NFS Integration for Systems Administrators

This section assumes you are a systems administrator who knows how to manage shared files and folders on Linux, Unix, and Windows computers, including configuring the Linux and Unix file servers to run NFS and to comply with your IT security policy.

Instructions on how to set up NFS are beyond the scope of this document.

Requirements

The following prerequisites must be in place:

  • Root access to the Linux or Unix file server where you want to run Samba and AD Bridge.
  • AD Bridge
  • DNS capable of resolving FQDN of the NFS server and clients
  • The Linux or Unix computer must be connected to Active Directory with AD Bridge.

For instructions on how to join a domain, see the AD Bridge Installation Guide.

Server Setup

  1. Install AD Bridge 8.5.5 (or later).
  2. Add NFS Service Principal Name(SPN) to the machine. This step should be done before we join the domain to make sure the right SPNs are added to the machine account and the keytab file. If the system is already joined you need to run the domainjoin again after the new ServicePrincipalName is set: /opt/pbis/bin/config ServicePrincipalName "host" "nfs".
  3. Join the domain: domainjoin-cli join pbisdemo.com Administrator.
  4. Check keytab file content for SPNs: /opt/pbis/bin/klist -e -k /etc/krb5.keytab. Look for:
    4 nfs/rhel7@PBISDEMO.COM
4 nfs/RHEL7@PBISDEMO.COM
4 nfs/rhel7.pbisdemo.com@PBISDEMO.COM
4 nfs/RHEL7.PBISDEMO.COM@PBISDEMO.COM
  5. Install NFS Server: yum install nfs-utils nfs4-acl-tools.
  6. Start NFS Server: systemctl start nfs-server.
  7. Export Shares: vim /etc/exports. Making sure the folders exist, add entries like:
    /export/data/test *(rw,sec=sys:krb5:krb5i:krb5p,sync,nohide)
    /export/data/department *(rw,sec=sys:krb5:krb5i:krb5p,sync,nohide)
  8. Export filesystem: exportfs -ra.

Client Setup - CentOS 6

  1. Install AD Bridge 8.5.5 (or later).
  2. Before domain join: /opt/pbis/bin/config ServicePrincipalName "host" "cifs" "nfs".
  3. Join the domain: domainjoin-cli join pbisdemo.com Administrator.
  4. Install nfs4 acl: yum install nfs4-acl-tools.
  5. Enable NFS4 by setting SECURE_NFS to yes in /etc/sysconfig/nfsSECURE_NFS="yes".
  6. Services restart: service rpcidmapd restart.
  7. Configure autofs to mount it: 
    vim /etc/auto.test
* -fstype=nfs4,rw,sec=krb5,intr,hard,exec,insecure,no_subtree_check,wsize=4096,rsize=4096 rhel7.pbisdemo.com:/export/data/&
  8. Restart autofs: service autofs restart.

Now each user should have a krb5 ticket to access the shares when they authenticate. If you su to a user as root you need to run kinit to generate that users own krb5 ticket.

Client Setup - CentOS 7

Same steps as CentOS 6 until step 4:

  1. Install nfs4 acl: yum install nfs4-acl-tools nfs-utils.
  2. Configure autofs: 
    vim /etc/auto.test
* -fstype=nfs4,rw,sec=krb5,intr,hard,exec,insecure,no_subtree_check,wsize=4096,rsize=4096 rhel7.pbisdemo.com:/export/data/&

Always use FQDNs when mounting NFS shares for SPNs to match the keytab entries.

Autofs is not needed; it is provided as a use case. Manual mount example:
mount -t nfs4 -o sec=krb5 rhel7.pbisdemo.com:/export/data/& /mnt -vvv