configuring RHEL for kerberized NFSv4


This is the last of a few loosely coupled posts on installing and testing a Kerberized NFSv4 environment with EMC Isilon. To test NFSv4 against Isilon I needed a Linux client that is joined to the Active Directory domain and has NFSv4 enabled. This post shows the required configuration tasks.

I used a basic Red Hat Enterprise Linux 6.5 installation; for this to work you need at least RHEL 6.4 (the first release with the sssd AD provider used below).

network configuration:

The first thing to do after installation is to configure the network by editing “/etc/sysconfig/network-scripts/ifcfg-eth0”. We are going to use the Windows 2012 R2 Active Directory server configured in the previous post as DNS server:

Next we are configuring the hostname and gateway in “/etc/sysconfig/network”:

To change the hostname without a reboot use the following command:

It is crucial NOT to use an FQDN as the hostname!
This matters because the “rpc.gssd” service derives the Kerberos principal it looks for from the short hostname. At the bottom of the post I added some insights into this service.

Next add following line to the “/etc/hosts” file:

A Kerberos infrastructure will only work if the time difference between client and KDC is not greater than 5 minutes (the default maximum clock skew). The best way to keep them in sync is NTP: edit the file “/etc/ntp.conf” and add:

Afterwards, start the ntpdate service and make sure that it starts by default:

To finish network configuration issue a “service network restart” and validate the content of the file “/etc/resolv.conf”, which should be automatically updated to this:

authentication:

Starting with RHEL 6.4, Red Hat greatly improved the System Security Services Daemon (sssd), which now ships a native Active Directory provider.

First we use “authconfig” to configure our client to use sssd and to create home directories if they do not exist:

Next we have to edit/create some files:

/etc/krb5.conf

/etc/samba/smb.conf

/etc/sssd/sssd.conf

If you don’t want to maintain UID and GID in Active Directory, as described in the previous post, you can also set “ldap_id_mapping” to “true”. This ignores any manually configured UID and GID in Active Directory and generates them algorithmically from the object SID. The target NFS server then has to derive exactly the same IDs from the same SIDs, which EMC Isilon does not do; otherwise file ownership on the export will not match the IDs the client sees. There are more caveats on this topic that I won’t cover. Please have a look here for more information.

Make sure that sssd.conf is only readable by root (it can contain credentials) and that the service starts by default:

Now it is time to join our Active Directory domain with the user “administrator”:

If the command succeeded we are ready to start the “sssd” daemon.

Enumerating a user should now be possible:

You can now also log in to the client as an Active Directory user!

NFSv4:

Now let’s configure NFSv4 on the client.
First we have to enable NFSv4 and the secure (GSS) services in the file “/etc/sysconfig/nfs”:

To correctly map the NFSv4 “user@domain” names to local UIDs and GIDs, the file “/etc/idmapd.conf” has to be edited so that its domain matches the one used by the server:

The last part is to configure “rpcgssd” and “rpcidmapd” to start automatically and to actually start them:

Now you should be able to securely mount the Isilon NFSv4 export configured in this post:

Conclusion:

I think the hardest part in this series for configuring and testing NFSv4 was getting the Linux client running.
But after many frustrating hours of research and troubleshooting I was quite proud to get this running! 🙂

RPC GSSD:

“rpc.gssd” is used to establish a secure (Kerberos-authenticated) RPCSEC_GSS context with our NFS server. For that it needs the client’s machine credentials, which are stored by default in the keytab “/etc/krb5.keytab”. This file is written when joining the domain with “net ads join”. The rpcgssd service looks in this file for a suitable machine principal using a specific order and format:

rpc.gssd first searches for a UPN and NOT an SPN in our Active Directory database! When you join a computer to a Windows domain, the computer account gets a default UPN in the format <NETBIOSNAME>$@<REALM>. For our host it is “CLIENT1$@EMC.LAB” (Kerberos principal names are case-sensitive, and the NetBIOS name is upper-case).

And here is the problem: rpc.gssd substitutes “<HOSTNAME>” with the system hostname, which on RHEL 6 is set from the HOSTNAME line in “/etc/sysconfig/network”. With an FQDN as hostname it therefore looks for “CLIENT1.EMC.LAB$@EMC.LAB”, which does not exist in the keytab. So you will either have to use a hostname without the domain extension, or you will have to set a custom UPN when joining the domain using one of the formats specified above. This can be done for example by adding “createupn=’host/CLIENT1.EMC.LAB@EMC.LAB’ ” to the “net ads join” command.
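To make the hostname warning from the network section and the keytab search described here concrete, the following added example (my own code, not part of the original post or of nfs-utils) replays rpc.gssd’s principal lookup against “klist -k” output. The search order is the one documented in the rpc.gssd(8) man page (<HOSTNAME>$, then root/, nfs/ and host/ with the local hostname, then the same three services with any hostname); check the man page shipped with your nfs-utils version, since the list has grown over releases. The keytab listings are constructed sample data for the host from this post: one with only the machine-account entry a plain “net ads join” creates, one after re-joining with the createupn option. It works for any hostname and realm, not just client1 and EMC.LAB.

```shell
#!/bin/sh
# Added example: simulate the machine-credential lookup of rpc.gssd.
# Search order taken from rpc.gssd(8); the keytab contents below are
# constructed for this demonstration (run "klist -k" to see your own).

# Constructed "klist -k" output after a plain "net ads join"
# (assumption: only the machine account principal is present).
KEYTAB_DEFAULT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@EMC.LAB
   2 CLIENT1$@EMC.LAB'

# Constructed keytab after re-joining with
# createupn='host/CLIENT1.EMC.LAB@EMC.LAB'
KEYTAB_WITH_UPN="$KEYTAB_DEFAULT
   2 host/CLIENT1.EMC.LAB@EMC.LAB"

# hostname_is_short NAME: succeed when NAME carries no domain part,
# which is what the post requires for /etc/sysconfig/network.
hostname_is_short() {
    case $1 in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# keytab_principals: read "klist -k" output on stdin, print the principal
# column of every entry line (lines that start with a numeric KVNO).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# gssd_candidates HOSTNAME REALM: print the principal patterns rpc.gssd
# tries, in order. "*" stands for the <anyname> forms of the man page.
# Note that <HOSTNAME> is the complete system hostname in upper case,
# so an FQDN hostname yields CLIENT1.EMC.LAB$@REALM, not CLIENT1$@REALM.
gssd_candidates() {
    _upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    _lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' \
        "${_upper}\$@$2" \
        "root/${_lower}@$2" \
        "nfs/${_lower}@$2" \
        "host/${_lower}@$2" \
        "root/*@$2" \
        "nfs/*@$2" \
        "host/*@$2"
}

# gssd_pick HOSTNAME REALM < klist_output: print the first keytab principal
# that matches the search order; return 1 when nothing matches, which is
# the state in which rpc.gssd has no machine credential and sec=krb5*
# mounts fail. Matching is case-sensitive, like Kerberos principals.
gssd_pick() {
    _principals=$(keytab_principals)
    _match=$(
        gssd_candidates "$1" "$2" | while IFS= read -r pattern; do
            printf '%s\n' "$_principals" | while IFS= read -r princ; do
                case $princ in
                    $pattern) printf '%s\n' "$princ" ;;
                esac
            done
        done | head -n 1
    )
    [ -n "$_match" ] || return 1
    printf '%s\n' "$_match"
}

# Walk through the three situations from the post.
for h in client1 client1.emc.lab; do
    if p=$(printf '%s\n' "$KEYTAB_DEFAULT" | gssd_pick "$h" EMC.LAB); then
        echo "hostname $h: rpc.gssd would use $p"
    else
        echo "hostname $h: no usable principal in keytab (mount will fail)"
    fi
done
p=$(printf '%s\n' "$KEYTAB_WITH_UPN" | gssd_pick client1.emc.lab EMC.LAB)
echo "hostname client1.emc.lab with createupn: rpc.gssd would use $p"
```

Run it on the client with your real keytab by replacing the constructed listing with `klist -k | gssd_pick "$(hostname)" EMC.LAB`; an empty result before the first mount attempt is the quickest way to spot the FQDN-hostname mistake.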
