Kerberize CentOS 7 with MIT Kerberos
The following steps configure a CentOS 7 client against an MIT Kerberos server that uses an LDAP backend. As with AD Kerberos, SSSD is used to complete the configuration.
# yum install sssd krb5-workstation
# authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
The authconfig tool configures the related services, such as NSS and PAM, automatically. Configure LDAP as the identity provider and Kerberos as the authentication provider for SSSD by editing /etc/sssd/sssd.conf to contain the settings for the domain (as in the following example). The file must be owned by root and readable only by the owner (mode 0600); SSSD refuses to start otherwise. The example queries the directory over plain ldap://, so identity lookups travel in cleartext; in production use ldaps:// (with ldap_tls_cacert pointing at the CA certificate) or set ldap_sasl_mech = GSSAPI so that SSSD binds to LDAP with Kerberos.
Sample configuration for Kerberizing CentOS 7:

[sssd]
domains = example.com
services = nss, pam
config_file_version = 2

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
# systemctl enable sssd
# systemctl start sssd
Make sure the client's /etc/krb5.conf names the realm, its KDC and the domain-to-realm mapping:

[libdefaults]
…
default_realm = EXAMPLE.COM
…

[realms]
EXAMPLE.COM = {
  kdc = kdc.example.com
  admin_server = kdc.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Confirm that SSSD resolves the LDAP user before testing authentication:

# id user01@EXAMPLE.COM
uid=10001(user01) gid=10000(ldapusers) groups=10000(ldapusers)
Use kinit to request a Kerberos ticket for an LDAP user, then check the ticket using the klist command.
# kinit user01@EXAMPLE.COM
Password for user01@EXAMPLE.COM:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user01@EXAMPLE.COM
Valid starting Expires Service principal
02/03/19 12:31:24 03/03/19 12:31:24 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Using kadmin, create a host principal and an NFS service principal for the client, then, within the same kadmin session, export both into the client's local keytab file /etc/krb5.keytab. The KDC writes one keytab entry per encryption type it supports.
# kadmin -r EXAMPLE.COM -p kadmin/admin@EXAMPLE.COM
Authenticating as principal kadmin/admin@EXAMPLE.COM with password.
Password for kadmin/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/nfsclient.example.com
WARNING: no policy specified for host/nfsclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/nfsclient.example.com@EXAMPLE.COM" created.
kadmin: addprinc -randkey nfs/nfsclient.example.com
WARNING: no policy specified for nfs/nfsclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/nfsclient.example.com@EXAMPLE.COM" created.
kadmin: ktadd -k /etc/krb5.keytab host/nfsclient.example.com
Entry for principal host/nfsclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd -k /etc/krb5.keytab nfs/nfsclient.example.com
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Note that ktadd exported a key for every encryption type the KDC supports, including single DES (des-cbc-md5, des-hmac-sha1), des3-cbc-sha1 and arcfour-hmac (RC4), all of which are deprecated in MIT Kerberos. Restrict the KDC to the AES types (supported_enctypes in kdc.conf) or limit the client with permitted_enctypes in the [libdefaults] section of krb5.conf before exporting, and verify the result with klist -kte /etc/krb5.keytab. The keytab is equivalent to the host's password: keep it owned by root with mode 0600.
Edit /etc/idmapd.conf so that the NFSv4 ID-to-name mapper knows the domain and consults SSSD:

In the [General] section, add the NFSv4 domain: Domain = example.com

In the [Translation] section, add sss as a mapping method: Method = nsswitch,sss

Then start the ID mapping service: systemctl start rpcidmapd
Load the RPCSEC_GSS kernel modules and restart the client-side GSS daemon:

# modprobe auth_rpcgss
# modprobe rpcsec_gss_krb5
# depmod -a
# systemctl restart rpcgssd
Mount the PowerScale export with Kerberos security (NFSv4.0, sec=krb5):

# mount -t nfs -vo nfsvers=4.0,sec=krb5 sc01.example.com:/ifs/nfs /mnt/nfs

To make the mount persistent, add the equivalent entry to /etc/fstab:

sc01.example.com:/ifs/nfs /mnt/nfs nfs4 rw,vers=4.0,sec=krb5 0 0
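The two places where this procedure silently leaves a weak configuration behind are the keytab export (ktadd writes a key for every enctype the KDC supports, deprecated ones included) and the mount (an NFS mount that fell back to sec=sys looks identical in `df`). The following script, an added example that is not part of the Dell page or of any Dell tool, audits a Kerberized NFS client for both. It parses text in the format of `klist -kte /etc/krb5.keytab` and of /proc/mounts; the SAMPLE_KLIST and SAMPLE_MOUNTS inputs are constructed samples modelled on the page's principals and export, so the script runs offline. The function names, the weak-enctype pattern and the 192.0.2.10 client address are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Dell page): audit a Kerberized NFS client.
# 1. Flag keytab entries whose enctype is deprecated in MIT Kerberos.
# 2. Flag NFS mounts that did not negotiate sec=krb5, krb5i or krb5p.
# 3. Check that the keytab is not group- or world-readable.
# The samples below are constructed; on a real client feed in the output of
# `klist -kte /etc/krb5.keytab` and `cat /proc/mounts` instead.

# Constructed: what klist -kte prints after the ktadd session on the page.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (arcfour-hmac)
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (des-hmac-sha1)
   2 03/03/2019 06:40:01 host/nfsclient.example.com@EXAMPLE.COM (des-cbc-md5)
   2 03/03/2019 06:40:05 nfs/nfsclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/03/2019 06:40:05 nfs/nfsclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/03/2019 06:40:05 nfs/nfsclient.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed: /proc/mounts with one Kerberized mount, one that fell back to
# sec=sys, and an NFSv3 mount using krb5p. Client address is an assumption.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sc01.example.com:/ifs/nfs /mnt/nfs nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,sec=krb5,clientaddr=192.0.2.10,local_lock=none 0 0
sc01.example.com:/ifs/data /mnt/data nfs4 rw,relatime,vers=4.0,sec=sys,clientaddr=192.0.2.10 0 0
sc01.example.com:/ifs/home /mnt/home nfs rw,relatime,vers=3,sec=krb5p 0 0'

# Single DES, triple DES and RC4 (arcfour) are the deprecated enctypes.
WEAK_ENCTYPE_RE='^(des-|des3-|arcfour-)'

# weak_keytab_entries: read klist -kte text on stdin and print
# "principal enctype" for every entry whose enctype is deprecated.
weak_keytab_entries() {
    awk -v re="$WEAK_ENCTYPE_RE" '
        # entry lines begin with a numeric KVNO and end with "(enctype)"
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = substr($NF, 2, length($NF) - 2)
            if (enc ~ re) print $(NF - 1), enc
        }'
}

# nfs_mounts_without_krb5: read /proc/mounts text on stdin and print
# "export mountpoint" for NFS mounts whose options lack sec=krb5/krb5i/krb5p.
nfs_mounts_without_krb5() {
    awk '$3 ~ /^nfs4?$/ && $4 !~ /(^|,)sec=krb5[ip]?(,|$)/ { print $1, $2 }'
}

# keytab_mode_ok FILE: succeed only if FILE exists and has no group or world
# permission bits (columns 5-10 of ls -l are all "-").
keytab_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit: run all three checks against the samples; return 1 on any finding.
audit() {
    rc=0
    weak=$(printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries)
    if [ -n "$weak" ]; then
        printf 'keytab entries with deprecated enctypes:\n%s\n' "$weak"
        rc=1
    fi
    plain=$(printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mounts_without_krb5)
    if [ -n "$plain" ]; then
        printf 'NFS mounts not using Kerberos security:\n%s\n' "$plain"
        rc=1
    fi
    if ! keytab_mode_ok /etc/krb5.keytab; then
        echo '/etc/krb5.keytab is missing or readable by group/others'
        rc=1
    fi
    return $rc
}
```

Against the samples, audit reports the four single/triple-DES and RC4 entries of the host principal, the RC4 entry of the nfs principal, and the /mnt/data mount that negotiated sec=sys; the krb5p NFSv3 mount passes because any of krb5, krb5i or krb5p is accepted. Removing the flagged keys is done on the KDC side (restrict supported_enctypes, then ktadd again), not by editing the keytab by hand.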
After the first access to the mount, klist for the user shows the service ticket for the cluster's NFS principal alongside the TGT:
# klist
Ticket cache: KEYRING:persistent:40681:krb_ccache_2QXSkuj
Default principal: user01@EXAMPLE.COM
Valid starting Expires Service principal
03/03/19 06:46:34 04/03/19 06:46:20 nfs/sc01.example.com@EXAMPLE.COM
03/03/19 06:46:20 04/03/19 06:46:20 krbtgt/EXAMPLE.COM@EXAMPLE.COM