OpenLDAP with Kerberos authentication and NFS on RHEL/CentOS 7

Introduction


In this article we are going to configure OpenLDAP with Kerberos as the authentication mechanism, and we will configure autofs to automount home directories on the clients.

I recommend reading my previous article on how to configure an LDAP server first.

1) Configuring Kerberos

Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network: instead of sending a password to every service, the client obtains tickets from a Key Distribution Center (KDC) and presents those. It is the default authentication mechanism in Windows Active Directory domains, and almost every modern OS supports Kerberos authentication.


As shown in the screenshot above, edit /etc/krb5.conf and replace example.com with your LDAP domain (and the realm EXAMPLE.COM with your own realm, which by convention is the domain name in upper case); also replace the kdc and admin_server entries with the hostname of your LDAP server, which is also our KDC.

The next file to change is /var/kerberos/krb5kdc/kdc.conf. Here, just change the realm from EXAMPLE.COM to your LDAP domain. We are using linux.com (realm LINUX.COM), as shown below:



The last file to change is /var/kerberos/krb5kdc/kadm5.acl; here too replace EXAMPLE.COM with LINUX.COM, as shown below. This file decides which principals may administer the KDC, so it should list only your */admin principals:



After making the changes to the configuration files we create the Kerberos database (the KDB) with kdb5_util create -s (the -s stashes the master key locally so that the KDC can start without a password prompt).


We have created the KDB database and started the Kerberos services (krb5kdc and kadmin).

[Note: if the KDC runs in a VM, kdb5_util create may appear to hang forever while loading random data; it is waiting for kernel entropy. Check the available entropy with the command below; it should be in the thousands:


If your entropy is in the hundreds, install the haveged package, an open-source entropy daemon, which you can download from http://www.issihosts.com/haveged/.

To use it, run the commands below:


]

The final steps in the Kerberos configuration are adding an administrator principal to the KDB and creating keytab files for the clients. A keytab stores a principal's long-term key so that a host can prove its identity to the KDC without typing a password; what an administrator is allowed to do is decided by kadm5.acl, not by the keytab.


In the commands above we first added a principal for the root user (the administrator) and then a host principal for each client. With ktadd we exported each client's key into a keytab file and copied it to the respective client (the default location is /etc/krb5.keytab). Treat the keytab as a secret: copy it over scp, not a shared folder, and keep it root-owned with mode 0600.
Here we are using two client servers:
i) slave1.linux.com
ii) slave2.linux.com
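The whole KDC procedure above, collected into one script, as an added example that is not part of the original article. It renders the three configuration files for realm LINUX.COM, checks the entropy pool before creating the KDB, and then adds the admin and host principals and exports the client keytabs. The KDC hostname master.linux.com and the PREFIX variable (to render the files into a scratch directory instead of /etc) are my assumptions; the article does not name the server.

```bash
#!/bin/bash
# Added example (not from the original article): KDC setup for realm LINUX.COM.
# Assumptions: the LDAP/KDC host is master.linux.com; PREFIX may point at a
# scratch directory so the files can be rendered without touching /etc.
set -eu

REALM=${REALM:-LINUX.COM}            # realm = domain name in upper case
DOMAIN=${DOMAIN:-linux.com}
KDC_HOST=${KDC_HOST:-master.linux.com}
CLIENTS=${CLIENTS:-"slave1.linux.com slave2.linux.com"}
PREFIX=${PREFIX:-}

render_krb5_conf() {                 # /etc/krb5.conf (also copied to clients)
  cat <<EOF
[libdefaults]
 default_realm = $REALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $REALM = {
  kdc = $KDC_HOST
  admin_server = $KDC_HOST
 }

[domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
EOF
}

render_kdc_conf() {                  # /var/kerberos/krb5kdc/kdc.conf
  cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $REALM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

render_kadm5_acl() {                 # only */admin principals may administer the KDC
  echo "*/admin@$REALM *"
}

# kdb5_util blocks on the kernel entropy pool; "in the thousands" is healthy.
entropy_ok() {
  [ "${1:-$(cat /proc/sys/kernel/random/entropy_avail)}" -ge 1000 ]
}

write_configs() {
  install -d "$PREFIX/etc" "$PREFIX/var/kerberos/krb5kdc"
  render_krb5_conf > "$PREFIX/etc/krb5.conf"
  render_kdc_conf  > "$PREFIX/var/kerberos/krb5kdc/kdc.conf"
  render_kadm5_acl > "$PREFIX/var/kerberos/krb5kdc/kadm5.acl"
}

apply_kdc() {                        # run as root on the KDC only
  write_configs
  # haveged comes from EPEL on CentOS 7 (or build it from the issihosts source)
  entropy_ok || { yum install -y haveged; systemctl enable haveged; systemctl start haveged; }
  kdb5_util create -s -r "$REALM"    # -s writes the stash file for unattended start
  systemctl enable krb5kdc kadmin
  systemctl start krb5kdc kadmin
  kadmin.local -q "addprinc root/admin@$REALM"    # prompts for the admin password
  for host in $CLIENTS; do
    kadmin.local -q "addprinc -randkey host/$host@$REALM"
    kadmin.local -q "ktadd -k /root/$host.keytab host/$host@$REALM"
    chmod 0600 "/root/$host.keytab"  # secret: scp it to the client as /etc/krb5.keytab
  done
}

if [ "${1:-}" = apply ]; then apply_kdc; fi
```

Run it with no argument to load the functions only; `PREFIX=/tmp/kdc ./kdc.sh` followed by `write_configs` lets you review the rendered files before running `./kdc.sh apply` as root on the KDC.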

The next step is to configure the LDAP server; refer to my previous article (linked in the introduction) for that.

2) Configuration on Clients:

Follow the steps below on both clients:

~]# yum install -y krb5-workstation pam_krb5 nss-pam-ldapd nfs-utils autofs
The command above installs the Kerberos workstation tools, the PAM and NSS modules for Kerberos and LDAP, and the NFS and autofs packages.
Next, we change the client to use Kerberos for authentication.


Now, using the authconfig-tui utility, we enable LDAP (for user and group information) and Kerberos (for authentication), as shown below:




As shown in the previous article on configuring the LDAP server, add users to the LDAP database (phpLDAPadmin makes this simple), then run the command below on the clients:



As shown above, the user does not exist in /etc/passwd on the client, but it is present in LDAP, so the client resolves it through NSS exactly as if it were a local user.
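The client steps above, as an added example that is not part of the original article: the non-interactive authconfig equivalent of the authconfig-tui screens, a check that tells you whether an account comes from /etc/passwd or from another NSS source such as LDAP, and a kinit-based check that the Kerberos side works. The server name master.linux.com and the base DN dc=linux,dc=com are my assumptions; the article does not show them.

```bash
#!/bin/bash
# Added example (not from the original article): join a client to LDAP + Kerberos.
# Assumptions: LDAP/KDC host master.linux.com, base DN dc=linux,dc=com.
set -eu

REALM=${REALM:-LINUX.COM}
SERVER=${SERVER:-master.linux.com}
BASEDN=${BASEDN:-dc=linux,dc=com}

join_client() {                      # run as root on slave1 and slave2
  yum install -y krb5-workstation pam_krb5 nss-pam-ldapd nfs-utils autofs
  # LDAP only supplies user/group info (NSS via nslcd); Kerberos does the
  # authentication, so --enableldapauth is deliberately not used.
  authconfig --enableldap --ldapserver="ldap://$SERVER" --ldapbasedn="$BASEDN" \
             --enablekrb5 --krb5realm="$REALM" --krb5kdc="$SERVER" \
             --krb5adminserver="$SERVER" --update
  # /etc/krb5.keytab is the host/ key exported with ktadd on the KDC
  chown root:root /etc/krb5.keytab
  chmod 0600 /etc/krb5.keytab
}

# Where does NSS find this account?
#   local   -> /etc/passwd
#   nss     -> another NSS source (LDAP through nslcd on our clients)
#   missing -> nowhere
resolve_source() {
  local name=$1
  if getent passwd "$name" >/dev/null; then
    if cut -d: -f1 /etc/passwd | grep -qxF -- "$name"; then
      echo local
    else
      echo nss
    fi
  else
    echo missing
  fi
}

# A password login through pam_krb5 succeeds exactly when kinit would, so
# this is the quickest way to prove the client can reach the KDC.
check_kerberos_login() {
  local user=$1
  [ "$(resolve_source "$user")" = nss ] || { echo "$user is not an LDAP user" >&2; return 1; }
  kinit "$user@$REALM" && klist   # kinit prompts for the user's password
}

if [ "${1:-}" = join ]; then join_client; fi
```

`resolve_source someuser` printing `nss` is the scripted form of the getent check in the screenshot; if it prints `missing`, nslcd is not answering and the authconfig step or the LDAP server needs looking at before touching Kerberos.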

3) NFS and autofs configuration on the master LDAP server:



That completes the NFS configuration on the LDAP server. Now we have to make changes on the clients so that these home directories are mounted automatically every time a user logs in.

4) Autofs configuration on the clients:

We have already installed the nfs-utils and autofs packages. Now we have to make the changes below:


What we have done is: whenever an LDAP user logs on to a client, autofs mounts that user's home directory from the NFS server on demand, so the same home directory follows the user to every client.
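The server export from step 3 and the client autofs maps from step 4, as an added example that is not part of the original article. The server name master.linux.com, the client subnet 192.168.1.0/24, and the PREFIX variable for rendering into a scratch directory are my assumptions; the article's screenshots do not show them.

```bash
#!/bin/bash
# Added example (not from the original article): NFS export of /home on the
# master LDAP server and the autofs wildcard map on the clients.
# Assumptions: server master.linux.com, clients on 192.168.1.0/24.
set -eu

NFS_SERVER=${NFS_SERVER:-master.linux.com}
CLIENT_NET=${CLIENT_NET:-192.168.1.0/24}
PREFIX=${PREFIX:-}

render_exports() {                   # /etc/exports on the server
  # root_squash: root on a client is not root on the export.
  # sec=sys trusts the UID the client sends, which is why every host must
  # resolve users from the same LDAP; with the host keytabs from step 1 the
  # export can later be tightened to sec=krb5p (needs nfs/ principals too).
  echo "/home  $CLIENT_NET(rw,sync,root_squash,sec=sys)"
}

render_auto_master() {               # /etc/auto.master.d/home.autofs on clients
  echo "/home  /etc/auto.home  --timeout=300"
}

render_auto_home() {                 # /etc/auto.home: '*' matches the user, '&' repeats it
  echo "*  -fstype=nfs4,rw,soft  $NFS_SERVER:/home/&"
}

write_server() {
  install -d "$PREFIX/etc"
  render_exports > "$PREFIX/etc/exports"
}

write_client() {
  install -d "$PREFIX/etc/auto.master.d"   # included by the stock auto.master
  render_auto_master > "$PREFIX/etc/auto.master.d/home.autofs"
  render_auto_home   > "$PREFIX/etc/auto.home"
}

apply_server() {                     # as root on master.linux.com
  write_server
  systemctl enable rpcbind nfs-server
  systemctl start rpcbind nfs-server
  exportfs -rav
  firewall-cmd --permanent --add-service=nfs
  firewall-cmd --reload
}

apply_client() {                     # as root on slave1 and slave2
  write_client
  systemctl enable autofs
  systemctl restart autofs
}

case "${1:-}" in
  server) apply_server ;;
  client) apply_client ;;
esac
```

After `apply_client`, `ls /home/someuser` on a client triggers the mount; `mount | grep /home/someuser` should then show master.linux.com:/home/someuser, and the entry disappears again 300 seconds after the last access.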

This completes the NFS configuration. But there is one more thing: since we are using Kerberos, a successful login grants the user a ticket-granting ticket (TGT), and for as long as that ticket is valid the user does not have to enter the password again for Kerberos-aware services. So when a user hops from one client to another, from slave1 to slave2 over ssh, no password should be needed. For that we make the following changes in the ssh client configuration file (/etc/ssh/ssh_config):


By default these GSSAPI settings (GSSAPIAuthentication and GSSAPIDelegateCredentials) are commented out; uncomment them and you will not be asked for a password again when changing client machines. Two caveats: GSSAPIDelegateCredentials forwards your TGT to the remote host, so enable it only for hosts you trust, and the remote sshd must have GSSAPIAuthentication yes and the host/ keytab created in step 1, otherwise ssh silently falls back to asking for a password.
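The ssh single sign-on setting above, as an added example that is not part of the original article: the client stanza limited to our own domain instead of Host *, the matching server-side line, and a check that forces GSSAPI so a silent fallback to password authentication shows up as a failure. The domain linux.com is from the article; the hostnames you pass to check_sso are your own.

```bash
#!/bin/bash
# Added example (not from the original article): ssh GSSAPI single sign-on
# between the Kerberos clients. Assumes all realm hosts live under linux.com.
set -eu

DOMAIN=${DOMAIN:-linux.com}

render_ssh_client() {                # append to /etc/ssh/ssh_config on the clients
  # Delegation hands the TGT to the remote host, so scope it to our own
  # domain rather than "Host *".
  cat <<EOF
Host *.$DOMAIN
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

render_sshd_server() {               # /etc/ssh/sshd_config on the target host
  # The target also needs host/<fqdn>@REALM in /etc/krb5.keytab (step 1).
  echo "GSSAPIAuthentication yes"
}

# Returns 0 only when a TGT is present and the login succeeds with password
# authentication disabled, i.e. the ticket really was used.
check_sso() {
  local host=$1
  klist -s || { echo "no valid ticket; run kinit first" >&2; return 1; }
  ssh -o BatchMode=yes -o PasswordAuthentication=no \
      -o PreferredAuthentications=gssapi-with-mic "$host" true
}

if [ -n "${1:-}" ]; then check_sso "$1"; fi
```

Run `./sso.sh slave2.linux.com` from slave1 after logging in as an LDAP user; `klist` on slave2 afterwards should show the forwarded ticket, which is what lets the NFS-mounted home and further hops keep working without a password.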

This completes the LDAP, Kerberos and NFS configuration.
