Tuesday, April 26, 2016

Setting up Kerberized NFS



  • Setting up SELinux for NFS
    • vim /etc/sysconfig/nfs
      • RPCNFSDARGS="-V 4.2"
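    • semanage fcontext  -a -t public_content_rw_t "/secureshare(/.*)?"
    • restorecon -R -v /secureshare/
      • the fcontext pattern has to match the exported directory, and /secureshare must already exist (see the mkdir step under "On NFS Server") before restorecon can relabel it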

  • On NFS Server
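    • make the keytab available in NFS server
      • cp /tmp/nfs.keytab /etc/krb5.keytab
      • the keytab holds this host's long-term Kerberos keys: keep /etc/krb5.keytab owned by root with mode 0600, and remove the copy left in /tmp once it is installed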
    • start and enable nfs-server and nfs-secure-server
      • systemctl start nfs-server
      • systemctl enable nfs-server
      • systemctl start nfs-secure-server
      • systemctl enable nfs-secure-server
    • mkdir /secureshare
    • vim /etc/exports
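      • /secureshare *.example.com(sec=krb5p,rw)
        • sec=krb5p means Kerberos authentication plus integrity checking and encryption of the NFS traffic; with only this flavor listed, clients that mount with a weaker sec= option are refused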
    • exportfs -r
    • firewall-cmd --permanent --add-service=nfs
    • firewall-cmd  --reload
  • On NFS client
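    • make the keytab available in NFS client
      • cp /tmp/nfs.keytab /etc/krb5.keytab
      • use the keytab issued for this client host (not a copy of the server's), keep it owned by root with mode 0600, and remove the copy left in /tmp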
    • systemctl start nfs-secure
    • systemctl enable nfs-secure
    • mount -o sec=krb5p,v4.2 server2:/secureshare /mnt
    • vim /etc/fstab
      • server2:/secureshare /mnt nfs defaults,v4.2,sec=krb5p 0 0
Before (SELinux context of /secureshare prior to running restorecon):

[root@server3 ~]# ls -dZ /secureshare
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /secureshare

After (SELinux context of /secureshare once restorecon has applied the new fcontext rule):

[root@server3 ~]# ls -dZ /secureshare
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 /secureshare
