Description
Architecture
- Active Directory domain
- RHEL 7/8 systems joined to domain (SSSD)
- Log on with AD user accounts
Limitations
- Users must log on with username+password (not an SSH key) in order to obtain a Kerberos ticket from the AD domain; that ticket is what the client then uses to mount the NFS homedir.
- Users must log on once to the NFS server so that oddjob can create their home directory. It will then be available from any/all of the NFS clients.
Server configuration
Install packages
sudo yum install -y krb5-workstation nfs-utils

Enable services

sudo systemctl enable gssproxy.service
sudo systemctl enable nfs-server

Config idmap

/etc/idmapd.conf
[General]
Domain = example.com
Local-Realms = EXAMPLE.COM
[Translation]
Method = nsswitch,static
GSS-Methods = nsswitch,static

Disable old NFS versions

Edit the NFS configuration file and uncomment/change these lines to match:
/etc/nfs.conf
[nfsd]
vers2=n
vers3=n
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y

Disable pre-v4 services and start server

sudo systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
sudo systemctl start nfs-server

Configure firewall

sudo firewall-cmd --zone=public --permanent --add-service=nfs
sudo firewall-cmd --reloadConfigure export folder
Create the folder:
sudo mkdir -p -m 755 /home/usersIf you’re using a separate disk/partition for the exported homedirs, go ahead and mount that to /home/users.
Either way, you’ll also want to adjust the SELinux context for the new folder:
sudo semanage fcontext -a -e /home /home/users
sudo restorecon -Rv /home/usersCreate export
Edit /etc/exports to add these two lines:

/etc/exports
/home 192.168.1.0/24(sync,wdelay,hide,crossmnt,no_subtree_check,fsid=0,sec=krb5p,rw,secure,root_squash,no_all_squash)
/home/users 192.168.1.0/24(sync,wdelay,nohide,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)

Apply the new exports:

sudo exportfs -rav

Create NFS SPN

This needs to be run as root, and $USERNAME needs to be a domain user with rights to modify the computer object in AD:
sudo -i
kinit ${USERNAME}
adcli update --service-name=nfs -v

Verify that the SPNs got added:

klist -k

Final steps

Update /etc/sssd/sssd.conf to point to the new homedir:

fallback_homedir = /home/users/%u

Restart sssd:

sudo systemctl restart sssd

Client config

Add server to /etc/hosts
This will ensure things work even if DNS isn’t working, and also prevents the clients from potentially trying to connect over IPv6 (which is gross).
/etc/hosts:
192.168.1.124 nfs-server.domain.local nfs-server
Manual mount
# make sure you've got a valid ticket
klist
sudo mount -vvv -t nfs4 -o vers=4.2,sec=krb5p,rw nfs-server.domain.local:/users /mnt/homedirs/
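A mount succeeding is not proof that it is using krb5p: if the server also permits a weaker flavour, or the version gets negotiated down, the client ends up with a working but unprotected mount. This added check (not from the original guide) reads /proc/mounts-format lines, which record what was actually negotiated, and flags any NFS mount that is not sec=krb5p and vers=4.2. The sample mount lines, the 192.168.1.50 client address and the other-nas host are constructed for the demo.

```shell
#!/bin/sh
# Check that every NFS mount on this client really negotiated what the
# guide asks for: sec=krb5p (Kerberos auth plus encryption) and vers=4.2.
# /proc/mounts shows the options the kernel settled on, not the ones
# passed to mount, so it is the right place to look.
# Usage on a real client: check_nfs_mounts /proc/mounts
# Returns 0 when every NFS mount complies, 1 otherwise.
check_nfs_mounts() {
    rc=0
    # /proc/mounts fields: source mountpoint fstype options dump pass
    while read -r src mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        case ",$opts," in
            *,sec=krb5p,*) ;;
            *) echo "WARN $mnt ($src): security flavour is not krb5p"; rc=1 ;;
        esac
        case ",$opts," in
            *,vers=4.2,*) ;;
            *) echo "WARN $mnt ($src): NFS version is not 4.2"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed /proc/mounts sample (not captured from a real host): a local
# filesystem, a compliant homedir mount, then two mounts that must be flagged.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64 0 0
nfs-server.domain.local:/users /mnt/homedirs nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,sec=krb5p,clientaddr=192.168.1.50,addr=192.168.1.124 0 0
nfs-server.domain.local:/users /home/users nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,sec=sys,addr=192.168.1.124 0 0
other-nas.domain.local:/export /mnt/legacy nfs4 rw,relatime,vers=4.0,sec=krb5p,addr=192.168.1.200 0 0
EOF
}

# Demo run against the constructed sample; on a client point it at /proc/mounts.
tmp=$(mktemp)
sample_mounts > "$tmp"
check_nfs_mounts "$tmp" || echo "one or more NFS mounts are not krb5p / 4.2"
rm -f "$tmp"
```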
Automatic mount
Additional packages:
autofs
Make mountpoint for NFS homedirs
sudo mkdir /home/users/

Add a line to the autofs master config to map the mountpoint to the autofs config file.
/etc/auto.master:
/home/users /etc/auto.homedirs

Create the autofs config for this mount.
/etc/auto.homedirs:
* -fstype=nfs4,rw,soft,nosuid,sync,vers=4.2,sec=krb5p nfs-server.domain.local:/users/&

Update /etc/sssd/sssd.conf to point to the new homedir:

fallback_homedir = /home/users/%u

Enable nfs-secure (RHEL7 clients only):

sudo systemctl enable nfs-secure --now

Restart SSSD and autofs:

sudo systemctl restart sssd
sudo systemctl restart autofs

See also: