How do you set up an NFS4 server with Kerberos from Active Directory?
I can install and configure an NFS4 server and connect to it, but I cannot get Kerberos to work under any circumstances where the Active Directory controls the KDC. Not even with a freshly installed Windows Server where I set up Active Directory myself.
I did a lot of debugging with a server I set up to my company's Active Directory, a lot of it is documented here: How does the Linux NFS server implementation of setclientid work?
The results were the same with a fresh Windows server with Active Directory – but surprisingly (well maybe it isn't so surprising) it works if I install some other kind of KDC.
I have a working server (as in NFS4 and Kerberos from Active Directory) that was installed about 8 months ago; it is running CentOS 7.6.1810 as well, but even when I replicate everything I did to that one, I cannot get it to work.
I have used SSSD, PBIS Open and manual configuration of Kerberos.
Pretty much everything results in 'permission denied', which appears to come from an error code -13 from RPC. All Kerberos tickets that I have inspected have looked correct.
What are the exact steps that need to be taken to configure an NFS4 server on CentOS Linux release 7.6.1810 (Core) to use Kerberos from Active Directory?
Best Answer
I use this method on both Linux (ubuntu) and on FreeBSD, so I'm pretty sure they are fairly generic to UN*X-like systems.
First of all, you need to make sure that DNS works properly and that the hostname is correct. Make sure there is no entry mapping hostname.domain.name to 127.0.1.1.
Also, make sure your system is set up to use nfs4 with sec=krb5 (or krb5i or krb5p).
You need to set an SPN for nfs to use. There is a Unix command called msktutil that can handle it. It's probably available in CentOS; I know it's available in Ubuntu's standard repos. See https://github.com/msktutil/msktutil
I've a script that handles it all.
Make sure you've joined the domain and that everything works as it should. (except for kerberized nfs4 of course.) I usually do the following:
klist should show your administrator ticket.
Make a backup of /etc/krb5.keytab before you run the script.
After that I run this script: (You will join the domain twice, so that your /etc/krb5.keytab gets updated properly. I'm not sure if it is strictly needed.)
After that you should be ready to go! (Assuming your nfs-server is set up correctly, and Kerberos and everything else.) For instance, on Ubuntu 18.04 /etc/default/nfs-kernel-server looks like this on my system:
And my /etc/idmapd.conf looks like this:
And /etc/default/nfs-common looks like so: (There is probably something similar for centos)
Hope this helps!
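As an added example (not the answer author's script and not part of msktutil), here is a POSIX shell pre-flight helper covering the three things the answer insists on before kerberized NFSv4 can work: no loopback mapping for the server's host name, an nfs/FQDN@REALM entry in /etc/krb5.keytab, and exports that actually carry sec=krb5, krb5i or krb5p. The check functions take file arguments so they can be run against a captured klist -k listing or a copy of /etc/exports; only run_preflight touches the live system. Host names, the realm and all sample file contents are constructed, and the msktutil options quoted in the hint (--update, --service, --keytab) should be confirmed against the --help of the version you have installed.

```shell
#!/bin/sh
# Added example, not the answer author's script: pre-flight checks for an
# NFSv4 server that takes Kerberos from Active Directory. Names in comments
# (nfs1.example.com, EXAMPLE.COM) are constructed.

# check_hosts_file FILE FQDN
# Returns 1 if FILE (in /etc/hosts format) maps FQDN to a 127.x.x.x address.
# A loopback mapping makes the server resolve its own name to 127.0.1.1, so
# the nfs/FQDN principal no longer lines up with what clients ask for.
check_hosts_file() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ { next }                                      # skip comments
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# keytab_has_nfs_spn KLIST_OUTPUT_FILE FQDN REALM
# Returns 0 if a captured "klist -k" listing contains nfs/FQDN@REALM.
keytab_has_nfs_spn() {
    grep -qF "nfs/$2@$3" "$1"
}

# export_uses_krb5 EXPORTS_FILE PATH
# Returns 0 only if PATH is exported and every client spec on its lines has
# sec=krb5, krb5i or krb5p; a client with no sec= option defaults to sec=sys
# and is therefore treated as weak.
export_uses_krb5() {
    awk -v path="$2" '
        /^[[:space:]]*#/ { next }
        $1 == path {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i !~ /\(.*sec=krb5[ip]?[,:)]/) weak = 1
        }
        END { exit (seen && !weak) ? 0 : 1 }
    ' "$1"
}

# run_preflight FQDN REALM EXPORT_PATH
# Runs the checks against the live system. If the nfs SPN is missing it only
# prints the msktutil command that would register it; nothing is executed.
run_preflight() {
    fqdn="$1"; realm="$2"; path="$3"; rc=0
    if ! check_hosts_file /etc/hosts "$fqdn"; then
        echo "FAIL: /etc/hosts maps $fqdn to a loopback address"; rc=1
    fi
    listing=$(mktemp)
    klist -k /etc/krb5.keytab > "$listing" 2>/dev/null || true
    if ! keytab_has_nfs_spn "$listing" "$fqdn" "$realm"; then
        echo "FAIL: nfs/$fqdn@$realm is not in /etc/krb5.keytab; back the keytab up, then run:"
        echo "      kinit administrator && msktutil --update --service nfs --keytab /etc/krb5.keytab"
        rc=1
    fi
    rm -f "$listing"
    if ! export_uses_krb5 /etc/exports "$path"; then
        echo "FAIL: $path is not exported with sec=krb5/krb5i/krb5p for every client"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: host name, keytab and export look consistent"
    return "$rc"
}

# Usage: sh nfs_preflight.sh nfs1.example.com EXAMPLE.COM /srv/nfs
if [ "$#" -eq 3 ]; then
    run_preflight "$1" "$2" "$3"
fi
```

The keytab check deliberately looks for the service principal rather than the host/ entry: a host joined with the default msktutil settings has host/FQDN but not nfs/FQDN, which is exactly the state that produces the -13 (EACCES) denials the question describes while every user ticket still looks fine.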