configuring RHEL for kerberized NFSv4


This is the last of a few loosely coupled posts on installing and testing a kerberized NFSv4 environment with EMC Isilon. To test NFSv4 with Isilon I required an Active Directory domain-joined, NFSv4-enabled Linux client. This post shows the required configuration tasks.

I used a basic Red Hat Enterprise Linux 6.5 installation; for this to work you will have to use at least RHEL 6.4.

network configuration:

The first thing to do after installation is to configure the network by editing “/etc/sysconfig/network-scripts/ifcfg-eth0”. We are going to use the Windows 2012 R2 Active Directory server configured in the previous post.

DEVICE="eth0"
IPADDR=192.168.186.5
NETMASK=255.255.255.0
ONBOOT="yes"
BOOTPROTO=none
DNS1=192.168.186.2
DOMAIN=EMC.LAB

Next we configure the hostname and gateway in “/etc/sysconfig/network”:

NETWORKING=yes
HOSTNAME=client1
GATEWAY=192.168.1.254

To change the hostname without a reboot, use the following command:

hostname client1

It is crucial NOT to use an FQDN as the hostname!
This is important because the “rpc gssd” service relies on a properly set <hostname>. At the bottom of the post I added some insights into this service.

Next add the following line to the “/etc/hosts” file:

192.168.186.5  client1  client1.emc.lab

A Kerberos infrastructure will only work if the difference between client and server time is not greater than 5 minutes. The best way to keep them in sync is to use NTP by editing the file “/etc/ntp.conf” and adding:

server dc1.emc.lab

Afterward start the ntpdate service and make sure that the service starts by default:

$> service ntpdate start
$> chkconfig ntpdate on

To finish the network configuration, issue a “service network restart” and validate the content of the file “/etc/resolv.conf”, which should be automatically updated to this:

; generated by /sbin/dhclient-script
nameserver 192.168.186.2
search EMC.LAB

authentication:

Starting with RHEL 6.4, Red Hat greatly improved the System Security Services Daemon (sssd).

First we use “authconfig” to configure our client to use sssd and to create home directories if they do not exist:

$> authconfig --enablesssdauth --enablesssd --enablemkhomedir --update

Next we have to edit/create some files:

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EMC.LAB
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]

[domain_realm]

/etc/samba/smb.conf

[global]
workgroup = EMC
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = EMC.LAB
security = ads

/etc/sssd/sssd.conf

[domain/emc.lab]
id_provider = ad
ldap_id_mapping = False

[sssd]
services = nss, pam
config_file_version = 2
domains = emc.lab

[nss]

[pam]

If you don’t want to maintain UID and GID in Active Directory, as described in the previous post, you can also set “ldap_id_mapping” to “true”. This will ignore any manually configured UID and GID in Active Directory and generate them from the object SID. The target NFS server also has to be capable of this feature; EMC Isilon isn’t. There are more caveats on this topic that I won’t cover. Please have a look here for more information.

Make sure that the sssd.conf is only readable by root and that the service starts by default:

$> chmod 0600 /etc/sssd/sssd.conf
$> chkconfig sssd on

Now it is time to join our Active Directory domain with the user “administrator”:

$> net ads join -k  -U Administrator
Using short domain name -- EMC
Joined 'CLIENT1' to dns domain 'emc.lab'

If the command was successful, we are ready to start the “sssd” daemon.

$> service sssd start

Enumerating a user should now be possible:

$> id user1
uid=10001(user1) gid=20000(linux_user) groups=20000(linux_user)

You can now also log in to your client as an Active Directory user!

NFSv4:

Now let’s configure NFSv4 on the client.
First we have to enable secure NFS in the file “/etc/sysconfig/nfs”:

SECURE_NFS="yes"

To be able to correctly resolve uid and gid, the file “/etc/idmapd.conf” has to be edited:

domain=EMC.LAB

The last part is to configure the “rpcgssd” and “rpcidmapd” services to start automatically and then actually start them:

$> chkconfig rpcgssd on
$> chkconfig rpcidmapd on
$> service rpcgssd start
$> service rpcidmapd start

Now you should be able to securely mount our Isilon NFSv4 export configured in this post:

$> mount -o vers=4,sec=krb5p isilonc1.emc.lab:/ifs/data/test /mnt
$> nfsstat -m
/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.186.6,minorversion=0,local_lock=none,addr=192.168.186.23

Conclusion:

I think the hardest part in this series for configuring and testing NFSv4 was getting the linux client running.
But after many frustrating hours of research and troubleshooting I was quite proud to get this running! 🙂

RPC GSSD:

“rpc gssd” is used to establish a secure connection to our NFS server using Kerberos. Keys are used for communication and are saved by default in “/etc/krb5.keytab”. This file is generated by joining the domain with “net ads join”. The rpcgssd service looks in this file for suitable machine credentials, using a specific order and format:

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

Rpcgssd is searching for a UPN and NOT an SPN in our Active Directory database! When you join a computer to a Windows domain, the computer account gets a default UPN in the format <netbiosname>$@<REALM>. For our host it would be “client1$@EMC.LAB”.

And here is the problem: “<HOSTNAME>” is substituted by the name defined in “/etc/sysconfig/network”. Therefore you will either have to use a hostname without the domain extension, or you’ll have to set a custom UPN in one of the formats specified above when joining the domain. This can be done, for example, by adding “createupn=’host/CLIENT1.EMC.LAB@EMC.LAB’” to the “net ads join” command.
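
The search order above can be modelled in a few lines of shell to see which keytab entry would be picked for a given hostname. This is an added example, not part of the original post and not rpc.gssd's own code; the function names and the sample keytab content are assumptions made for illustration. With the short hostname the machine account (the default UPN) is found first, while with an FQDN hostname the first candidate is missing and a “host/” entry is chosen, which per the post only works if it was set as the UPN with “createupn”.

```shell
#!/bin/sh
# Added example (not rpc.gssd source): models the keytab search order
# listed in this post. All principals below are constructed samples.

# Usage: <principals, one per line> | pick_gssd_principal HOSTNAME REALM
# Prints the first keytab principal matching the documented order.
pick_gssd_principal() {
    _host=$1
    _realm=$2
    _upper=$(printf '%s' "$_host" | tr '[:lower:]' '[:upper:]')
    _princs=$(cat)

    # Steps 1-4: machine account, then root/nfs/host with our exact hostname.
    for _want in "${_upper}\$@${_realm}" "root/${_host}@${_realm}" \
                 "nfs/${_host}@${_realm}" "host/${_host}@${_realm}"; do
        if printf '%s\n' "$_princs" | grep -qxF -- "$_want"; then
            printf '%s\n' "$_want"
            return 0
        fi
    done

    # Steps 5-7: root/nfs/host with any name in the realm.
    for _svc in root nfs host; do
        _hit=$(printf '%s\n' "$_princs" | awk -v pre="$_svc/" -v suf="@$_realm" '
            index($0, pre) == 1 &&
            substr($0, length($0) - length(suf) + 1) == suf { print; exit }')
        if [ -n "$_hit" ]; then
            printf '%s\n' "$_hit"
            return 0
        fi
    done
    return 1
}

# Constructed keytab content for the lab host in this post.
sample_keytab() {
    printf '%s\n' 'host/client1.emc.lab@EMC.LAB' \
                  'host/client1@EMC.LAB' \
                  'CLIENT1$@EMC.LAB'
}

# Short hostname: the machine account (default UPN) is chosen first.
echo "client1         -> $(sample_keytab | pick_gssd_principal client1 EMC.LAB)"
# FQDN hostname: CLIENT1.EMC.LAB$@EMC.LAB is absent, so a host/ entry wins.
echo "client1.emc.lab -> $(sample_keytab | pick_gssd_principal client1.emc.lab EMC.LAB)"
# On a real client, feed it the keytab instead of the sample:
#   klist -k /etc/krb5.keytab | awk 'NR>3 && !s[$2]++ {print $2}' \
#     | pick_gssd_principal "$(hostname)" EMC.LAB
```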
