Section 6 - NFS

Provide network shares to specific clients

`### Server installation and configuration`

## install required packages[root@rhel7server1 ~]# yum -y install nfs-utils [root@rhel7server1 ~]# mkdir /test1 /test2 [root@rhel7server1 ~]# getsebool -a | grep nfs_export nfs_export_all_ro --> on nfs_export_all_rw --> on ## if not set to on, set it, otherwise skip this step [root@rhel7server1 ~]# setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1 ## add firewall rules [root@rhel7server1 ~]# firewall-cmd --permanent --add-service=nfs success[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=rpc-bind success [root@rhel7server1 ~]# firewall-cmd --reload success ## enable and start the services [root@rhel7server1 ~]# systemctl enable rpcbind [root@rhel7server1 ~]# systemctl enable nfs-server Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service. [root@rhel7server1 ~]# systemctl start rpcbind [root@rhel7server1 ~]# systemctl start nfs-server ## define and export the dir to be shared [root@rhel7server1 ~]#vi /etc/exports

/etc/exports

/test1   192.168.0.20(rw,no_root_squash)

                        /test2   192.168.0.20(sync)

## what are the NFS sharing options available

rw: Share as read-write. Keep in mind that normal Linux permissions still apply. (Note that this is a default option.)
ro: Share as read-only.
sync: File data changes are made to disk immediately, which has an impact on performance, but is less likely to result in data loss. On some distributions this is the default.
async: The opposite of sync; file data changes are made initially to memory. This speeds up performance but is more likely to result in data loss. On some distributions this is the default.
root_squash: Map the root user and group account from the NFS client to the anonymous accounts, typically either the nobody account or the nfsnobody account. See the next section, “User ID Mapping,” for more details. (Note that this is a default option.)
no_root_squash: Map the root user and group account from the NFS client to the local root and group accounts.

[root@rhel7server1 ~]# exportfs -avr exporting 192.168.0.20:/test2 exporting 192.168.0.20:/test1 [root@rhel7server1 ~]# cat /var/lib/nfs/etab /test2 192.168.0.20(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks, acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash) /test1 192.168.0.20(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks, acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,no_root_squash,no_all_squash)

`### Client Installation and Configuration`

## install required packages[root@rhel7client1 ~]# yum -y install nfs-utils [root@rhel7client1 ~]# systemctl enable rpcbind [root@rhel7client1 ~]# systemctl start rpcbind ## create mountpoint directories [root@rhel7client1 ~]# mkdir /test1 /test2 ## mount the NFS shares [root@rhel7client1 ~]# mount -t nfs -o rw rhel7server1:/test1 /test1 [root@rhel7client1 ~]# mount -t nfs -o ro rhel7server1:/test2 /test2 ## verify [root@rhel7client1 ~]# df -h /test1 /test2 Filesystem Size Used Avail Use% Mounted on rhel7server1:/test1 46G 8.5G 37G 19% /test1 rhel7server1:/test2 46G 8.5G 37G 19% /test2 ## ensure NFS shares mounted on reboot [root@rhel7client1 ~]# vi /etc/fstab
## add following



                        rhel7server1:/test1    /test1    nfs    _netdev,rw     0    0

rhel7server1:/test2    /test2    nfs    _netdev,ro     0    0

## unmount the NFS shares [root@rhel7client1 ~]# umount /test1 [root@rhel7client1 ~]# umount /test2## validate the fstab[root@rhel7client1 ~]# mount -a [root@rhel7client1 ~]# df -h /test1 /test2 Filesystem Size Used Avail Use% Mounted on /dev/mapper/rhel-root 46G 8.5G 37G 19% / /dev/mapper/rhel-root 46G 8.5G 37G 19% /

back to Objectives

Provide network shares suitable for group collaboration

`### Server setup`

## assuming NFS packages already installed[root@rhel7server1 ~]# groupadd -g 7654 nfsdatagrp [root@rhel7server1 ~]# useradd -g nfsdatagrp user3 [root@rhel7server1 ~]# useradd -g nfsdatagrp user4 [root@rhel7server1 ~]# mkdir /nfsdata [root@rhel7server1 ~]# chown nfsnobody.nfsdatagrp /nfsdata ## turn on setgid permission and grant group full permssion [root@rhel7server1 ~]# chmod 2770 /nfsdata [root@rhel7server1 ~]# vi /etc/exports ## add the following ## 192.168.0.20 is the client's IP /nfsdata 192.168.0.20(rw,no_root_squash) ## validate the config [root@rhel7server1 ~]# exportfs -avr exporting 192.168.0.20:/nfsdata [root@rhel7server1 ~]# cat /var/lib/nfs/etab /nfsdata 192.168.0.20(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks, acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,no_root_squash,no_all_squash)

`### Client setup`

## create the users, with same gid as that in the NFS server[root@rhel7client1 ~]# groupadd -g 7654 nfsdatagrp [root@rhel7client1 ~]# useradd -g nfsdatagrp user3 [root@rhel7client1 ~]# useradd -g nfsdatagrp user4 [root@rhel7client1 ~]# passwd user3 [root@rhel7client1 ~]# passwd user4 ## create mountpoint and edit /etc/fstab [root@rhel7client1 ~]# mkdir /nfsdata [root@rhel7client1 ~]# vi /etc/fstab ## add the following to end of the file ## 192.168.0.10 is the server's IP 192.168.0.10:/nfsdata /nfsdata nfs _netdev,rw 0 0 ## mount [root@rhel7client1 ~]# mount -a ## verify [root@rhel7client1 ~]# df -h /nfsdata Filesystem Size Used Avail Use% Mounted on 192.168.0.10:/nfsdata 46G 8.5G 37G 19% /nfsdata [root@rhel7client1 ~]# su - user3 [user3@rhel7client1 ~]$ touch /nfsdata/user3.txt [user3@rhel7client1 ~]$ exit logout [root@rhel7client1 ~]# su - user4 [user4@rhel7client1 ~]$ touch /nfsdata/user4.txt [user4@rhel7client1 ~]$ exit logout [root@rhel7client1 ~]# ls -la /nfsdata total 0 drwxrws---. 2 nfsnobody nfsdatagrp 40 Jun 15 22:53 . dr-xr-xr-x. 21 root root 284 Jun 15 22:24 .. -rw-r--r--. 1 user3 nfsdatagrp 0 Jun 15 22:53 user3.txt -rw-r--r--. 1 user4 nfsdatagrp 0 Jun 15 22:53 user4.txt

back to Objectives

Use Kerberos to control access to NFS network shares

## assume the following servers ## (1) KDC server - 192.168.0.30 : rhel7mgmt1.myexample.com ## (2) NFS client & KDC client - 192.168.0.20 : rhel7client1.myexample.com ## (3) NFS server & KDC client - 192.168.0.10 : rhel7server1.myexample.com ## ## in lieu of DNS, add the following to /etc/hosts file of all the machines
192.168.0.10 rhel7server1 rhel7server1.myexample.com 192.168.0.20 rhel7client1 rhel7client1.myexample.com 192.168.0.30 rhel7mgmt1 rhel7mgmt1.myexample.com ## Assumptions ## (1) KDC server setup already done in the KDC server as described here ## (2) KDC client setup already done in the NFS client as described here

`### On the NFS server (rhel7server1.myexample.com) set up the KDC Client`

## install the required packages[root@rhel7server1 ~]# yum -y install krb5-workstation pam_krb5
## edit /etc/krb5.conf and use the same config as the server

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well

                        includedir /etc/krb5.conf.d/

                        

                        [logging]

                         default = FILE:/var/log/krb5libs.log

                         kdc = FILE:/var/log/krb5kdc.log

                         admin_server = FILE:/var/log/kadmind.log

                        

                        [libdefaults]

                         dns_lookup_realm = false

                         ticket_lifetime = 24h

                         renew_lifetime = 7d

                         forwardable = true

                         rdns = false

                         default_realm = MYEXAMPLE.COM

                         default_ccache_name = KEYRING:persistent:%{uid}

                        

                        [realms]

                         MYEXAMPLE.COM = {

                          kdc = rhel7mgmt1.myexample.com

                          admin_server = rhel7mgmt1.myexample.com

                         }

                        

                        [domain_realm]

 .myexample.com = MYEXAMPLE.COM

                         myexample.com = MYEXAMPLE.COM

## connect to the kadmin server and add host principal and nfs service principal [root@rhel7server1 ~]# kadmin Authenticating as principal root/admin@MYEXAMPLE.COM with password. Password for root/admin@MYEXAMPLE.COM: kadmin: addprinc -randkey host/rhel7server1.myexample.com WARNING: no policy specified for host/rhel7server1.myexample.com@MYEXAMPLE.COM; defaulting to no policy Principal "host/rhel7server1.myexample.com@MYEXAMPLE.COM" created. kadmin: ktadd host/rhel7server1.myexample.com Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin: addprinc -randkey nfs/rhel7server1.myexample.com WARNING: no policy specified for nfs/rhel7server1.myexample.com@MYEXAMPLE.COM; defaulting to no policy Principal "nfs/rhel7server1.myexample.com@MYEXAMPLE.COM" created. kadmin: ktadd nfs/rhel7server1.myexample.com Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin: quit ## edit /etc/ssh/ssh_config [root@rhel7server1 ~]# vi /etc/ssh/ssh_config
# uncomment GSSAPIAuthentication & set the value to yes # uncomment GSSAPIDelegateCredentials & set the value to yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes## create the test user [root@rhel7server1 ~]# useradd krbtest ## enable kerberos authentication [root@rhel7server1 ~]# authconfig --enablekrb5 --update ## verify kerberos authentication [root@rhel7server1 ~]# su - krbtest [krbtest@rhel7server1 ~]$ kinit Password for krbtest@MYEXAMPLE.COM:[krbtest@rhel7server1 ~]$ klist Ticket cache: KEYRING:persistent:1001:1001 Default principal: krbtest@MYEXAMPLE.COM Valid starting Expires Service principal 06/17/2020 13:41:32 06/18/2020 13:41:29 krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM [krbtest@rhel7server1 ~]$ ssh rhel7mgmt1.myexample.com The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established. ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg. ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts. Last login: Wed Jun 17 13:22:37 2020 from rhel7client1.myexample.com [krbtest@rhel7mgmt1 ~]$

`### Configure NFS shares to use Kerberos`

## Assuming that the server rhel7server1 have been configured to provide NFS shares as described here ## create the directory to share [root@rhel7server1 ~]# mkdir /krbdata [root@rhel7server1 ~]# chmod 0777 /krbdata [root@rhel7server1 ~]# semanage fcontext --a -t public_content_rw_t "/krbdata(/.*)?" [root@rhel7server1 ~]# restorecon -R /krbdata [root@rhel7server1 ~]# ls -ldZ /krbdata drwxrwxrwx. root root unconfined_u:object_r:public_content_rw_t:s0 /krbdata ## edit /etc/exports [root@rhel7server1 ~]# vi /etc/exports

/etc/exports

/krbdata rhel7client1.myexample.com(rw,no_root_squash,sec=krb5)

## Note the following options for "sec" paramter as per RHEL7 documentation: ## validate [root@rhel7server1 ~]# exportfs -avr exporting rhel7client1.myexample.com:/krbdata [root@rhel7server1 ~]# showmount -e localhost Export list for localhost: /krbdata rhel7client1.myexample.com ## reboot the NFS server for consistent behaviour

`### Test from NFS client (rhel7client1.myexample.com)`

## Assuming that the machine have been configured as NFS client as described here ## connect to kadmin and add the nfs service principal for this client [root@rhel7client1 ~]# kadmin Authenticating as principal root/admin@MYEXAMPLE.COM with password. Password for root/admin@MYEXAMPLE.COM: kadmin: addprinc -randkey nfs/rhel7client1.myexample.com WARNING: no policy specified for nfs/rhel7client1.myexample.com@MYEXAMPLE.COM; defaulting to no policy Principal "nfs/rhel7client1.myexample.com@MYEXAMPLE.COM" created. kadmin: ktadd nfs/rhel7client1.myexample.com Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin: quit ## enable and start nfs-client.target [root@rhel7client1 ~]# systemctl enable nfs-client.target [root@rhel7client1 ~]# systemctl start nfs-client.target ## create mountpoint directory [root@rhel7client1 ~]# mkdir /mnt/krbdata ## Verify - mount using nfs4 [root@rhel7client1 ~]# mount -t nfs4 -o sec=krb5 rhel7server1.myexample.com:/krbdata /mnt/krbdata [root@rhel7client1 ~]# df -h /mnt/krbdata Filesystem Size Used Avail Use% Mounted on rhel7server1.myexample.com:/krbdata 85G 5.6G 80G 7% /mnt/krbdata ## become user krbtest [root@rhel7client1 ~]# su - krbtest Last login: Wed Jun 17 15:02:41 +08 2020 on pts/0 ## test cd to the NFS mount point without Kerberos token, you will get Permission denied error [krbtest@rhel7client1 ~]$ cd /mnt/krbdata -bash: cd: /mnt/krbdata: Permission denied ## run kinit to obtain the Kerberos token for user krbtest[krbtest@rhel7client1 ~]$ kinit Password for krbtest@MYEXAMPLE.COM: [krbtest@rhel7client1 ~]$ cd /mnt/krbdata [krbtest@rhel7client1 krbdata]$ touch krbtest.txt [krbtest@rhel7client1 krbdata]$ ls -l total 0 -rw-rw-r--. 1 krbtest krbtest 0 Jun 17 15:21 krbtest.txt
## now the user is allowed to cd to the NFS mount point and can write a file to it.

back to Objectives

References

1. https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/