NFS 4 Client
Please follow the steps below to configure your personal Linux system(s) for using NFS4 with Kerberos.
Packages
- Fedora, CentOS and RHEL
  # yum install -y nfs-utils nfs4-acl-tools
- Ubuntu
  $ sudo apt-get install -y nfs-common nfs4-acl-tools
System Keytab
The NFS4 client in Linux requires a ticket granting ticket to mount NFS4 shares with Kerberos. To obtain this ticket a Linux system typically has a keytab file /etc/krb5.keytab with an entry for a computer account. Managed Linux installations from isginf are set up like this.
For personal systems the user keytab for the ETH user name can also be used. Install the user-keytab command as described here and as root (or via sudo) run:
user-keytab --user {your ETH user name} --output /etc/krb5.keytab
rpc.gssd
When using a system keytab for an ETH user name the rpc.gssd service needs to be configured to use a preexisting ticket. This ticket must also be obtained at system startup and regularly renewed.
Fedora, CentOS 7 and RHEL 7
Edit the file /etc/sysconfig/nfs as root and change the line for RPCGSSDARGS to:
RPCGSSDARGS="-n -d /run/gssd:/tmp:/run/user/%U"
Ubuntu
Edit the file /etc/default/nfs-common as root and add the following line at the end:
GSSDARGS="-n -d /run/gssd:/tmp:/run/user/%U"
Then also edit /usr/lib/systemd/scripts/nfs-utils_env.sh and add the following line to the other echo commands:
echo GSSDARGS=\"$GSSDARGS\"
systemd
Download the following four files and copy them to /etc/systemd/system as root:
Copy-paste the following commands into the root shell to download them all:
cd /etc/systemd/system/
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k.service -O kinit-k.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-resume.service -O kinit-k-resume.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-update.service -O kinit-k-update.service
wget https://www.isg.inf.ethz.ch/pub/Main/HelpDesktopsAndLaptopsLinuxNfs4Client/kinit-k-update.timer -O kinit-k-update.timer
All of the services need to know the principal to use in /etc/krb5.keytab. Create the file /etc/gss-principal as root with the following content:
GSSPRINCIPAL={your ETH user name}
Then run the following commands as root to enable and start the ticket obtaining services:
systemctl daemon-reload
systemctl enable kinit-k.service
systemctl enable kinit-k-resume.service
systemctl enable kinit-k-update.timer
systemctl start kinit-k.service
systemctl start kinit-k-update.timer
Fedora, CentOS 7 and RHEL 7
On the Red Hat distributions SELinux must be configured to allow rpc.gssd to look in /var/run/gssd. Run the following commands as root to do so:
semanage fcontext -a -t user_tmp_t "/var/run/gssd(/.*)?"
restorecon -RF /run/gssd
Start the NFS Client
Run the following commands as root to start all NFS client services:
systemctl enable nfs-client.target
systemctl start nfs-client.target
Troubleshooting
If mounting does not work, please check the following:
- Does /etc/gss-principal exist and does it contain your ETH user name?
- Does /run/gssd/krb5cc_0 exist? If not then make sure that the kinit-k.service service is enabled and started.
- Does ps -elf | fgrep rpc.gssd show that rpc.gssd is running with the arguments above?
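The checklist above can be scripted; the following is an added example, not part of the original page or of isginf's tooling, and its function names are hypothetical. It also checks that /etc/krb5.keytab is readable by its owner only, which is an addition to the page's list: with the setup above that file holds the long-term key of your ETH user name.

```shell
#!/bin/sh
# Added example: the troubleshooting checklist as a script. Run as root with --run.
# Function names are hypothetical; default paths are the ones this page uses.

check_principal() {   # $1 = principal file; needs a filled-in GSSPRINCIPAL= line
    [ -r "$1" ] || { echo "FAIL: $1 missing or unreadable"; return 1; }
    p=$(sed -n 's/^GSSPRINCIPAL=//p' "$1" | head -n 1)
    case "$p" in
        ''|*'{'*) echo "FAIL: GSSPRINCIPAL not set in $1"; return 1 ;;
    esac
    echo "OK: principal is $p"
}

check_ccache() {      # $1 = credential cache that rpc.gssd -n should find
    [ -s "$1" ] || { echo "FAIL: $1 missing, check kinit-k.service"; return 1; }
    echo "OK: ticket cache $1 exists"
}

check_gssd_args() {   # $1 = rpc.gssd command line as shown by ps
    case " $1 " in
        *" -n "*) ;;
        *) echo "FAIL: rpc.gssd is not running with -n"; return 1 ;;
    esac
    case "$1" in
        *"-d /run/gssd:"*) echo "OK: rpc.gssd arguments" ;;
        *) echo "FAIL: rpc.gssd does not search /run/gssd"; return 1 ;;
    esac
}

check_keytab_mode() { # $1 = keytab; extra check, not on the page's list
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -r?-------*) echo "OK: $1 is owner-only" ;;
        *) echo "FAIL: $1 missing or readable by group/other"; return 1 ;;
    esac
}

nfs4_krb_selfcheck() {
    rc=0
    check_principal /etc/gss-principal || rc=1
    check_ccache /run/gssd/krb5cc_0 || rc=1
    check_gssd_args "$(ps -e -o args= | grep '[r]pc\.gssd' | head -n 1)" || rc=1
    check_keytab_mode /etc/krb5.keytab || rc=1
    return $rc
}

if [ "${1:-}" = "--run" ]; then nfs4_krb_selfcheck; fi
```

A principal file that still contains the {your ETH user name} placeholder is reported as not set.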