Kerberos is used for authentication and the idea is that within Kerberos, a set of credentials is kept hence we will configure a Kerberized NFS Server. Kerberos will know about the NFS server, Kerberos will know about the NFS clients, and Kerberos will know about the user.

How to configure secure Kerberized NFS Server ( RHEL / CentOS 7)

 

Kerberized NFS Server

We need Kerberized NFS because NFS is very limited security. It only checks the IP address or host name of the client and if the IP address or host name of the client is okay, then access will be granted. If you want to tighten security a little bit more, you can use the sec= option, which works with different arguments.

IMPORTANT NOTE:
I have already written a detailed step by step tutorial to configure FreeIPA server and client. So I will use the same setup to demonstrate this article on setting up Kerberized NFS server.

 

Create NFS service on IPA server

Before starting with the NFS service configuration, we must add a new service on any on of the IPA server or client. For this article I will create NFS service on IPA server i.e. node1.example.com.

Follow the below screenshots to achieve the same.

I will login to my IPA server using the browser on node1.example.com

How to configure secure Kerberized NFS Server ( RHEL / CentOS 7)

 

Next choose the service as ‘nfs‘ from the drop down menu and select the host on which the service must be created which for us node1.example.com

How to configure secure Kerberized NFS Server ( RHEL / CentOS 7)

 

Verify the service which we just created.

How to configure secure Kerberized NFS Server ( RHEL / CentOS 7)

 

Now since I have configured my IPA server as NFS server hence I don’t need to import the keytab file but in case you have a different NFS server then follow the below command

[root@node3 ~]# ipa-getkeytab -s  -p nfs/ -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

View the available credentials

[root@node1 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   1 nfs/node1.example.com@EXAMPLE.COM
   1 nfs/node1.example.com@EXAMPLE.COM

 

Configure Kerberized NFS share on server

To start with let us first of all create an NFS share path which will be shared across the network to our clients.

[root@node1 ~]# mkdir /secureshare

I will give full permission to my share for the sake of this article.

[root@node1 ~]# chmod 777 /secureshare/

 

There are three different options to configure Kerberized NFS: krb5, krb5i, and krb5p.
Different security options can be used with sec=

  • none: it allows anonymous access to files and writes to the server are issued as nfsnobody
  • sys: File access, in this case, is based on UID and GID mapping and that means that if a file on the server is owned by user 1000, and user 1000 from the client tries to access it, you will get the access permissions of user 1000 in the server. There is no checking to see if these are the same users, so it’s not ideal from a security perspective.
  • krb5: clients must prove ID using kerberos
  • krb5i: like krb5, but adds guarantee that data has not been tampered with
  • krb5p: adds encryption to the above

In fact, there is no reason to use anything but krb5p because using that option, the client must prove ID using a Kerberos ticket. Also, Kerberos acts to guarantee that data has not been tampered with and encryption is added, as well. That is a pretty nice option if you want to use Kerberized NFS

[root@node1 ~]# cat /etc/exports
/secureshare *(sec=krb5p,rw)

Next start you nfs-server and check the status to make sure the service is running properly.

[root@node1 ~]# systemctl start nfs-server

[root@node1 ~]# systemctl status nfs-server
● nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
  Drop-In: /run/systemd/generator/nfs-server.service.d
           └─order-with-mounts.conf
   Active: active (exited) since Wed 2019-04-10 05:52:13 IST; 4s ago
  Process: 4960 ExecStartPost=/bin/sh -c if systemctl -q is-active gssproxy; then systemctl restart gssproxy ; fi (code=exited, status=0/SUCCESS)
  Process: 4923 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 4921 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 4923 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/nfs-server.service

Apr 10 05:52:08 node1.example.com systemd[1]: Starting NFS server and services...
Apr 10 05:52:13 node1.example.com systemd[1]: Started NFS server and services.

Validate the newly created mount point

[root@node1 ~]# showmount -e localhost
Export list for localhost:
/secureshare *
[root@node1 ~]# exportfs -v
/secureshare    (sync,wdelay,hide,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)

 

Enable NFS on the Firewall

Add NFS service in your firewall to all all the authentication request from clients.

[root@node1 ~]# firewall-cmd --permanent --add-service=nfs
success

[root@node1 ~]# firewall-cmd --permanent --add-service=mountd
success

[root@node1 ~]# firewall-cmd --permanent --add-service=rpc-bind
success

Reload the firewall services

[root@node1 ~]# systemctl reload firewalld

Verify the newly added firewall services.

[root@node1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client freeipa-ldap freeipa-ldaps dns nfs mountd rpc-bind
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

 

Configure Kerberized NFS service on the client node

Now let us start configuration on our client node. First of all generate a kerberos token using admin user.

[root@node2 ~]# kinit admin
Password for admin@EXAMPLE.COM:

Verify the kerberos credential using klist

[root@node2 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/node2.example.com@EXAMPLE.COM
   1 host/node2.example.com@EXAMPLE.COM

Next we need to install all the rpm required to configure NFS client with kerberos authentication

[root@node2 ~]# yum groups install -y "Network File System Client"

Next start and enable the nfs-secure service

[root@node2 ~]# systemctl enable nfs-secure
[root@node2 ~]# systemctl start nfs-secure

Create a mount point for the NFS share

[root@node2 ~]# mkdir /securenfs

It is time to mount the NFS share on our client node.

[root@node2 ~]# mount -o sec=krb5p node1.example.com:/secureshare /mnt

So the NFS share is successfully mounted, you can validate the same using mount command.

[root@node2 ~]# mount | grep securenfs
node1:/secureshare on /securenfs type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.0.2.31,local_lock=none,addr=10.0.2.30)

 

LDAP user to access nfs-secure share

Now this share is accessible by system users but the benefit of Kerberized NFS share is that it can be used by LDAP users as well. Now I have a LDAP user ‘deepak‘ so let me try to access the NFS share using ‘deepak‘ user.

[root@node2 securenfs]# su - deepak
Last login: Mon Feb 25 20:56:05 IST 2019 on :0

I will try to navigate inside my NFS share.

[deepak@node2 ~]$ cd /securenfs/
-bash: cd: /securenfs/: Permission denied

As you see we are getting permission denied. Now this is expected behaviour. Since there are no tokens generated for ‘deepak‘ user. So let us generate a kerberos token for deepak user using kinit

[deepak@node2 ~]$ kinit deepak
Password for deepak@EXAMPLE.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:

Next attempt to access the NFS share.

[deepak@node2 ~]$ cd /securenfs/

[deepak@node2 securenfs]$ pwd
/securenfs

[deepak@node2 securenfs]$ touch file

[deepak@node2 securenfs]$ ls -l
total 0
-rw-rw-r--. 1 deepak deepak 0 Apr 10 06:10 file

So now the deepak user is able to access the share and also has write permission on the share.

 

Lastly I hope the steps from the article to configure Kerberized NFS server on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

Leave a Reply

Your email address will not be published. Required fields are marked *