Applies to: All versions of Centrify DirectControl on all OSes

Question:
How do you configure NFSv4 with Kerberos?

Answer:

The assumption is that this will be setup between 2 Redhat 5.3 machines:

                Windows Domain:        centrify.dev

                Centrify Zone:               nfszone

                NFSv4 Server Name:     nfsserver.centrify.dev

                NFSv4 Client Name:      nfsclient.centrify.dev

NFS Server side setup: (Run on the Linux machine unless otherwise noted)

1.       Open the firewall for NFSv4 ports

2.       Remove existing /etc/krb5.keytab if any

3.       Edit /etc/centrifydc/centrifydc.conf and set:  adclient.krb5.keytab.entries: 1

4.       Join the AD Domain: adjoin centrify.dev –z nfszone

5.       Make a directory to export and set the permissions: mkdir /nfs; chmod 0755 /nfs

6.       Edit the NFS export file and add the line: /nfs     gss/krb5p(rw,sync,fsid=0)

7.       Edit  /etc/sysconfig/nfs and set: SECURE_NFS=”yes”

8.       Restart NFS: service nfs restart; service rpcidmapd restart

NFS Client side setup: (Run on the Linux machine unless otherwise noted)

1.       Open the firewall for NFSv4 ports

2.       Remove existing /etc/krb5.keytab if any

3.       Edit /etc/centrifydc/centrifydc.conf and set:  adclient.krb5.keytab.entries: 1

4.       Join the AD Domain: adjoin centrify.dev –z nfszone

5.       *Depending on the version of nfs-utils the MS AD Domain and Forest level:

If nfs-utils is less than version 1.1.0:

If the MS AD level is 2000 or 2003 then: use ADSIEdit from Windows and go to the properties for the client machine and set the userPrincipleName to nfs/nfsclient.centrify.dev@CENTRIFY.DEV

If the MS AD level is 2008/2008R2 then: use ADSIEdit from Windows and go to the properties for the client machine and set the userPrincipleName to nfs/nfsclient.centrify.dev

Run: rpc.gssd

If nfs-utils is equal or greater than version 1.1.0:

Run: /usr/share/centrifydc/Kerberos/bin/kinit -k <host>$

Run: rpc.gssd -n

Note: 
DirectControl helps simplify this process by providing most of the Kerberos related parts. Out of the box, DirectControl will automatically set up the necessary NFS service principals and generate the Kerberos keytab files to support NFS v4 Kerberized servers.

For NFS v4 clients, some tricks are necessary to deal with its special user principal name (UPN) requirements. Specifically, the NFS v4 client uses the computer account principal in a special UPN format: "nfs/hostfqdn@REALM" (hostfqdn, is the full DNS name of your local host) when mounting volumes as root.

Normally Windows KDCs do not support this format. As a work-around, a system administrator can populate the userPrincipalName attribute of the local computer's Active Directory object, using ADSI Edit, Centrify's adkeytab utility, or Open LDAP's ldapmodify shipped with DirectControl. An alternative to populating the computer account's UPN may be implemented if you have an rpc.gssd that supports the -n option (nfs-utils version 1.1.0 or newer). In this case you can pre-create a credential cache for the root user with your local short host name:

/usr/share/centrifydc/kerberos/bin/kinit -k <hostname>$ 
 

6.       Edit  /etc/sysconfig/nfs and set: SECURE_NFS=”yes”

7.       Restart NFS: service nfs restart

8.       Create a mount point directory: mkdir /nfsmnt; chmod 0755 /nfsmnt

9.       Run: mount –t nfs4 –o sec=krb5p nfsserver.centrify.dev:/ /nfsmnt

Note:  Redhat 4 only supports DES encryption type and not ArcFour.  To make this work on Redhat 4, you need to modify /etc/krb5.conf and /etc/centrifydc/centrifydc.conf files and move DES to front in line as follows:

krb5.conf:

default_tgs_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5

Centriydc.conf:

adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc aes256-cts aes128-cts arcfour-hmac-md5

On AIX and Solaris, you need to change /etc/centrifydc/centrifydc.conf to:

adclient.krb5.permitted.encryption.types: des-cbc-crc des-cbc-md5 arcfour-hmac-md5
adclient.krb5.tkt.encryption.types: des-cbc-crc des-cbc-md5 arcfour-hmac-md5

adclient.force.salt.lookup: true
 

Change /etc/krb5/krb5.conf, [libdefaults]: 

default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5 arcfour-hmac-exp

restart adclient, and gssd.

Note:
In the latest patch for Windows 2008R2, DES encryption is off by default.  You will need to turn this on. See: KB-2098: How to configure Windows 2008 R2 to support DES/nfsv4?