Kerberized NFS with FreeIPA on CentOS 7 and Fedora 28

I have an NFS server on a KVM guest, and I want to integrate its authentication with my IdM server so I can have an automount readily accessible from any of my hosts.

Most of my hosts are CentOS 7, but my personal laptop is running Fedora 28.

What I’ve done already

  • The FreeIPA server is already installed (refer to the Red Hat 7 IdM Install Guide)
  • Replica is already installed and providing failover CA and DNS services
  • Hosts are registered with the FreeIPA server

Configure FreeIPA

You need to add an NFS service principal for both the server and the client:

[root@ipa ~]# ipa service-add nfs/store.lan.nathancurry.com
[root@ipa ~]# ipa service-add nfs/tiny.lan.nathancurry.com

Then run the following on both the NFS server and the NFS client to fetch the service keytab:

# Authenticate
[root@store ~]# kinit admin
# Pull a keytab for the hostname (FQDN)
[root@store ~]# ipa-getkeytab -s ipa.nathancurry.com -p nfs/`uname -n` -k /etc/krb5.keytab

Set up NFS

Install the necessary packages:

# Server:
[root@store /]# yum -y install nfs-utils nfs4-acl-tools
# Client:
[root@tiny /]# dnf -y install nfs-utils

Then on the server, I uncommented and edited the following lines to disable NFSv3:

[nfsd]
vers3=n

Add exports to /etc/exports:

/exports/share 192.168.7.0/24(rw,sec=krb5)

I export the entire data drive mount, which may be a security concern in a production environment but is no problem here. In any case, you can apply fairly fine-grained controls with the nfs4-acl-tools package installed above.

I restrict sharing to my LAN’s subnet only. The sec option takes sys, krb5, krb5i, and krb5p, in order of increasing security and overhead. I’m only setting up Kerberos authentication for now, so I’m forgoing the integrity (krb5i) and privacy (krb5p) flavours.
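As an added check that is my own and not from the original post: a small Python linter for /etc/exports that reports the weakest sec= flavour each client spec is granted, using the ordering above, and also catches the classic stray space between host and options that silently exports to every host. The exports text in SAMPLE is constructed for the example.

```python
import shlex

# Flavours ordered weakest to strongest, as described above: sys < krb5 < krb5i < krb5p
FLAVOURS = ["sys", "krb5", "krb5i", "krb5p"]


def rank(flavour):
    """Position in FLAVOURS; anything unrecognised ranks below sys."""
    return FLAVOURS.index(flavour) if flavour in FLAVOURS else -1


def parse_exports(text):
    """Yield (path, client, [options]) for every client spec, per exports(5) syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = shlex.split(line)  # keeps quoted paths with spaces intact
        for spec in specs:
            client, _, rest = spec.partition("(")  # host/network, then "(opt,opt,...)"
            opts = rest.rstrip(")").split(",") if rest else []
            yield path, client or "*", opts  # "(opts)" with no host means every host


def weakest_flavour(opts):
    """Weakest flavour a client may negotiate; no sec= at all means AUTH_SYS only."""
    for opt in opts:
        if opt.startswith("sec="):
            return min(opt[4:].split(":"), key=rank)
    return "sys"


def audit_exports(text, minimum="krb5"):
    """Return findings for client specs weaker than `minimum` or open to any host."""
    findings = []
    for path, client, opts in parse_exports(text):
        weakest = weakest_flavour(opts)
        if rank(weakest) < rank(minimum):
            findings.append(f"{path} {client}: sec={weakest} is weaker than {minimum}")
        if client == "*":
            findings.append(f"{path} {client}: exported to every host")
    return findings


# Constructed sample. Line 2 has the classic stray space before "(rw)": exportfs reads
# it as "192.168.7.0/24 with default options" plus "(rw) for every host".
SAMPLE = """\
/exports/share 192.168.7.0/24(rw,sec=krb5)   # the export from this post
/exports/data  192.168.7.0/24 (rw)
/exports/ro    tiny.lan.nathancurry.com(ro,sec=krb5p:krb5i)
"""
```

Calling audit_exports(SAMPLE) returns three findings, all for /exports/data; pass the contents of /etc/exports instead of SAMPLE to check a real server, and raise minimum to "krb5p" if you require privacy.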

Bring up the NFS server:

[root@store /]# firewall-cmd --add-service=nfs
[root@store /]# firewall-cmd --add-service=nfs --permanent
[root@store /]# systemctl start nfs
[root@store /]# systemctl enable nfs
# And for good measure
[root@store /]# exportfs

Note that on earlier CentOS 7 releases you may have to start and enable nfs-secure-server.service, and if you run NFSv3 you also have to open the firewall services nfs3 and rpc-bind.

Set up mounts

I want a portable directory that follows me from computer to computer, perhaps as a remote home on all hosts besides my laptop once I free up my USB3 SSD. Static isn’t a bad choice, but I’m going with full-blown autoshares.

Option 1: Static

The following /etc/fstab entry works as a static solution that doesn’t mount at boot (noauto) and that my user account can mount without privilege escalation (user):

store:/exports/share/port /home/nc/port nfs vers=4,sec=krb5,noauto,user 0 0

Option 2: Manual AutoFS Configuration

While the end goal is to have FreeIPA push these changes to the clients, I had trouble configuring IPA. To avoid chasing my tail, I set up AutoFS locally to make sure I had a sane config:

# Create a new file /etc/auto.direct:
/home/nc/port     -fstype=nfs,rw,sec=krb5    store:/exports/share/port

# Source the file by adding the following to /etc/auto.master
/- auto.direct

# Restart services
nc@tiny: ~ $ sudo systemctl restart nfs autofs

# Check that it's working
nc@tiny: ~ $ ls ~/port/
bin  build  git  go  sites  terraform
nc@tiny: ~ $ mount | grep /home/nc/port
auto.direct on /home/nc/port type autofs (rw,relatime,fd=5,pgrp=8250,timeout=300,minproto=5,maxproto=5,direct,pipe_ino=1169118)
store:/srv/share/port on /home/nc/port type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.7.77,local_lock=none,addr=192.168.7.44)

Option 3: FreeIPA and AutoFS

I set this up through the Web UI, though it’s trivial to do through the CLI as well.

  1. Go to Network Services > Automount
  2. Under default, verify that the auto.master map has an entry for auto.direct with Key = /-
  3. In the auto.direct map, add an entry with Key = * (or CIDR block, or host name) and Mount Information = -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 store.lan.nathancurry.com:/srv/share/port

This is basically the same information as in a regular AutoFS config. I ended up having to uninstall the ipa-client from my laptop, reinstall, and rerun the ipa-automount install, but when I rebooted, it worked:

nc@tiny: ~ $ ls port
ls: cannot open directory 'port': Stale file handle
nc@tiny: ~ $ kinit nc
Password for nc@LAN.NATHANCURRY.COM:
nc@tiny: ~ $ ls port
bin  build  git  go  sites  terraform
