Old 03-27-2015, 09:43 PM   #1
rickricky
LQ Newbie
 
Registered: Mar 2015
Posts: 7

Rep: Reputation: Disabled
NFS Server and Client with krb5p


Hi All,

I'm trying to set up NFS with Kerberos, with subdirectory restrictions and a domain restriction to X.example.com.

Server side
mkdir -p /public
mkdir -p /protected/secrets

user01 needs to have read and write access in the subfolder called secrets.

chmod 775 /protected/secrets

#vi /etc/exports
/public *.X.example.com(ro)
/protected *.X.example.com(sec=krb5p,rw)



Client side
to be mounted in /mnt/

#vi fstab
server:/public /mnt/nfsshare nfs _netdev 0 0
server:/protected /mnt/nfssecure nfs sec=krb5p,rw 0 0

/mnt/nfsshare #for public
/mnt/nfssecure #for protected

But when I switch user to user01, I'm getting a permission denied when I try to access /nfssecure/secret.

Has anyone experienced a similar problem?

Thanks
 
Old 03-28-2015, 07:49 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Is example.com part of your Kerberos realm (or a trusted Kerberos realm)? Do you have NIS/DNS configured to point to a working KDC to validate tickets?
The other thing: in a Kerberos-aware environment, when you have access issues, the very first thing you check is that all the clients are synched to good NTP servers, which in turn are synched to good NTP pools, because you only have to be off a little bit before the KDC decides you're a replay attack and shuts you down.
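
The two checks visible so far in the thread, that the export and the mount agree on the `sec=` flavor and that the client clock is close to the KDC's, written out as an added example (not code from any poster). The function names are hypothetical, the sample data is constructed from the lines in post #1, and the 300-second tolerance is the MIT Kerberos default clock skew.

```shell
#!/bin/sh
# Constructed sample data mirroring the /etc/exports and fstab lines in post #1.
EXPORTS='/public *.X.example.com(ro)
/protected *.X.example.com(sec=krb5p,rw)'
FSTAB='server:/public /mnt/nfsshare nfs _netdev 0 0
server:/protected /mnt/nfssecure nfs sec=krb5p,rw 0 0'

# Print the sec= value from a comma-separated option list. A missing sec= is
# reported as "sys": that is the exports(5) default; on the mount side it is a
# simplification, since the client may negotiate a flavor.
sec_of() {
    s=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    echo "${s:-sys}"
}

# $1 = exports text, $2 = exported path
export_sec() {
    opts=$(printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }' |
           sed -n 's/.*(\(.*\)).*/\1/p' | head -n 1)
    sec_of "$opts"
}

# $1 = fstab text, $2 = remote spec such as server:/protected
mount_sec() {
    opts=$(printf '%s\n' "$1" | awk -v r="$2" '$1 == r && $3 ~ /^nfs/ { print $4 }' | head -n 1)
    sec_of "$opts"
}

# $1 = export flavor list (colon separated), $2 = flavor the client mounts with
flavor_allowed() {
    case ":$1:" in *":$2:"*) return 0 ;; *) return 1 ;; esac
}

# $1 = client epoch seconds, $2 = KDC epoch seconds, $3 = tolerance (default 300)
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "${3:-300}" ]
}

for share in /public /protected; do
    e=$(export_sec "$EXPORTS" "$share"); m=$(mount_sec "$FSTAB" "server:$share")
    if flavor_allowed "$e" "$m"; then r=match; else r=MISMATCH; fi
    echo "$share: export sec=$e, mount sec=$m -> $r"
done
# Constructed timestamps: client 180 s ahead of the KDC, inside the tolerance.
if skew_ok 1427510580 1427510400; then echo "clock skew ok"; else echo "clock skew too large"; fi
```
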
 
Old 03-28-2015, 09:49 PM   #3
rickricky
LQ Newbie
 
Registered: Mar 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hi Dijetlo,

Thanks for the reply. I never tried to check the NTP server, my bad; I will do this next time. This is part of the exam I took earlier.

I'm sure the Kerberos realm (or a trusted Kerberos realm) and NIS/DNS are properly configured. This is configured by default on the exam.

Anything you would like to advise? Or maybe just the NTP server.

Thanks
 
Old 03-29-2015, 01:19 AM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
No Problem Rick,

Actually... it's hard to say because I don't know the preconditions of the exam. Was this the RHCA (the RHEL admin exam)?

You have to configure NFS, which means you have to turn on some rpc daemons (quotd, statd, lockd etc) but those are probably on. The Kerberos thing is more the result of a bad experience than something that happens a lot (though it happens often enough that I always want it checked on the client). My suggestion is to set up a virt environment and build it all from the ground up with the CLI. Do that a couple of times, then bring up the GUI and you'll find that it seems like child's play. It will also give you an understanding of the component processes your classmates won't be able to match. The first time you're sitting in a job interview you'll find it really useful to be able to run through the processes at that level of detail while your classmates talk about how they go to this menu and clickety click here, then clickety click there, then if that isn't red and this is green, they clickety click the gizmo...
Ask for 20 percent more than they ask for, you'll be worth it.

Last edited by dijetlo; 03-29-2015 at 01:20 AM. Reason: the phantom percent sign bug struck again !!!!!
 
Old 03-29-2015, 03:16 AM   #5
rickricky
LQ Newbie
 
Registered: Mar 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Yes, this is part of the RHEL exam, but not the RHCA; this is just for RHCE 7.

Thanks for the advice. I'm going to try to build this on a demo environment and verify it from there.

Thanks again

cheers!

RHCE 7 exam is HELL!!!!!
 
1 members found this post helpful.
Old 04-09-2015, 01:35 AM   #6
itlinux
LQ Newbie
 
Registered: Apr 2015
Posts: 1

Rep: Reputation: Disabled
Yea that exam is hard

Hi, I had the same idea on how to configure that part. I guess I did not get it right since I did not get 300 on the exam, but pretty close. Anyhow, I will see if anyone knows what options to look for. Of course there is not much I can say about the test. Just prepare yourself well. It's a hard one. Good luck.
 
  

