /tmp/krb5.keytab, run:
# vinfra service nfs share set share1 --krb-auth true --krb-keytab share1.keytab
To mount an NFS share with enabled Kerberos authentication
Specify the sec=krb5 option with the mount command. For example, to mount share1 with the share1.example.com domain name, run:
# mkdir /mnt/share
# mount -t nfs4 -o sec=krb5 share1.example.com:/share1 /mnt/share/
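As an added example that is not part of this documentation or of the vinfra tool, the following POSIX shell script pre-checks the prerequisites above before a keytab is uploaded or a share is mounted: the realm is uppercase, the share or client FQDN resolves forward and reverse consistently, and the keytab actually holds the nfs/<FQDN>@<REALM> principal. Function names are hypothetical and the embedded klist listing is constructed; in real use the checks call getent and klist.

```shell
#!/bin/sh
# Added example, not part of the product documentation: pre-flight checks for
# the Kerberos NFS setup above. Function names are hypothetical.

# Expected principal for a client or share host: nfs/<FQDN>@<REALM>.
expected_principal() {
    printf 'nfs/%s@%s\n' "$1" "$2"
}

# The realm must be the DNS domain in uppercase letters (e.g. EXAMPLE.COM).
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Prerequisite: forward and reverse lookups must agree. Arguments: the FQDN,
# the address it resolved to, and the name that address resolved back to
# (in real use taken from `getent hosts <fqdn>` and `getent hosts <ip>`).
fqdn_roundtrip_ok() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    got=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    [ -n "$2" ] && [ -n "$got" ] && [ "$want" = "$got" ]
}

# Reads a `klist -k` listing on stdin (KVNO and principal per entry line) and
# succeeds only if the given principal is present, so a wrong keytab is caught
# before it is uploaded to a share or copied to a client.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Constructed sample of `klist -k` output for the share keytab from this page.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/tmp/share.keytab
KVNO Principal
---- ----------------------------------
   2 nfs/share1.example.com@EXAMPLE.COM'

# Runs all checks for one host and its keytab, for example:
#   preflight share1.example.com EXAMPLE.COM /tmp/share.keytab
preflight() {
    fqdn=$1; realm=$2; keytab=$3
    realm_is_uppercase "$realm" || { echo "realm '$realm' is not uppercase" >&2; return 1; }
    ip=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    back=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    fqdn_roundtrip_ok "$fqdn" "$ip" "$back" \
        || { echo "$fqdn does not resolve forward and reverse consistently" >&2; return 1; }
    klist -k "$keytab" | keytab_has_principal "$(expected_principal "$fqdn" "$realm")" \
        || { echo "$keytab does not contain $(expected_principal "$fqdn" "$realm")" >&2; return 1; }
    echo "$fqdn: realm, DNS and keytab are consistent"
}
```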