Configuring Kerberos for NFS 4.1 access (Ubuntu)

This blog talks about configuring Kerberos on Ubuntu for NFS access. The NFS share is hosted on a two-node Windows failover cluster.

Environment:

  1. Windows Server 2012 as the DC and as the NFS cluster nodes
  2. Ubuntu as the NFS client

Cluster node:

  1. Ran setspn on the cluster node to check which SPNs are registered for NFS:

C:\> setspn -l node1

Registered ServicePrincipalNames for CN=node1,CN=Computers,DC=contoso,DC=local:
nfs/node1
nfs/node1.contoso.local
WSMAN/node1
WSMAN/node1.contoso.local
RestrictedkrbHost/node1
HOST/node1
RestrictedkrbHost/node1.contoso.local
HOST/node1.contoso.local

Windows 2012 DC:

  1. On the DC, created a container and a user called linuxclientuser.
  2. Disabled pre-authentication for the user and enabled the "This account supports Kerberos AES 256 bit encryption" option. (Note: disabling pre-authentication is not required for keytab-based authentication, and it lets anyone who can reach the KDC and knows the account name request an AS-REP for it and guess the password offline. Leave it enabled unless a client actually fails without it.)
  3. Registered the SPN for the Ubuntu NFS client on that user with setspn. The command needs to be run twice, once for the short host name and once for the FQDN of the Ubuntu client (nfs/<hostname> and nfs/<fqdn>), matching the pair registered for node1 above.

4. Ran ktpass on the DC to create the keytab for the client's nfs/ principal, mapped to linuxclientuser.

Note: ubuntu2.contoso.local is the Linux machine's host name. It is not joined to the Windows domain; it only has a host (A) record in DNS.

Note: For AES to be used for the TGT, the domain functional level has to be Windows Server 2008 or later.

Note: We had to create a reverse lookup zone and register a PTR record for the NFS server there, because the Linux client was constantly querying for it: rpc.gssd reverse-resolves the server's IP address to build the server principal name nfs/<fqdn>, and without a PTR record the mount fails.

5. Exported the keytab file to Ubuntu. rpc.gssd reads /etc/krb5.keytab by default, and the file must be owned by root with mode 0600, since it holds the client's long-term key.
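The DC-side steps above (account creation, SPN registration, ktpass, PTR record) as one script. This is an added example, not the commands from the original post; it assumes the domain contoso.local (realm CONTOSO.LOCAL), an OU named OU=LinuxClients,DC=contoso,DC=local for the "container", the client FQDN ubuntu2.contoso.local, an NFS server name windowsnfsserver at 192.168.1.50, and an output path C:\keytabs\ubuntu2.keytab. Unlike the post, it keeps pre-authentication enabled, which a keytab does not need.

```powershell
# Added example (not from the original post). Run on the DC as a domain admin.
# Assumed values: realm/domain, OU, client FQDN, server IP/name and keytab path.
Import-Module ActiveDirectory

$domain = 'contoso.local'
$realm  = $domain.ToUpper()
$ou     = 'OU=LinuxClients,DC=contoso,DC=local'   # assumed OU for the service account
$user   = 'linuxclientuser'
$client = 'ubuntu2'                                # assumed client host name
$fqdn   = "$client.$domain"
$keytab = 'C:\keytabs\ubuntu2.keytab'              # assumed output path

# Service account that represents the NFS client. AES-256 is enabled explicitly
# (the checkbox the post ticked). Pre-auth is left ON: turning it off would let
# anyone who knows the account name request an AS-REP and crack it offline.
New-ADUser -Name $user -SamAccountName $user -Path $ou -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Temporary password') `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256

# Both SPN forms on the user object, as the post does (short name and FQDN).
setspn -S "nfs/$client" $user
setspn -S "nfs/$fqdn"   $user

# Keytab for the FQDN principal with an AES-256 key. +rndpass replaces the
# temporary password with a random one, so only the keytab holds the real key.
ktpass /princ "nfs/$fqdn@$realm" /mapuser "$user@$domain" /crypto AES256-SHA1 `
    /ptype KRB5_NT_PRINCIPAL +rndpass /out $keytab

# The post had to add a PTR record for the NFS server; rpc.gssd on the client
# reverse-resolves the server IP to build nfs/<fqdn>. Assumed 192.168.1.50.
Add-DnsServerResourceRecordPtr -ZoneName '1.168.192.in-addr.arpa' -Name '50' `
    -PtrDomainName "windowsnfsserver.$domain"

# Verify: SPNs present, AES-256 set, pre-auth still required.
setspn -L $user
Get-ADUser $user -Properties KerberosEncryptionType, DoesNotRequirePreAuth |
    Select-Object SamAccountName, UserPrincipalName, KerberosEncryptionType, DoesNotRequirePreAuth
```

ktpass /mapuser rewrites the account's userPrincipalName to nfs/ubuntu2.contoso.local@CONTOSO.LOCAL, which is expected. If the short-name principal also needs to be in the keytab, run ktpass a second time with /in pointing at the first file and /out to a new one; each run with +rndpass resets the password, so the previous keytab's key stays valid only because the kvno is carried forward.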

Ubuntu:

1. Referred to https://help.ubuntu.com/community/NFSv4Howto for the NFS v4.1 client setup.

2. Install the required packages:

  • apt-get install libpam-krb5

  nfs-common (which provides rpc.gssd and /etc/default/nfs-common) and krb5-user (which provides kinit and klist) are needed as well; install them if they are not already present.

3. Load the kernel module that implements the RPCSEC_GSS Kerberos flavour:

  • modprobe rpcsec_gss_krb5

4. Add rpcsec_gss_krb5 to /etc/modules so it is loaded automatically at boot. (It is sometimes loaded on demand when the mount is attempted, but listing it is harmless.)

5. Edit /etc/default/nfs-common and add the line:

  • NEED_GSSD=yes

6. Start the gssd service:

  • sudo service gssd start

  On our first attempt the service status showed "gssd stop/post-stop, process 3061"; running sudo service gssd start a second time brought it up. Check with service gssd status before continuing.

7. Verify that the keytab works against the KDC:

  • kinit -k nfs/ubuntu2.contoso.local

  This reads /etc/krb5.keytab and requests a TGT for the principal created with ktpass. If it fails, the keytab, the SPN or the encryption type (AES 256) does not match what the DC expects, and the mount will fail for the same reason.

8. Mount the share using NFS v4.1 and Kerberos:

  • mount -o sec=krb5,vers=4,minorversion=1 windowsnfsserver:/share /mnt/share

  The server name must resolve forward and in reverse to the name that carries the nfs/ SPN, since rpc.gssd builds the server principal from the reverse lookup. sec=krb5 only authenticates the RPC calls; if the server is configured for it, sec=krb5i adds integrity protection and sec=krb5p encrypts the NFS traffic.

  • Alternatively, put the equivalent entry in /etc/fstab.
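The Ubuntu steps above as one script, with the checks the post ended up doing by hand (keytab principal present, forward/reverse DNS for the server, kinit before mount). This is an added example, not the commands from the original post; it assumes realm CONTOSO.LOCAL, client FQDN ubuntu2.contoso.local, server windowsnfsserver.contoso.local exporting /share, mount point /mnt/share and the keytab already copied to /etc/krb5.keytab. Nothing is changed on the system unless the script is run as root with --apply; the helper functions can be exercised without it.

```bash
#!/bin/bash
# Added example (not from the original post): NFS 4.1 + Kerberos client setup
# on Ubuntu with preflight checks. All names below are assumptions; override
# them through the environment.
set -eu

REALM="${REALM:-CONTOSO.LOCAL}"
CLIENT_FQDN="${CLIENT_FQDN:-ubuntu2.contoso.local}"
NFS_SERVER="${NFS_SERVER:-windowsnfsserver.contoso.local}"
EXPORT_PATH="${EXPORT_PATH:-/share}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/share}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Principal rpc.gssd looks for in the keytab: nfs/<client fqdn>@<REALM>.
client_principal() {
    printf 'nfs/%s@%s\n' "$1" "$2"
}

# fstab line equivalent to the manual mount (vers=4,minorversion=1 is NFS 4.1).
fstab_line() {
    printf '%s:%s %s nfs4 sec=krb5,vers=4,minorversion=1,_netdev 0 0\n' "$1" "$2" "$3"
}

# True if a `klist -k` listing on stdin contains the given principal.
keytab_has_principal() {
    grep -qF -- "$1"
}

# rpc.gssd reverse-resolves the server IP to build nfs/<fqdn>; the post hit a
# hang until a PTR record existed. Require forward and reverse names to agree.
check_dns() {
    local ip rname
    ip=$(getent ahostsv4 "$1" | awk 'NR==1{print $1}')
    [ -n "$ip" ] || return 1
    rname=$(getent hosts "$ip" | awk '{print $2}')
    [ "${rname%.}" = "${1%.}" ]
}

apply() {
    local princ
    princ=$(client_principal "$CLIENT_FQDN" "$REALM")

    # 1. Packages: nfs-common -> rpc.gssd, krb5-user -> kinit/klist, libpam-krb5 as in the post.
    apt-get install -y nfs-common krb5-user libpam-krb5

    # 2. Kernel GSS module, now and at boot.
    modprobe rpcsec_gss_krb5
    grep -qx rpcsec_gss_krb5 /etc/modules || echo rpcsec_gss_krb5 >> /etc/modules

    # 3. The keytab is the client's long-term key: root-only, and it must hold our principal.
    chown root:root "$KEYTAB" && chmod 600 "$KEYTAB"
    klist -k "$KEYTAB" | keytab_has_principal "$princ" \
        || { echo "keytab $KEYTAB does not contain $princ" >&2; exit 1; }

    # 4. Make nfs-common start rpc.gssd (the post's NEED_GSSD=yes), then (re)start it.
    if grep -q '^NEED_GSSD=' /etc/default/nfs-common; then
        sed -i 's/^NEED_GSSD=.*/NEED_GSSD=yes/' /etc/default/nfs-common
    else
        echo 'NEED_GSSD=yes' >> /etc/default/nfs-common
    fi
    service gssd restart

    # 5. DNS preflight for the reverse-lookup problem described in the post.
    check_dns "$NFS_SERVER" || { echo "forward/reverse DNS mismatch for $NFS_SERVER" >&2; exit 1; }

    # 6. Prove the keytab against the KDC before touching NFS, then mount and persist.
    kinit -k -t "$KEYTAB" "$princ"
    mkdir -p "$MOUNT_POINT"
    mount -o sec=krb5,vers=4,minorversion=1 "$NFS_SERVER:$EXPORT_PATH" "$MOUNT_POINT"
    grep -qF "$NFS_SERVER:$EXPORT_PATH $MOUNT_POINT" /etc/fstab \
        || fstab_line "$NFS_SERVER" "$EXPORT_PATH" "$MOUNT_POINT" >> /etc/fstab
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

A failed kinit here is the cheapest place to find a mismatched SPN, realm or encryption type; the same mismatch shows up later only as an opaque mount error from rpc.gssd.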