# Need some clarity on Kerberos NFS



## BlueCoder (Jul 13, 2014)

Just recently was playing with NFS and Kerberos. But it turns out it's not doing what I thought it would do. I want to talk it through a bit so please correct me.

I was thinking that it would authenticate users accessing the mounted file system and grant access through their credentials. Instead, what I think it's doing is just validating the machines through their machine credentials to connect to the NFS service principal on the server. A kinit and user credentials are in no way used.

I suppose that is in some respects a little better than host-based access. But the machine itself is trusted to enforce username and group policy permissions. And it's worse than host-based access because all hosts within the Kerberos realm are allowed to mount the NFS mountpoints whether they need to or not.

Again I was thinking it would be validating users which would be way more useful. Am I missing something?


----------



## acheron (Jul 14, 2014)

You may have done something wrong; kerberized NFS works fine on my machine. Can you explain a bit more how your setup is?


----------



## BlueCoder (Jul 22, 2014)

I had NFS set up with sys permission in addition to krb5p for the exports when I wrote this. For anyone trying to set up NFS with Kerberos, remember to enable the gssd daemon with

```
gss_enable="YES"
```

Second, you need to create a service principal in kadmin:

```
add --random-key nfs/hostname.net
```

Then extract both the host key and the service key to krb5.keytab:

```
ext host/hostname.net nfs/hostname.net
```
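The "sys permission in addition to krb5p" mentioned above is the reason user credentials appeared unused: a client can still mount with AUTH_SYS and skip Kerberos entirely. The script below is an added example (not from this thread) that audits a FreeBSD-style /etc/exports for entries whose `-sec=` list still allows `sys`, or that omit `-sec=` (exports(5) then defaults to sys). The exports file it reads is a constructed sample written to a temp file.

```shell
#!/bin/sh
# Audit a FreeBSD-style /etc/exports for export lines that still accept AUTH_SYS.

# Constructed sample exports file (hypothetical paths, not a real configuration).
EXPORTS_FILE="${TMPDIR:-/tmp}/exports.sample.$$"
cat > "$EXPORTS_FILE" <<'EOF'
# constructed sample /etc/exports
V4: /export -sec=krb5p
/export/home -sec=krb5p:krb5i -network 192.0.2.0/24
/export/scratch -sec=sys:krb5p client1.example.org
/export/legacy -maproot=root client2.example.org
EOF

# sec_flavors LINE -> prints the colon-separated -sec= list,
# or "sys", which exports(5) uses when -sec is absent.
sec_flavors() {
    case "$1" in
        *-sec=*) printf '%s\n' "$1" | sed -n 's/.*-sec=\([^[:space:]]*\).*/\1/p' ;;
        *) echo sys ;;
    esac
}

# weak_exports FILE -> prints the first field (export path, or "V4:") of every
# non-comment line whose security flavors include sys.
weak_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        flavors=$(sec_flavors "$line")
        case ":$flavors:" in
            *:sys:*) printf '%s\n' "${line%% *}" ;;
        esac
    done
}

# count_weak FILE -> number of export lines that permit AUTH_SYS.
count_weak() {
    weak_exports "$1" | wc -l | tr -d ' '
}
```

Run it against a copy of the real /etc/exports and fix any path it prints by listing only Kerberos flavors (krb5p, krb5i, krb5) in `-sec=`.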


----------



## acheron (Jul 23, 2014)

The host key is not needed. You can generate and extract the principal in one command if you have kadmind running on your KDC:

```
root@nfs-server: ktutil get -p admin nfs/nfs-server.example.org
```


----------

