Encrypted NFS
Posted on Thu, Sep 04, 2025 at 17:04 by Hubertus A. Haniel
After joining AD we can use kerberos to encrypt nfs traffic as well - Obviously the NFS server must be joined to the same AD domain.
To do this we need to add an SPN for the NFS server, nfs/<server name>, on the server side (already explained in the previously mentioned blog).
It needs to be visible in the keytab with klist -ke.
Then we add the export to the exports file, something like:
/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
We only really want krb5p as that is fully encrypted.
Then we need to set the domain in /etc/idmapd.conf - It should be returned when you run "nfsidmap -d" - In my case this is localnet.lan.
Most problems are about this SPN - my SPN is nfs/server.localnet.lan and the server name is the same, but my kerberos realm is upnor.localnet.lan, so I had to add this to my /etc/krb5.conf file that is mentioned in the other blog:
[domain_realm]
.localnet.lan = UPNOR.LOCALNET.LAN
localnet.lan = UPNOR.LOCALNET.LAN
.upnor.localnet.lan = UPNOR.LOCALNET.LAN
upnor.localnet.lan = UPNOR.LOCALNET.LAN
I also added allow_weak_crypto - I am not sure it is required but the Red Hat manuals do tell you to do that, so for completeness my config is now:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = UPNOR.LOCALNET.LAN
default_ccache_name = KEYRING:persistent:%{uid}
allow_weak_crypto = true
[realms]
UPNOR.LOCALNET.LAN = {
kdc = 192.168.0.10
}
[domain_realm]
.localnet.lan = UPNOR.LOCALNET.LAN
localnet.lan = UPNOR.LOCALNET.LAN
.upnor.localnet.lan = UPNOR.LOCALNET.LAN
upnor.localnet.lan = UPNOR.LOCALNET.LAN
If we have done this all correctly we should be able to mount this export with something like "mount -t nfs -o nfsvers=4,sec=krb5p,proto=tcp" - We want krb5p as that fully encrypts all traffic, while krb5 and krb5i only protect certain parts of the protocol, which may be too insecure in some environments.
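Added example (not part of the original post): POSIX shell checks for the steps above, run here against constructed sample input. The function names are assumptions; on a real host you would feed them the output of klist -ke, the exports file, /etc/krb5.conf and /proc/mounts.

```shell
#!/bin/sh
# Added preflight checks for the kerberised NFS setup above (not code from the
# original post). Each function takes its input as text so it can be run
# against constructed samples as well as real command output.

# Is the nfs/<fqdn> SPN present in "klist -ke" output?
has_nfs_spn() {                  # $1 = klist -ke output, $2 = server fqdn
    printf '%s\n' "$1" | grep -q "nfs/$2@"
}

# Which realm does [domain_realm] map a host to?  Mirrors libkrb5: exact host
# first, then each parent domain with a leading dot.  Prints nothing and returns
# 1 when nothing matches (libkrb5 then falls back to default_realm).  Assumes
# "key = value" entries with spaces around "=", as in the config above.
realm_for_host() {               # $1 = krb5.conf text, $2 = fqdn
    printf '%s\n' "$1" | awk -v host="$2" '
        /^\[/ { insec = ($0 == "[domain_realm]"); next }
        insec && NF >= 3 && $2 == "=" { map[$1] = $3 }
        END {
            if (host in map) { print map[host]; exit 0 }
            for (h = host; (i = index(h, ".")) > 0; h = substr(h, 2)) {
                h = substr(h, i)            # ".localnet.lan", then ".lan"
                if (h in map) { print map[h]; exit 0 }
            }
            exit 1
        }'
}

# Security flavours weaker than krb5p that an exports line still offers.  Prints
# them colon separated and returns 1 if there are any; no sec= at all means sys.
weak_export_flavours() {         # $1 = one /etc/exports line
    printf '%s\n' "$1" | awk '{ weak = ""; seen = 0
        if (match($0, /\([^)]*\)/)) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), o, ",")
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) {
                seen = 1; m = split(substr(o[i], 5), f, ":")
                for (j = 1; j <= m; j++)
                    if (f[j] != "krb5p") weak = weak (weak == "" ? "" : ":") f[j]
            }
        }
        if (!seen) weak = "sys"
        print weak; exit (weak != "")
    }'
}

# Is a mounted share (one /proc/mounts line) really negotiated as sec=krb5p?
mount_is_krb5p() {               # $1 = one /proc/mounts line
    printf '%s\n' "$1" | awk '$3 ~ /^nfs4?$/ { n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "sec=krb5p") ok = 1 }
        END { exit !ok }'
}
```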
It should be noted that users have to have a kerberos ticket before they can read/write files on this mount, and then the normal file permissions apply - However in an export the no_root_squash option is actually irrelevant, as root may be able to read files using the host credentials but can not write to the file system, because root can not get a kerberos ticket. There are workarounds to make that work but in general they are not recommended as they make your environment less secure again.
You may want to read my article about ssh kerberos authentication and ticket delegation.
Some of the errors that can be encountered are very misleading - For example I have come across "an incorrect mount option was specified" - This had nothing to do with the mount options but can mean there is an error in the client configuration - In my case the culprit was that rpc-gssd.service had actually died and I needed to manually start it.
You may notice that the no_root_squash option does not actually work with krb5 - There are various ways to enable that but none are really recommended or even work, as they will lower the security of your setup. RedHat have this article on that which would not work for me - The only way I was able to actually make that work with my setup is to add the following to my realms section on the nfs server, which will enable the client host linuxdev2, which holds the host credential, to access shares as root (HOSTNAME$ is the actual computer account in AD and only root can use that to perform the initial mount):
[realms]
UPNOR.LOCALNET.LAN = {
kdc = 192.168.0.10
auth_to_local_names = {
LINUXDEV2$ = root
}
}
There are articles that explain how you can create a root account in the kerberos realm, but that then means that root will also have to authenticate with a password to perform the mount, and mounts can not be performed during boot out of fstab.
Posted in HowTo, System - Linux