
Integrating NIS + KERBEROS + NFS4

Written By 1 on Tuesday, June 14, 2011 | 3:14 AM

Goal: share "/test" on stationX.example.com over NFSv4 using the Kerberos security method, with the example realm TESTSERVER1.EXAMPLE.COM and KDC IP 192.168.30.119.

Configuring NIS
/etc/sysconfig/network
NISDOMAIN=testserver1
YPSERV_ARGS='-p 808'
Save and exit
nisdomainname testserver1
service network restart
chkconfig network on
yum -y install ypserv*
service ypserv restart
chkconfig ypserv on
service portmap restart
chkconfig portmap on
NOTE: NTP time must be the same on both machines, otherwise Kerberos will have problems.
useradd user1   (do not set a password)
/usr/lib/yp/ypinit -m        or: make -C /var/yp
On stationY.example.com
System->Administration->Authentication->Enable NIS Support
NIS Domain -> testserver1
NIS Server -> stationx.example.com
ypcat passwd   (this must list the user user1; after adding every new user you must run
"make -C /var/yp", only then is the user added to the NIS database)

Configuring Kerberos
yum -y install krb5*
chkconfig kadmin on
chkconfig krb5kdc on
Note: take backups of the original files before configuring.

Help:
kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank             Add principal
delete_principal, delprinc               Delete principal
modify_principal, modprinc               Modify principal
change_password, cpw                     Change password
get_principal, getprinc                  Get principal
list_principals, listprincs,
    get_principals, getprincs            List principals
add_policy, addpol                       Add policy
modify_policy, modpol                    Modify policy
delete_policy, delpol                    Delete policy
get_policy, getpol                       Get policy
list_policies, listpols,
    get_policies, getpols                List policies
get_privs, getprivs                      Get privileges
ktadd, xst                               Add entry(s) to a keytab
ktremove, ktrem                          Remove entry(s) from a keytab
lock                                     Lock database exclusively (use with extreme caution!)
unlock                                   Release exclusive database lock
list_requests, lr, ?                     List available requests.
quit, exit, q                            Exit program.
vi /etc/krb5.conf
[libdefaults]
 default_realm = TESTSERVER1.EXAMPLE.COM

[realms]
 TESTSERVER1.EXAMPLE.COM = {
  kdc = 192.168.30.119:88
  admin_server = 192.168.30.119:749
 }
(remove the default_domain line from the realm block)

[domain_realm]   CAREFUL, DO NOT BE IN A HURRY HERE: the host-to-realm mappings must be exact
 testserver1.example.com = TESTSERVER1.EXAMPLE.COM
 stationy.example.com = TESTSERVER1.EXAMPLE.COM

[appdefaults]
 validate = true
Save and exit

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@TESTSERVER1.EXAMPLE.COM *
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 TESTSERVER1.EXAMPLE.COM = {
 master_key_type = des3-hmac-sha1    (Uncomment)
 default_principal_flags=+preauth (need to be added)
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

kdb5_util create -r TESTSERVER1.EXAMPLE.COM -s
(enter the database master password when prompted; it is very important to remember it and keep it secure)
kadmin.local
addprinc user1                  (set a password, say abc123)
addprinc root/admin
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin      (see kadm5.acl)
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
addprinc -randkey host/testserver1.example.com
ktadd -k /etc/krb5.keytab host/testserver1.example.com
quit
restorecon -R -v /var/kerberos/krb5kdc
restorecon -R -v /var/log
service kadmin restart
service krb5kdc restart
scp /etc/krb5.conf stationY.example.com:/etc      (copy to every host that is to be added to the Kerberos realm)
On stationY.example.com
System -> Administration -> Authentication -> Enable Kerberos Support
chcon -t krb5_conf_t /etc/krb5.conf
kadmin -p root/admin
addprinc -randkey host/stationY.example.com
ktadd -k /etc/krb5.keytab host/stationY.example.com
restorecon /etc/krb5.keytab
Note: log in on tty1 as user1 with password abc123,
then type klist; you must see a ticket from the Kerberos server.
Configuring NFS on testserver1.example.com
useradd nfsuser
vim /etc/sysconfig/nfs
LOCKD_TCPPORT=1200
LOCKD_UDPPORT=1200
MOUNTD_PORT=1201
STATD_PORT=1202
SECURE_NFS="yes"
mkdir /test
chmod 775 /test
chown nfsuser:nfsuser /test
vim /etc/exports   (see man exports)
Security options for the client specification:
  gss/krb5    (authentication only)
  gss/krb5i   (integrity protection)
  gss/krb5p   (privacy protection)
/nfsv4share gss/krb5i(rw,sync,fsid=0,no_subtree_check)
Save and exit
Or, as an NFSv4 pseudo-root with a nested export (vim /etc/exports):
/exports           gss/krb5i(rw,sync,fsid=0,crossmnt)
/exports/home/nfs  gss/krb5i(rw,sync)
Save and exit
exportfs -r
kadmin.local
addprinc -randkey nfs/testserver1.example.com
ktadd nfs/testserver1.example.com
ktadd -e des-cbc-md5:normal -k /etc/krb5.keytab nfs/testserver1.example.com
quit
Note: des-cbc-md5:normal must be one of the supported_enctypes listed in /var/kerberos/krb5kdc/kdc.conf. A single-DES key is used here only because the NFS GSS code in kernels of that era supported nothing stronger; DES is cryptographically weak, so on later kernels prefer an AES enctype and drop the DES types from supported_enctypes.
/etc/init.d/rpcidmapd restart
chkconfig rpcidmapd on
/etc/init.d/rpcsvcgssd restart
chkconfig rpcsvcgssd on
/etc/init.d/rpcgssd restart
chkconfig rpcgssd on
/etc/init.d/kadmin restart
chkconfig kadmin on
/etc/init.d/krb5kdc restart
chkconfig krb5kdc on
/etc/init.d/nfs restart
chkconfig nfs on
/etc/init.d/portmap restart
chkconfig portmap on
/etc/init.d/ypserv restart
chkconfig ypserv on
make -C /var/yp   (run this whenever a new user is added on the NIS server, so the NIS maps are updated)

On the client server (stationY.example.com)
kadmin -p root/admin
addprinc -randkey nfs/stationY.example.com
ktadd nfs/stationY.example.com
ktadd -e des-cbc-md5:normal -k /etc/krb5.keytab nfs/stationY.example.com
quit
vim /etc/sysconfig/nfs
SECURE_NFS="yes"
Save and exit
/etc/init.d/rpcidmapd restart
chkconfig rpcidmapd on
/etc/init.d/rpcsvcgssd restart
chkconfig rpcsvcgssd on
/etc/init.d/rpcgssd restart
chkconfig rpcgssd on
/etc/init.d/nfs restart
chkconfig nfs on
mkdir -p /mnt/test
vim /etc/fstab
testserver1.example.com:/ /mnt/test nfs4 defaults,sec=krb5i 0 0
mount -a   (if this gives an error:)
1) Check iptables
2) Check SELinux
3) Check the configuration files
4) Restart all the services
TEST
log in on tty1 as nfsuser
cd /mnt/test
touch a b
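Once the mount works, the helpers below audit the points this setup leaves easy to get wrong. This is an added example, not code from the original post: it assumes input saved in the formats of klist -e -k, /etc/exports (both the page's gss/krb5i client syntax and the newer sec=krb5i option are recognised) and /proc/mounts, and it runs on constructed sample data.

```shell
#!/bin/sh
# Added audit helpers (not from the original post): parse `klist -e -k`,
# /etc/exports and /proc/mounts formats and flag DES keytab entries, exports
# without a Kerberos flavour, and NFS mounts with no integrity protection.

# Principals whose keytab entry uses a single-DES enctype (des-cbc-*).
# Argument: file holding the output of `klist -e -k /etc/krb5.keytab`.
weak_keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^[(]des-cbc-/ { gsub(/[()]/, "", $3); print $2, $3 }' "$1"
}

# Export paths where some client spec is neither gss/krb5* (old syntax) nor
# carries sec=krb5* (current syntax). Argument: file in /etc/exports format.
unprotected_exports() {
    awk '/^[[:space:]]*(#|$)/ { next }
         { for (i = 2; i <= NF; i++)
               if (index($i, "gss/krb5") != 1 && $i !~ /sec=krb5/) { print $1; break } }' "$1"
}

# NFS/NFSv4 mount points lacking sec=krb5i/sec=krb5p (sec=krb5 alone
# authenticates but leaves the data stream unprotected). Argument: /proc/mounts format.
mounts_without_integrity() {
    awk '$3 ~ /^nfs4?$/ && $4 !~ /(^|,)sec=krb5[ip](,|$)/ { print $2 }' "$1"
}

# Constructed samples; the DES entry mirrors the `ktadd -e des-cbc-md5:normal` step.
SAMPLE_DIR=$(mktemp -d)
KEYTAB_SAMPLE="$SAMPLE_DIR/klist.txt"; EXPORTS_SAMPLE="$SAMPLE_DIR/exports"; MOUNTS_SAMPLE="$SAMPLE_DIR/mounts"
cat > "$KEYTAB_SAMPLE" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testserver1.example.com@TESTSERVER1.EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/testserver1.example.com@TESTSERVER1.EXAMPLE.COM (des-cbc-md5)
EOF
cat > "$EXPORTS_SAMPLE" <<'EOF'
/nfsv4share gss/krb5i(rw,sync,fsid=0,no_subtree_check)
/test       *(rw,sync)
/srv/data   *(rw,sec=krb5p)
EOF
cat > "$MOUNTS_SAMPLE" <<'EOF'
testserver1.example.com:/ /mnt/test nfs4 rw,vers=4,sec=krb5i,addr=192.168.30.119 0 0
testserver1.example.com:/test /mnt/plain nfs rw,vers=3,sec=sys,addr=192.168.30.119 0 0
EOF
echo "DES keytab entries:";        weak_keytab_entries "$KEYTAB_SAMPLE"
echo "Exports without Kerberos:";  unprotected_exports "$EXPORTS_SAMPLE"
echo "Mounts without integrity:";  mounts_without_integrity "$MOUNTS_SAMPLE"
```

On a live host, feed the functions `klist -e -k /etc/krb5.keytab > /tmp/klist.txt`, /etc/exports and /proc/mounts instead of the samples.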
