How to setup NFSv4 using kerberos authentication on RHEL6 using Active Directory
Environment
- Red Hat Enterprise Linux 6
- samba
Issue
- How to setup NFSv4 using kerberos authentication on RHEL6 using Active Directory
Resolution
This setup uses Samba to manage the Kerberos principals in /etc/krb5.keytab. It also uses winbind to provide NSS information and to authenticate users through PAM.
In /etc/samba/smb.conf the autorid idmap backend is used so that uid/gid mappings stay consistent across multiple systems.
[global]
workgroup = 2K8R2DOMAIN
password server = win2k8sp1-64.2k8r2domain.gss
realm = 2K8R2DOMAIN.GSS
security = ads
idmap config * : backend = autorid
idmap config * : range = 1000000-201000000
idmap config * : rangesize = 2000000
winbind use default domain = true
winbind refresh tickets = true
template shell = /bin/bash
kerberos method = secrets and keytab
Adding the following lines to /etc/security/pam_winbind.conf configures the pam_winbind module to obtain a Kerberos TGT when a user logs in successfully.
krb5_auth = yes
krb5_ccache_type = FILE
To enable Kerberos for NFS, uncomment the following line in /etc/sysconfig/nfs:
SECURE_NFS="yes"
Configure the necessary PAM and nsswitch files:
# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update
The idmap daemon is configured to use the appropriate domain in /etc/idmapd.conf:
[General]
Domain = 2k8r2domain.gss
The system's Kerberos configuration in /etc/krb5.conf is set up for the realm:
[libdefaults]
default_realm = 2K8R2DOMAIN.GSS
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
2K8R2DOMAIN.GSS = {
kdc = win2k8sp1-64.2k8r2domain.gss
admin_server = win2k8sp1-64.2k8r2domain.gss
}
[domain_realm]
2k8r2domain.gss = 2K8R2DOMAIN.GSS
.2k8r2domain.gss = 2K8R2DOMAIN.GSS
Both the NFS client and server have correct forward and reverse DNS records that all systems can resolve. The server is joined to the domain with an nfs/ UPN and the nfs service principal is added to the keytab:
[root@rhel6-nfsserver ~]# net ads join -U Administrator createupn=nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS
[root@rhel6-nfsserver ~]# net ads keytab add nfs -U Administrator
[root@rhel6-nfsserver ~]# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
2 host/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
2 host/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)
2 host/rhel6-nfsserver@2K8R2DOMAIN.GSS (des-cbc-crc)
2 host/rhel6-nfsserver@2K8R2DOMAIN.GSS (des-cbc-md5)
2 host/rhel6-nfsserver@2K8R2DOMAIN.GSS (arcfour-hmac)
2 RHEL6-NFSSERVER$@2K8R2DOMAIN.GSS (des-cbc-crc)
2 RHEL6-NFSSERVER$@2K8R2DOMAIN.GSS (des-cbc-md5)
2 RHEL6-NFSSERVER$@2K8R2DOMAIN.GSS (arcfour-hmac)
2 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
2 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
2 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)
2 nfs/rhel6-nfsserver@2K8R2DOMAIN.GSS (des-cbc-crc)
2 nfs/rhel6-nfsserver@2K8R2DOMAIN.GSS (des-cbc-md5)
2 nfs/rhel6-nfsserver@2K8R2DOMAIN.GSS (arcfour-hmac)
After joining the domain, the winbind daemon needs to be started.
# chkconfig winbind on
# service winbind start
The NFS export is configured to allow Kerberos authentication. In addition, a directory is configured so that a user has permission to write data to the NFS server.
[root@rhel6-nfsserver ~]# cat /etc/exports
/nfsexports 10.12.0.0/255.255.0.0(rw,insecure,sec=sys:krb5:krb5i:krb5p,fsid=0,nohide,no_subtree_check)
[root@rhel6-nfsserver ~]# ls -laR /nfsexports/
/nfsexports/:
total 12
drwxr-xr-x. 3 root root 4096 Sep 4 16:43 .
drwxr-xr-x. 3 root root 4096 Sep 4 16:25 ..
drwx------. 2 jagee root 4096 Sep 5 11:52 jagee
The nfs and idmapd services need to be restarted to load the new settings and the new Kerberos principal.
# service nfs restart
# service rpcidmapd restart
Any NFSv4 client system needs the same Kerberos, NSS, PAM, Samba, and idmapd configuration shown above. Here the client's keytab is created:
[root@rhel6-nfsclient ~]# net ads join -U jagee createupn=nfs/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS
[root@rhel6-nfsclient ~]# net ads keytab add nfs -U jagee
[root@rhel6-nfsclient ~]# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
2 host/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
2 host/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)
2 host/rhel6-nfsclient@2K8R2DOMAIN.GSS (des-cbc-crc)
2 host/rhel6-nfsclient@2K8R2DOMAIN.GSS (des-cbc-md5)
2 host/rhel6-nfsclient@2K8R2DOMAIN.GSS (arcfour-hmac)
2 RHEL6-NFSCLIENT$@2K8R2DOMAIN.GSS (des-cbc-crc)
2 RHEL6-NFSCLIENT$@2K8R2DOMAIN.GSS (des-cbc-md5)
2 RHEL6-NFSCLIENT$@2K8R2DOMAIN.GSS (arcfour-hmac)
2 nfs/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
2 nfs/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
2 nfs/rhel6-nfsclient.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)
2 nfs/rhel6-nfsclient@2K8R2DOMAIN.GSS (des-cbc-crc)
2 nfs/rhel6-nfsclient@2K8R2DOMAIN.GSS (des-cbc-md5)
2 nfs/rhel6-nfsclient@2K8R2DOMAIN.GSS (arcfour-hmac)
The rpcgssd and idmapd services need to be restarted to load the new settings and the new Kerberos principal. Winbind also needs to be started.
# chkconfig winbind on
# service winbind start
# service rpcgssd restart
# service rpcidmapd restart
On the client side we test the different security flavours, with one mount for each; all of them mount successfully.
[root@rhel6-nfsclient ~]# grep nfs /etc/fstab
rhel6-nfsserver.2k8r2domain.gss:/ /mnt/sys nfs4 defaults,sec=sys,_netdev 0 0
rhel6-nfsserver.2k8r2domain.gss:/ /mnt/krb5 nfs4 defaults,sec=krb5,_netdev 0 0
rhel6-nfsserver.2k8r2domain.gss:/ /mnt/krb5i nfs4 defaults,sec=krb5i,_netdev 0 0
rhel6-nfsserver.2k8r2domain.gss:/ /mnt/krb5p nfs4 defaults,sec=krb5p,_netdev 0 0
[root@rhel6-nfsclient ~]# mount | grep nfs
rhel6-nfsserver.2k8r2domain.gss:/ on /mnt/sys type nfs4 (rw,sec=sys,addr=10.12.53.81,clientaddr=10.12.53.145)
rhel6-nfsserver.2k8r2domain.gss:/ on /mnt/krb5 type nfs4 (rw,sec=krb5,addr=10.12.53.81,clientaddr=10.12.53.145)
rhel6-nfsserver.2k8r2domain.gss:/ on /mnt/krb5i type nfs4 (rw,sec=krb5i,addr=10.12.53.81,clientaddr=10.12.53.145)
rhel6-nfsserver.2k8r2domain.gss:/ on /mnt/krb5p type nfs4 (rw,sec=krb5p,addr=10.12.53.81,clientaddr=10.12.53.145)
Next we ssh into the client using an AD account. The pam_winbind module obtains a TGT, which is then used when accessing the NFS mounts.
[jagee@bombe ~]$ ssh jagee@10.12.53.145
jagee@10.12.53.145's password:
Last login: Tue Sep 4 17:56:08 2012 from 10.12.53.154
[jagee@rhel6-nfsclient ~]$ echo sys >> /mnt/sys/jagee/test.txt
[jagee@rhel6-nfsclient ~]$ echo krb5 >> /mnt/krb5/jagee/test.txt
[jagee@rhel6-nfsclient ~]$ echo krb5i >> /mnt/krb5i/jagee/test.txt
[jagee@rhel6-nfsclient ~]$ echo krb5p >> /mnt/krb5p/jagee/test.txt
[jagee@rhel6-nfsclient ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jagee@2K8R2DOMAIN.GSS
Valid starting Expires Service principal
09/05/12 12:24:49 09/05/12 22:24:49 krbtgt/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS
renew until 09/12/12 12:24:49, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
09/05/12 12:24:49 09/05/12 22:24:49 RHEL6-NFSCLIENT$@2K8R2DOMAIN.GSS
renew until 09/12/12 12:24:49, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
09/05/12 12:24:49 09/05/12 22:24:49 RHEL6-NFSCLIENT$@2K8R2DOMAIN.GSS
renew until 09/12/12 12:24:49, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
09/05/12 12:26:01 09/05/12 22:24:49 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS
renew until 09/12/12 12:24:49, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
Looking on the server, we see the writes to the NFS share:
[root@rhel6-nfsserver ~]# cat /nfsexports/jagee/test.txt
sys
krb5
krb5i
krb5p
This setup also enables SSO using GSSAPI for ssh access to servers. Once an AD user has a TGT from AD, the user can ssh to any system that has a host/f.q.d.n principal in /etc/krb5.keytab without being prompted for a password.
[jagee@workstation ~]$ ssh jagee@10.12.53.145
jagee@10.12.53.145's password:
Last login: Wed Sep 5 12:36:52 2012 from 10.12.53.154
[jagee@rhel6-nfsclient ~]$ ssh jagee@rhel6-nfsserver.2k8r2domain.gss
Creating home directory for jagee.
Last login: Wed Sep 5 12:36:54 2012 from rhel6-nfsclient.2k8r2domain.gss
[jagee@rhel6-nfsserver ~]$
Note:
Some reports indicate that the setup above needs the following modifications.
Client Side
The special root access of the rpc.gssd service is removed with the following setting in /etc/sysconfig/nfs:
RPCGSSDARGS="-n "
When rpc.gssd is modified this way, the computer account UPN needed to be host/f.q.d.n@REALM rather than nfs/f.q.d.n@REALM. Note that the nfs principal still exists in the keytab; it is just not assigned as the UPN.
Server Side
If users are members of a large number of groups, it may be necessary to drop the Privilege Attribute Certificate (PAC) information from service tickets.
In the Active Directory Users and Computers tool, select View -> Advanced Features, then:
- Open the computer object properties
- Select the Attribute Editor tab
- Edit the userAccountControl attribute
- The original value should be 4096, displayed as "0x1000 = (WORKSTATION_TRUST_ACCOUNT)"
- Add 33554432 to the value field.
- Click OK
- Ensure the stored value shows "0x2000000 = (NO_AUTH_DATA_REQUIRED)"
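An added pre-flight check for the keytab, export and userAccountControl steps above; it is not part of the original solution. It parses a klist -ke listing for the nfs/f.q.d.n service principal, counts the single-DES keytab entries that the listings above show so they can be reviewed, checks the export's sec= list, and computes the userAccountControl change with a bitwise OR. The function names are my own and the sample data is constructed from the article's listings.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# NFSv4/Kerberos setup described above. Function names and the sample data
# are constructed here (the data mirrors the article's own listings).

# Keytab listing as printed by `klist -ke` (constructed, abbreviated sample).
SAMPLE_KEYTAB='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 host/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
   2 RHEL6-NFSSERVER$@2K8R2DOMAIN.GSS (arcfour-hmac)
   2 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
   2 nfs/rhel6-nfsserver.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)'

# Export line as in /etc/exports (taken from the article).
SAMPLE_EXPORT='/nfsexports 10.12.0.0/255.255.0.0(rw,insecure,sec=sys:krb5:krb5i:krb5p,fsid=0,nohide,no_subtree_check)'

# check_nfs_principal LISTING FQDN REALM: succeeds if nfs/FQDN@REALM is present.
# rpc.gssd needs this service principal for sec=krb5* mounts to work.
check_nfs_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]nfs/$2@$3[[:space:]]"
}

# count_weak_enctypes LISTING: prints how many keytab entries use single DES.
# The article's listing shows only DES and RC4 entries; DES is worth retiring.
count_weak_enctypes() {
    printf '%s\n' "$1" | grep -c -E '\(des-cbc-(crc|md5)\)' || true
}

# exports_allow_krb5 EXPORT_LINE: succeeds if the sec= list has a krb5 flavour.
exports_allow_krb5() {
    printf '%s\n' "$1" | grep -q 'sec=[^,)]*krb5'
}

# uac_set_no_auth_data_required CURRENT_UAC: prints the new decimal value.
# Bitwise OR with 0x2000000 (33554432) rather than adding: adding to a value
# that already has NO_AUTH_DATA_REQUIRED set would flip other flags.
uac_set_no_auth_data_required() {
    printf '%d\n' $(( $1 | 33554432 ))
}

# Run the checks against the sample data.
check_nfs_principal "$SAMPLE_KEYTAB" rhel6-nfsserver.2k8r2domain.gss 2K8R2DOMAIN.GSS \
    && echo "nfs service principal present" || echo "nfs service principal MISSING"
echo "single-DES keytab entries: $(count_weak_enctypes "$SAMPLE_KEYTAB")"
exports_allow_krb5 "$SAMPLE_EXPORT" && echo "export allows krb5" || echo "export lacks krb5"
echo "userAccountControl 4096 -> $(uac_set_no_auth_data_required 4096)"
```

On a real host, replace the two SAMPLE_ variables with `klist -ke` output and the relevant /etc/exports line.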
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.