
How do you set up an NFS4 server with Kerberos from Active Directory?

I can install and configure an NFS4 server and connect to it, but I cannot get Kerberos to work under any circumstances where Active Directory controls the KDC, not even with a freshly installed Windows Server where I set up Active Directory myself.

I did a lot of debugging with a server I set up against my company's Active Directory; a lot of it is documented here: How does the Linux NFS server implementation of setclientid work? The results were the same with a fresh Windows server with Active Directory, but surprisingly (well, maybe it isn't so surprising) it works if I install some other kind of KDC.

I have a working server (as in NFS4 and Kerberos from Active Directory) that was installed about 8 months ago; it is running CentOS 7.6.1810 as well, but even when I replicate everything I did on that one, I cannot get it to work.

I have used SSSD, PBIS Open and manual configuration of Kerberos.

Pretty much everything results in 'permission denied', which appears to come from error code -13 from RPC. All Kerberos tickets that I have inspected have looked correct.

What are the exact steps that need to be taken to configure an NFS4 server on CentOS Linux release 7.6.1810 (Core) to use Kerberos from Active Directory?

Tobias

1 Answer


I use this method on both Linux (Ubuntu) and FreeBSD, so I'm pretty sure it is fairly generic to UN*X-like systems.

First of all, you need to make sure that DNS works properly and that the hostname is correct. Make sure there are no entries pointing hostname.domain.name to 127.0.1.1.

Also, make sure your system is set up to use NFSv4 with sec=krb5 (or krb5i or krb5p).

You need to set an SPN for NFS to use. There is a Unix command called msktutil that can handle it. It's probably available in CentOS; I know it's available in Ubuntu's standard repos. See https://github.com/msktutil/msktutil

I have a script that handles it all.

Make sure you've joined the domain and that everything works as it should (except for Kerberized NFSv4, of course). I usually do the following:

kinit Administrator
(enter password)

klist should show your administrator ticket.

Make a backup of /etc/krb5.keytab before you run the script.

After that I run this script. (You will join the domain twice so that your /etc/krb5.keytab gets updated properly; I'm not sure whether it is strictly needed.)

#!/bin/bash
# Re-creates the host keytab with an nfs/ SPN via msktutil, then re-joins the domain with Samba.
set -eu

HOST_NAME=$(hostname -s)
DOMAIN_NAME=$(hostname -d)   # not used below, kept for reference
FULL_NAME=$(hostname -f)     # -f gives one FQDN; -A may print several names with trailing whitespace
DC=your-dc.your.domain       # placeholder for your domain controller; not used below
kinit Administrator

# Keep a dated copy of the current keytab before it is wiped and regenerated.
cp -p /etc/krb5.keytab "/etc/krb5.keytab.bak.$(date +%Y%m%d%H%M%S)" 2>/dev/null || true
rm -f /etc/krb5.keytab

# Create/update the computer object under OU=Services, write its keys to /etc/krb5.keytab
# and add the nfs/<fqdn> SPN (and matching UPN) that the NFS server will present.
msktutil \
--delegation --dont-expire-password --no-pac --computer-name "$HOST_NAME" \
--enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
-h "$HOST_NAME" -s "nfs/$FULL_NAME" --upn "nfs/$FULL_NAME" --verbose

# Second join, using the Kerberos ticket, so the keytab and machine account stay consistent.
net ads join -k

After that you should be ready to go! (Assuming your NFS server is set up correctly, and Kerberos and everything else.) For instance, on Ubuntu 18.04, /etc/default/nfs-kernel-server looks like this on my system:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
#RPCSVCGSSDOPTS=""

# Options for rpc.nfsd.
RPCNFSDOPTS=""
RPCSVCGSSDOPTS="-k /etc/krb5.keytab"

And my /etc/idmapd.conf looks like this:

[General]

Verbosity = 1
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname.
# Domain = localdomain
Domain = my.domain
Local-Realms = MY.DOMAIN

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]

Method = nsswitch

And /etc/default/nfs-common looks like this (there is probably something similar for CentOS):

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8)
STATDOPTS=
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
RPCSVCGSSDOPTS="-k /etc/krb5.keytab"

Hope this helps!

Fredrik
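The answer lists several things to verify by hand before and after the msktutil step: that the hostname is not bound to 127.0.1.1, that the keytab holds the nfs/FQDN principal, that the realm in krb5.conf agrees with Local-Realms in idmapd.conf, and that the exports demand sec=krb5, krb5i or krb5p. The following pre-flight script is an added example, not the answer's own script or part of msktutil, that turns those checks into functions run over saved copies of the files. It assumes MIT-style `klist -k -e` output ("KVNO principal (enctype)" per line) and that the files are named hosts, klist.txt, krb5.conf, idmapd.conf and exports inside one directory; all sample inputs it writes are constructed, not captured from a real host.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberized NFSv4 server (added example, not the answer's script).
# Assumption: `klist -k -e` output in MIT format; sample files below are constructed.

# 0 when no uncommented 127.0.1.1 line in the hosts file names the FQDN, else 1.
hosts_file_clean() {
    ! sed 's/#.*//' "$1" | awk -v h="$2" '
        $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == h) bad = 1 }
        END { if (bad) exit 0; exit 1 }'
}

# 0 when the saved `klist -k -e` output lists the principal (e.g. nfs/host@REALM).
keytab_has_principal() {
    awk -v p="$2" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }' "$1"
}

# Prints the distinct encryption types recorded for a principal, one per line, sorted.
keytab_enctypes() {
    awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }' "$1" | sort -u
}

# Prints the value of key $3 in section $2 of an INI-style file $1 (krb5.conf, idmapd.conf).
ini_value() {
    awk -v s="[$2]" -v k="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == s); next }
        insec && $1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# 0 when krb5.conf default_realm ($1) equals idmapd.conf Local-Realms ($2).
realms_match() {
    [ "$(ini_value "$1" libdefaults default_realm)" = "$(ini_value "$2" General Local-Realms)" ]
}

# 0 when every uncommented, non-empty export line demands sec=krb5, krb5i or krb5p.
exports_all_kerberized() {
    ! sed 's/#.*//' "$1" | awk '
        NF > 0 && $0 !~ /sec=krb5[ip]?/ { bad = 1 }
        END { if (bad) exit 0; exit 1 }'
}

# Writes constructed sample inputs into directory $1; $2 is "good" or "bad".
write_samples() {
    d="$1"; mkdir -p "$d"
    if [ "$2" = good ]; then
        printf '127.0.0.1 localhost\n192.0.2.10 nfs1.example.com nfs1\n' > "$d/hosts"
        printf '/srv/nfs  *(rw,sec=krb5p,fsid=0,no_subtree_check)\n' > "$d/exports"
    else
        printf '127.0.0.1 localhost\n127.0.1.1 nfs1.example.com nfs1\n' > "$d/hosts"
        printf '/srv/nfs  *(rw,sec=sys,fsid=0,no_subtree_check)\n' > "$d/exports"
    fi
    cat > "$d/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/nfs1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 NFS1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$d/krb5.conf"
    printf '[General]\nDomain = example.com\nLocal-Realms = EXAMPLE.COM\n[Mapping]\nNobody-User = nobody\n' > "$d/idmapd.conf"
}

# Runs every check on the files in $1 for FQDN $2 and realm $3; prints one line per
# check and returns the number of failed checks (0 means the host looks ready).
preflight() {
    d="$1"; fqdn="$2"; realm="$3"; fails=0
    if hosts_file_clean "$d/hosts" "$fqdn"; then echo "ok   hosts: $fqdn is not bound to 127.0.1.1"
    else echo "FAIL hosts: $fqdn points to 127.0.1.1"; fails=$((fails + 1)); fi
    if keytab_has_principal "$d/klist.txt" "nfs/$fqdn@$realm"; then
        echo "ok   keytab: nfs/$fqdn@$realm present ($(keytab_enctypes "$d/klist.txt" "nfs/$fqdn@$realm" | tr '\n' ' '))"
    else echo "FAIL keytab: nfs/$fqdn@$realm missing, re-run msktutil"; fails=$((fails + 1)); fi
    if realms_match "$d/krb5.conf" "$d/idmapd.conf"; then echo "ok   realm: krb5.conf and idmapd.conf agree"
    else echo "FAIL realm: default_realm and Local-Realms differ"; fails=$((fails + 1)); fi
    if exports_all_kerberized "$d/exports"; then echo "ok   exports: every export requires krb5*"
    else echo "FAIL exports: an export accepts a non-Kerberos security flavour"; fails=$((fails + 1)); fi
    return $fails
}

# Stand-alone demo on the constructed samples: the "good" set passes, the "bad" set fails twice.
demo_dir=$(mktemp -d)
write_samples "$demo_dir/good" good
write_samples "$demo_dir/bad" bad
preflight "$demo_dir/good" nfs1.example.com EXAMPLE.COM || true
preflight "$demo_dir/bad" nfs1.example.com EXAMPLE.COM || true
rm -rf "$demo_dir"
```

On a real host, replace the constructed files with `cp /etc/hosts`, `klist -k -e /etc/krb5.keytab > klist.txt`, and copies of /etc/krb5.conf, /etc/idmapd.conf and /etc/exports, then call `preflight <dir> "$(hostname -f)" YOUR.REALM`. A missing nfs/ principal or a 127.0.1.1 binding is worth ruling out before looking at the RPC layer, since both produce the same generic permission denied on the client.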