12 April,16 at 11:02 AM
Applies to: All versions of Centrify DirectControl on all OSes
Question:
How do you configure NFSv4 with Kerberos?
Answer:
This example assumes the configuration is set up between two Red Hat 5.3 machines:
Windows Domain: centrify.dev
Centrify Zone: nfszone
NFSv4 Server Name: nfsserver.centrify.dev
NFSv4 Client Name: nfsclient.centrify.dev
On the NFSv4 server (nfsserver.centrify.dev):
1. Open the firewall for NFSv4 ports
2. Remove existing /etc/krb5.keytab if any
3. Edit /etc/centrifydc/centrifydc.conf and set: adclient.krb5.keytab.entries: 1
4. Join the AD Domain: adjoin centrify.dev -z nfszone
5. Make a directory to export and set the permissions: mkdir /nfs; chmod 0755 /nfs
6. Edit the NFS export file and add the line: /nfs gss/krb5p(rw,sync,fsid=0)
7. Edit /etc/sysconfig/nfs and set: SECURE_NFS="yes"
8. Restart NFS: service nfs restart; service rpcidmapd restart
On the NFSv4 client (nfsclient.centrify.dev):
1. Open the firewall for NFSv4 ports
2. Remove existing /etc/krb5.keytab if any
3. Edit /etc/centrifydc/centrifydc.conf and set: adclient.krb5.keytab.entries: 1
4. Join the AD Domain: adjoin centrify.dev -z nfszone
5. Depending on the version of nfs-utils and on the MS AD Domain and Forest functional level:
If nfs-utils is less than version 1.1.0:
If the MS AD level is 2000 or 2003: use ADSIEdit from Windows, go to the properties of the client machine's computer object, and set userPrincipalName to nfs/nfsclient.centrify.dev@CENTRIFY.DEV
If the MS AD level is 2008/2008R2: use ADSIEdit from Windows, go to the properties of the client machine's computer object, and set userPrincipalName to nfs/nfsclient.centrify.dev
Run: rpc.gssd
If nfs-utils is equal or greater than version 1.1.0:
Run: /usr/share/centrifydc/kerberos/bin/kinit -k <host>$
Run: rpc.gssd -n
Note:
DirectControl helps simplify this process by providing most of the Kerberos related parts. Out of the box, DirectControl will automatically set up the necessary NFS service principals and generate the Kerberos keytab files to support NFS v4 Kerberized servers.
For NFS v4 clients, some tricks are necessary to deal with their special user principal name (UPN) requirements. Specifically, when mounting volumes as root, the NFS v4 client uses the computer account principal in a special UPN format: "nfs/hostfqdn@REALM" (hostfqdn is the full DNS name of your local host).
Normally Windows KDCs do not support this format. As a workaround, a system administrator can populate the userPrincipalName attribute of the local computer's Active Directory object using ADSI Edit, Centrify's adkeytab utility, or OpenLDAP's ldapmodify shipped with DirectControl. An alternative to populating the computer account's UPN is available if your rpc.gssd supports the -n option (nfs-utils version 1.1.0 or newer). In this case you can pre-create a credential cache for the root user with your local short host name:
/usr/share/centrifydc/kerberos/bin/kinit -k <hostname>$
6. Edit /etc/sysconfig/nfs and set: SECURE_NFS="yes"
7. Restart NFS: service nfs restart
8. Create a mount point directory: mkdir /nfsmnt; chmod 0755 /nfsmnt
9. Run: mount -t nfs4 -o sec=krb5p nfsserver.centrify.dev:/ /nfsmnt
Note: Red Hat 4 only supports the DES encryption type, not ArcFour. To make this work on Red Hat 4, you need to modify the /etc/krb5.conf and /etc/centrifydc/centrifydc.conf files and move the DES types to the front of each list, as follows:
krb5.conf:
default_tgs_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
centrifydc.conf:
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
On AIX and Solaris, you need to change /etc/centrifydc/centrifydc.conf to:
adclient.krb5.permitted.encryption.types: des-cbc-crc des-cbc-md5 arcfour-hmac-md5
adclient.krb5.tkt.encryption.types: des-cbc-crc des-cbc-md5 arcfour-hmac-md5
adclient.force.salt.lookup: true
Change the [libdefaults] section of /etc/krb5/krb5.conf:
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5 arcfour-hmac-exp
Then restart adclient and gssd.
Note:
In the latest patch for Windows 2008 R2, DES encryption is off by default. You will need to turn it on. See KB-2098: How to configure Windows 2008 R2 to support DES/nfsv4?
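The following shell script is an added example, not part of the Centrify article, that runs offline pre-flight checks mirroring the steps above: the SECURE_NFS setting, the krb5p export with fsid=0, the nfs-utils 1.1.0 decision between the UPN workaround and rpc.gssd -n, the DES-first enctype order the Red Hat 4 note requires, and the presence of the nfs/ service principal in klist -k output. All file contents and the klist line are constructed samples; the function names are the script's own.

```shell
#!/bin/sh
# Added pre-flight checks for the NFSv4 + Kerberos procedure above (not Centrify code).
# All file contents and the klist line below are constructed samples so this runs offline.

# 0 if nfs-utils version $1 is 1.1.0 or newer (rpc.gssd -n path), else 1 (UPN path).
nfs_utils_supports_gssd_n() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }
}

# 0 if the sysconfig file $1 sets SECURE_NFS to yes (quoted or bare).
secure_nfs_enabled() { grep -Eq '^SECURE_NFS="?yes"?$' "$1"; }

# 0 if exports file $2 exports $1 with gss/krb5p and fsid=0 (the NFSv4 pseudo-root).
export_is_krb5p_root() { grep -Eq "^$1[[:space:]]+gss/krb5p\(.*fsid=0.*\)" "$2"; }

# 0 if the first enctype for key $1 in krb5.conf $2 is a DES type (the Red Hat 4 ordering).
des_listed_first() {
    first=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | cut -d' ' -f1)
    case $first in des-cbc-md5|des-cbc-crc) return 0 ;; esac
    return 1
}

# 0 if 'klist -k' output on stdin lists the nfs/<hostfqdn>@REALM service principal.
keytab_has_nfs_principal() { grep -q "nfs/$1@"; }

# Constructed sample files standing in for /etc/sysconfig/nfs, /etc/exports and /etc/krb5.conf.
tmp=$(mktemp -d)
printf 'SECURE_NFS="yes"\n' > "$tmp/nfs"
printf '/nfs gss/krb5p(rw,sync,fsid=0)\n' > "$tmp/exports"
printf '[libdefaults]\n default_tkt_enctypes = des-cbc-md5 des-cbc-crc aes256-cts\n' > "$tmp/krb5.conf"
printf '[libdefaults]\n default_tkt_enctypes = aes256-cts des-cbc-md5\n' > "$tmp/krb5-bad.conf"
KLIST_SAMPLE='   2 nfs/nfsserver.centrify.dev@CENTRIFY.DEV'

for v in 1.0.9 1.1.0; do
    if nfs_utils_supports_gssd_n "$v"; then echo "nfs-utils $v: kinit -k <host>\$ then rpc.gssd -n"
    else echo "nfs-utils $v: set userPrincipalName on the computer object, then rpc.gssd"; fi
done
secure_nfs_enabled "$tmp/nfs" && echo "SECURE_NFS is enabled"
export_is_krb5p_root /nfs "$tmp/exports" && echo "/nfs is exported with krb5p as the pseudo-root"
des_listed_first default_tkt_enctypes "$tmp/krb5.conf" && echo "krb5.conf: DES listed first"
des_listed_first default_tkt_enctypes "$tmp/krb5-bad.conf" || echo "krb5-bad.conf: DES not first"
echo "$KLIST_SAMPLE" | keytab_has_nfs_principal nfsserver.centrify.dev && echo "keytab has nfs/ principal"
```

On a real host, point the functions at /etc/sysconfig/nfs, /etc/exports and /etc/krb5.conf and pipe the output of klist -k /etc/krb5.keytab into keytab_has_nfs_principal.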