FreeIPA and NFSv4

From Linux NFS


This is a WIP by dros@netapp.com - please let me finish before changing/commenting.

This document describes using NFSv4 with FreeIPA.

Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a Kerberos realm and possibly an LDAP server. FreeIPA provides a packaged service of both Kerberos 5 and LDAP with the purpose of making this process much less painful.

These instructions are for Fedora 15. Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.



Disclaimer about the testing environment

For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake). Setup with routable IP addresses and a real DNS realm should be straightforward.

For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake). Of course, these could all be different machines.

I have not tried setting up freeipa without DNS, or using its own DNS server.

I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server! You probably shouldn't do that! You'll need to allow traffic on:

  • port 53 for named(1)
  • port 88 for kerberos
  • port 389 for ldap
  • XXX MORE!!

Set up DNS realm

Create the DNS realm on the server

Install named(1) on the server

[root@server ~]# sudo yum install bind

Configure the DNS zone

Create the file "/var/named/example.fake.zone":

$TTL 3D
@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
                       201107111       ; serial#
                       3600            ; refresh, seconds
                       3600            ; retry, seconds
                       3600            ; expire, seconds
                       3600 )          ; minimum, seconds

                NS      ns1             ; Inet Address of nameserver
example.fake.   MX      10 mail         ; Primary Mail Exchanger

ns1             A       192.168.56.20
server          A       192.168.56.20

client1         A       192.168.56.40

; aliases must point at a name that is defined in this zone;
; in this setup the IPA server and mail host are both server.example.fake
ipa             CNAME   server
mail            CNAME   server

; DNS auto discovery of services
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88 server.example.fake.
_kerberos._tcp  SRV 10 10 88 server.example.fake.

Configure the reverse mapping

Create the file "/var/named/192-168-56.zone":

$TTL 2d  ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN        SOA        ns1.example.fake.  hostmaster.example.fake. (
                            201107111          ; serial number
                            8H                 ; refresh, seconds
                            2H                 ; retry, seconds
                            4W                 ; expire, seconds
                            1D )               ; minimum, seconds

                IN      NS      ns1.example.fake.
20              IN      PTR     server.example.fake.
40              IN      PTR     client1.example.fake.
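A consistency check for the two zone files above, added here as an example (it is not part of this wiki page, FreeIPA or BIND): it parses a master file, then reports CNAME/NS/MX/SRV targets the zone never defines, SRV targets that are not A records (FreeIPA's autodiscovery depends on those SRV records, and RFC 2782 forbids CNAME targets), and PTR records that disagree with the forward A records. The sample zones are constructed and deliberately include a CNAME to an undefined label so the check has something to report.

```python
def fqdn(name, origin):                         # '@' is the origin; no trailing dot means relative
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """Tiny BIND master-file parser -> {owner: [(rrtype, rdata)]}; '( ... )' records such as SOA are skipped."""
    records, owner, depth = {}, origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if depth or "(" in line:                      # inside a multi-line record
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):  # blank line or $ORIGIN/$TTL directive
            origin = line.split()[1] if line.startswith("$ORIGIN") else origin
            continue
        tokens = line.split()
        if not line[0].isspace():                     # a new owner name starts the line
            owner = fqdn(tokens.pop(0), origin)
        while tokens[0].upper() == "IN" or tokens[0].isdigit():
            tokens.pop(0)                             # optional class / TTL
        rrtype, rdata = tokens[0].upper(), tokens[1:]
        if rrtype in ("CNAME", "NS", "PTR", "MX", "SRV"):
            rdata[-1] = fqdn(rdata[-1], origin)       # last field is a domain name
        records.setdefault(owner, []).append((rrtype, rdata))
    return records
def check_zones(fwd, rev):
    """Report undefined CNAME/NS/MX/SRV targets, SRV targets that are not A records, and PTR/A mismatches."""
    problems, a_of = [], {n: rr[1][0] for n, rrs in fwd.items() for rr in rrs if rr[0] == "A"}
    for owner, rrs in fwd.items():
        for rrtype, rdata in rrs:
            if rrtype in ("CNAME", "NS", "MX", "SRV") and rdata[-1] not in fwd:
                problems.append(f"{owner} {rrtype} -> {rdata[-1]}: not defined in zone")
            elif rrtype == "SRV" and rdata[-1] not in a_of:
                problems.append(f"{owner} SRV -> {rdata[-1]}: target must be an A record")
    for owner, rrs in rev.items():                    # 20.56.168.192.in-addr.arpa. -> 192.168.56.20
        ip = ".".join(reversed(owner.lower().removesuffix(".in-addr.arpa.").split(".")))
        for rrtype, rdata in rrs:
            if rrtype == "PTR" and a_of.get(rdata[0]) != ip:
                problems.append(f"PTR {ip} -> {rdata[0]}: forward A record is {a_of.get(rdata[0])}")
    return problems
FORWARD = """@ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 3600 3600 3600 3600 )
ns1     A 192.168.56.20
server  A 192.168.56.20
client1 A 192.168.56.40
ipa     CNAME build          ; constructed sample: 'build' is never defined
_ldap._tcp     SRV 10 10 389 server.example.fake.
_kerberos._tcp SRV 10 10 88  server.example.fake."""
REVERSE = """$ORIGIN 56.168.192.IN-ADDR.ARPA.
20 IN PTR server.example.fake.
40 IN PTR client1.example.fake."""
def run_checks():                                     # constructed zones above; returns the problem list
    return check_zones(parse_zone(FORWARD, "example.fake."), parse_zone(REVERSE, "56.168.192.in-addr.arpa."))
```

Run named-checkzone(8) on the real files as well; this script complements it rather than replacing it.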


Modify named(1) config to use new zone files

Add these sections to the file "/etc/named.conf" (the file name must be a quoted string):

zone "example.fake" IN {
	type master;
	file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
	type master;
	file "192-168-56.zone";
};

Other named(1) config

There are a few other things that I needed to configure in my test setup.  You probably don't want to turn off dnssec in real world setups!

In the "options" section:

  • change the "listen-on" option to include the server's external address: "{ localhost; 192.168.56.20; }"
  • change the "allow-query" option to "{ localhost; 192.168.56.0/24; }"
  • change the "dnssec-enable" option to "no"
  • change the "dnssec-validation" option to "no"

Restart named(1)

[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]

Configure the client(s) and server to use the local DNS server

In this testing environment, the server and all clients should use this name server. With a real DNS server, clients shouldn't require this configuration.

Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:

DNS1=192.168.56.20

Restart the network service to pick up the change.

[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]

And verify that it worked:

[root@server ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
[root@server ~]# nslookup server.example.fake
Server:		192.168.56.20
Address:	192.168.56.20#53

Name:	server.example.fake
Address: 192.168.56.20