action #25704

Use kerberos authentication for nfs shares

Added by ingogoeppert almost 2 years ago. Updated 6 months ago.

Status:In ProgressStart date:01/10/2017
Priority:NormalDue date:
Assignee:ingogoeppert% Done:

30%

Category:-
Target version:Future
Duration:

Description

To improve security when nfs shares are used, we should use kerberos authentication.

Needs:
* Modified share configuration
* SPNs
* Modified client configuration

Links:
* http://users.suse.com/~sjayaraman/nfs4_howto.txt
* https://groups.google.com/forum/#!topic/linux.samba/uP119bAe0CA
* https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/

Current state:
* invis Server 14 setup is prepared for kerberos, but exports are still without
* membermod adds the spn we need for kerberos (execute manual)
* client setup is prepared for kerberos. Todo: Exporting the additional spn to the client keytab after the join (or do it manual).

Export keytab on the client: "net ads keytab create" or "net ads keytab create -P"

nfs-kerberos (2.05 KB) ingogoeppert, 15/07/2018 08:27 pm

History

#1 Updated by ingogoeppert almost 2 years ago

  • Description updated (diff)

#2 Updated by ingogoeppert over 1 year ago

  • Category changed from 364 to Developement

#3 Updated by ingogoeppert over 1 year ago

  • Project changed from invis-server to invisAD-setup
  • Category deleted (Developement)
  • Target version deleted (Next)

#4 Updated by flacco over 1 year ago

  • Target version set to Future

#5 Updated by flacco over 1 year ago

  • Assignee set to ingogoeppert

#6 Updated by ingogoeppert about 1 year ago

  • File nfs-kerberos added
  • Status changed from New to In Progress
  • % Done changed from 0 to 30

First setup was successful. Steps to modify a classic nfs setup to a kerberos setup are described in German in the attached document. Test setup was a invis 15 Server and a openSUSE Leap 42.3 Client with KDE Desktop. Both VirtualBox VMs.

#7 Updated by ingogoeppert about 1 year ago

  • Private changed from Yes to No

#8 Updated by ingogoeppert 11 months ago

  • Description updated (diff)

#9 Updated by ingogoeppert 11 months ago

Tests at FrOSCon 13 failed with "permission denied". Very strange: after restarting sssd in the running system it succeeds. It also happened at my test setup. We have to find out why before we roll out nfs with kerberos as default or reconfigure systems to nfs with kerberos.

#10 Updated by ingogoeppert 11 months ago

  • Description updated (diff)

#11 Updated by ingogoeppert 11 months ago

  • Description updated (diff)

#12 Updated by flacco 6 months ago

File /etc/sysconfig/nfs did not contain the variable NFS_SECURITY_GSS in openSUSE leap 15.0. We have to investigate this.

Also available in: Atom PDF