RHEL 7 and NFSv4 with Kerberos
Over the past year I have been tasked with building out a large secure NFSv4 environment using DRBD, Corosync and Pacemaker. Along the way I ran into a plethora of issues, including gotchas with the NFSv4 server and client security settings related to gssproxy/rpc-gssd, how to enforce quotas remotely with rpc-rquotad, setting up idmapd or sssd, and some known defects that are not patched below RHEL/CentOS 7.6.
Kerberos Setup for NFSv4
Some settings are needed in /etc/sysconfig/nfs to make Kerberized NFS function correctly. Note: if you use an alternate keytab such as /etc/security/keytabs/nfs.keytab you must update RPCGSSDARGS as well as /etc/gssproxy/24-nfs-server.conf and /etc/gssproxy/99-nfs-client.conf. The settings are as follows; after changing them you must run "systemctl restart nfs-config".
/etc/sysconfig/nfs settings
- RPCNFSDCOUNT=16
- NFSD_V4_GRACE=10
- NFSD_V4_LEASE=10
- STATDARG="--no-notify"
- RPCGSSDARGS="-T 60 -t 60 -k /etc/security/keytabs/nfs.keytab"
- GSS_USE_PROXY=yes
- SECURE_NFS=yes
/etc/gssproxy/24-nfs-server.conf and /etc/gssproxy/99-nfs-client.conf
Note: as stated above, this is only needed when using an alternate keytab. gssproxy expects the credential type in front of the path:
cred_store = keytab:/etc/security/keytabs/nfs.keytab
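The alternate-keytab gotcha above bites because the two daemons read their keytab path from different places: rpc.gssd from the -k flag in RPCGSSDARGS, gssproxy from the cred_store line of its per-service config. Nothing warns you when only one side was updated. The script below is an added example, not from the original post or the nfs-utils/gssproxy projects; it parses both files and reports a mismatch. The sample file contents are constructed for the demonstration (the gssproxy files follow the stock RHEL 7 layout but are not copied from a system).

```sh
#!/bin/sh
# Added example, not from the original post: check that rpc.gssd and gssproxy
# agree on which keytab to use. rpc.gssd takes its keytab from "-k PATH" in
# RPCGSSDARGS, gssproxy from "cred_store = keytab:PATH" in its per-service
# config, and nothing warns you when only one of them was updated.
# All file contents below are constructed samples, not copied from a system.

# Value of KEY=... in an /etc/sysconfig-style file, surrounding quotes removed.
sysconfig_value() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | tail -n 1
}

# Keytab handed to rpc.gssd via -k; rpc.gssd defaults to /etc/krb5.keytab.
rpcgssd_keytab() {
    kt=$(sysconfig_value "$1" RPCGSSDARGS |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-k") print $(i + 1) }')
    echo "${kt:-/etc/krb5.keytab}"
}

# Keytab named by a "cred_store = keytab:PATH" line in a gssproxy config
# (ccache: and client_keytab: entries are deliberately not matched).
gssproxy_keytab() {
    sed -n 's/^[[:space:]]*cred_store[[:space:]]*=[[:space:]]*keytab:[[:space:]]*//p' "$1" | tail -n 1
}

# Returns 0 when the sysconfig file and both gssproxy files are consistent;
# otherwise prints every problem found and returns 1.
check_krb5_nfs_config() {
    sysconfig=$1; server_conf=$2; client_conf=$3
    rc=0
    for key in SECURE_NFS GSS_USE_PROXY; do
        [ "$(sysconfig_value "$sysconfig" "$key")" = yes ] ||
            { echo "$sysconfig: $key must be yes"; rc=1; }
    done
    kt=$(rpcgssd_keytab "$sysconfig")
    for f in "$server_conf" "$client_conf"; do
        g=$(gssproxy_keytab "$f")
        [ "$g" = "$kt" ] ||
            { echo "$f: cred_store keytab '${g:-<none>}' differs from rpc.gssd keytab '$kt'"; rc=1; }
    done
    return $rc
}

# --- constructed sample files ---
TMPD=$(mktemp -d)
SYSCONFIG_NFS=$TMPD/nfs
cat > "$SYSCONFIG_NFS" <<'EOF'
RPCNFSDCOUNT=16
STATDARG="--no-notify"
RPCGSSDARGS="-T 60 -t 60 -k /etc/security/keytabs/nfs.keytab"
GSS_USE_PROXY=yes
SECURE_NFS=yes
EOF

# Server config updated for the alternate keytab.
SERVER_CONF=$TMPD/24-nfs-server.conf
cat > "$SERVER_CONF" <<'EOF'
[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/security/keytabs/nfs.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0
EOF

# Client config forgotten: it still names the stock keytab, so gssproxy and
# rpc.gssd disagree about where the nfs/ principal lives.
STALE_CLIENT_CONF=$TMPD/99-nfs-client.conf
cat > "$STALE_CLIENT_CONF" <<'EOF'
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
EOF

check_krb5_nfs_config "$SYSCONFIG_NFS" "$SERVER_CONF" "$SERVER_CONF" && echo "consistent: OK"
check_krb5_nfs_config "$SYSCONFIG_NFS" "$SERVER_CONF" "$STALE_CLIENT_CONF" || echo "mismatch detected as expected"
```

On a real host you would point the three arguments at /etc/sysconfig/nfs, /etc/gssproxy/24-nfs-server.conf and /etc/gssproxy/99-nfs-client.conf, and follow up with "klist -kt" on the agreed keytab to confirm it actually holds the nfs/ principal for the host.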
Enforcing quotas on an NFSv4 Setup
NFS Export Options
Note: allowing quotas to work over NFS requires the following two mount options: "uquota,gqnoenforce"
options="noatime,nodiratime,uquota,gqnoenforce"
Set up the file system to use XFS quotas
xfs_quota -x -c 'limit bsoft=9g bhard=10g -d' /data/drbd/exports/nfs
xfs_quota -xc 'report -h' /data/drbd/exports/nfs
Verify the rpc-rquotad service is enabled at startup and running on the NFS servers
systemctl enable rpc-rquotad
systemctl start rpc-rquotad
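A quota option that is mistyped in the resource definition fails silently: the filesystem mounts, rpc-rquotad runs, and clients simply see no limits. The check below is an added example, not from the original post; it reads a /proc/mounts-format file and confirms the export is XFS with enforced user quota and group accounting. One detail worth knowing: XFS normalizes the spelling in /proc/mounts, so a mount requested with "uquota" shows up as "usrquota" (enforced), and a literal search for "uquota" would report a false failure. The mounts content is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: verify that an export is really
# mounted with the quota options the post calls for. XFS rewrites option
# spellings in /proc/mounts ("uquota" appears as "usrquota"), so both
# spellings are accepted for the user-quota test.
# The /proc/mounts content below is constructed, not captured.

# Does a comma-separated mount option string contain TOKEN as a whole option?
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Field N of the /proc/mounts line for MOUNTPOINT (empty if not mounted).
mount_field() {
    awk -v mp="$2" -v n="$3" '$2 == mp { print $n }' "$1" | tail -n 1
}

# 0 when MOUNTPOINT is xfs with enforced user quota and group accounting;
# otherwise prints the reason and returns 1.
quota_mount_ok() {
    mounts=$1; mp=$2
    opts=$(mount_field "$mounts" "$mp" 4)
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 1; }
    [ "$(mount_field "$mounts" "$mp" 3)" = xfs ] || { echo "$mp: not xfs"; return 1; }
    if ! has_opt "$opts" usrquota && ! has_opt "$opts" uquota; then
        echo "$mp: user quota not enforced (options: $opts)"; return 1
    fi
    if ! has_opt "$opts" gqnoenforce; then
        echo "$mp: group quota accounting (gqnoenforce) missing (options: $opts)"; return 1
    fi
    return 0
}

# --- constructed sample in /proc/mounts format ---
MOUNTS=$(mktemp)
cat > "$MOUNTS" <<'EOF'
/dev/drbd0 /data/drbd/exports/nfs xfs rw,noatime,nodiratime,attr2,inode64,usrquota,gqnoenforce 0 0
/dev/drbd1 /data/drbd/exports/scratch xfs rw,noatime,attr2,inode64,noquota 0 0
EOF

for mp in /data/drbd/exports/nfs /data/drbd/exports/scratch; do
    quota_mount_ok "$MOUNTS" "$mp" && echo "$mp: quota options OK"
done
```

On the server itself, pass /proc/mounts as the first argument; "xfs_quota -x -c state /data/drbd/exports/nfs" gives the kernel's own view of which quota types are accounted and enforced, and "systemctl is-active rpc-rquotad" covers the remaining piece.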
Setting up idmapd to map NFSv4 Kerberos principals to userids using nsswitch
Note: This maps principals from the defined Kerberos Realms both local and remote to usernames that can be looked up using nsswitch.
[General]
Domain = hdp.senia.org
Local-Realms = HDP.SENIA.ORG, HDPSVC.HDPUSR.SENIA.ORG,HDPUSR.SENIA.ORG
Verbosity = 0
[Mapping]
Nobody-Group = nobody
Nobody-User = nobody
[Static]
[Translation]
Method = nsswitch
Update /etc/sysctl.d/90-filesystem.conf for idmap cache timeout
Note: this parameter is required; without it, IDs could remain incorrectly cached if a mapping problem occurs.
fs.nfs.idmap_cache_timeout = 60
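To reason about which principals end up as a real user and which collapse to nobody, it helps to see the nsswitch method's decision path in the open. The script below is an added example, not from the original post or from libnfsidmap: a small model of how the nsswitch method resolves a Kerberos principal under the [General] and [Mapping] settings above. The realm part must match one of Local-Realms exactly (the comparison is case-sensitive), the "@REALM" suffix is then stripped, and the remainder is looked up as a local account; a principal that fails either step becomes Nobody-User. "id -u" stands in for the getpwnam() lookup, and the real library additionally handles Domain-based name@domain strings and [Static] entries, which this model leaves out. The idmapd.conf content is the one from the post, written to a temporary file so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original post: model of libnfsidmap's nsswitch
# principal-to-user resolution for the idmapd.conf settings above.
#   1. the realm must exactly match an entry in Local-Realms (case-sensitive)
#   2. "@REALM" is stripped and the remainder is looked up as a local account
#   3. anything failing either step becomes Nobody-User
# "id -u" stands in for getpwnam(); Domain and [Static] handling are omitted.

# Print the realms listed on the Local-Realms line, one per word.
local_realms() {
    sed -n 's/^[[:space:]]*Local-Realms[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' '
}

# User name configured as Nobody-User (falls back to "nobody").
nobody_user() {
    nb=$(sed -n 's/^[[:space:]]*Nobody-User[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' ')
    echo "${nb:-nobody}"
}

# 0 if REALM is one of the configured Local-Realms, else 1.
realm_is_local() {
    for r in $(local_realms "$1"); do
        [ "$r" = "$2" ] && return 0
    done
    return 1
}

# Map PRINCIPAL to the local user name idmapd would hand to the kernel.
map_principal() {
    conf=$1; princ=$2
    nobody=$(nobody_user "$conf")
    case $princ in
        *@*) ;;
        *) echo "$nobody"; return 0 ;;   # no realm part: rejected outright
    esac
    realm=${princ##*@}
    name=${princ%@*}
    if ! realm_is_local "$conf" "$realm"; then
        echo "$nobody"; return 0          # foreign realm: not trusted for mapping
    fi
    case $name in
        ''|-*) echo "$nobody"; return 0 ;;
    esac
    if id -u "$name" >/dev/null 2>&1; then
        echo "$name"
    else
        echo "$nobody"                    # local realm, but no such account (e.g. nfs/host)
    fi
}

# --- the idmapd.conf from the post, written out so this runs offline ---
IDMAPD_CONF=$(mktemp)
cat > "$IDMAPD_CONF" <<'EOF'
[General]
Domain = hdp.senia.org
Local-Realms = HDP.SENIA.ORG, HDPSVC.HDPUSR.SENIA.ORG,HDPUSR.SENIA.ORG
Verbosity = 0
[Mapping]
Nobody-Group = nobody
Nobody-User = nobody
[Static]
[Translation]
Method = nsswitch
EOF

me=$(id -un)
for p in "$me@HDP.SENIA.ORG" "$me@HDPUSR.SENIA.ORG" "$me@OTHER.EXAMPLE.ORG" \
         "$me@hdp.senia.org" "nfs/nfs01.hdp.senia.org@HDP.SENIA.ORG"; do
    printf '%-50s -> %s\n' "$p" "$(map_principal "$IDMAPD_CONF" "$p")"
done
```

The lowercase-realm case is the one that surprises people: a client or KDC that emits the realm in a different case than Local-Realms lists it gets nobody, and with a long idmap_cache_timeout that wrong answer sticks around, which is why the sysctl above matters.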
RHEL/CentOS defects related to NFSv4, Kerberos and GSSProxy
When attempting to use non-local Kerberos principal names, we noticed that they were mapped to nobody. This is because the gssproxy/nfs-utils code on the NFS client has some known defects, explained in the links below, which are completely resolved in RHEL 7.6.
- https://bugzilla.redhat.com/show_bug.cgi?id=1326440
- https://bugzilla.redhat.com/show_bug.cgi?id=1451255
- https://bugzilla.redhat.com/show_bug.cgi?id=1458850
- https://bugzilla.redhat.com/show_bug.cgi?id=1458913
- https://bugzilla.redhat.com/show_bug.cgi?id=1488629
- https://bugzilla.redhat.com/show_bug.cgi?id=1507817
- https://bugzilla.redhat.com/show_bug.cgi?id=1519511