Software >> OS >> Unix >> Linux >> RHEL >> 7 >> RHCE >> Section 6 - NFS

Provide network shares to specific clients


### Server installation and configuration


## install required packages


[root@rhel7server1 ~]# yum -y install nfs-utils

[root@rhel7server1 ~]# mkdir /test1 /test2

[root@rhel7server1 ~]# getsebool -a | grep nfs_export
nfs_export_all_ro --> on
nfs_export_all_rw --> on



## if not set to on, set it, otherwise skip this step
## NOTE: nfs_export_all_ro/nfs_export_all_rw let nfsd serve every file on the system regardless
## of its SELinux label. The tighter alternative is to leave them off and label only the exported
## trees (public_content_t / public_content_rw_t), as is done for /krbdata further down this page.


[root@rhel7server1 ~]# setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1


## add firewall rules
## the nfs service (2049/tcp) is all an NFSv4 mount needs; rpc-bind (and the mountd service,
## not opened here) are only consulted by NFSv3 clients and by showmount, so open only what
## your clients actually use

[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=nfs
success

[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=rpc-bind
success

[root@rhel7server1 ~]# firewall-cmd --reload
success


## enable and start the services


[root@rhel7server1 ~]# systemctl enable rpcbind

[root@rhel7server1 ~]# systemctl enable nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.

[root@rhel7server1 ~]# systemctl start rpcbind

[root@rhel7server1 ~]# systemctl start nfs-server


## define and export the dirs to be shared
## no_root_squash on /test1 lets root on 192.168.0.20 act as root on the server's /test1;
## keep the default root_squash unless the client genuinely needs root access.
## /test2 is given no access option, so it is exported with the exports(5) default of ro
## (confirmed by the etab output below)


[root@rhel7server1 ~]# vi /etc/exports

/etc/exports
/test1   192.168.0.20(rw,no_root_squash)
/test2   192.168.0.20(sync)


## what are the NFS sharing options available

  • rw: Share as read-write. Keep in mind that normal Linux permissions still apply, and a client-side mount option can never widen what the export allows.
  • ro: Share as read-only. This is the default when neither ro nor rw is given (the /test2 entry in the etab output below shows it).
  • sync: File data changes are committed to disk before the server replies, which costs performance but is less likely to lose data. This is the default (the /test1 etab entry shows sync although the export line did not ask for it).
  • async: The opposite of sync; the server replies before data reaches disk. Faster, but a server crash can lose acknowledged writes. Must be requested explicitly.
  • root_squash: Map the root user and group from the NFS client to the anonymous account, typically nobody or nfsnobody (anonuid=65534/anongid=65534 in the etab output below). This is the default.
  • no_root_squash: Map the root user and group from the NFS client to the local root user and group. This hands the client's root full control of the exported tree; use it only for trusted, single-purpose clients.
     


[root@rhel7server1 ~]# exportfs -avr
exporting 192.168.0.20:/test2
exporting 192.168.0.20:/test1


[root@rhel7server1 ~]# cat /var/lib/nfs/etab
/test2    192.168.0.20(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,
acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash)
/test1    192.168.0.20(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,
acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,no_root_squash,no_all_squash)

### Client Installation and Configuration

## install required packages

[root@rhel7client1 ~]# yum -y install nfs-utils

[root@rhel7client1 ~]# systemctl enable rpcbind

[root@rhel7client1 ~]# systemctl start rpcbind


## create mountpoint directories


[root@rhel7client1 ~]# mkdir /test1 /test2


## mount the NFS shares (the client's -o rw/ro is only a local restriction; the server's
## export options decide what is actually permitted, so /test2 stays read-only either way)


[root@rhel7client1 ~]# mount -t nfs -o rw rhel7server1:/test1 /test1

[root@rhel7client1 ~]# mount -t nfs -o ro rhel7server1:/test2 /test2


## verify


[root@rhel7client1 ~]# df -h /test1 /test2
Filesystem           Size  Used Avail Use% Mounted on
rhel7server1:/test1   46G  8.5G   37G  19% /test1
rhel7server1:/test2   46G  8.5G   37G  19% /test2


## ensure NFS shares mounted on reboot


[root@rhel7client1 ~]# vi /etc/fstab


## add following


rhel7server1:/test1    /test1    nfs    _netdev,rw     0    0
rhel7server1:/test2    /test2    nfs    _netdev,ro     0    0


## unmount the NFS shares

[root@rhel7client1 ~]# umount /test1

[root@rhel7client1 ~]# umount /test2


## validate the fstab
## df must list rhel7server1:/test1 and rhel7server1:/test2 again, exactly as in the earlier
## verify step; if it shows the local root filesystem for the mount points (as in the capture
## below) the shares did NOT mount - re-check the fstab entries and the output of mount -a


[root@rhel7client1 ~]# mount -a

[root@rhel7client1 ~]# df -h /test1 /test2
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/rhel-root   46G  8.5G   37G  19% /
/dev/mapper/rhel-root   46G  8.5G   37G  19% /


 

Provide network shares suitable for group collaboration

 

### Server setup

## assuming NFS packages already installed

[root@rhel7server1 ~]# groupadd -g 7654 nfsdatagrp

[root@rhel7server1 ~]# useradd -g nfsdatagrp user3

[root@rhel7server1 ~]# useradd -g nfsdatagrp user4

[root@rhel7server1 ~]# mkdir /nfsdata

[root@rhel7server1 ~]# chown nfsnobody.nfsdatagrp /nfsdata


## turn on the setgid bit (new files inherit the nfsdatagrp group) and grant the group full permission; others get no access


[root@rhel7server1 ~]# chmod 2770 /nfsdata

[root@rhel7server1 ~]# vi /etc/exports


## add the following
## 192.168.0.20 is the client's IP
## NOTE: no_root_squash is not needed for group collaboration - user3/user4 access the share
## under their own UIDs. Dropping it keeps the default root_squash, so a compromised or careless
## root on the client cannot rewrite the whole tree as root.


/nfsdata 192.168.0.20(rw,no_root_squash)


## validate the config


[root@rhel7server1 ~]# exportfs -avr
exporting 192.168.0.20:/nfsdata

[root@rhel7server1 ~]# cat /var/lib/nfs/etab
/nfsdata    192.168.0.20(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,
acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,no_root_squash,no_all_squash)


### Client setup

## create the users with the same UIDs/GIDs as on the NFS server: with the default sec=sys the
## server trusts the numeric IDs the client sends, so a mismatch silently maps to the wrong account

[root@rhel7client1 ~]# groupadd -g 7654 nfsdatagrp

[root@rhel7client1 ~]# useradd -g nfsdatagrp user3

[root@rhel7client1 ~]# useradd -g nfsdatagrp user4

[root@rhel7client1 ~]# passwd user3

[root@rhel7client1 ~]# passwd user4


## create mountpoint and edit /etc/fstab


[root@rhel7client1 ~]# mkdir /nfsdata

[root@rhel7client1 ~]# vi /etc/fstab


## add the following to end of the file
## 192.168.0.10 is the server's IP


192.168.0.10:/nfsdata   /nfsdata                nfs     _netdev,rw      0 0


## mount


[root@rhel7client1 ~]# mount -a


## verify


[root@rhel7client1 ~]# df -h /nfsdata
Filesystem             Size  Used Avail Use% Mounted on
192.168.0.10:/nfsdata   46G  8.5G   37G  19% /nfsdata

[root@rhel7client1 ~]# su - user3

[user3@rhel7client1 ~]$ touch /nfsdata/user3.txt

[user3@rhel7client1 ~]$ exit
logout

[root@rhel7client1 ~]# su - user4

[user4@rhel7client1 ~]$ touch /nfsdata/user4.txt

[user4@rhel7client1 ~]$ exit
logout

[root@rhel7client1 ~]# ls -la /nfsdata
total 0
drwxrws---.  2 nfsnobody nfsdatagrp  40 Jun 15 22:53 .
dr-xr-xr-x. 21 root      root       284 Jun 15 22:24 ..
-rw-r--r--.  1 user3     nfsdatagrp   0 Jun 15 22:53 user3.txt
-rw-r--r--.  1 user4     nfsdatagrp   0 Jun 15 22:53 user4.txt


 

Use Kerberos to control access to NFS network shares


## assume the following servers
## (1) KDC server - 192.168.0.30 : rhel7mgmt1.myexample.com
## (2) NFS client & KDC client - 192.168.0.20 : rhel7client1.myexample.com
## (3) NFS server & KDC client - 192.168.0.10 : rhel7server1.myexample.com
##
## in lieu of DNS, add the following to /etc/hosts file of all the machines

192.168.0.10  rhel7server1 rhel7server1.myexample.com
192.168.0.20  rhel7client1 rhel7client1.myexample.com
192.168.0.30  rhel7mgmt1   rhel7mgmt1.myexample.com


## Assumptions
## (1) KDC server setup already done in the KDC server as described here
## (2) KDC client setup already done in the NFS client as described here


### On the NFS server (rhel7server1.myexample.com) set up the KDC Client

## install the required packages

[root@rhel7server1 ~]# yum -y install krb5-workstation pam_krb5


## edit /etc/krb5.conf and use the same config as the server

/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYEXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MYEXAMPLE.COM = {
  kdc = rhel7mgmt1.myexample.com
  admin_server = rhel7mgmt1.myexample.com
 }

[domain_realm]
 .myexample.com = MYEXAMPLE.COM
 myexample.com = MYEXAMPLE.COM



## connect to the kadmin server and add the host principal and the nfs service principal
## (the ktadd output below shows this KDC still issuing DES, RC4 (arcfour-hmac) and 3DES keys;
## on a production KDC restrict supported_enctypes/permitted_enctypes to the AES types)

[root@rhel7server1 ~]# kadmin
Authenticating as principal root/admin@MYEXAMPLE.COM with password.
Password for root/admin@MYEXAMPLE.COM:

kadmin:  addprinc -randkey host/rhel7server1.myexample.com
WARNING: no policy specified for host/rhel7server1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "host/rhel7server1.myexample.com@MYEXAMPLE.COM" created.


kadmin:  ktadd host/rhel7server1.myexample.com
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7server1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.


kadmin:  addprinc -randkey nfs/rhel7server1.myexample.com
WARNING: no policy specified for nfs/rhel7server1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "nfs/rhel7server1.myexample.com@MYEXAMPLE.COM" created.

kadmin:  ktadd nfs/rhel7server1.myexample.com
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7server1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

kadmin:  quit


## edit /etc/ssh/ssh_config (only needed for the ssh single-sign-on check below, not for the NFS mount)


[root@rhel7server1 ~]# vi /etc/ssh/ssh_config


# uncomment GSSAPIAuthentication & set the value to yes
# uncomment GSSAPIDelegateCredentials & set the value to yes
# NOTE: GSSAPIDelegateCredentials forwards the user's TGT to every host they ssh to, and a
# compromised host can then act as that user; prefer enabling it in a Host stanza for the
# hosts that really need it rather than globally

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes



## create the test user

[root@rhel7server1 ~]# useradd krbtest


## enable kerberos authentication

[root@rhel7server1 ~]# authconfig --enablekrb5 --update


## verify kerberos authentication

[root@rhel7server1 ~]# su - krbtest

[krbtest@rhel7server1 ~]$ kinit
Password for krbtest@MYEXAMPLE.COM:

[krbtest@rhel7server1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: krbtest@MYEXAMPLE.COM

Valid starting       Expires              Service principal
06/17/2020 13:41:32  06/18/2020 13:41:29  krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM


[krbtest@rhel7server1 ~]$ ssh rhel7mgmt1.myexample.com
The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established.
ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg.
ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts.
Last login: Wed Jun 17 13:22:37 2020 from rhel7client1.myexample.com
[krbtest@rhel7mgmt1 ~]$

### Configure NFS shares to use Kerberos

## Assuming that the server rhel7server1 has been configured to provide NFS shares as described here
## create the directory to share
## NOTE: 0777 makes /krbdata world-writable and lets any user delete anyone else's files;
## prefer a group-owned 2770 directory (as with /nfsdata above) or at least 1777 (sticky bit)

[root@rhel7server1 ~]# mkdir /krbdata

[root@rhel7server1 ~]# chmod 0777 /krbdata

[root@rhel7server1 ~]# semanage fcontext --a -t public_content_rw_t "/krbdata(/.*)?"

[root@rhel7server1 ~]# restorecon -R /krbdata

[root@rhel7server1 ~]# ls -ldZ /krbdata
drwxrwxrwx. root root unconfined_u:object_r:public_content_rw_t:s0 /krbdata


## edit /etc/exports
## sec=krb5 authenticates users with Kerberos but does not protect the data on the wire
## (see the sec values below); no_root_squash is still unnecessary here

[root@rhel7server1 ~]# vi /etc/exports

/etc/exports
/krbdata rhel7client1.myexample.com(rw,no_root_squash,sec=krb5)


## Note the following values for the "sec" parameter as per the RHEL 7 documentation:
##   sec=sys   - default; AUTH_SYS, the server trusts the UID/GID the client sends (no real authentication)
##   sec=krb5  - Kerberos authenticates the user; RPC data is neither integrity-protected nor encrypted
##   sec=krb5i - as krb5, plus a checksum on every request/response (integrity, tamper detection)
##   sec=krb5p - as krb5i, plus encryption of the NFS traffic (privacy); strongest, highest CPU cost
## Several values may be given as a colon-separated list (sec=krb5p:krb5i:krb5); list the strongest first.

## validate

[root@rhel7server1 ~]# exportfs -avr
exporting rhel7client1.myexample.com:/krbdata

[root@rhel7server1 ~]# showmount -e localhost
Export list for localhost:
/krbdata rhel7client1.myexample.com


## restart the NFS server services (or reboot) so the GSS daemons pick up the new /etc/krb5.keytab
## and the kerberised export is re-read; a reboot is the blunt but reliable way to do it

### Test from NFS client (rhel7client1.myexample.com)

## Assuming that the machine has been configured as an NFS client as described here
## connect to kadmin and add the nfs service principal for this client

[root@rhel7client1 ~]# kadmin
Authenticating as principal root/admin@MYEXAMPLE.COM with password.
Password for root/admin@MYEXAMPLE.COM:

kadmin:  addprinc -randkey nfs/rhel7client1.myexample.com
WARNING: no policy specified for nfs/rhel7client1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "nfs/rhel7client1.myexample.com@MYEXAMPLE.COM" created.

kadmin:  ktadd nfs/rhel7client1.myexample.com
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/rhel7client1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

kadmin:  quit


## enable and start nfs-client.target (this brings up rpc.gssd, which a sec=krb5 mount needs:
## it uses the nfs/rhel7client1 key in /etc/krb5.keytab for the mount itself and each user's
## own ticket cache for that user's file access)

[root@rhel7client1 ~]# systemctl enable nfs-client.target

[root@rhel7client1 ~]# systemctl start nfs-client.target


## create mountpoint directory

[root@rhel7client1 ~]# mkdir /mnt/krbdata


## Verify - mount using nfs4


[root@rhel7client1 ~]# mount -t nfs4 -o sec=krb5 rhel7server1.myexample.com:/krbdata /mnt/krbdata

[root@rhel7client1 ~]# df -h /mnt/krbdata
Filesystem                           Size  Used Avail Use% Mounted on
rhel7server1.myexample.com:/krbdata   85G  5.6G   80G   7% /mnt/krbdata


## become user krbtest

[root@rhel7client1 ~]# su - krbtest
Last login: Wed Jun 17 15:02:41 +08 2020 on pts/0


## test cd to the NFS mount point without a Kerberos ticket: the server has no credential to
## authenticate krbtest with, so the request is rejected with Permission denied

[krbtest@rhel7client1 ~]$ cd /mnt/krbdata
-bash: cd: /mnt/krbdata: Permission denied


## run kinit to obtain a Kerberos ticket (TGT) for user krbtest

[krbtest@rhel7client1 ~]$ kinit
Password for krbtest@MYEXAMPLE.COM:

[krbtest@rhel7client1 ~]$ cd /mnt/krbdata

[krbtest@rhel7client1 krbdata]$ touch krbtest.txt

[krbtest@rhel7client1 krbdata]$ ls -l
total 0
-rw-rw-r--. 1 krbtest krbtest 0 Jun 17 15:21 krbtest.txt



## now the user is allowed to cd to the NFS mount point and can write a file to it.
## Access lasts only while the ticket is valid (ticket_lifetime = 24h in krb5.conf); after
## that kinit must be run again, which is the point of Kerberos-controlled NFS access.






References

1. https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/