FreeIPA and NFSv4

From Linux NFS

(Difference between revisions)
Jump to: navigation, search
(Modify named(1) config to use new zone files)
(Replaced content with "This has been moved to NFS and FreeIPA.")
 
(93 intermediate revisions not shown)
Line 1: Line 1:
-
This is a WIP by dros@netapp.com - please let me finish before changing/commenting).
+
This has been moved to [[NFS and FreeIPA]].
-
 
+
-
This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA].
+
-
 
+
-
Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm and possibly an [http://en.wikipedia.org/wiki/LDAP LDAP] server.  FreeIPA provides a packaged service of both [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5] and [http://en.wikipedia.org/wiki/LDAP LDAP] with the purpose of making this process much less painful.
+
-
 
+
-
These instructions are for [http://www.fedora.org/ Fedora 15].  Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
+
-
 
+
-
 
+
-
 
+
-
= Disclaimer about the testing environment =
+
-
 
+
-
For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake).
+
-
Setup with routable IP addresses and a real DNS realm should be straightforward.
+
-
 
+
-
For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake).  Of course, these could all be different machines.
+
-
 
+
-
I have not tried setting up freeipa without DNS, or using it's own DNS server.
+
-
 
+
-
I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server!  You probably shouldn't do that!  You'll need to allow traffic on:
+
-
* port 53 for named(1)
+
-
* port 88 for kerberos
+
-
* port 389 for ldap
+
-
* XXX MORE!!
+
-
 
+
-
= Set up DNS realm =
+
-
 
+
-
== Create the DNS realm on the server ==
+
-
 
+
-
=== Install named(1) on the server ===
+
-
 
+
-
<pre>
+
-
[root@server ~]# sudo yum install bind
+
-
</pre>
+
-
 
+
-
=== Configure the DNS zone ===
+
-
 
+
-
Create the file "/var/named/example.fake.zone":
+
-
 
+
-
<pre>
+
-
$TTL 3D
+
-
@      IN      SOA    ns1.example.fake. hostmaster.example.fake. (
+
-
                      201107111      ; serial#
+
-
                      3600            ; refresh, seconds
+
-
                      3600            ; retry, seconds
+
-
                      3600            ; expire, seconds
+
-
                      3600 )          ; minimum, seconds
+
-
 
+
-
                NS      ns1            ; Inet Address of nameserver
+
-
example.fake.  MX      10 mail        ; Primary Mail Exchanger
+
-
 
+
-
ns1            A      192.168.56.20
+
-
server          A      192.168.56.20
+
-
 
+
-
client1        A      192.168.56.40
+
-
 
+
-
ipa            CNAME  build
+
-
mail            CNAME  build
+
-
 
+
-
; DNS auto discovery of services
+
-
_ldap._tcp      SRV 10 10 389 server.example.fake.
+
-
_kerberos._udp  SRV 10 10 88 server.example.fake.
+
-
_kerberos._tcp  SRV 10 10 88 server.example.fake.
+
-
</pre>
+
-
 
+
-
=== Configure the reverse mapping ===
+
-
 
+
-
Create the file "/var/named/192-168-56.zone":
+
-
 
+
-
<pre>
+
-
$TTL 2d  ; 172800 seconds
+
-
$ORIGIN 56.168.192.IN-ADDR.ARPA.
+
-
@      IN        SOA        ns1.example.fake.  hostmaster.example.fake. (
+
-
                            201107111          ; serial number
+
-
                            8H                ; refresh, seconds
+
-
                            2H                ; retry, seconds
+
-
                            4W                ; expire, seconds
+
-
                            1D )              ; minimum, seconds
+
-
 
+
-
                IN      NS      ns1.example.fake.
+
-
20              IN      PTR    server.example.fake.
+
-
40              IN      PTR    client1.example.fake.
+
-
</pre>
+
-
 
+
-
 
+
-
=== Modify named(1) config to use new zone files ===
+
-
 
+
-
Add the sections to file "/etc/named.conf":
+
-
 
+
-
<pre>
+
-
zone "example.fake" IN {
+
-
type master;
+
-
file "example.fake.zone";
+
-
};
+
-
 
+
-
zone "56.168.192.in-addr.arpa" IN {
+
-
type master;
+
-
file "192-168-56.zone";
+
-
};
+
-
</pre>
+
-
 
+
-
=== Other named(1) config ===
+
-
 
+
-
There are a few other things that I needed to configure in my test setup.  You probably don't want to turn off dnssec in real world setups!
+
-
 
+
-
In the "options" section:
+
-
 
+
-
* change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }"
+
-
* change "allow-query" option to "{ localhost; 192.168.56.0/24 }"
+
-
* change "dnssec-enable" option to "no"
+
-
* change "dnssec-validation" option to "no"
+
-
 
+
-
=== Restart named(1) ===
+
-
 
+
-
<pre>
+
-
[root@server ~]# service named restart
+
-
Restarting named (via systemctl):                          [  OK  ]
+
-
</pre>
+
-
 
+
-
== Configure the client(s) and server to use the local DNS server ==
+
-
 
+
-
The server and all clients should use this name server (with this testing environment).  With a real DNS server, clients shouldn't require this configuration.
+
-
 
+
-
Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:
+
-
 
+
-
<pre>
+
-
DNS1=192.168.56.20
+
-
</pre>
+
-
 
+
-
Restart the network service to pick up the change.
+
-
 
+
-
<pre>
+
-
[root@server ~]# service network restart
+
-
Restarting network (via systemctl):                        [  OK  ]
+
-
</pre>
+
-
 
+
-
And verify that it worked:
+
-
 
+
-
<pre>
+
-
[root@server ~]# cat /etc/resolv.conf
+
-
# Generated by NetworkManager
+
-
search example.fake
+
-
nameserver 192.168.56.20
+
-
</pre>
+
-
 
+
-
<pre>
+
-
[root@server ~]# nslookup server.example.fake
+
-
Server: 192.168.56.20
+
-
Address: 192.168.56.20#53
+
-
 
+
-
Name: server.example.fake
+
-
Address: 192.168.56.20
+
-
</pre>
+
-
 
+
-
 
+
-
= Install and configure the FreeIPA server =
+
-
 
+
-
Install and configure the FreeIPA software on the server (server.example.fake).
+
-
 
+
-
== Install the FreeIPA server and admintools package ==
+
-
 
+
-
This step fetches and installs FreeIPA and it's dependencies.  It will install around 100 packages, depending on what you already have installed.
+
-
 
+
-
<pre>
+
-
[root@server ~]# yum install freeipa-server freeipa-admintools
+
-
</pre>
+
-
 
+
-
== Configure FreeIPA server ==
+
-
 
+
-
Run the ipa-server-install(1) program.  This takes a while.  All of the default answers should work if DNS hostnames and services are set up correctly and the full domain name is returned by hostname(1).
+
-
 
+
-
<pre>
+
-
[root@server ~]# ipa-server-install
+
-
 
+
-
The log file for this installation can be found in /var/log/ipaserver-install.log
+
-
==============================================================================
+
-
This program will set up the FreeIPA Server.
+
-
 
+
-
This includes:
+
-
  * Configure the Network Time Daemon (ntpd)
+
-
  * Create and configure an instance of Directory Server
+
-
  * Create and configure a Kerberos Key Distribution Center (KDC)
+
-
  * Configure Apache (httpd)
+
-
 
+
-
To accept the default shown in brackets, press the Enter key.
+
-
 
+
-
Enter the fully qualified domain name of the computer
+
-
on which you're setting up server software. Using the form
+
-
<hostname>.<domainname>
+
-
Example: master.example.com.
+
-
 
+
-
 
+
-
Server host name [server.example.fake]:
+
-
 
+
-
The domain name has been calculated based on the host name.
+
-
 
+
-
Please confirm the domain name [example.fake]:
+
-
 
+
-
The IPA Master Server will be configured with
+
-
Hostname:    server.example.fake
+
-
IP address:  192.168.56.20
+
-
Domain name: example.fake
+
-
 
+
-
The kerberos protocol requires a Realm name to be defined.
+
-
This is typically the domain name converted to uppercase.
+
-
 
+
-
Please provide a realm name [EXAMPLE.FAKE]:
+
-
Certain directory server operations require an administrative user.
+
-
This user is referred to as the Directory Manager and has full access
+
-
to the Directory for system management tasks and will be added to the
+
-
instance of directory server created for IPA.
+
-
The password must be at least 8 characters long.
+
-
 
+
-
Directory Manager password:
+
-
Password (confirm):
+
-
 
+
-
The IPA server requires an administrative user, named 'admin'.
+
-
This user is a regular system account used for IPA server administration.
+
-
 
+
-
IPA admin password:
+
-
Password (confirm):
+
-
 
+
-
 
+
-
The following operations may take some minutes to complete.
+
-
Please wait until the prompt is returned.
+
-
 
+
-
Configuring ntpd
+
-
  [1/4]: stopping ntpd
+
-
  [2/4]: writing configuration
+
-
  [3/4]: configuring ntpd to start on boot
+
-
  [4/4]: starting ntpd
+
-
done configuring ntpd.
+
-
Configuring directory server for the CA: Estimated time 30 seconds
+
-
  [1/3]: creating directory server user
+
-
  [2/3]: creating directory server instance
+
-
  [3/3]: restarting directory server
+
-
done configuring pkids.
+
-
Configuring certificate server: Estimated time 6 minutes
+
-
  [1/17]: creating certificate server user
+
-
  [2/17]: creating pki-ca instance
+
-
  [3/17]: restarting certificate server
+
-
  [4/17]: configuring certificate server instance
+
-
  [5/17]: restarting certificate server
+
-
  [6/17]: creating CA agent PKCS#12 file in /root
+
-
  [7/17]: creating RA agent certificate database
+
-
  [8/17]: importing CA chain to RA certificate database
+
-
  [9/17]: restarting certificate server
+
-
  [10/17]: requesting RA certificate from CA
+
-
  [11/17]: issuing RA agent certificate
+
-
  [12/17]: adding RA agent as a trusted user
+
-
  [13/17]: fixing RA database permissions
+
-
  [14/17]: setting up signing cert profile
+
-
  [15/17]: set up CRL publishing
+
-
  [16/17]: configuring certificate server to start on boot
+
-
  [17/17]: restarting certificate server
+
-
done configuring pki-cad.
+
-
Configuring directory server: Estimated time 1 minute
+
-
  [1/32]: creating directory server user
+
-
  [2/32]: creating directory server instance
+
-
  [3/32]: adding default schema
+
-
  [4/32]: enabling memberof plugin
+
-
  [5/32]: enabling referential integrity plugin
+
-
  [6/32]: enabling winsync plugin
+
-
  [7/32]: configuring replication version plugin
+
-
  [8/32]: enabling IPA enrollment plugin
+
-
  [9/32]: enabling ldapi
+
-
  [10/32]: configuring uniqueness plugin
+
-
  [11/32]: configuring uuid plugin
+
-
  [12/32]: configuring modrdn plugin
+
-
  [13/32]: enabling entryUSN plugin
+
-
  [14/32]: configuring lockout plugin
+
-
  [15/32]: creating indices
+
-
  [16/32]: configuring ssl for ds instance
+
-
  [17/32]: configuring certmap.conf
+
-
  [18/32]: configure autobind for root
+
-
  [19/32]: restarting directory server
+
-
  [20/32]: adding default layout
+
-
  [21/32]: adding delegation layout
+
-
  [22/32]: adding replication acis
+
-
  [23/32]: configuring user private groups
+
-
  [24/32]: configuring netgroups from hostgroups
+
-
  [25/32]: creating default Sudo bind user
+
-
  [26/32]: creating default HBAC rule allow_all
+
-
  [27/32]: initializing group membership
+
-
  [28/32]: adding master entry
+
-
  [29/32]: configuring Posix uid/gid generation
+
-
  [30/32]: enabling compatibility plugin
+
-
  [31/32]: tuning directory server
+
-
  [32/32]: configuring directory to start on boot
+
-
done configuring dirsrv.
+
-
Configuring Kerberos KDC: Estimated time 30 seconds
+
-
  [1/14]: setting KDC account password
+
-
  [2/14]: adding sasl mappings to the directory
+
-
  [3/14]: adding kerberos entries to the DS
+
-
  [4/14]: adding default ACIs
+
-
  [5/14]: configuring KDC
+
-
  [6/14]: adding default keytypes
+
-
  [7/14]: adding default password policy
+
-
  [8/14]: creating a keytab for the directory
+
-
  [9/14]: creating a keytab for the machine
+
-
  [10/14]: exporting the kadmin keytab
+
-
  [11/14]: adding the password extension to the directory
+
-
  [12/14]: adding the kerberos master key to the directory
+
-
  [13/14]: starting the KDC
+
-
  [14/14]: configuring KDC to start on boot
+
-
done configuring krb5kdc.
+
-
Configuring ipa_kpasswd
+
-
  [1/2]: starting ipa_kpasswd
+
-
  [2/2]: configuring ipa_kpasswd to start on boot
+
-
done configuring ipa_kpasswd.
+
-
Configuring the web interface: Estimated time 1 minute
+
-
  [1/12]: disabling mod_ssl in httpd
+
-
  [2/12]: setting mod_nss port to 443
+
-
  [3/12]: setting mod_nss password file
+
-
  [4/12]: adding URL rewriting rules
+
-
  [5/12]: configuring httpd
+
-
  [6/12]: setting up ssl
+
-
  [7/12]: setting up browser autoconfig
+
-
  [8/12]: publish CA cert
+
-
  [9/12]: creating a keytab for httpd
+
-
  [10/12]: configuring SELinux for httpd
+
-
  [11/12]: restarting httpd
+
-
  [12/12]: configuring httpd to start on boot
+
-
done configuring httpd.
+
-
Setting the certificate subject base
+
-
restarting certificate server
+
-
Applying LDAP updates
+
-
Restarting the directory server
+
-
Restarting the KDC
+
-
Restarting the web server
+
-
Sample zone file for bind has been created in /tmp/sample.zone.I_fDwT.db
+
-
==============================================================================
+
-
Setup complete
+
-
 
+
-
Next steps:
+
-
1. You must make sure these network ports are open:
+
-
TCP Ports:
+
-
  * 80, 443: HTTP/HTTPS
+
-
  * 389, 636: LDAP/LDAPS
+
-
  * 88, 464: kerberos
+
-
UDP Ports:
+
-
  * 88, 464: kerberos
+
-
  * 123: ntp
+
-
 
+
-
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
+
-
  This ticket will allow you to use the IPA tools (e.g., ipa user-add)
+
-
  and the web user interface.
+
-
 
+
-
Be sure to back up the CA certificate stored in /root/cacert.p12
+
-
This file is required to create replicas. The password for this
+
-
file is the Directory Manager password
+
-
</pre>
+
-
 
+
-
= Install and configure FreeIPA client(s) =
+
-
 
+
-
Install the freeipa-client package on each machine (besides the FreeIPA server) that want to participate in the FreeIPA domain.
+
-
 
+
-
== Install the FreeIPA client package ==
+
-
 
+
-
This step fetches just the client-side software needed to connect to a FreeIPA server.
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# yum install freeipa-client
+
-
...
+
-
</pre>
+
-
 
+
-
You might also want to install ntp here to run ntpd(1) for time synchronization.  Kerberos depends on it.
+
-
 
+
-
== Configure the FreeIPA client package (OOPS!) ==
+
-
 
+
-
Again, if DNS is setup correctly and hostname(1) returns the full DNS name, the default answers should work.
+
-
 
+
-
You want to use "admin" (the administrator user you created when configuring the FreeIPA server) as the enrollment principal.
+
-
 
+
-
Oh no! Currently, Fedora 15 gives me this problem:
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# ipa-client-install
+
-
Discovery was successful!
+
-
Hostname: client1.example.fake
+
-
Realm: EXAMPLE.FAKE
+
-
DNS Domain: example.fake
+
-
IPA Server: server.example.fake
+
-
BaseDN: dc=example,dc=fake
+
-
 
+
-
 
+
-
Continue to configure the system with these values? [no]: yes
+
-
Enrollment principal: admin
+
-
Password for admin@EXAMPLE.FAKE:
+
-
 
+
-
Joining realm failed because of failing XML-RPC request.
+
-
  This error may be caused by incompatible server/client major versions.
+
-
</pre>
+
-
 
+
-
This problem is easily worked around, but you may not need to - I'm sure this will be fixed soon.
+
-
 
+
-
== Configure the FreeIPA client package (The Workaround) ==
+
-
 
+
-
The problem and workaround are described here: https://www.redhat.com/archives/freeipa-users/2011-July/msg00029.html
+
-
 
+
-
=== Get credentials and add the host to FreeIPA ===
+
-
 
+
-
Both of these commands should be run on the *server*.
+
-
 
+
-
First, get admin credentials.  If you are configuring multiple clients, this only needs to be run the first time.
+
-
 
+
-
<pre>
+
-
[root@server ~]# kinit admin
+
-
Password for admin@EXAMPLE.FAKE:
+
-
</pre>
+
-
 
+
-
Now that you have credentials, you can add the (client) host to FreeIPA.
+
-
 
+
-
<pre>
+
-
[root@server ~]# ipa host-add client1.example.fake
+
-
---------------------------------
+
-
Added host "client1.example.fake"
+
-
---------------------------------
+
-
  Host name: client1.example.fake
+
-
  Principal name: host/client1.example.fake@EXAMPLE.FAKE
+
-
  Managed by: client1.example.fake
+
-
</pre>
+
-
 
+
-
=== (Force) Configure FreeIPA client ===
+
-
 
+
-
Back on the client now.  Run ipa-client-install again, but this time use the --force flag:
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# ipa-client-install --force
+
-
Discovery was successful!
+
-
Hostname: client1.example.fake
+
-
Realm: EXAMPLE.FAKE
+
-
DNS Domain: example.fake
+
-
IPA Server: server.example.fake
+
-
BaseDN: dc=example,dc=fake
+
-
 
+
-
 
+
-
Continue to configure the system with these values? [no]: yes
+
-
Enrollment principal: admin
+
-
Password for admin@EXAMPLE.FAKE:
+
-
 
+
-
Joining realm failed because of failing XML-RPC request.
+
-
  This error may be caused by incompatible server/client major versions.
+
-
  Use ipa-getkeytab to obtain a host principal for this server.
+
-
Created /etc/ipa/default.conf
+
-
Configured /etc/sssd/sssd.conf
+
-
Configured /etc/krb5.conf for IPA realm EXAMPLE.FAKE
+
-
Failed to configure automatic startup of the NSCD daemon
+
-
SSSD enabled
+
-
nss_ldap is not able to use DNS discovery!
+
-
Changing configuration to use hardcoded server name: server.example.fake
+
-
Kerberos 5 enabled
+
-
NTP enabled
+
-
Client configuration complete.
+
-
</pre>
+
-
 
+
-
=== Manually fetch the keytab entry for the client ===
+
-
+
-
Still on the client, the last step is to fetch the keytab entry that ipa-client-install(1) wasn't able to get.
+
-
 
+
-
To do this, you'll need to authenticate as admin again (but this time on the client):
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# kinit admin
+
-
Password for admin@EXAMPLE.FAKE:
+
-
</pre>
+
-
 
+
-
Now run ipa-getkeytab:
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# ipa-getkeytab -s server.example.fake -p host/client1.example.fake -k /etc/krb5.keytab
+
-
Keytab successfully retrieved and stored in: /etc/krb5.keytab
+
-
</pre>
+
-
 
+
-
Now, FreeIPA should be setup on the client.
+
-
 
+
-
= Add FreeIPA NFS service for each host =
+
-
 
+
-
The next step is to setup kerberos principals for the NFS service on each host - the server and the client(s).
+
-
 
+
-
== Add FreeIPA NFS service for server ==
+
-
 
+
-
<pre>
+
-
[root@server ~]# ipa service-add nfs/server.example.fake
+
-
----------------------------------------------------
+
-
Added service "nfs/server.example.fake@EXAMPLE.FAKE"
+
-
----------------------------------------------------
+
-
  Principal: nfs/server.example.fake@EXAMPLE.FAKE
+
-
  Managed by: server.example.fake
+
-
</pre>
+
-
 
+
-
== Add FreeIPA NFS service for client(s) ==
+
-
 
+
-
<pre>
+
-
[root@server ~]# ipa service-add nfs/client1.example.fake
+
-
-----------------------------------------------------
+
-
Added service "nfs/client1.example.fake@EXAMPLE.FAKE"
+
-
-----------------------------------------------------
+
-
  Principal: nfs/client1.example.fake@EXAMPLE.FAKE
+
-
  Managed by: client1.example.fake
+
-
</pre>
+
-
 
+
-
== Import FreeIPA NFS service tickets on the server ==
+
-
 
+
-
<pre>
+
-
[root@server ~]# ipa-getkeytab -s server.example.fake -p nfs/server.example.fake -k /etc/krb5.keytab
+
-
Keytab successfully retrieved and stored in: /etc/krb5.keytab
+
-
</pre>
+
-
 
+
-
You can check to see what's in the keytab like this:
+
-
 
+
-
<pre>
+
-
[root@server ~]# ktutil
+
-
ktutil:  read_kt /etc/krb5.keytab
+
-
ktutil:  list
+
-
slot KVNO Principal
+
-
---- ---- ---------------------------------------------------------------------
+
-
  1    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  2    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  3    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  4    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  5    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  6    2    host/server.example.fake@EXAMPLE.FAKE
+
-
  7    1    nfs/server.example.fake@EXAMPLE.FAKE
+
-
  8    1    nfs/server.example.fake@EXAMPLE.FAKE
+
-
  9    1    nfs/server.example.fake@EXAMPLE.FAKE
+
-
  10    1    nfs/server.example.fake@EXAMPLE.FAKE
+
-
ktutil:  q
+
-
</pre>
+
-
 
+
-
== Import FreeIPA NFS service tickets on the client(s) ==
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# ipa-getkeytab -s server.example.fake -p nfs/client1.example.fake -k /etc/krb5.keytab
+
-
Keytab successfully retrieved and stored in: /etc/krb5.keytab
+
-
</pre>
+
-
 
+
-
And here's what /etc/krb5.kettab has in it:
+
-
 
+
-
<pre>
+
-
[root@client1 ~]# ktutil
+
-
ktutil:  read_kt /etc/krb5.keytab
+
-
ktutil:  list
+
-
slot KVNO Principal
+
-
---- ---- ---------------------------------------------------------------------
+
-
  1    1  host/client1.example.fake@EXAMPLE.FAKE
+
-
  2    1  host/client1.example.fake@EXAMPLE.FAKE
+
-
  3    1  host/client1.example.fake@EXAMPLE.FAKE
+
-
  4    1  host/client1.example.fake@EXAMPLE.FAKE
+
-
  5    1    nfs/client1.example.fake@EXAMPLE.FAKE
+
-
  6    1    nfs/client1.example.fake@EXAMPLE.FAKE
+
-
  7    1    nfs/client1.example.fake@EXAMPLE.FAKE
+
-
  8    1    nfs/client1.example.fake@EXAMPLE.FAKE
+
-
ktutil:  q
+
-
</pre>
+
-
 
+
-
  - host/
+
-
  - nfs/
+
-
  - root/ (is this needed?)
+
-
 
+
-
- configure client/server with right tickets
+
-
 
+
-
  - klist -ea
+
-
      ...
+
-
 
+
-
- configure client and server for secure nfs
+
-
 
+
-
  - edit /etc/sysconfig/nfs
+
-
 
+
-
    SECURE=yes
+
-
 
+
-
    flags -> -vvv on rpc.gssd, rpc.svcgssd
+
-
 
+
-
  - edit /etc/hosts, put canonical name for main external IP
+
-
 
+
-
- common debugging problems
+
-
 
+
-
  - named starts *after*
+
-
 
+
-
- clock skew
+

Latest revision as of 02:48, 1 March 2012

This has been moved to NFS and FreeIPA.

Personal tools