FreeIPA Automount, NFS server configuration and testing, Setting permissions
Alright, welcome back to part 3 of my “Deploying a Linux Server Environment from Scratch” series. Today we will take a look at the automount feature FreeIPA has. This will allow us to automatically map the network drives on our clients. We will also configure a NFS server. I will use the existing “TEST-SHARE” server for this, but you could deploy a new one if you wanted.
Let’s begin.
System Information
Hostname | IP | Function |
TEST-IPA01 | 192.168.152.220/24 | Identity, Policy Management, DNS, DHCP, Certificate Authority |
TEST-FEDORA | 192.168.152.225/24 | Linux Client |
TEST-SHARE | 192.168.152.221/24 | NFS / SMB Server |
Network Information
Network | 192.168.152.0 |
Subnet | 255.255.255.0 |
Gateway | 192.168.152.254 |
NFS Server Installation
Configure the NFS service
Let’s begin with the NFS server.
Login to the “TEST-SHARE” server and grab a kerberos ticket.
test-share :: ~ » sudo kinit admin
Create a service principal for the NFS server.
test-share :: ~ » sudo ipa service-add nfs/test-share.test.intra
----------------------------------------------------
Added service "nfs/test-share.test.intra@TEST.INTRA"
----------------------------------------------------
Principal name: nfs/test-share.test.intra@TEST.INTRA
Principal alias: nfs/test-share.test.intra@TEST.INTRA
Managed by: test-share.test.intra
Next we need a keytab. Create and grab it.
test-share :: ~ » sudo ipa-getkeytab -s test-ipa01.test.intra -p nfs/test-share.test.intra -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Right. Now check if you have the required NFS packages. I already had them.
test-share :: ~ » sudo dnf install nfs-utils
Next, execute the “ipa-client-automount” command, to configure the ipmap and NFS settings.
test-share :: ~ » sudo ipa-client-automount
Create a folder for the exports. We could also do this with the 45Drives plugin for cockpit. But we are already on the cli.
test-share :: ~ » sudo mkdir -p /exports/nfs-share
Add the Kerberos aware NFS shares into the “/etc/exports” file.
test-share :: ~ » sudo vim /etc/exports
/exports/nfs-share *(rw,sec=krb5:krb5i:krb5p)
Now we can export the shares with “exportfs” and verify with “showmount“.
test-share :: ~ » sudo exportfs -a
test-share :: ~ » sudo showmount -e
/exports/nfs-share *
Create the firewall rules for NFS and start the service.
test-share :: ~ » sudo firewall-cmd --add-service={nfs,mountd,rpc-bind}
test-share :: ~ » sudo firewall-cmd --add-service={nfs,mountd,rpc-bind} --permanent
test-share :: ~ » sudo systemctl enable nfs-server --now
FreeIPA Automount Configuration
WebUI way
Right. Now, log into the FreeIPA webui and navigate to “Network Services” -> “Automount” and select “Default“.
Click on “Add” on the right side and select “Indirect“. Type in “auto.share” for the “Map” and your preferred mount point. I will use “/mnt/“
Navigate into the newly created map and click on Add.
Here we set “*” for the key and the network share for the mount information. The format for the share is as following. “test-share.test.intra:/exports/nfs-share“
CLI way
This is basically the same thing as the graphical way. If you used the webui, do not execute this.
Login to the TEST-IPA01 server and get a kerberos ticket.
test-ipa01 :: ~ » kinit admin
Now, set the map and key, after that the automount key.
test-ipa01 :: ~ » ipa automountmap-add-indirect default auto.share --mount=/mnt
test-ipa01 :: ~ » ipa automountkey-add default auto.share --key "'" --info "test-share.test.intra:/exports/nfs-share"
Ok, we are done with the server. Let’s test the configuration on our client.
Test the NFS configuration
First, reboot the client if it’s still running. Just to make sure the configuration was loaded correctly. Log into your client and type the path we defined earlier into the file explorer.
I created a couple of files and folder to see it mount was correct.
Create a folder, to see the permissions we have.
Nice. I also tested the connection from a client that is not joined to the FreeIPA domain, where I receive the following error message.
fedora-non-domain :: ~ » sudo mount -t nfs test-share.test.intra:/exports/nfs-share /mnt/TEMP
mount.nfs: access denied by server while mounting test-share.test.intra:/exports/nfs-share
But what happens, if another user tries to access the share, on the same client? For this I created a local user “temp” and navigated to the same location.
This is what it looks like.
Trying to access it, gives me an error message.
Alright, let’s switch the user to a domain account and open the folder first. What happens, once we switch back?
I could technically access it, but I need to authenticate with a administrator account first.
Fantastic.
NFS Permission
Just a quick look at the permission handling. The easiest way would be setting the file/folder permission using “chmod” and “chown“. I will quickly create a new group and assign it to one of the folder within the NFS share.
Navigate to the groups tab on the FreeIPA server and click on “Add”.
Give the group a name, I will just use “nfs”.
Click on the group, and click on “Add” in the “Users” tab. Here you can choose the user to add to this group.
Connect to the “TEST-SHARE” server and set the permission for a folder within the share.
# Navigate to the share
test-share :: ~ » cd /exports/nfs-share
# create a new subfolder
test-share :: nfs-share » mkdir nfs-folder
# set the permission
test-share :: nfs-share » chown :nfs nfs-folder
test-share :: nfs-share » chmod 770 nfs-folder
# Check if the permissions are set
test-share :: nfs-share » ls -l
test-share :: nfs-share » chown :nfs nfs-folder
drwxrwx---. 2 admin nfs 6 Jun 5 13:07 nfs-folder
Let’s test it. I will log in with the j.doe user, and try to access the new folder.
And we cannot access it. Great.
Ok than. So far, we have our central identity management, DNS, DHCP server, SMB and NFS server. In the next post I want to deploy a radius server. I don’t think I ever installed a linux based radius server. We will see how that goes. Anyways.
I hope you enjoyed this series so far. Till next time.