NFSv4 with kerberos authentication
8:08 PM
Pre-requisites:
Configure ldap/kerberos (Join to AD)
Basic NFS should be configured. If the NFSv4 packages are not installed, use the command below. NFSv4 does not need portmap; it is only needed if you want to fall back to NFSv3.
yum install nfs-utils nfs4-acl-tools portmap
Users logging in to server should be able to authenticate against ldap.
Hostname should be same when checked through hostname command, /etc/hosts, /etc/sysconfig/network and /etc/idmapd.conf.
Forward and reverse lookup should work for nfs4 server host.
Sample config files:
/etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 rhel564bit localhost.localdomain localhost
10.102.91.201 iadcalyptest01p.calypso.Latheef,com iadcalyptest01p
10.100.185.21 iadcalypad01p.calypso.Latheef,com
::1 localhost6.localdomain6 localhost6
10.102.91.201 iadcalyptest01p.calypso.Latheef,com
10.102.91.202 iadcalyptest02p.calypso.Latheef,com
10.102.91.201 iadcalyptest01p
10.102.91.202 iadcalyptest02p
/etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = calypso.Latheef,com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
/etc/pam.d/system-auth
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
#account required /lib/security/$ISA/pam_permit.so
#New Line
password sufficient /lib/security/$ISA/pam_krb5.so debug minimum_uid=499 use_authtok
#End
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session required /lib/security/$ISA/pam_mkhomedir.so silent umask=077
/etc/krb5.conf file should look similar to this
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CALYPSO.Latheef,com
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CALYPSO.Latheef,com = {
kdc = 10.100.185.21:88
admin_server = iadcalypad01p.calypso.Latheef,com:749
default_domain = calypso.Latheef,com
}
[domain_realm]
calypso.Latheef,com = CALYPSO.Latheef,com
.calypso.Latheef,com = CALYPSO.Latheef,com
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/sysconfig/nfs must contain the line below, uncommented. rpc.gssd (the rpcgssd service) is only started when it is set. If it does not start together with the nfs service, start it with "service rpcgssd start".
SECURE_NFS="yes"
/etc/ldap.conf should not contain the line below; comment it out:
nss_map_attribute userPassword userPassword
/etc/sysconfig/network (the FQDN must be in the domain that [domain_realm] in krb5.conf maps to the realm)
HOSTNAME=iadcalyptest01p.calypso.Latheef,com
/etc/nsswitch.conf should contain
netgroup: files ldap
automount: files ldap
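Most rpc.gssd and idmapd failures in this setup come from the hostname, the idmapd Domain, /etc/hosts and SECURE_NFS disagreeing with each other. The script below is an added example (not part of the original page) that checks those prerequisites; every check takes file paths so it runs here against constructed copies of the page's sample files, and on a live box you would point it at /etc/sysconfig/network, /etc/idmapd.conf, /etc/sysconfig/nfs, /etc/hosts and the output of "hostname -f".

```sh
#!/bin/sh
# Added example, not from the original page: preflight checks for the
# hostname/domain consistency that rpc.gssd and idmapd depend on.

# Domain = value from the [General] section of an idmapd.conf
idmapd_domain() {
    awk -F'=' '/^[ \t]*Domain[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# HOSTNAME= value from /etc/sysconfig/network (quotes stripped)
sysconfig_hostname() {
    awk -F'=' '/^HOSTNAME=/ { gsub(/[ \t"]/, "", $2); print $2; exit }' "$1"
}

# rpc.gssd / rpc.svcgssd only start when SECURE_NFS is set and uncommented
secure_nfs_enabled() {
    grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?' "$1"
}

# A common gssd failure: the FQDN sits on a 127.x line of /etc/hosts, so the
# host "resolves" to loopback and the wrong principal name is derived.
# $1 = hosts file, $2 = FQDN; returns 0 (true) when the FQDN is on loopback.
fqdn_on_loopback() {
    awk -v h="$2" '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
                   END { exit(found ? 0 : 1) }' "$1"
}

# Cross-check sysconfig HOSTNAME, "hostname -f" and the idmapd Domain.
# $1 = sysconfig/network, $2 = idmapd.conf, $3 = output of "hostname -f"
check_consistency() {
    fqdn=$(sysconfig_hostname "$1" | tr 'A-Z' 'a-z')
    live=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    dom=$(idmapd_domain "$2" | tr 'A-Z' 'a-z')
    rc=0
    [ "$fqdn" = "$live" ] || { echo "MISMATCH: HOSTNAME=$fqdn but hostname -f says $live"; rc=1; }
    case "$fqdn" in
        *.*) host_dom=${fqdn#*.} ;;
        *)   echo "HOSTNAME is not fully qualified: $fqdn"; return 1 ;;
    esac
    [ "$host_dom" = "$dom" ] || { echo "MISMATCH: idmapd Domain=$dom but host domain is $host_dom"; rc=1; }
    return $rc
}

# Demo against constructed copies of the page's sample files.
tmp=$(mktemp -d)
printf 'HOSTNAME=iadcalyptest01p.calypso.Latheef,com\n' > "$tmp/network"
printf '[General]\nVerbosity = 0\nDomain = calypso.Latheef,com\n' > "$tmp/idmapd.conf"
printf '#SECURE_NFS="yes"\n' > "$tmp/nfs"
printf '127.0.0.1 rhel564bit localhost.localdomain localhost\n10.102.91.201 iadcalyptest01p.calypso.Latheef,com iadcalyptest01p\n' > "$tmp/hosts"
if check_consistency "$tmp/network" "$tmp/idmapd.conf" iadcalyptest01p.calypso.Latheef,com; then echo "hostname/domain: OK"; fi
if secure_nfs_enabled "$tmp/nfs"; then echo "SECURE_NFS: OK"; else echo "SECURE_NFS: not enabled, rpc.gssd will not start"; fi
if fqdn_on_loopback "$tmp/hosts" iadcalyptest01p.calypso.Latheef,com; then echo "hosts: FQDN on loopback line"; else echo "hosts: OK"; fi
rm -rf "$tmp"
```

The comparison is case-insensitive because DNS and Kerberos principal host parts are compared that way by rpc.gssd, while idmapd's Domain is matched as written.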
Create three users on the AD server to generate keytab files; in this example they are host-krb, nfs-krb and host2-krb. Run the commands below in a command prompt on the AD server to generate the keytab files. host2-krb is used to generate the keytab for the NFS client box, which is needed for the ksu part of the setup (ksu verifies the credentials it obtains against the local host key). The realm part of the principal is case-sensitive and must be in upper case, as in the klist output further down.
ktpass -princ host/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com -mapuser host-krb -crypto DES-CBC-CRC -pass Pass123! -ptype KRB5_NT_SRV_HST -out host.keytab
ktpass -princ nfs/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com -mapuser nfs-krb -crypto DES-CBC-CRC -pass Pass123! -ptype KRB5_NT_SRV_HST -out nfs.keytab
ktpass -princ host/iadcalyptest02p.calypso.Latheef,com@CALYPSO.Latheef,com -mapuser host2-krb -crypto DES-CBC-CRC -pass Pass123! -ptype KRB5_NT_SRV_HST -out client_host.keytab
These commands use DES-CBC-CRC because that is what this AD and RHEL 5 combination supported. Single DES is broken: Windows domain controllers have disabled it by default for years, MIT Kerberos refuses single-DES keys unless allow_weak_crypto is set, and recent MIT releases drop DES entirely. On anything newer use -crypto AES256-SHA1. Also avoid putting the account password on the command line, where it ends up in the command history: ktpass accepts -pass * to prompt for it, or +rndpass to set a random one.
Example output of a ktpass command run in a command prompt on the AD server; there should be no warning.
C:\>ktpass -princ host/iadcalyptest02p.calypso.Latheef,com@CALYPSO.Latheef,com -mapuser host2-krb -crypto DES-CBC-CRC -pass Pass123! -ptype KRB5_NT_SRV_HST -out client_host.keytab
Targeting domain controller: iadcalypad01p.calypso.Latheef,com
Successfully mapped host/iadcalyptest02p.calypso.Latheef,com to host2-krb.
Key created.
Output keytab to client_host.keytab:
Keytab version: 0x502
keysize 109 host/iadcalyptest02p.calypso.Latheef,com@CALYPSO.CUST.CORP.OPSOURCE.NET ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x45aba443a2fb3b07)
Account host2-krb has been set for DES-only encryption.
Copy the keytab files to the NFSv4 server over an encrypted channel (scp, or WinSCP from the Windows side). They contain the service keys, so keep them readable by root only. Then use ktutil on the NFS server as below to combine the three keytab files into a single keytab.
[root@iadcalyptest01p ~]# ktutil
ktutil: read_kt nfs.keytab
ktutil: read_kt host.keytab
ktutil: read_kt client_host.keytab
ktutil: write_kt krb5.keytab
ktutil: quit
Once krb5.keytab is generated, copy it to /etc (owned by root, mode 0600) and run the commands below to check that everything works as expected.
For every principal, the kvno the KDC reports (kvno command) must equal the kvno stored in the keytab (klist -k -e). A mismatch means the AD account's password was changed after the keytab was generated, and the keytab must be regenerated. The server's two principals (nfs/ and host/) map to different AD accounts, so their numbers need not be equal to each other or to the client's host/ principal; what must hold is that each keytab entry matches the KDC.
Before running kvno do a kdestroy and then kinit as the nfs-krb account, so that there is a TGT to request service tickets with.
kvno nfs/iadcalyptest01p.calypso.Latheef,com
kvno host/iadcalyptest01p.calypso.Latheef,com
klist -k -e
Example:
[root@iadcalyptest01p ~]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com (DES cbc mode with CRC-32)
3 host/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com (DES cbc mode with CRC-32)
3 host/iadcalyptest02p.calypso.Latheef,com@CALYPSO.Latheef,com (DES cbc mode with CRC-32)
[root@iadcalyptest01p ~]# kvno nfs/iadcalyptest01p.calypso.Latheef,com
nfs/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com: kvno = 3
[root@iadcalyptest01p ~]# kvno host/iadcalyptest01p.calypso.Latheef,com
host/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com: kvno = 3
[root@iadcalyptest01p ~]# kvno host/iadcalyptest02p.calypso.Latheef,com
host/iadcalyptest02p.calypso.Latheef,com@CALYPSO.Latheef,com: kvno = 3
The commands below should not return any output if everything is working as expected: kinit with a keytab prints nothing on success. An error such as "Preauthentication failed" or "Key table entry not found" means the keytab does not match the KDC.
kinit -k -t /etc/krb5.keytab nfs/iadcalyptest01p.calypso.Latheef,com
kinit -k -t /etc/krb5.keytab host/iadcalyptest01p.calypso.Latheef,com
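The kvno comparison above is easy to get wrong by eye once a keytab holds several principals and enctypes. The script below is an added example (not part of the original page) that reads saved "klist -k -e" and "kvno" output, reports every principal whose keytab kvno differs from the KDC's, and flags single-DES and RC4 keys. The sample output it runs on is constructed here: it follows the page's klist format but uses AES entries and a deliberately bumped kvno for the host/ principal to show what a stale keytab looks like.

```sh
#!/bin/sh
# Added example, not from the original page: compare the kvno of each
# principal as the KDC reports it ("kvno <princ>") with the kvno stored in
# the keytab ("klist -k -e"), and flag weak keys. On a live box save the two
# outputs first, after kdestroy and kinit as the nfs-krb account:
#   klist -k -e > /tmp/klist.txt ; kvno nfs/... host/... > /tmp/kvno.txt

# klist -k -e lines -> "principal<TAB>kvno<TAB>enctype"
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\)[ \t]*$/, "", enc)
        print $2 "\t" $1 "\t" enc
    }' "$1"
}

# kvno output lines ("princ@REALM: kvno = N") -> "principal<TAB>kvno"
kdc_kvnos() {
    awk -F': kvno = ' '/: kvno = / { print $1 "\t" $2 }' "$1"
}

# One line per KDC principal (OK / MISMATCH / MISSING), then one WEAK line
# per keytab entry that uses single DES or RC4.
keytab_report() {
    kdc_kvnos "$2" | while read -r princ kv; do
        found=$(keytab_entries "$1" | awk -F'\t' -v p="$princ" '$1 == p { print $2 }' | sort -u)
        if [ -z "$found" ]; then
            echo "MISSING  $princ has no entry in the keytab"
        elif [ "$found" != "$kv" ]; then
            echo "MISMATCH $princ keytab kvno $(echo $found) != KDC kvno $kv (stale keytab, regenerate it)"
        else
            echo "OK       $princ kvno $kv"
        fi
    done
    keytab_entries "$1" | awk -F'\t' '$3 ~ /^DES / || tolower($3) ~ /arcfour|rc4/ { print "WEAK     " $1 " uses " $3 }'
}

# Exit 0 only when every principal matches and no weak key is present.
check_keytab() {
    out=$(keytab_report "$1" "$2")
    printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -Eq '^(MISSING|MISMATCH|WEAK)'
}

# Demo on constructed sample output (the KDC kvno for host/ is 4, the keytab has 3).
tmp=$(mktemp -d)
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com (DES cbc mode with CRC-32)
EOF
cat > "$tmp/kvno.txt" <<'EOF'
nfs/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com: kvno = 3
host/iadcalyptest01p.calypso.Latheef,com@CALYPSO.Latheef,com: kvno = 4
EOF
check_keytab "$tmp/klist.txt" "$tmp/kvno.txt"
rm -rf "$tmp"
```

A MISMATCH here is the usual cause of "Preauthentication failed" from kinit -k and of rpc.gssd refusing the mount after someone reset the AD account's password; the fix is to rerun ktpass and rebuild krb5.keytab.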
Client Configuration:
Copy krb5.conf to the client's /etc. For the keytab, the client only needs its own host/iadcalyptest02p principal, so install client_host.keytab as /etc/krb5.keytab on the client rather than the combined krb5.keytab, which would hand the NFS server's nfs/ service key to the client. Start the NFS services as below; rpc.gssd needs to be running on the client as well, so SECURE_NFS="yes" must be set in the client's /etc/sysconfig/nfs too.
service nfs start
service nfslock start
service rpcgssd start
service rpcidmapd restart
Try mounting the the exported share from client machine.
Example:
mount -t nfs4 -o sec=krb5 iadcalyptest01p.calypso.Latheef,com:/ /nfs4/
If you get an error related to rpc.gssd, make sure /etc/sysconfig/nfs is correct and that forward and reverse lookup work, using dig. Both the service and the lookups must work on the NFSv4 server and on the client, and the name returned by the reverse lookup must match the host part of the principal in the keytab.
Example:
dig iadcalyptest01p.calypso.Latheef,com +short
dig -x 10.102.91.201 +short
Switch to a normal LDAP user and try accessing the share. If you get a permission denied error, the user has no Kerberos ticket yet; obtain one as that user.
Example:
kinit <ldapusername>
Now you should be able to access the NFSv4 share on the client, write and read files from the share.
If you get a permission denied error while mounting the NFSv4 share from the client, check idmapd.conf on both server and client: the Domain under [General] must be correct and the file should be identical on both. Then re-export the share on the NFS server (exportfs -ra), restart rpcidmapd on both sides and try the mount again. A correct idmapd Domain is also what makes files created on the share show the right owner name instead of nobody.
NFSv4 without kerberos-Server config:
Stop nfs service
service nfs stop
/etc/sysconfig/nfs contains the line below; comment it out. rpcgssd will then no longer be started when the nfs service restarts.
SECURE_NFS="yes"
Edit the /etc/exports file and replace the gss/krb5 with a *
Example:
Replace this
/calypsotest/nfs/ gss/krb5(rw,sync,acl,no_root_squash,no_subtree_check,nohide,fsid=0)
with
/calypsotest/nfs/ *(rw,sync,acl,no_root_squash,no_subtree_check,nohide,fsid=0)
Reexport with command
exportfs -frav
Start nfs service
service nfs start
Login to client and mount the share using below command. Note that we have excluded "-o sec=krb5" option from this which we used previously with kerberos
mount -t nfs4 iadcalyptest01p.calypso.Latheef,com:/ /nfs4/
Now you should be able to access, read and write to the NFSv4 share. Be aware of what this fallback gives up: without Kerberos the server trusts whatever UID and GID the client asserts (sec=sys), and with "*" plus no_root_squash any host that can reach the server gets root on the export. If the fallback has to stay, restrict the client list to addresses or a netgroup and drop no_root_squash unless something actually needs it.
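To catch the weakening described above before it reaches production, the script below is an added example (not part of the original page) that lints an exports(5) file for wildcard clients, no_root_squash and exports that accept sec=sys. It understands both the legacy "gss/krb5" client form used on this page and the modern sec= option. The exports file it runs on is constructed here from the page's two export lines plus a tightened variant.

```sh
#!/bin/sh
# Added example, not from the original page: lint an exports(5) file for
# wildcard clients, no_root_squash and sec=sys (client-asserted UIDs).

lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {             # one token per client spec
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "*")
                print "WARN " path ": exported to any host"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print "WARN " path " " client ": no_root_squash, client root is root on the export"
            # legacy gss/krb5 client form implies Kerberos; otherwise require a
            # sec= list that does not include sys (no sec= at all means sys)
            if (client !~ /^gss\// && (opts !~ /(^|,)sec=/ || opts ~ /(^|,)sec=[^,]*sys/))
                print "WARN " path " " client ": sec=sys accepted, client-asserted UIDs are trusted"
        }
    }' "$1"
}

# Demo on a constructed exports file.
tmp=$(mktemp -d)
cat > "$tmp/exports" <<'EOF'
# constructed sample: the page's krb5 export, its wildcard fallback, and a tightened version
/calypsotest/nfs/ gss/krb5(rw,sync,acl,no_root_squash,no_subtree_check,nohide,fsid=0)
/calypsotest/nfs/ *(rw,sync,acl,no_root_squash,no_subtree_check,nohide,fsid=0)
/calypsotest/nfs/ 10.102.91.202(rw,sync,sec=krb5p,root_squash,no_subtree_check,fsid=0)
EOF
lint_exports "$tmp/exports"
rm -rf "$tmp"
```

The third line shows the shape a practitioner would want for the Kerberos export on a current nfs-utils: an explicit client, sec=krb5p (integrity and privacy, not just authentication) and root_squash.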
Implementing ksu: ksu=kerberized su
Pre-requisite: a working NFSv4 with Kerberos setup as documented above. The client's own host/ principal must be in /etc/krb5.keytab on the client, because ksu verifies the credentials it obtains against the host key before switching user.
In this example we have two users nfstest1 and nfstest2. Suppose nfstest1 user wants to ksu as nfstest2 then the below should be done.
Create a file named .k5login in the home directory of user nfstest2 with entries like the example below. The user's own principal must also be listed: once .k5login exists it replaces the default "principal name equals user name" rule, so without that entry Kerberos logins as nfstest2 are denied.
[nfstest2@iadcalyptest02p ~]$ ls -la
-rw-r--r-- 1 nfstest2 opsource_sudo 80 Jul 27 09:02 .k5login
[nfstest2@iadcalyptest02p ~]$ cat .k5login
nfstest1@CALYPSO.Latheef,com
nfstest2@CALYPSO.Latheef,com
Because nfstest1 is listed in nfstest2's .k5login, ksu lets nfstest1 become nfstest2 on the strength of nfstest1's own ticket; nfstest2's password is not needed. ksu still authenticates nfstest1 against the KDC and verifies the ticket with the host key, so this is an authorization shortcut, not an authentication bypass.
Example:
[nfstest1@iadcalyptest02p ~]$ ksu nfstest2
Authenticated nfstest1@CALYPSO.Latheef,com
Account nfstest2: authorization for nfstest1@CALYPSO.Latheef,com successful
Changing uid to nfstest2 (10285)
[nfstest2@iadcalyptest02p nfstest1]$ pwd
/home/nfstest1
If .k5login is absent, or does not list the principal doing the ksu, ksu falls back to asking for the Kerberos password of the user being switched to, as below.
Example:
[nfstest2@iadcalyptest02p ~]$ ksu nfstest1
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for nfstest1@CALYPSO.Latheef,com: :
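Since ksu trusts ~/.k5login completely, the file itself needs checking: it must belong to the account (or root), must not be writable by anyone else, and must contain the account's own principal. The function below is an added example (not part of the original page) that audits a .k5login file and lists every principal it grants passwordless ksu to; the demo runs it on a constructed file in a temporary directory, using whatever account runs the script as the owner.

```sh
#!/bin/sh
# Added example, not from the original page: audit a user's ~/.k5login
# before relying on it for ksu.
# $1 = home directory, $2 = account name, $3 = realm

check_k5login() {
    f="$1/.k5login"
    user=$2; realm=$3
    if [ ! -f "$f" ]; then
        echo "no .k5login: ksu into $user will ask for $user's Kerberos password"
        return 0
    fi
    rc=0
    ls_out=$(ls -ld "$f")
    mode=$(printf '%s' "$ls_out" | awk '{print $1}')    # e.g. -rw-r--r--
    owner=$(printf '%s' "$ls_out" | awk '{print $3}')
    # owner must be the account itself or root, otherwise someone else controls who may ksu in
    [ "$owner" = "$user" ] || [ "$owner" = root ] || { echo "BAD OWNER: $f belongs to $owner"; rc=1; }
    # group (position 6) and other (position 9) write bits must be clear
    case "$mode" in
        ?????w*)    echo "BAD MODE: $f is group-writable ($mode)"; rc=1 ;;
    esac
    case "$mode" in
        ????????w*) echo "BAD MODE: $f is world-writable ($mode)"; rc=1 ;;
    esac
    # the account's own principal must be present or Kerberos logins as it are refused
    grep -qxF "$user@$realm" "$f" || { echo "MISSING SELF: $user@$realm not listed, logins as $user will be denied"; rc=1; }
    # everything else in the file is a passwordless grant worth reviewing
    grep -vxF "$user@$realm" "$f" | grep -v '^[[:space:]]*$' | sed "s/^/GRANT: ksu into $user allowed for /"
    return $rc
}

# Demo on a constructed .k5login owned by whoever runs this script.
tmp=$(mktemp -d)
me=$(ls -ld "$tmp" | awk '{print $3}')
printf 'nfstest1@CALYPSO.Latheef,com\n%s@CALYPSO.Latheef,com\n' "$me" > "$tmp/.k5login"
chmod 644 "$tmp/.k5login"
check_k5login "$tmp" "$me" CALYPSO.Latheef,com && echo "k5login: OK"
chmod 666 "$tmp/.k5login"
check_k5login "$tmp" "$me" CALYPSO.Latheef,com || echo "k5login: rejected"
rm -rf "$tmp"
```

On a real host run it as root against /home/nfstest2 with the account name and realm; the GRANT lines are the list to review whenever someone asks why a user can become another without a password.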