WARNING: no policy specified for nfs/ defaulting to no policy WARNING: no policy specified for host/ defaulting to no policy In this example the KDC is also acting as the NFS server, which is why we create the host/nfs principles for ~]# kadmin.localĪuthenticating as principal root/ with password. Now on the KDC server we’ll use kadmin.local and create host and nfs principles for both the NFS server and client.
There can be a small performance impact here due to the overhead, however this is the most secure option. krb5p: In addition to everything that the krb5i option provides, this option also provides encryption.krb5i: In addition to everything that the krb5 option provides, this option also provides integrity for communications.krb5: This option provides authentication only, client identity is confirmed with the Kerberos keytab file.Standard Linux permissions are used, the UID/GID of the NFS client is mapped to the same ones on the server which may not be ideal as you could receive some other users UID/GID. sys: This is the default option and it trusts the UID/GID sent by a client.opt/mnt 192.168.1.14(rw, sec=krb5p)Īs shown the Kerberos option can be specified with the ‘sec’ option, the list below outlines the options available. With that in place we need to modify our NFS exports in /etc/exports to specify a Kerberos option. If you get any errors enabling or starting either of these services, try doing it again towards the end once things have been completely configured. Systemctl start nfs-secure-server nfs-server systemctl enable nfs-secure-server nfs-server In addition to the information provided in the NFS post linked above some additional services need to be enabled and started to support Kerberos, namely ‘nfs-secure-server’. We’re assuming that you have already setup a KDC and NFS server here, if you need to do this see the links in the prerequisites section. In this example, both the NFS server and KDC are running on the same CentOS 7 system. Both the server and client should have the ‘nfs-utils’ package installed.You should also already have a working NFS server and client setup.
In order to use Kerberos for NFS, we must first have a KDC setup with a client joined to the realm.In order for Kerberos to function correctly, the following must first be configured on both servers. It is also our NFS client and will mount from the server above. Kerberos Client: 192.168.1.14 – This Linux client will request Kerberos tickets from the KDC.Kerberos Server (KDC): 192.168.1.13 – This Linux server will act as our KDC and serve out Kerberos tickets.Here is a list of our servers that we will be testing with, both are running CentOS 7.
#WINDOWS NFS V4 CODE#
Studying for your RHCE certification? Checkout our RHCE video course over at Udemy which is 20% off when you use the code ROOTUSER. By default NFS is not very secure, there’s no real authentication and access is granted based on hostname or IP address, information is sent over the network in plain text, and it’s also fairly easy to fake your UID/GID.īy making use of Kerberos we can secure NFS as this provides authentication, encryption and integrity.
0 kommentar(er)
