Encrypted NFS
Posted on Thu, Sep 04, 2025 at 17:04 by Hubertus A. Haniel
After joining AD we can use Kerberos to encrypt NFS traffic as well. Obviously the NFS server must be joined to the same AD domain.
To do this we need to add an SPN for the NFS server, nfs/<server name>, on the server side (already explained in the previously mentioned blog).
It needs to be visible in the keytab with klist -ke.
Then we add the export to the exports file, something like:
/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
We only really want krb5p as that is fully encrypted.
Then we need to set the domain in /etc/idmapd.conf. It should be the value returned when you run "nfsidmap -d"; in my case this is localnet.lan.
Most problems are about this SPN. My SPN is nfs/server.localnet.lan and the server name is the same, but my Kerberos realm is upnor.localnet.lan, so I had to add this to my /etc/krb5.conf file, which is mentioned in the other blog:
[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
I also added allow_weak_crypto. I am not sure it is required, but the Red Hat manuals do tell you to do that, so for completeness my config is now:
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_realm = UPNOR.LOCALNET.LAN
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true

[realms]
 UPNOR.LOCALNET.LAN = {
  kdc = 192.168.0.10
 }

[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
If we have done all this correctly we should be able to mount this export with something like "mount -t nfs -o nfsvers=4,sec=krb5p,proto=tcp". We want krb5p as that fully encrypts all traffic, while krb5 and krb5i only encrypt certain parts of the protocol, which may be too insecure in some environments.
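Because the [domain_realm] mapping is where most of the trouble is, here is an added example (mine, not from the post) that checks the pieces above offline: it parses a krb5.conf fragment constructed to match the config shown, resolves the SPN host to a realm the way MIT krb5 walks [domain_realm] (exact host name first, then each parent domain with a leading dot, then default_realm), parses the sec= flavours out of the exports line, and flags allow_weak_crypto, which re-enables encryption types MIT marks as weak such as single DES. Only krb5p encrypts the NFS payload; krb5 authenticates and krb5i adds integrity checking, so the audit reports any export that still offers those. The sample config and the file names are assumptions for the example, nothing is read from the live system.

```python
"""Offline sanity check for Kerberos NFS: realm mapping, export flavours, weak crypto."""
import re

# Constructed sample krb5.conf fragment, laid out like the one in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = UPNOR.LOCALNET.LAN
 allow_weak_crypto = true
[realms]
 UPNOR.LOCALNET.LAN = {
  kdc = 192.168.0.10
 }
[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
"""

# The export line from the post.
EXPORT_LINE = "/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)"


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level 'key = value' relations.
    Brace-delimited sub-blocks (the per-realm block under [realms]) are skipped;
    that is enough to read [libdefaults] and [domain_realm]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def realm_for_host(hostname, domain_realm, default_realm=None):
    """Mimic the MIT krb5 [domain_realm] lookup order: the lower-cased host
    name itself, then each parent domain with a leading dot, then the
    default realm. This is why both '.localnet.lan' and 'localnet.lan'
    appear in the config: the dotted form covers hosts under the domain,
    the bare form only a host literally named 'localnet.lan'."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return default_realm


def check_export_sec(export_line):
    """Return the list of sec= flavours an /etc/exports line allows.
    Without sec= the kernel default is AUTH_SYS, reported here as ['sys']."""
    match = re.search(r"\(([^)]*)\)", export_line)
    options = match.group(1).split(",") if match else []
    for opt in options:
        if opt.startswith("sec="):
            return opt[len("sec="):].split(":")
    return ["sys"]


def audit(conf_text, spn, export_line):
    """Resolve the SPN host to a realm and collect findings a defender cares about."""
    conf = parse_krb5_conf(conf_text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    host = spn.split("/", 1)[-1].split("@", 1)[0]
    realm = realm_for_host(host, conf.get("domain_realm", {}),
                           libdefaults.get("default_realm"))
    if realm is None:
        findings.append(f"no realm mapping for {host}")
    flavours = check_export_sec(export_line)
    if flavours != ["krb5p"]:
        findings.append(f"export offers {flavours}; only krb5p encrypts the data")
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true permits enctypes marked weak "
                        "(e.g. single DES); confirm it is really needed")
    return realm, findings


if __name__ == "__main__":
    realm, findings = audit(SAMPLE_KRB5_CONF, "nfs/server.localnet.lan", EXPORT_LINE)
    print(f"nfs/server.localnet.lan maps to realm {realm}")
    for finding in findings:
        print(f"finding: {finding}")
```

Run it as-is to see the post's own setup audited: the SPN host maps to UPNOR.LOCALNET.LAN through the ".localnet.lan" entry, and two findings come back, one because the export still offers krb5 and krb5i alongside krb5p, one for allow_weak_crypto. Drop the ".localnet.lan" line from the sample and the host falls through to default_realm, which is exactly the situation where a mount fails for no obvious reason.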
Edited on: Thu, Sep 04, 2025 17:27
Posted in HowTo, System - Linux