Project

General

Profile

Actions
Copy link

action #25704

closed

Use kerberos authentication for nfs shares

Added by ingogoeppert about 7 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
ingogoeppert
Category:
-
Target version:
14.2
Start date:
2017-10-01
Due date:
% Done:

100%

Estimated time:

Description

To improve security when nfs shares are used, we should use kerberos authentication.

Needs:

  • Modified share configuration
  • SPNs
  • Modified client configuration

Links:

Current state:

  • invis Server 14 setup is prepared for kerberos, but exports are still without
  • membermod adds the spn we need for kerberos (execute manual)
  • client setup is prepared for kerberos. Todo: Exporting the additional spn to the client keytab after the join (or do it manual).

Export keytab on the client: "net ads keytab create" or "net ads keytab create -P"

Files

nfs-kerberos (2.05 KB) nfs-kerberos ingogoeppert, 2018-07-15 20:27
Actions
Copy link
 #1

Updated by ingogoeppert about 7 years ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by ingogoeppert about 7 years ago

  • Category changed from 364 to Developement
Actions
Copy link
 #3

Updated by ingogoeppert over 6 years ago

  • Project changed from invis-server to invisAD-setup
  • Category deleted (Developement)
  • Target version deleted (Next)
Actions
Copy link
 #4

Updated by flacco over 6 years ago

  • Target version set to Future
Actions
Copy link
 #5

Updated by flacco over 6 years ago

  • Assignee set to ingogoeppert
Actions
Copy link
 #6

Updated by ingogoeppert over 6 years ago

First setup was successful. Steps to modify a classic nfs setup to a kerberos setup are described in German in the attached document. Test setup was a invis 15 Server and a openSUSE Leap 42.3 Client with KDE Desktop. Both VirtualBox VMs.

Actions
Copy link
 #7

Updated by ingogoeppert over 6 years ago

  • Private changed from Yes to No
Actions
Copy link
 #8

Updated by ingogoeppert about 6 years ago

  • Description updated (diff)
Actions
Copy link
 #9

Updated by ingogoeppert about 6 years ago

Tests at FrOSCon 13 failed with "permission denied". Very strange: after restarting sssd in the running system it succeeds. It also happened at my test setup. We have to find out why before we roll out nfs with kerberos as default or reconfigure systems to nfs with kerberos.

Actions
Copy link
 #10

Updated by ingogoeppert about 6 years ago

  • Description updated (diff)
Actions
Copy link
 #11

Updated by ingogoeppert about 6 years ago

  • Description updated (diff)
Actions
Copy link
 #12

Updated by flacco almost 6 years ago

File /etc/sysconfig/nfs did not contain the variable NFS_SECURITY_GSS in openSUSE leap 15.0. We have to investigate this.

Actions
Copy link
 #13

Updated by ingogoeppert over 3 years ago

  • Status changed from In Progress to Closed
  • Target version changed from Future to 14.2

First steps done, was not used in production setups until now.

Actions
Copy link
 #14

Updated by ingogoeppert about 3 years ago

  • % Done changed from 30 to 100
Actions
Copy link

Also available in: Atom PDF