I do not know what OS you are using but if it is RHEL 6 or CentOS 6 you would need to do the following:
In /etc/idmapd.conf:

    Domain = your.domain

Add this to /etc/sysconfig/nfs:

    SECURE_NFS="yes"

In /etc/exports:

    /home/repo *(rw,sync,sec=krb5p)

Make sure that you use NTP for every server/client and that the time is synced.

Add the server to the IPA Domain.

Create an NFS service for the server in IPA:

    ipa service-add nfs/your.server.name

Generate a key using

    ipa-getkeytab -s ipa.server -p nfs/your.nfs.server -k /tmp/nfsserver.keytab
    # Do this on the nfs server and you can add the key directly to /etc/krb5.keytab.

Add a firewall rule for tcp 2049.

    iptables -I INPUT 5 -p tcp -m state --state NEW,ESTABLISHED --dport 2049 -j ACCEPT

Save and restart firewall + the other services and it should work.

For RHEL 7 or Fedora it is essentially the same except that you do not add the line to /etc/sysconfig/nfs. Instead you need to enable and start nfs-server and nfs-secure-server using systemctl.

For autofs you just need to add a proper direct or indirect map in IPA and on the IPA client run ipa-client-automount.

Make sure that the nfs 4 kerberos share is working first before starting with autofs config.

    mount -t nfs4 -v -o sec=krb5p nfs.server:/home/repo /mnt

Hope this could help you get it working. :-)

Regards,
Johan

________________________________________
From: [email protected] [[email protected]] on behalf of Dan Mossor [[email protected]]
Sent: Thursday, September 18, 2014 06:57
To: [email protected]
Subject: [Freeipa-users] Kerberized NFS and automount

I have been fighting with getting my NFS servers kerberized since I first installed FreeIPA back in April - I still cannot create a secured NFS mount, and have exhausted all my resources in troubleshooting, so I am reaching out to the list since I see many of you have it working. The next step in the puzzle will be to make this work with automount - which again, I can't get this working either. I am missing one key step here, but I can't find it.
The documentation for both issues is confusing, especially to someone new to FreeIPA.

So first, let's tackle the Kerberized NFS mounts. On the server doing the exporting, here are the pertinent files.

/etc/sysconfig/nfs:

    RPCNFSDARGS=""
    RPCNFSDCOUNT=8
    RPCMOUNTDOPTS="--debug all"
    STATDARG=""
    RPCIDMAPDARGS=""
    RPCGSSDARGS="--debug all"
    GSS_USE_PROXY="no"
    RPCSVCGSSDARGS=""

My last attempt at an /etc/exports file before I gave up:

    /home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

What other information do y'all need to help me get this working?

--
Dan Mossor
Systems Engineer at Large
Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
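
An added example, not part of the thread: a small check that reads an exports file and reports, per path and client, which security flavors are permitted, covering both forms quoted above (the `sec=` option and the deprecated `gss/krb5p` client string from exports(5)). The function names, the `/srv` entries and the `REVIEW` label are assumptions made for the example; it assumes one `sec=` per client entry and no line continuations.

```shell
# Report the security flavors each export allows (added example).
audit_exports() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }            # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                     # split client(options)
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            flavors = "sys"                  # exports(5) default when sec= is absent
            if (client ~ /^gss\/krb5[ip]?$/) # deprecated client-string form
                flavors = substr(client, 5)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
            status = "krb5p-only"
            m = split(flavors, f, ":")       # sec= takes a colon-separated list
            for (j = 1; j <= m; j++)
                if (f[j] != "krb5p") status = "REVIEW"
            printf "%s %s %s %s\n", path, (client == "" ? "*" : client), flavors, status
        }
    }' "$1"
}

# Constructed sample: the first two entries are the forms quoted in the thread,
# the /srv entries are made up to show the flagged cases.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports file
/home/repo *(rw,sync,sec=krb5p)
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
/srv/scratch *(rw,sync)
/srv/mixed 192.0.2.0/24(rw,sec=krb5p:sys)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

Entries marked `REVIEW` accept at least one flavor other than krb5p, so a client can mount them without the Kerberos privacy protection the thread is trying to enforce.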
