I have an NFS server on a KVM guest, and I want to integrate auth into my IdM server so I can have an automount readily accessible from any of the hosts.
Most of my hosts are CentOS 7, but my personal laptop is running Fedora 28.
What I’ve done already
- The FreeIPA server is already installed (refer to the Red Hat 7 IdM Install Guide)
- Replica is already installed and providing failover CA and DNS services
- Hosts are registered with the FreeIPA server
You need to add an NFS service principal for both the server and the client:
[root@ipa ~]# ipa service-add nfs/store.lan.nathancurry.com
[root@ipa ~]# ipa service-add nfs/tiny.lan.nathancurry.com
And then run the following on the NFS server and NFS client to import the keytab:
# Authenticate
[root@store ~]# kinit admin
# Pull a keytab for the hostname (FQDN)
[root@store ~]# ipa-getkeytab -s ipa.nathancurry.com -p nfs/`uname -n` -k /etc/krb5.keytab
Set up NFS
Install the necessary packages:
# Server:
[root@store /]# yum -y install nfs-utils nfs4-acl-tools
# Client:
[root@tiny /]# dnf -y install nfs-utils
Then on the server, I uncommented/edited the following lines to disable nfs3:
Add exports to
I export the entire data drive mount, which may be a security concern in a production environment but is no problem here. In any case, you can provide pretty detailed controls with the nfs4-acl-tools package installed above.
I restrict sharing to only my LAN’s subnet. The sec option takes sys, krb5, krb5i, and krb5p, in order of increasing security and overhead. I’m just setting up Kerberos auth for now, so I’m forgoing integrity and privacy controls.
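Because nfsd falls back to sec=sys whenever an export line omits the sec option, it is worth auditing the exports file rather than trusting memory. The following script is an added example and not part of the original post: it parses /etc/exports-style lines and flags exports that are open to any host (*), that explicitly allow sys, or that carry no sec option at all. The sample exports content, host names and subnet are constructed for illustration and are not the post's real values.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/exports-style content
# for exports that do not require Kerberos. Sample data is constructed.

SAMPLE_EXPORTS='# constructed sample /etc/exports
/exports/share  192.168.7.0/24(rw,sec=krb5)
/exports/public *(ro,sec=sys)
/exports/legacy 192.168.7.0/24(rw)
/exports/secure 192.168.7.0/24(rw,sec=krb5p,root_squash)
'

# check_exports EXPORTS_TEXT
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
#   WORLD  client spec is "*" (any host may mount the export)
#   SYS    the sec list contains "sys" (also catches fallbacks like krb5:sys)
#   NOSEC  no sec= option given, so the kernel default of sec=sys applies
check_exports() {
    printf '%s' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blanks
    {
        path = $1
        for (i = 2; i <= NF; i++) {                 # one client spec per field
            spec = $i; client = spec; opts = ""
            if ((p = index(spec, "(")) > 0) {
                client = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1, length(spec) - p - 1)
            }
            if (client == "*") { print "WORLD " path " " client; bad = 1 }
            n = split(opts, o, ","); sec = ""
            for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec == "") { print "NOSEC " path " " client; bad = 1 }
            else {
                m = split(sec, flavors, ":")
                for (k = 1; k <= m; k++)
                    if (flavors[k] == "sys") { print "SYS " path " " client; bad = 1 }
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: report on the constructed sample.
if check_exports "$SAMPLE_EXPORTS"; then
    echo "all exports require Kerberos and name specific clients"
else
    echo "review the findings above"
fi
```

On a real server you would feed it the live file with check_exports "$(cat /etc/exports)"; the exit status makes it usable as a pre-restart check before exportfs -ra.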
Bring up the NFS server:
[root@store /]# firewall-cmd --add-service=nfs
[root@store /]# firewall-cmd --add-service=nfs --permanent
[root@store /]# systemctl start nfs
[root@store /]# systemctl enable nfs
# And for good measure
[root@store /]# exportfs
Note that on earlier versions of CentOS 7, you may have to start and enable nfs-secure-server.service. And if you run NFS3, you have to add the firewall services nfs3 and rpc-bind.
Set up mounts
I want a portable directory that follows me from computer to computer, perhaps as a remote home on all hosts besides my laptop once I free up my USB3 SSD. Static isn’t a bad choice, but I’m going with full-blown autoshares.
Option 1: Static
The following works as a static solution that doesn’t automount at boot and which my user account can mount without privilege escalation:
store:/exports/share/port /home/nc/port nfs vers=4,sec=krb5,noauto,user 0 0
Option 2: Manual AutoFS Configuration
While the end goal is to have FreeIPA push these changes to the clients, I had trouble configuring IPA. To avoid chasing my tail, I set up AutoFS locally to make sure I had a sane config:
# Create a new file /etc/auto.direct:
/home/nc/port fstype=nfs,rw,sec=krb5 store:/exports/share/port

# Source the file by adding the following to /etc/auto.master
/- auto.direct

# Restart services
nc@tiny: ~ $ sudo systemctl restart nfs autofs

# Check that it's working
nc@tiny: ~ $ ls ~/port/
bin  build  git  go  sites  terraform
nc@tiny: ~ $ mount | grep /home/nc/port
auto.direct on /home/nc/port type autofs (rw,relatime,fd=5,pgrp=8250,timeout=300,minproto=5,maxproto=5,direct,pipe_ino=1169118)
store:/srv/share/port on /home/nc/port type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.7.77,local_lock=none,addr=192.168.7.44)
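The mount output above is where you confirm that the client actually negotiated NFSv4 with sec=krb5 rather than silently falling back. The script below is an added example, not part of the original post: it parses mount output and reports every NFS mount that is not NFSv4 with a Kerberos flavor. The first sample line is modelled on the post's own mount output; the legacy:/old line is a constructed contrasting case and not a real host.

```shell
#!/bin/sh
# Added example (not from the original post): verify from `mount` output that
# every NFS mount is NFSv4 with sec=krb5, krb5i or krb5p. Sample data is constructed.

SAMPLE_MOUNTS='auto.direct on /home/nc/port type autofs (rw,relatime,fd=5,pgrp=8250,timeout=300,minproto=5,maxproto=5,direct,pipe_ino=1169118)
store:/srv/share/port on /home/nc/port type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.7.77,local_lock=none,addr=192.168.7.44)
legacy:/old on /mnt/old type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.7.45,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.7.45)
'

# check_nfs_mounts MOUNT_OUTPUT
# For each nfs/nfs4 mount prints "OK <mountpoint>" or "WEAK <mountpoint> <reason>".
# Returns 0 when every NFS mount is NFSv4 with a krb5* flavor, 1 otherwise.
check_nfs_mounts() {
    printf '%s' "$1" | awk '
    $5 != "nfs" && $5 != "nfs4" { next }            # skip autofs, ext4, tmpfs, ...
    {
        mp = $3                                      # "src on MP type FS (opts)"
        opts = $6; sub(/^\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, o, ","); vers = ""; sec = ""
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
            if (o[i] ~ /^sec=/)  sec  = substr(o[i], 5)
        }
        reason = ""
        if (vers !~ /^4/)   reason = reason "vers=" vers " "
        if (sec !~ /^krb5/) reason = reason "sec=" (sec == "" ? "sys(default)" : sec)
        if (reason == "") print "OK " mp
        else { print "WEAK " mp " " reason; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone run against the constructed sample.
if check_nfs_mounts "$SAMPLE_MOUNTS"; then
    echo "all NFS mounts are NFSv4 with Kerberos"
else
    echo "at least one NFS mount is weaker than intended"
fi
```

On a client, run it as check_nfs_mounts "$(mount)" after triggering the automount (for example with ls on the mount point), since a direct map only mounts on first access.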
Option 3: FreeIPA and AutoFS
I set this up through the WebUI, though it’s trivial to set up through the CLI as well.
- Go to Network Services > Automount
- Under default, verify that the auto.master map has an entry for auto.direct with Key =
- In the auto.direct map, add an entry with Key = *(or CIDR block, or host name) and Mount Information =
This is basically the same information as in a regular AutoFS config. I ended up having to uninstall the ipa-client from my laptop, reinstall, and rerun the ipa-automount install, but when I rebooted, it worked:
nc@tiny: ~ $ ls port
ls: cannot open directory 'port': Stale file handle
nc@tiny: ~ $ kinit nc
Password for nc@LAN.NATHANCURRY.COM:
nc@tiny: ~ $ ls port
bin  build  git  go  sites  terraform