Encrypted NFS
Posted on Thu, Sep 04, 2025 at 17:04 by Hubertus A. Haniel
After joining AD we can use Kerberos to encrypt NFS traffic as well - obviously the NFS server must be joined to the same AD domain.
To do this we need to add a SPN for the NFS server, nfs/<server name>, on the server side (already explained in the previously mentioned blog).
It needs to be visible in the keytab with klist -ke.
Then we add the export to the exports file, something like:
/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
We only really want krb5p as that is fully encrypted.
Then we need to set the domain in /etc/idmapd.conf - it should be the value returned when you run "nfsidmap -d" - in my case this is localnet.lan.
Most problems are about this SPN - my SPN is nfs/server.localnet.lan and the server name is the same, but my Kerberos realm is upnor.localnet.lan, so I had to add this to my /etc/krb5.conf file that is mentioned in the other blog:
[domain_realm]
    .localnet.lan = UPNOR.LOCALNET.LAN
    localnet.lan = UPNOR.LOCALNET.LAN
    .upnor.localnet.lan = UPNOR.LOCALNET.LAN
    upnor.localnet.lan = UPNOR.LOCALNET.LAN
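The reason this mapping is needed: libkrb5 decides which realm the nfs/server.localnet.lan principal belongs to by looking the host name up in [domain_realm]; with no entry it falls back to the host's DNS domain in upper case, LOCALNET.LAN here, which is not a realm. The script below is an added example (mine, not from the post or the Red Hat manuals) that applies the same lookup rule to a constructed config fragment built from the lines above, so you can see that the dotted entry covers hosts under the domain while the undotted one is needed for the bare domain name itself.

```shell
#!/usr/bin/env bash
# Added example: resolve a host name to a Kerberos realm the way the
# [domain_realm] section is consulted. SAMPLE_KRB5_CONF is a constructed
# fragment that repeats only the mapping lines from the post.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = UPNOR.LOCALNET.LAN
[realms]
    UPNOR.LOCALNET.LAN = {
        kdc = 192.168.0.10
    }
[domain_realm]
    .localnet.lan = UPNOR.LOCALNET.LAN
    localnet.lan = UPNOR.LOCALNET.LAN
    .upnor.localnet.lan = UPNOR.LOCALNET.LAN
    upnor.localnet.lan = UPNOR.LOCALNET.LAN'

# domain_realm_lookup HOST CONF_TEXT
# Undotted entries match the host name itself; dotted entries match any host
# below that domain. The most specific match wins, so the full name is tried
# first and then one label is stripped at a time. Prints UNMAPPED and fails
# when no entry applies.
domain_realm_lookup() {
  local host table candidate realm
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # Reduce the [domain_realm] section to "pattern realm" pairs.
  table=$(printf '%s\n' "$2" | awk '
    /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
    in_sec && NF >= 3 && $2 == "=" { print tolower($1), $3 }')
  # Exact host match first.
  realm=$(printf '%s\n' "$table" | awk -v k="$host" '$1 == k { print $2; exit }')
  candidate=$host
  # Then walk up: server.localnet.lan -> .localnet.lan -> .lan
  while [ -z "$realm" ] && [ "${candidate#*.}" != "$candidate" ]; do
    candidate=${candidate#*.}
    realm=$(printf '%s\n' "$table" | awk -v k=".$candidate" '$1 == k { print $2; exit }')
  done
  if [ -z "$realm" ]; then
    printf 'UNMAPPED\n'
    return 1
  fi
  printf '%s\n' "$realm"
}

# Demonstration on hosts that all map to the realm from the post.
for h in server.localnet.lan client.upnor.localnet.lan localnet.lan; do
  printf '%-28s -> %s\n' "$h" "$(domain_realm_lookup "$h" "$SAMPLE_KRB5_CONF")"
done
```

Removing the undotted "localnet.lan" line leaves the bare domain unmapped while "server.localnet.lan" still resolves, which is the case the two-line pairs in the config guard against.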
      
I also added allow_weak_crypto - I am not sure it is required, but the Red Hat manuals do tell you to do that, so for completeness my config is now:
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = UPNOR.LOCALNET.LAN
    default_ccache_name = KEYRING:persistent:%{uid}
    allow_weak_crypto = true

[realms]
    UPNOR.LOCALNET.LAN = {
        kdc = 192.168.0.10
    }

[domain_realm]
    .localnet.lan = UPNOR.LOCALNET.LAN
    localnet.lan = UPNOR.LOCALNET.LAN
    .upnor.localnet.lan = UPNOR.LOCALNET.LAN
    upnor.localnet.lan = UPNOR.LOCALNET.LAN
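Two things in this config are worth verifying on the server rather than assuming: that the nfs/ SPN really is in the keytab (the klist -ke step above), and what allow_weak_crypto = true buys you. That setting re-enables the encryption types MIT Kerberos classifies as weak (single DES); it is not needed for AES keys, which current AD domains issue. The script below is an added example (mine, not the post's) that runs both checks over a constructed klist -ke output; on the server you would feed it the real output. It also flags 3DES and RC4 (arcfour-hmac), which MIT has deprecated.

```shell
#!/usr/bin/env bash
# Added example: audit "klist -ke" output for the NFS SPN and for enctypes
# that are weak or deprecated. SAMPLE_KLIST is constructed sample output in
# the format klist -ke prints; the RC4 entry is there to trigger a finding.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server.localnet.lan@UPNOR.LOCALNET.LAN (aes256-cts-hmac-sha1-96)
   2 nfs/server.localnet.lan@UPNOR.LOCALNET.LAN (aes128-cts-hmac-sha1-96)
   2 nfs/server.localnet.lan@UPNOR.LOCALNET.LAN (arcfour-hmac)
   2 host/server.localnet.lan@UPNOR.LOCALNET.LAN (aes256-cts-hmac-sha1-96)'

# keytab_has_spn PRINCIPAL KLIST_OUTPUT
# Succeeds if at least one keytab entry is for PRINCIPAL (realm included).
# Entry lines start with the numeric KVNO; header and separator lines do not.
keytab_has_spn() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
    END { exit !found }'
}

# keytab_weak_enctypes KLIST_OUTPUT
# Prints "principal enctype" for every entry whose enctype MIT Kerberos
# treats as weak (des-*) or deprecated (des3-*, arcfour-*).
# Succeeds only when nothing is printed.
keytab_weak_enctypes() {
  local hits
  hits=$(printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+$/ {
      et = $3; gsub(/[()]/, "", et)       # strip the parentheses
      if (et ~ /^(des|arcfour)/) print $2, et
    }')
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Demonstration on the constructed sample.
SPN='nfs/server.localnet.lan@UPNOR.LOCALNET.LAN'
if keytab_has_spn "$SPN" "$SAMPLE_KLIST"; then
  echo "OK: $SPN present in keytab"
else
  echo "MISSING: $SPN (check the SPN on the AD computer object and the keytab)"
fi
keytab_weak_enctypes "$SAMPLE_KLIST" || echo "WARNING: weak or deprecated enctypes listed above"
```

If the only non-AES entries are ones like the arcfour-hmac line in the sample, allow_weak_crypto is not what makes the mount work, and the setting can be left at its default once you have confirmed the mount still succeeds.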
If we have done this all correctly we should be able to mount this export with something like "mount -t nfs -o nfsvers=4,sec=krb5p,proto=tcp" - we want krb5p as that encrypts all traffic, while krb5 and krb5i only protect parts of the protocol (authentication, and with krb5i the integrity of the payload) and leave the file data unencrypted, which may be too insecure in some environments.
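To make the difference between the flavours checkable, the helper below is an added example (my script, not from the post) that parses the sec= list from an exports line or a mount option string and reports every flavour that leaves the file data unencrypted. The sample inputs are constructed from the export line and the mount options quoted in this post; the flavour definitions follow RFC 2623: krb5 authenticates the caller only, krb5i adds an integrity checksum over each RPC payload, and only krb5p encrypts it. An absent sec= means sec=sys, which trusts the uid the client sends.

```shell
#!/usr/bin/env bash
# Added example: report which RPCSEC_GSS flavours an /etc/exports line or a
# mount option string still permits besides krb5p.
#   sys   - AUTH_SYS, the default when sec= is absent; client-asserted uid
#   krb5  - Kerberos authentication only; data travels in the clear
#   krb5i - adds an integrity checksum over the RPC payload; still readable
#   krb5p - adds privacy: the RPC payload is encrypted

# sec_flavours OPTS
# Prints the flavours listed in sec=, one per line; "sys" when sec= is absent.
sec_flavours() {
  local opt value=""
  local IFS=','                 # option lists are comma separated
  for opt in $1; do
    case $opt in
      sec=*) value=${opt#sec=} ;;
    esac
  done
  [ -n "$value" ] || value=sys
  printf '%s\n' "$value" | tr ':' '\n'
}

# unencrypted_flavours OPTS
# Prints every permitted flavour that does not encrypt the data; succeeds
# only when krb5p is the sole flavour.
unencrypted_flavours() {
  local f rc=0
  for f in $(sec_flavours "$1"); do
    case $f in
      krb5p) ;;
      *) printf '%s\n' "$f"; rc=1 ;;
    esac
  done
  return $rc
}

# exports_client_options LINE
# Splits an /etc/exports line into "client options" pairs, one per client.
exports_client_options() {
  local word client opts
  set -f                        # no globbing: client specs contain '*'
  set -- $1                     # whitespace-split: path, then client(opts)...
  set +f
  shift                         # drop the export path
  for word in "$@"; do
    case $word in
      *\(*\)) client=${word%%\(*}; opts=${word#*\(}; opts=${opts%\)} ;;
      *)      client=$word; opts="" ;;   # no options: everything defaults
    esac
    printf '%s %s\n' "$client" "$opts"
  done
}

# audit_exports_line LINE
# Prints one finding per client entry that allows a flavour weaker than
# krb5p; succeeds when there are no findings.
audit_exports_line() {
  local path client opts weak rc=0
  path=${1%% *}
  while read -r client opts; do
    weak=$(unencrypted_flavours "$opts" | tr '\n' ' ')
    if [ -n "$weak" ]; then
      printf '%s %s: allows unencrypted flavours: %s\n' "$path" "$client" "${weak% }"
      rc=1
    fi
  done <<EOF
$(exports_client_options "$1")
EOF
  return $rc
}

# Constructed samples: the export line and the mount options from the post.
audit_exports_line '/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)' || true
audit_exports_line '/TEST *.localnet.lan(rw,sec=krb5p,no_root_squash)' && echo '/TEST: krb5p only'
unencrypted_flavours 'nfsvers=4,sec=krb5p,proto=tcp' >/dev/null && echo 'mount options: krb5p only'
```

Run audit_exports_line over each line of /etc/exports to find entries that still offer krb5 or krb5i; a client that asks for sec=krb5p is protected either way, but the export then also accepts clients that negotiate down to the weaker flavours.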
It should be noted that users have to have a Kerberos ticket before they can read/write files on this mount, and then the normal file permissions apply. However, in an export the no_root_squash option is actually irrelevant: root may be able to read files using the host credentials, but root cannot write to the file system because root cannot get a Kerberos ticket. There are workarounds to make that work, but in general they are not recommended as they make your environment less secure again.
You may want to read my article about ssh Kerberos authentication and ticket delegation.
Some of the errors that can be encountered are very misleading - for example I have come across "an incorrect mount option was specified". This had nothing to do with the mount options but can mean there is an error in the client configuration - in my case the culprit was that rpc-gssd.service had actually died and I needed to start it manually.
Edited on: Tue, Oct 28, 2025 16:41
Posted in HowTo, System - Linux
