Kerberized NFS4 Exports


While configuring AutoFS with NFS4 exports I encountered several problems that were preventing a successful mount. Both server and client must be correctly configured.

Server

On Fedora hosts the service nfs-secure-server must be enabled to have rpc.svcgssd started.

The exports must be correctly defined. Exports can be split across multiple files in /etc/exports.d/, but beware: these files must have the extension .exports.

/home *(ro,async,no_subtree_check,sec=krb5:krb5i:krb5p)
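As an added example (not part of the original post), the following shell function audits a directory laid out like /etc/exports.d/: it reports files that lack the .exports extension and export entries that omit sec= or list a non-Kerberos flavor. The function names, the sample files and the simplified line format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed simplifications: one
# export per line, no quoted paths, continuations or "-options" groups.

# Print one finding per problem found in an exports.d-style directory.
audit_exports_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.exports) ;;
            *) echo "$f: missing .exports extension"; continue ;;
        esac
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments, blank lines
            NF < 2 { print file ":" NR ": " $1 " has no sec= option (defaults to sys)"; next }
            {
                for (i = 2; i <= NF; i++) {          # one client(options) group each
                    seen = 0
                    if (match($i, /\(.*\)/)) {
                        n = split(substr($i, RSTART + 1, RLENGTH - 2), opt, ",")
                        for (j = 1; j <= n; j++) {
                            if (opt[j] !~ /^sec=/) continue
                            seen = 1
                            m = split(substr(opt[j], 5), flavor, ":")
                            for (k = 1; k <= m; k++)
                                if (flavor[k] !~ /^krb5[ip]?$/)
                                    print file ":" NR ": " $1 " allows non-Kerberos flavor " flavor[k]
                        }
                    }
                    if (!seen) print file ":" NR ": " $1 " has no sec= option (defaults to sys)"
                }
            }' "$f"
    done
}

# Constructed sample files standing in for /etc/exports.d/.
make_sample() {
    printf '%s\n' '/home *(ro,async,no_subtree_check,sec=krb5:krb5i:krb5p)' > "$1/home.exports"
    printf '%s\n' '# scratch' '/scratch *(rw,sec=sys:krb5)' '/pub *(ro)' > "$1/misc.exports"
    printf '%s\n' '/data *(rw,sec=krb5p)' > "$1/data.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_exports_dir "$demo"
rm -rf "$demo"
```

On a real server the function would be called as audit_exports_dir /etc/exports.d; an empty result means every entry it parsed is restricted to krb5, krb5i or krb5p.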

The NFS server should be forced to run on specific ports, which can then be opened in the firewall. On a Red Hat-based system, configure the file /etc/sysconfig/nfs to contain the following lines:

RPCMOUNTDOPTS="-p 32767"
STATDARG="-p 32765 -o 32766"

Open the ports 111, 2049, 32765-32767 for both TCP and UDP traffic. If these ports were not opened (or only 2049 was), a manual mount sometimes worked fine, but with AutoFS it constantly failed.

Client

On the client side, the service nfs-secure must be enabled on Fedora hosts.

To mount a Kerberos-protected export, use the sec=krb5 mount option.
