I do not know what OS you are using but if it is RHEL 6 or CentOS 6 you would 
need to do the following:

In /etc/idmapd.conf:

Domain = your.domain

Add this to /etc/sysconfig/nfs

SECURE_NFS="yes"

In /etc/exports:

/home/repo *(rw,sync,sec=krb5p) 

Make sure that you use NTP for every server/client and that the time is synced.

Add the server to the IPA Domain

Create an NFS service for the server in IPA:

ipa service-add nfs/your.server.name 

Generate a key using:

ipa-getkeytab -s ipa.server -p nfs/your.nfs.server -k /tmp/nfsserver.keytab

Do this on the NFS server, and you can add the key directly to /etc/krb5.keytab.

Add a firewall rule for tcp 2049.

iptables -I INPUT 5 -p tcp -m state --state NEW,ESTABLISHED --dport 2049 -j ACCEPT

Save and restart firewall + the other services and it should work.

For RHEL 7 or Fedora it is essentially the same except that you do not add the 
line to /etc/sysconfig/nfs.

Instead you need to enable and start nfs-server and nfs-secure-server using 
systemctl.

For autofs you just need to add a proper direct or indirect map in IPA and on 
the IPA client run ipa-client-automount.

Make sure that the nfs 4 kerberos share is working first before starting with 
autofs config.

mount -t nfs4 -v -o sec=krb5p nfs.server:/home/repo /mnt

Hope this could help you get it working. :-)

Regards,
Johan

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dan Mossor [danofs...@gmail.com]
Sent: Thursday, September 18, 2014 06:57
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Kerberized NFS and automount

I have been fighting with getting my NFS servers kerberized since I
first installed FreeIPA back in April - I still cannot create a secured
NFS mount, and have exhausted all my resources in troubleshooting, so I
am reaching out to the list since I see many of you have it working.

The next step in the puzzle will be to make this work with automount -
which again, I can't get this working either. I am missing one key step
here, but I can't find it. The documentation for both issues is
confusing, especially to someone new to FreeIPA.

So first, let's tackle the Kerberized NFS mounts. On the server doing
the exporting, here are the pertinent files.
/etc/sysconfig/nfs:
RPCNFSDARGS=""
RPCNFSDCOUNT=8
RPCMOUNTDOPTS="--debug all"
STATDARG=""
RPCIDMAPDARGS=""
RPCGSSDARGS="--debug all"
GSS_USE_PROXY="no"
RPCSVCGSSDARGS=""

My last attempt at an /etc/exports file before I gave up:
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

What other information do y'all need to help me get this working?
--
Dan Mossor
Systems Engineer at Large
Fedora QA Team | Fedora KDE SIG | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying 
or disseminating it or any information in it. Please notify the above if any 
misdirection.
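
An added example, not code from either poster: a shell function that audits an exports file for the points raised in this thread, namely the legacy gss/krb5p client syntax in the original question versus the sec=krb5p option in the reply. Per exports(5), an entry with no sec= option defaults to sec=sys; the function names, the wording of the findings and the /srv/pub line are constructed for illustration.

```shell
# audit_exports FILE: print one "path client: finding" line per problem entry.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {          # each field is client(options)
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "(any)"   # "host (rw)" exports to everyone
            sec = ""; squash = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                if (o[j] == "no_root_squash") squash = 1
            }
            if (client ~ /^gss\//)
                print path, client ": legacy gss/ client syntax, use sec= instead"
            else if (sec == "")
                print path, client ": no sec= option, defaults to sec=sys"
            else if (sec != "krb5p")
                print path, client ": sec=" sec " allows flavors other than krb5p"
            if (squash)
                print path, client ": no_root_squash set"
        }
    }' "$1"
}

# Constructed sample: the two export lines quoted in this thread plus one
# hypothetical entry that carries no sec= option.
sample_exports() {
    cat <<'EOF'
# constructed sample for the audit
/home/repo *(rw,sync,sec=krb5p)
/home/repo gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
/srv/pub   client.example.test(rw,sync)
EOF
}

tmp=$(mktemp) && sample_exports > "$tmp" && audit_exports "$tmp"; rm -f "$tmp"
```

On a real server, call it as audit_exports /etc/exports; an empty result means every entry requires krb5p and none disables root squashing.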

