RHCSA Rapid Track

S.H.I.E.L.D. (Storage Hardware Incorporating Every Last Document) uses a central server, serverX, to host a number of document share directories. Access to most directories is via LDAP-based users, authenticating using Kerberos; however, a number of shares are using standard Linux file access security. Users need to be able to log in and mount the manual NFS share, and should have the public NFS share available constantly.

Here are the key details you will need:

1. Download and install the krb5.keytab file to enable Kerberos access and security.

   [student@desktopX ~]$ sudo wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab

2. Enable and start the nfs-secure service.

   [student@desktopX ~]$ sudo systemctl enable nfs-secure
   ln -s '/usr/lib/systemd/system/nfs-secure.service'  ...
   [student@desktopX ~]$ sudo systemctl start nfs-secure

3. Use mkdir to create both mount points: /mnt/public and /mnt/manual.

   [student@desktopX ~]$ sudo mkdir -p /mnt/{public,manual}

4. Create the persistent mount. This mount will only be accessible to authenticated users.

   1. Use vim to edit the /etc/fstab file.

      [student@desktopX ~]$ sudo vim /etc/fstab

      Add this line to the end of the file:

      serverX:/shares/public  /mnt/public  nfs  sec=krb5p,sync  0 0

   2. Use mount to mount the share and begin using it.

      [student@desktopX ~]$ sudo mount -a

5. Use mount to manually mount /shares/manual on /mnt/manual. Since you already have a kerberized NFSv4 mount from the same server you will need to specify the sec=sys option.

   [student@desktopX ~]$ sudo mount -o sync,sec=sys serverX:/shares/manual /mnt/manual

6. Use ssh to switch to ldapuserX on localhost and confirm the mounts, and read/write access.

   1. Use ssh to log in as ldapuserX.

      [student@desktopX ~]$ ssh ldapuserX@localhost

      If you see something similar to the following, type yes to accept and continue.

      The authenticity of host 'localhost (::1)' can't be established.
      ECDSA key fingerprint is d9:cc:73:82:3b:8a:74:e4:11:2f:f3:2b:03:a4:46:4d.
      Are you sure you want to continue connecting (yes/no)? yes

      Enter the password: kerberos.

      ldapuserX@localhost's password: kerberos

   2. Verify you can switch to both share directories and confirm you have read/write access.

      Use cd to switch directories.

      [ldapuserX@desktopX ~]$ cd /mnt/manual

      Use echo and cat to verify read and write access.

      [ldapuserX@desktopX manual]$ echo hello > test.txt
      [ldapuserX@desktopX manual]$ cat test.txt
      hello

      Repeat this step to test /mnt/public.

      Use exit or Ctrl+D to log out of ldapuserX.

   3. Repeat the previous step as student on both directories. You should be able to change directory and list /mnt/manual, but get Permission denied on /mnt/public because student cannot authenticate using Kerberos.

      Instead of test.txt, you will want to use something like test2.txt, since student is not allowed to write to files owned by ldapuserX.

   Note

   When you are finished using the network storage, you can use the umount command to manually unmount the NFS shares.

   [student@desktopX ~]$ sudo umount /mnt/manual