|   |     | 
| (45 intermediate revisions not shown) | 
| Line 1: | Line 1: | 
| - | This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA]. | + | This has been moved to [[NFS and FreeIPA]]. | 
| - |   | + |  | 
| - | Historically, configuring a secure NFSv4 export (or even a client) has beenchallenging, especially when it requires setting up of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm.
 | + |  | 
| - | FreeIPA provides a packaged service of [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5], [http://en.wikipedia.org/wiki/LDAP LDAP] and helper software (ntp, httpd for admin interface, etc) with both a cli and web-based admin interface.
 | + |  | 
| - |   | + |  | 
| - | = Notes =
 | + |  | 
| - |   | + |  | 
| - | *These instructions are for [http://www.fedora.org/ Fedora 15].  Other distros will require similar setup - the key differences will be:
 | + |  | 
| - | **a package installation tool other than yum
 | + |  | 
| - | **a different config file layout
 | + |  | 
| - |   | + |  | 
| - | *This example uses a private network (192.168.56.0/24) with a fake DNS realm (example.fake).  Using real IPs with a real DNS server should be very similar.
 | + |  | 
| - |   | + |  | 
| - | *For simplicity, this domain only has one server (server.example.fake) and one client (client1.example.fake).
 | + |  | 
| - |   | + |  | 
| - | *This example is running on a NAT'd private network, so I just turned off the firewall on the server!  You probably shouldn't do that!  You'll need toallow traffic on:
 | + |  | 
| - | ** port 53 (TCP and UDP) for named
 | + |  | 
| - | ** port 80, 443 (TCP) for httpd (FreeIPA web interface)
 | + |  | 
| - | ** ports 88 and 464 (TCP and UDP) for Kerberos
 | + |  | 
| - | ** ports 389, 636 (TCP and UDP) for LDAP
 | + |  | 
| - | ** ports 123 (UDP) for NTP (network time protocol)
 | + |  | 
| - | ** port 2049 (TCP and UDP) for NFS
 | + |  | 
| - |   | + |  | 
| - | *All commands are run as root on both the client and server.  Either login as root or prepend "sudo " to each command.
 | + |  | 
| - |   | + |  | 
| - | = Configure DNS realm =
 | + |  | 
| - |   | + |  | 
| - | You might not need to do this.  If you're just setting up a client of FreeIPA, you can skip this section entirely.  
 | + |  | 
| - |   | + |  | 
| - | == Configure existing DNS realm ==
 | + |  | 
| - |   | + |  | 
| - | Make sure the full DNS names and reverse mappings for server(s) and client(s) are in DNS.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# nslookup server.example.fake | + |  | 
| - | Server:		192.168.56.20
 | + |  | 
| - | Address:	192.168.56.20#53
 | + |  | 
| - |   | + |  | 
| - | Name:	server.example.fake
 | + |  | 
| - | Address: 192.168.56.20
 | + |  | 
| - |   | + |  | 
| - | [root@client1 ~]# nslookup 192.168.56.20 | + |  | 
| - | Server:		192.168.56.20
 | + |  | 
| - | Address:	192.168.56.20#53
 | + |  | 
| - |   | + |  | 
| - | 20.56.168.192.in-addr.arpa	name = server.example.fake.
 | + |  | 
| - |   | + |  | 
| - | [root@client1 ~]# nslookup client1.example.fake
 | + |  | 
| - | Server:		192.168.56.20
 | + |  | 
| - | Address:	192.168.56.20#53
 | + |  | 
| - |   | + |  | 
| - | Name:	client1.example.fake
 | + |  | 
| - | Address: 192.168.56.40
 | + |  | 
| - |   | + |  | 
| - | [root@client1 ~]# nslookup 192.168.56.40
 | + |  | 
| - | Server:		192.168.56.20
 | + |  | 
| - | Address:	192.168.56.20#53
 | + |  | 
| - |   | + |  | 
| - | 40.56.168.192.in-addr.arpa	name = client1.example.fake.
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Add the service entries for FreeIPA auto discovery. They are of the form:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | ; DNS auto discovery of services
 | + |  | 
| - | _ldap._tcp      SRV 10 10 389 server.example.fake.
 | + |  | 
| - | _kerberos._udp  SRV 10 10 88 server.example.fake.
 | + |  | 
| - | _kerberos._tcp  SRV 10 10 88 server.example.fake.
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Create a new DNS realm ==
 | + |  | 
| - |   | + |  | 
| - | If you are setting up a new domain, follow these instructions: [[Fake_DNS_Realm|Create a fake DNS realm for testing]].  If you are making a real DNS zone, these instructions should point you in the right direction.
 | + |  | 
| - |   | + |  | 
| - | = Install and configure the FreeIPA server =
 | + |  | 
| - |   | + |  | 
| - | Install and configure the FreeIPA software on the server (server.example.fake).
 | + |  | 
| - |   | + |  | 
| - | == Install the FreeIPA server and admintools package ==
 | + |  | 
| - |   | + |  | 
| - | This step fetches and installs FreeIPA and it's dependencies.  It will install around 100 packages, depending on what you already have installed.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# yum install freeipa-server freeipa-admintools
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Configure FreeIPA server ==
 | + |  | 
| - |   | + |  | 
| - | Run the '''ipa-server-install''' program.  This takes a while.
 | + |  | 
| - |   | + |  | 
| - | All of the default answers should work if DNS hostnames and services are set up correctly and the full domain name is returned by hostname.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa-server-install 
 | + |  | 
| - |   | + |  | 
| - | The log file for this installation can be found in /var/log/ipaserver-install.log
 | + |  | 
| - | ==============================================================================
 | + |  | 
| - | This program will set up the FreeIPA Server.
 | + |  | 
| - |   | + |  | 
| - | This includes:
 | + |  | 
| - |   * Configure the Network Time Daemon (ntpd)
 | + |  | 
| - |   * Create and configure an instance of Directory Server
 | + |  | 
| - |   * Create and configure a Kerberos Key Distribution Center (KDC)
 | + |  | 
| - |   * Configure Apache (httpd)
 | + |  | 
| - |   | + |  | 
| - | To accept the default shown in brackets, press the Enter key.
 | + |  | 
| - |   | + |  | 
| - | Enter the fully qualified domain name of the computer
 | + |  | 
| - | on which you're setting up server software. Using the form
 | + |  | 
| - | <hostname>.<domainname>
 | + |  | 
| - | Example: master.example.com.
 | + |  | 
| - |   | + |  | 
| - |   | + |  | 
| - | Server host name [server.example.fake]: 
 | + |  | 
| - |   | + |  | 
| - | The domain name has been calculated based on the host name.
 | + |  | 
| - |   | + |  | 
| - | Please confirm the domain name [example.fake]: 
 | + |  | 
| - |   | + |  | 
| - | The IPA Master Server will be configured with
 | + |  | 
| - | Hostname:    server.example.fake
 | + |  | 
| - | IP address:  192.168.56.20
 | + |  | 
| - | Domain name: example.fake
 | + |  | 
| - |   | + |  | 
| - | The kerberos protocol requires a Realm name to be defined.
 | + |  | 
| - | This is typically the domain name converted to uppercase.
 | + |  | 
| - |   | + |  | 
| - | Please provide a realm name [EXAMPLE.FAKE]: 
 | + |  | 
| - | Certain directory server operations require an administrative user.
 | + |  | 
| - | This user is referred to as the Directory Manager and has full access
 | + |  | 
| - | to the Directory for system management tasks and will be added to the
 | + |  | 
| - | instance of directory server created for IPA.
 | + |  | 
| - | The password must be at least 8 characters long.
 | + |  | 
| - |   | + |  | 
| - | Directory Manager password: 
 | + |  | 
| - | Password (confirm): 
 | + |  | 
| - |   | + |  | 
| - | The IPA server requires an administrative user, named 'admin'.
 | + |  | 
| - | This user is a regular system account used for IPA server administration.
 | + |  | 
| - |   | + |  | 
| - | IPA admin password: 
 | + |  | 
| - | Password (confirm): 
 | + |  | 
| - |   | + |  | 
| - |   | + |  | 
| - | The following operations may take some minutes to complete.
 | + |  | 
| - | Please wait until the prompt is returned.
 | + |  | 
| - |   | + |  | 
| - | Configuring ntpd
 | + |  | 
| - |   [1/4]: stopping ntpd
 | + |  | 
| - |   [2/4]: writing configuration
 | + |  | 
| - |   [3/4]: configuring ntpd to start on boot
 | + |  | 
| - |   [4/4]: starting ntpd
 | + |  | 
| - | done configuring ntpd.
 | + |  | 
| - | Configuring directory server for the CA: Estimated time 30 seconds
 | + |  | 
| - |   [1/3]: creating directory server user
 | + |  | 
| - |   [2/3]: creating directory server instance
 | + |  | 
| - |   [3/3]: restarting directory server
 | + |  | 
| - | done configuring pkids.
 | + |  | 
| - | Configuring certificate server: Estimated time 6 minutes
 | + |  | 
| - |   [1/17]: creating certificate server user
 | + |  | 
| - |   [2/17]: creating pki-ca instance
 | + |  | 
| - |   [3/17]: restarting certificate server
 | + |  | 
| - |   [4/17]: configuring certificate server instance
 | + |  | 
| - |   [5/17]: restarting certificate server
 | + |  | 
| - |   [6/17]: creating CA agent PKCS#12 file in /root
 | + |  | 
| - |   [7/17]: creating RA agent certificate database
 | + |  | 
| - |   [8/17]: importing CA chain to RA certificate database
 | + |  | 
| - |   [9/17]: restarting certificate server
 | + |  | 
| - |   [10/17]: requesting RA certificate from CA
 | + |  | 
| - |   [11/17]: issuing RA agent certificate
 | + |  | 
| - |   [12/17]: adding RA agent as a trusted user
 | + |  | 
| - |   [13/17]: fixing RA database permissions
 | + |  | 
| - |   [14/17]: setting up signing cert profile
 | + |  | 
| - |   [15/17]: set up CRL publishing
 | + |  | 
| - |   [16/17]: configuring certificate server to start on boot
 | + |  | 
| - |   [17/17]: restarting certificate server
 | + |  | 
| - | done configuring pki-cad.
 | + |  | 
| - | Configuring directory server: Estimated time 1 minute
 | + |  | 
| - |   [1/32]: creating directory server user
 | + |  | 
| - |   [2/32]: creating directory server instance
 | + |  | 
| - |   [3/32]: adding default schema
 | + |  | 
| - |   [4/32]: enabling memberof plugin
 | + |  | 
| - |   [5/32]: enabling referential integrity plugin
 | + |  | 
| - |   [6/32]: enabling winsync plugin
 | + |  | 
| - |   [7/32]: configuring replication version plugin
 | + |  | 
| - |   [8/32]: enabling IPA enrollment plugin
 | + |  | 
| - |   [9/32]: enabling ldapi
 | + |  | 
| - |   [10/32]: configuring uniqueness plugin
 | + |  | 
| - |   [11/32]: configuring uuid plugin
 | + |  | 
| - |   [12/32]: configuring modrdn plugin
 | + |  | 
| - |   [13/32]: enabling entryUSN plugin
 | + |  | 
| - |   [14/32]: configuring lockout plugin
 | + |  | 
| - |   [15/32]: creating indices
 | + |  | 
| - |   [16/32]: configuring ssl for ds instance
 | + |  | 
| - |   [17/32]: configuring certmap.conf
 | + |  | 
| - |   [18/32]: configure autobind for root
 | + |  | 
| - |   [19/32]: restarting directory server
 | + |  | 
| - |   [20/32]: adding default layout
 | + |  | 
| - |   [21/32]: adding delegation layout
 | + |  | 
| - |   [22/32]: adding replication acis
 | + |  | 
| - |   [23/32]: configuring user private groups
 | + |  | 
| - |   [24/32]: configuring netgroups from hostgroups
 | + |  | 
| - |   [25/32]: creating default Sudo bind user
 | + |  | 
| - |   [26/32]: creating default HBAC rule allow_all
 | + |  | 
| - |   [27/32]: initializing group membership
 | + |  | 
| - |   [28/32]: adding master entry
 | + |  | 
| - |   [29/32]: configuring Posix uid/gid generation
 | + |  | 
| - |   [30/32]: enabling compatibility plugin
 | + |  | 
| - |   [31/32]: tuning directory server
 | + |  | 
| - |   [32/32]: configuring directory to start on boot
 | + |  | 
| - | done configuring dirsrv.
 | + |  | 
| - | Configuring Kerberos KDC: Estimated time 30 seconds
 | + |  | 
| - |   [1/14]: setting KDC account password
 | + |  | 
| - |   [2/14]: adding sasl mappings to the directory
 | + |  | 
| - |   [3/14]: adding kerberos entries to the DS
 | + |  | 
| - |   [4/14]: adding default ACIs
 | + |  | 
| - |   [5/14]: configuring KDC
 | + |  | 
| - |   [6/14]: adding default keytypes
 | + |  | 
| - |   [7/14]: adding default password policy
 | + |  | 
| - |   [8/14]: creating a keytab for the directory
 | + |  | 
| - |   [9/14]: creating a keytab for the machine
 | + |  | 
| - |   [10/14]: exporting the kadmin keytab
 | + |  | 
| - |   [11/14]: adding the password extension to the directory
 | + |  | 
| - |   [12/14]: adding the kerberos master key to the directory
 | + |  | 
| - |   [13/14]: starting the KDC
 | + |  | 
| - |   [14/14]: configuring KDC to start on boot
 | + |  | 
| - | done configuring krb5kdc.
 | + |  | 
| - | Configuring ipa_kpasswd
 | + |  | 
| - |   [1/2]: starting ipa_kpasswd 
 | + |  | 
| - |   [2/2]: configuring ipa_kpasswd to start on boot
 | + |  | 
| - | done configuring ipa_kpasswd.
 | + |  | 
| - | Configuring the web interface: Estimated time 1 minute
 | + |  | 
| - |   [1/12]: disabling mod_ssl in httpd
 | + |  | 
| - |   [2/12]: setting mod_nss port to 443
 | + |  | 
| - |   [3/12]: setting mod_nss password file
 | + |  | 
| - |   [4/12]: adding URL rewriting rules
 | + |  | 
| - |   [5/12]: configuring httpd
 | + |  | 
| - |   [6/12]: setting up ssl
 | + |  | 
| - |   [7/12]: setting up browser autoconfig
 | + |  | 
| - |   [8/12]: publish CA cert
 | + |  | 
| - |   [9/12]: creating a keytab for httpd
 | + |  | 
| - |   [10/12]: configuring SELinux for httpd
 | + |  | 
| - |   [11/12]: restarting httpd
 | + |  | 
| - |   [12/12]: configuring httpd to start on boot
 | + |  | 
| - | done configuring httpd.
 | + |  | 
| - | Setting the certificate subject base
 | + |  | 
| - | restarting certificate server
 | + |  | 
| - | Applying LDAP updates
 | + |  | 
| - | Restarting the directory server
 | + |  | 
| - | Restarting the KDC
 | + |  | 
| - | Restarting the web server
 | + |  | 
| - | Sample zone file for bind has been created in /tmp/sample.zone.I_fDwT.db
 | + |  | 
| - | ==============================================================================
 | + |  | 
| - | Setup complete
 | + |  | 
| - |   | + |  | 
| - | Next steps:
 | + |  | 
| - | 	1. You must make sure these network ports are open:
 | + |  | 
| - | 		TCP Ports:
 | + |  | 
| - | 		  * 80, 443: HTTP/HTTPS
 | + |  | 
| - | 		  * 389, 636: LDAP/LDAPS
 | + |  | 
| - | 		  * 88, 464: kerberos
 | + |  | 
| - | 		UDP Ports:
 | + |  | 
| - | 		  * 88, 464: kerberos
 | + |  | 
| - | 		  * 123: ntp
 | + |  | 
| - |   | + |  | 
| - | 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
 | + |  | 
| - | 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
 | + |  | 
| - | 	   and the web user interface.
 | + |  | 
| - |   | + |  | 
| - | Be sure to back up the CA certificate stored in /root/cacert.p12
 | + |  | 
| - | This file is required to create replicas. The password for this
 | + |  | 
| - | file is the Directory Manager password
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Install and configure FreeIPA client(s) =
 | + |  | 
| - |   | + |  | 
| - | Install the '''freeipa-client''' package on each client of the FreeIPA domain.
 | + |  | 
| - |   | + |  | 
| - | == Install the FreeIPA client package ==
 | + |  | 
| - |   | + |  | 
| - | Fetch and install the FreeIPA client.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# yum install freeipa-client
 | + |  | 
| - | ...
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Configure the FreeIPA client package (OOPS!) ==
 | + |  | 
| - |   | + |  | 
| - | Again, if DNS is setup correctly and '''hostname''' returns the full DNS name, the default answers should work.
 | + |  | 
| - |   | + |  | 
| - | You want to use "admin" (the administrator user you created when configuring the FreeIPA server) as the enrollment principal.
 | + |  | 
| - |   | + |  | 
| - | Oh no! Currently, Fedora 15 gives me this problem:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# ipa-client-install 
 | + |  | 
| - | Discovery was successful!
 | + |  | 
| - | Hostname: client1.example.fake
 | + |  | 
| - | Realm: EXAMPLE.FAKE
 | + |  | 
| - | DNS Domain: example.fake
 | + |  | 
| - | IPA Server: server.example.fake
 | + |  | 
| - | BaseDN: dc=example,dc=fake
 | + |  | 
| - |   | + |  | 
| - |   | + |  | 
| - | Continue to configure the system with these values? [no]: yes
 | + |  | 
| - | Enrollment principal: admin
 | + |  | 
| - | Password for admin@EXAMPLE.FAKE: 
 | + |  | 
| - |   | + |  | 
| - | Joining realm failed because of failing XML-RPC request.
 | + |  | 
| - |   This error may be caused by incompatible server/client major versions.
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | This problem is easily worked around, but you may not need to - I'm sure this will be fixed soon.
 | + |  | 
| - |   | + |  | 
| - | == Configure the FreeIPA client package (The Workaround) ==
 | + |  | 
| - |   | + |  | 
| - | The problem and workaround are described here: https://www.redhat.com/archives/freeipa-users/2011-July/msg00029.html
 | + |  | 
| - |   | + |  | 
| - | === Get credentials and add the host to FreeIPA ===
 | + |  | 
| - |   | + |  | 
| - | Both of these commands should be run on the '''*server*'''.
 | + |  | 
| - |   | + |  | 
| - | First, get admin credentials.  If you are configuring multiple clients, this only needs to be run the first time.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# kinit admin
 | + |  | 
| - | Password for admin@EXAMPLE.FAKE: 
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now that you have credentials, you can add the client to FreeIPA.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa host-add client1.example.fake
 | + |  | 
| - | ---------------------------------
 | + |  | 
| - | Added host "client1.example.fake"
 | + |  | 
| - | ---------------------------------
 | + |  | 
| - |   Host name: client1.example.fake
 | + |  | 
| - |   Principal name: host/client1.example.fake@EXAMPLE.FAKE
 | + |  | 
| - |   Managed by: client1.example.fake
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | === (Force) Configure FreeIPA client ===
 | + |  | 
| - |   | + |  | 
| - | Back on the client now.  Run ipa-client-install again, but this time use the ''--force'' flag:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# ipa-client-install --force
 | + |  | 
| - | Discovery was successful!
 | + |  | 
| - | Hostname: client1.example.fake
 | + |  | 
| - | Realm: EXAMPLE.FAKE
 | + |  | 
| - | DNS Domain: example.fake
 | + |  | 
| - | IPA Server: server.example.fake
 | + |  | 
| - | BaseDN: dc=example,dc=fake
 | + |  | 
| - |   | + |  | 
| - |   | + |  | 
| - | Continue to configure the system with these values? [no]: yes
 | + |  | 
| - | Enrollment principal: admin
 | + |  | 
| - | Password for admin@EXAMPLE.FAKE: 
 | + |  | 
| - |   | + |  | 
| - | Joining realm failed because of failing XML-RPC request.
 | + |  | 
| - |   This error may be caused by incompatible server/client major versions.
 | + |  | 
| - |   Use ipa-getkeytab to obtain a host principal for this server.
 | + |  | 
| - | Created /etc/ipa/default.conf
 | + |  | 
| - | Configured /etc/sssd/sssd.conf
 | + |  | 
| - | Configured /etc/krb5.conf for IPA realm EXAMPLE.FAKE
 | + |  | 
| - | Failed to configure automatic startup of the NSCD daemon
 | + |  | 
| - | SSSD enabled
 | + |  | 
| - | nss_ldap is not able to use DNS discovery!
 | + |  | 
| - | Changing configuration to use hardcoded server name: server.example.fake
 | + |  | 
| - | Kerberos 5 enabled
 | + |  | 
| - | NTP enabled
 | + |  | 
| - | Client configuration complete.
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | === Manually fetch the keytab entry for the client ===
 | + |  | 
| - |  
 | + |  | 
| - | The last step of the workaround is to fetch the client's own keytab entry that '''ipa-client-install''' wasn't able to get.
 | + |  | 
| - |   | + |  | 
| - | To do this, you'll need to authenticate as admin again, but this time on the client:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# kinit admin
 | + |  | 
| - | Password for admin@EXAMPLE.FAKE: 
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now run '''ipa-getkeytab''' on the client for the host keytab entries:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# ipa-getkeytab -s server.example.fake -p host/client1.example.fake -k /etc/krb5.keytab
 | + |  | 
| - | Keytab successfully retrieved and stored in: /etc/krb5.keytab
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now, FreeIPA should be setup on the client.
 | + |  | 
| - |   | + |  | 
| - | = Add FreeIPA NFSservice for each host =
 | + |  | 
| - |   | + |  | 
| - | The next step is to setup kerberos principals for the NFS service on each host.
 | + |  | 
| - |   | + |  | 
| - | == Add FreeIPA NFS service for server ==
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa service-add nfs/server.example.fake
 | + |  | 
| - | ----------------------------------------------------
 | + |  | 
| - | Added service "nfs/server.example.fake@EXAMPLE.FAKE"
 | + |  | 
| - | ----------------------------------------------------
 | + |  | 
| - |   Principal: nfs/server.example.fake@EXAMPLE.FAKE
 | + |  | 
| - |   Managed by: server.example.fake
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Add FreeIPA NFS service for client(s) ==
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa service-add nfs/client1.example.fake
 | + |  | 
| - | -----------------------------------------------------
 | + |  | 
| - | Added service "nfs/client1.example.fake@EXAMPLE.FAKE"
 | + |  | 
| - | -----------------------------------------------------
 | + |  | 
| - |   Principal: nfs/client1.example.fake@EXAMPLE.FAKE
 | + |  | 
| - |   Managed by: client1.example.fake
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Import FreeIPA NFS service tickets on the server ==
 | + |  | 
| - |   | + |  | 
| - | Again, we have to fetch a keytab entry.  This time, it's for the nfs service of the local host.
 | + |  | 
| - |   | + |  | 
| - | According to [http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server.html this], we need to specify the enc type "des-cbc-crc".
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa-getkeytab -s server.example.fake -e des-cbc-crc -p nfs/server.example.fake -k /etc/krb5.keytab
 | + |  | 
| - | Keytab successfully retrieved andstored in: /etc/krb5.keytab
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | You can check to see what's in the keytab like this:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# klist -ke /etc/krb5.keytab
 | + |  | 
| - | Keytab name: WRFILE:/etc/krb5.keytab
 | + |  | 
| - | KVNO Principal
 | + |  | 
| - | ---- --------------------------------------------------------------------------
 | + |  | 
| - |    6 nfs/server.example.fake@EXAMPLE.FAKE (des-cbc-crc) 
 | + |  | 
| - |    4 host/server.example.fake@EXAMPLE.FAKE (aes256-cts-hmac-sha1-96) 
 | + |  | 
| - |    4 host/server.example.fake@EXAMPLE.FAKE (aes128-cts-hmac-sha1-96) 
 | + |  | 
| - |    4 host/server.example.fake@EXAMPLE.FAKE (des3-cbc-sha1) 
 | + |  | 
| - |    4 host/server.example.fake@EXAMPLE.FAKE (arcfour-hmac) 
 | + |  | 
| - |    4 host/server.example.fake@EXAMPLE.FAKE (des-cbc-crc) 
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Import FreeIPANFS service tickets on the client(s) ==
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# ipa-getkeytab -s server.example.fake -e des-cbc-crc -p nfs/client1.example.fake -k /etc/krb5.keytab
 | + |  | 
| - | Keytab successfully retrieved and stored in: /etc/krb5.keytab
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | And here's what /etc/krb5.kettab has in it:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# klist -ke /etc/krb5.keytab
 | + |  | 
| - | Keytab name: WRFILE:/etc/krb5.keytab
 | + |  | 
| - | KVNO Principal
 | + |  | 
| - | ---- --------------------------------------------------------------------------
 | + |  | 
| - |    6 nfs/client1.example.fake@EXAMPLE.FAKE (des-cbc-crc) 
 | + |  | 
| - |    3 host/client1.example.fake@EXAMPLE.FAKE (aes256-cts-hmac-sha1-96) 
 | + |  | 
| - |    3 host/client1.example.fake@EXAMPLE.FAKE (aes128-cts-hmac-sha1-96) 
 | + |  | 
| - |    3 host/client1.example.fake@EXAMPLE.FAKE (des3-cbc-sha1) 
 | + |  | 
| - |    3 host/client1.example.fake@EXAMPLE.FAKE (arcfour-hmac) 
 | + |  | 
| - |    3 host/client1.example.fake@EXAMPLE.FAKE (des-cbc-crc) 
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Turn on "Secure NFS" on both client(s) and server =
 | + |  | 
| - |   | + |  | 
| - | This turns on NFS secure mounts and enables rpc.gssd and rpc.svcgssd.
 | + |  | 
| - |   | + |  | 
| - | Edit these lines in file "/etc/sysconfig/nfs":
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | # Set to turn on Secure NFS mounts.
 | + |  | 
| - | SECURE_NFS="yes"
 | + |  | 
| - | # Optional arguments passed to rpc.gssd. See rpc.gssd(8)
 | + |  | 
| - | RPCGSSDARGS="-vvv"
 | + |  | 
| - | # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
 | + |  | 
| - | RPCSVCGSSDARGS="-vvv"
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | The -vvv flags are for better debugging output in file "/var/log/messages".
 | + |  | 
| - |   | + |  | 
| - | To pick up the changes, you must restart nfs services:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# service nfs restart
 | + |  | 
| - | Restarting nfs (via systemctl):                            [  OK  ]
 | + |  | 
| - | [root@client1 ~]# service rpcgssd restart
 | + |  | 
| - | Restarting rpcgssd (via systemctl):                        [  OK  ]
 | + |  | 
| - | [root@client1 ~]# service rpcsvcgssd restart
 | + |  | 
| - | Restarting rpcsvcgssd (via systemctl):                     [  OK  ]
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | This must be run on both clients and servers.
 | + |  | 
| - |   | + |  | 
| - | = Hosts' full DNS name in /etc/hosts =
 | + |  | 
| - |   | + |  | 
| - | NFS util program 'rpc.gssd' (XXX ???) requires that the full dns name of the host be in /etc/hosts.  The full DNS name must be the only entry on that line.
 | + |  | 
| - |   | + |  | 
| - | On the server:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# cat /etc/hosts
 | + |  | 
| - | 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
 | + |  | 
| - | ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 | + |  | 
| - |   | + |  | 
| - | 192.168.56.20 server.example.fake
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | This must be done on the client(s) as well:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# cat /etc/hosts
 | + |  | 
| - | 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
 | + |  | 
| - | ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 | + |  | 
| - |   | + |  | 
| - | 192.168.56.40 client1.example.fake
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Set up /etc/exports on the server =
 | + |  | 
| - |   | + |  | 
| - | Edit file "/etc/exports".  This makes one krb5 mountpoint of /export to be mounted as "/" or "/export".
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | /export *(rw,sec=krb5,no_subtree_check,no_root_squash)
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Restart nfs:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# service nfs restart
 | + |  | 
| - | Restarting nfs (via systemctl):                            [  OK  ]
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now exportfs should show the mount:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# exportfs -av
 | + |  | 
| - | exportfs: scandir /etc/exports.d: No such file or directory
 | + |  | 
| - |   | + |  | 
| - | exporting *:/export
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Allow Kerberos to use "weak crypto" =
 | + |  | 
| - |   | + |  | 
| - | To use the des key kerberos must be told to allow "weak" crypto.  Newer kernels and nfsutils allow the use of AES, etc. 
 | + |  | 
| - |   | + |  | 
| - | Edit file '/etc/krb5.conf':
 | + |  | 
| - |   | + |  | 
| - | In section "libdefaults", add the line:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | allow_weak_crypto = true
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | The "libdefaults" section should look something like this:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [libdefaults]
 | + |  | 
| - |   default_realm = EXAMPLE.FAKE
 | + |  | 
| - |   dns_lookup_realm = false
 | + |  | 
| - |   dns_lookup_kdc = false
 | + |  | 
| - |   rdns = false
 | + |  | 
| - |   ticket_lifetime = 24h
 | + |  | 
| - |   forwardable = yes
 | + |  | 
| - |   allow_weak_crypto = true
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Mount the filesystem =
 | + |  | 
| - |   | + |  | 
| - | The moment of truth!  If you run in to problems, see [[ProblemsMounting|Problems Mounting]].
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# mount -v -t nfs4 -o sec=krb5 server.example.fake:/ /mnt
 | + |  | 
| - | mount.nfs4: timeout set for Tue Jul 19 22:36:46 2011
 | + |  | 
| - | mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.56.20,clientaddr=192.168.56.40'
 | + |  | 
| - | server.example.fake:/ on /mnt type nfs4 (rw,sec=krb5)
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now test it:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# echo "test" > /mnt/example.com
 | + |  | 
| - | [root@client1 ~]# cat /mnt/example.com
 | + |  | 
| - | test
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | = Test the NFS mount as another user =
 | + |  | 
| - |   | + |  | 
| - | This section just covers testing the NFS mount with other users.
 | + |  | 
| - |   | + |  | 
| - | == Add another user ==
 | + |  | 
| - |   | + |  | 
| - | First, we need to add another user to FreeIPA.
 | + |  | 
| - |   | + |  | 
| - | This must be run with credentials. On the '''server''', run:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa user-add someguy
 | + |  | 
| - | First name: guy
 | + |  | 
| - | Last name: someone
 | + |  | 
| - | --------------------
 | + |  | 
| - | Added user "someguy"
 | + |  | 
| - | --------------------
 | + |  | 
| - |   User login: someguy
 | + |  | 
| - |   First name: guy
 | + |  | 
| - |   Last name: someone
 | + |  | 
| - |   Full name: guy someone
 | + |  | 
| - |   Display name: guy someone
 | + |  | 
| - |   Initials: gs
 | + |  | 
| - |   Home directory: /home/someguy
 | + |  | 
| - |   GECOS field: guy someone
 | + |  | 
| - |   Login shell: /bin/sh
 | + |  | 
| - |   Kerberos principal: someguy@EXAMPLE.FAKE
 | + |  | 
| - |   UID: 25400004
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now set a temporary password for the user.  The first time the user logs in, they must change it to something new.
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@server ~]# ipa passwd someguy
 | + |  | 
| - | Password: 
 | + |  | 
| - | Enter Password again to verify: 
 | + |  | 
| - | -------------------------------------------
 | + |  | 
| - | Changed password for "someguy@EXAMPLE.FAKE"
 | + |  | 
| - | -------------------------------------------
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | == Test NFS ==
 | + |  | 
| - |   | + |  | 
| - | Now there is a new user on the client(s)!
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | [root@client1 ~]# su someguy
 | + |  | 
| - | sh-4.2$ id
 | + |  | 
| - | uid=25400004(someguy) gid=25400004(someguy) groups=25400004(someguy),25400001(ipausers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Authenticate as the user:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | sh-4.2$ kinit
 | + |  | 
| - | Password for someguy@EXAMPLE.FAKE: 
 | + |  | 
| - | Password expired.  You must change it now.
 | + |  | 
| - | Enter new password: 
 | + |  | 
| - | Enter it again: 
 | + |  | 
| - | </pre>
 | + |  | 
| - |   | + |  | 
| - | Now test NFS:
 | + |  | 
| - |   | + |  | 
| - | <pre>
 | + |  | 
| - | sh-4.2$ echo bar > /mnt/foo
 | + |  | 
| - | sh-4.2$ cat /mnt/foo
 | + |  | 
| - | bar
 | + |  | 
| - | sh-4.2$ ls -l /mnt
 | + |  | 
| - | total 12
 | + |  | 
| - | -rw-r--r--. 1 nobody  nobody  4 Jul 19 17:22 bar
 | + |  | 
| - | -rw-r--r--. 1 nobody  nobody  5 Jul 19 22:35 example.com
 | + |  | 
| - | -rw-r--r--.1 someguy someguy 4 Jul 19 22:44 foo
 | + |  | 
| - | </pre>
 | + |  |