RHEL7: Use Kerberos to control access to NFS network shares.


Note: This is an RHCE 7 exam objective.

Prerequisites

First, you will have to configure a KDC (Key Distribution Center), called here kbserver.example.com.

Then, you will need two additional servers: an NFS server (here nfsserver.example.com) and an NFS client (here nfsclient.example.com). If you only have two servers/VMs, put the KDC and the NFS server on the same machine.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
It is advisable to set up a master DNS server but, if none is available, add the following lines to the /etc/hosts file of each server (replace the specified IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 nfsserver.example.com
192.168.1.13 nfsclient.example.com

Kerberos NFS Server Configuration

Before adding the Kerberos configuration, set up the NFS server (use the nfsserver.example.com hostname in this tutorial).

Then, you will have to add the Kerberos client configuration (replace kbclient.example.com with nfsserver.example.com in this tutorial).

Finally, add the specific NFS part to the principals:

# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
kadmin:  addprinc -randkey nfs/nfsserver.example.com
WARNING: no policy specified for nfs/nfsserver.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/nfsserver.example.com@EXAMPLE.COM" created.

Create a local copy stored by default in the /etc/krb5.keytab file:

kadmin:  ktadd nfs/nfsserver.example.com
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit

Edit the /etc/exports file and add the option sec=krb5 (or the option that you want, see note):

/home/tools nfsclient.example.com(rw,no_root_squash,sec=krb5)
/home/guests nfsclient.example.com(rw,no_root_squash,sec=krb5)

Note1: The sec option accepts four different values: sec=sys (no Kerberos use), sec=krb5 (Kerberos user authentication only), sec=krb5i (Kerberos user authentication and integrity checking), sec=krb5p (Kerberos user authentication, integrity checking and NFS traffic encryption). The higher the level, the more resources are consumed.
Note2: If you want to use sec=sys (no Kerberos use), you also need to run setsebool -P nfsd_anon_write 1
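
An added example, not part of the original tutorial: a shell function that reads /etc/exports-style lines and reports, for each path and client, the weakest sec flavour the export accepts (sec=sys when no sec option is given, the exports(5) default) and whether no_root_squash is set. The function name audit_exports, the verdict words and every sample line except the first are constructed; only the single-line "path client(options)" form is handled.

```shell
#!/bin/sh
# audit_exports: read /etc/exports-style lines on stdin; for every
# path/client pair print the weakest sec= flavour the export accepts,
# whether root squashing is on, and a verdict (OK, REVIEW or FAIL).
audit_exports() {
    awk '
    function rank(f) {               # higher rank = more protection
        if (f == "sys")   return 0   # AUTH_SYS, no Kerberos
        if (f == "krb5")  return 1   # authentication only
        if (f == "krb5i") return 2   # + integrity checking
        if (f == "krb5p") return 3   # + traffic encryption
        return -1                    # unknown flavour
    }
    /^[ \t]*#/ { next }              # comment line
    NF == 0    { next }              # blank line
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"      # "(opts)" alone: any host
            weakest = "sys"; seen = 0; squash = "yes"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") squash = "no"
                if (o[j] ~ /^sec=/) {
                    # sec= may list several flavours separated by colons
                    m = split(substr(o[j], 5), fl, ":")
                    for (k = 1; k <= m; k++)
                        if (!seen || rank(fl[k]) < rank(weakest)) {
                            weakest = fl[k]; seen = 1
                        }
                }
            }
            verdict = "OK"
            if (squash == "no") verdict = "REVIEW"    # no_root_squash is set
            if (rank(weakest) < 1) verdict = "FAIL"   # Kerberos not enforced
            print path, client, "sec=" weakest, "root_squash=" squash, verdict
        }
    }'
}

# Sample input: the first line is from the tutorial, the others are constructed.
audit_exports <<'EOF'
/home/tools nfsclient.example.com(rw,no_root_squash,sec=krb5)
/srv/pub *(ro)
/srv/secure *.example.com(rw,sec=krb5p)
/srv/mixed nfsclient.example.com(rw,sec=krb5p:krb5i:sys)
EOF
```

On a real server, run it as audit_exports < /etc/exports.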

Export the new configuration:

# exportfs -avr
exporting nfsclient.example.com:/home/guests
exporting nfsclient.example.com:/home/tools

Check your configuration:

# showmount -e localhost
Export list for localhost:
/home/guests nfsclient.example.com
/home/tools  nfsclient.example.com

Activate at boot and start the nfs-secure-server service (RHEL 7.0 only):

# systemctl enable nfs-secure-server && systemctl start nfs-secure-server

Note: If you want to get more information in the /var/log/messages file, edit the /etc/sysconfig/nfs file, assign the “-vvv” string to the RPCIDMAPDARGS/RPCSVCGSSDARGS variables and restart the nfs-idmap/nfs-secure-server daemons.

Kerberos NFS Client Configuration

Before adding the Kerberos configuration, set up the NFS client (use the nfsclient.example.com hostname in this tutorial).

Then, you will have to add the Kerberos client configuration (replace kbclient.example.com with nfsclient.example.com in this tutorial).

Finally, add the specific NFS part to the principals:

# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
kadmin:  addprinc -randkey nfs/nfsclient.example.com
WARNING: no policy specified for nfs/nfsclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/nfsclient.example.com@EXAMPLE.COM" created.

Create a local copy stored by default in the /etc/krb5.keytab file:

kadmin:  ktadd nfs/nfsclient.example.com
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit
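
An added example, not part of the original tutorial: a shell function that reads klist -ke output and checks that the keytab created in the server and client sections above holds an nfs/ principal for the local host name, then lists any DES, 3DES or RC4 entries that ktadd wrote (deprecated by RFC 6649 and RFC 8429). The function name check_keytab, its messages and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# check_keytab FQDN
# Reads the output of "klist -ke /etc/krb5.keytab" on stdin.
# Prints OK, WEAK <enctypes> or MISSING ...; exit status 0, 1 or 2.
check_keytab() {
    awk -v host="$1" '
    BEGIN { want = "nfs/" host "@" }
    # Entry lines look like: "   2 nfs/host@REALM (enctype)"
    $1 ~ /^[0-9]+$/ && NF >= 3 {
        princ = $2
        enc = $3
        gsub(/[()]/, "", enc)
        if (index(princ, want) == 1) {
            found = 1
            # DES, 3DES and RC4 keys are deprecated (RFC 6649, RFC 8429).
            if (enc ~ /^(des-|des3-|arcfour-)/) {
                if (weak != "") weak = weak ","
                weak = weak enc
            }
        } else if (princ ~ /^nfs\//) {
            other = princ            # an nfs/ key issued for another host
        }
    }
    END {
        if (!found) {
            msg = "MISSING nfs/" host
            if (other != "") msg = msg " (keytab holds " other ")"
            print msg
            exit 2
        }
        if (weak != "") { print "WEAK " weak; exit 1 }
        print "OK"
    }'
}

# Constructed listing modelled on the ktadd output above (client host).
check_keytab nfsclient.example.com <<'EOF' || echo "exit status: $?"
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 nfs/nfsclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfsclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/nfsclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/nfsclient.example.com@EXAMPLE.COM (arcfour-hmac)
   2 nfs/nfsclient.example.com@EXAMPLE.COM (des-cbc-md5)
EOF
```

On a real host, run it as klist -ke /etc/krb5.keytab | check_keytab "$(hostname -f)"; a MISSING result means the keytab was generated for a different host name.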

Activate at boot and start the nfs-secure service (RHEL 7.0 only):

# systemctl enable nfs-secure && systemctl start nfs-secure

Activate at boot and start the nfs-client target (RHEL 7.1 and after):

# systemctl enable nfs-client.target && systemctl start nfs-client.target

Note1: Since RHEL 7.1, the nfs-secure service automatically starts if there is a /etc/krb5.keytab file.
Note2: If you want to get more information in the /var/log/messages file, edit the /etc/sysconfig/nfs file, assign the “-vvv” string to the RPCIDMAPDARGS/RPCGSSDARGS variables and restart the nfs-idmap/nfs-secure daemons.
Note3: With the RHEL 7.3 release, systemd is able to use aliases. For example, nfs.service is a symbolic link/alias to the nfs-server.service service file. This makes it possible, for example, to use the systemctl status nfs.service command instead of systemctl status nfs-server.service. Previously, running the systemctl enable command with an alias instead of the real service name failed with an error.

Mount the remote directory:

# mount -t nfs4 -o sec=krb5 nfsserver.example.com:/home/tools /mnt

Note1: If you get the error message “mount.nfs4: an incorrect mount option was specified”, check that you started the correct daemons.
Note2: It is not necessary to specify the rw option; it is the default.
Note3: You can test what shares are exported by the NFS server with the command showmount -e nfsserver.example.com but you first need to stop firewalld on the NFS server (or open the 111 udp and 20048 tcp ports).

To permanently set up the mount, paste the following line in the /etc/fstab file:

nfsserver.example.com:/home/tools /mnt nfs4 sec=krb5

Switch to the user01 user:

# su - user01

Create a Kerberos ticket:

$ kinit
Password for user01@EXAMPLE.COM: user01

Create a file called testFile:

$ cd /mnt
$ echo "This is a test." >testFile

Check the result:

$ ls -l
total 8
-rw-rw-r--. 1 user01 user01 16 Sep  7 16:42 testFile

Additional Resources

You can also watch Sander van Vugt’s video about Mounting Kerberized NFS (17 min/2016).


120 Comments on "RHEL7: Use Kerberos to control access to NFS network shares."

SkoolofManoovah
Member
SkoolofManoovah

When I do that last bit-

# mount -t nfs4 -o sec=krb5 nfsserver.example.com:/home/guests /mnt

I get the following error message, can’t find on web what the problem is-

“mount.nfs4: an incorrect mount option was specified”

I have checked and rechecked that I followed your instructions precisely except ips and fqdns. Any suggestions?

mrmarcus
Member
mrmarcus

For some reason I can not get the nfs-secure-server service to start following these instructions. I’ve followed the directions step by step on several VMs to no avail. Does this service have any pre-requisites?

Gjorgi
Member
Gjorgi

You will get this message if you haven’t previously started nfs-secure. This service has to be started first, before attempting secure NFS mount.
On the other hand, I can’t enable nfs-secure on my CentOS 7.2 virtual install. I am only allowed to manually start it. Any workarounds?

YDE
Member
YDE

Hi
I’ve followed it and it works except one problem.
When I want to write on mounted nfs storage I’ve “Permission denied” error (in Root or other users).
No problem before Kerberos configuration.
Any idea ?

YDE
Member
YDE

Other question, In this documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html
RedHat uses ipa-server and ipa-client to configure Kerberos authentication and Kerberized NFS / SMB.
Is it enough for RHCE ?
Can we use it during exam ? Or manual Kerberos configuration is required ?

Shikaz
Member
Shikaz

To use ipa-client-install you need admin password, which I am not sure that you will get that in the exam.

sandervanvugt
Member

You won’t have to do anything with IPA server, Kerberos server and so on. They’re not in the list of objectives. I’ve looked at RHEL 7 courseware, they’re just providing key tab files in the courseware. Which means that on the exam as well, you’ll get a fully functional IPA server, and key tab files as well.

jerky_rs
Member
jerky_rs

Great article.

I think Redhat would list IPA somewhere in the Objectives. It is also part of the RH413 expertise course (hidden..) = http://www.redhat.com/en/services/training/rh413-red-hat-server-hardening (Course outline tab).

So my guess is that you will need to setup NFS server and Kerberos client (as configuring Kerberos server is not an objective). Setting up the same in IPA requires specific knowledge of something that is not listed in objectives or is part of the RH300 course outline.

Shikaz
Member
Shikaz

Do you have an idea how to add the NFS + Kerberos in fstab?
Is it?: nfsserver.example.com:/home/guests /mnt nfs4 _netdev,krb5 0 0?

erik
Member
erik

If you want SElinux contexts to be consistent between the server / client, you will need to make the following tweak to the above configs:

Server:
In /etc/sysconfig/nfs set RPCNFSDARGS="-V 4.2"

Client:
When you mount the share add the v4.2 option:
mount -t nfs4 -o sec=krb5p,v4.2 ehansen01:/home/tools /mnt/tools/
–or fstab–
server01:/home/tools /mnt/tools nfs sec=krb5p,v4.2

This is straight out of one of Redhat’s Sysadmin courses

BadBrains
Member
BadBrains

The course material only works on Centos 7.0 not Centos 7.1.
nfs-secure-server unit file is static in the latter so cannot be enabled. The SELINUX context does not appear to work either on version 7.1.
I am going to try with RHEL instead of Centos. Really hoping the exam version does not change with new releases.

tom
Member
tom

Does it work for you? I tested it on both RHEL 7.1 and CentOS 7.1 and it did not work:

[root@client3 ~]# mount -vvv -t nfs4 -o sec=krb5p,vers=4.2 server3.example.com:/srv/nfsusers /mnt
mount.nfs4: timeout set for Sun Oct 18 12:31:48 2015
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.122.225,clientaddr=192.168.122.16'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: Protocol not supported

[root@client3 ~]# mount -vvv -t nfs4 -o sec=krb5p,v4.2 server3.example.com:/srv/nfsusers /mnt
mount.nfs4: timeout set for Sun Oct 18 12:32:48 2015
mount.nfs4: trying text-based options 'sec=krb5p,v4.2,addr=192.168.122.225,clientaddr=192.168.122.16'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: Protocol not supported

It works with vers=4.1 but then SELinux contexts are not exported to client.

Any ideas?

tom
Member
tom

Never mind, I figured it out. It turns out that it is not enough just to restart nfs-server, nfs-config and nfs-secure-server. You actually have to reboot server. To check if V 4.2 is actually enabled on your server, do: cat /proc/fs/nfsd/versions

michaels
Member
michaels

Hello,

CLIENT Side:

There is no enable option for

# systemctl enable nfs-secure

You can start the service independently (# systemctl start nfs-secure) but to enable it through the reboots we should enable the nfs-client service:

# systemctl enable nfs-client.target

Server Side:

There is no enable option for

# systemctl enable nfs-secure-server

Again, you can start it independently but to enable it through reboots is enough to enable the nfs-server.service:

# systemctl enable nfs-server.service

ky13
Member
ky13

You can enable nfs-secure and nfs-secure-server but you need to have /etc/krb5.keytab in place

fiend138
Member
fiend138

There are a few issues with the steps above. On the server side you can’t enable nfs-secure-server.service because it is a static service started by nfs-server.service. However on both RHEL 7.1 and CentOS 7.1 I noticed a problem. In order for this to work I had to remove two lines from the service file:

ConditionPathExists=|!/run/gssproxy.pid
ConditionPathExists=|!/proc/net/rpc/use-gss-proxy

After that just run ‘systemctl enable nfs-server.service’.

On the client side there is a similar issue. nfs-secure.service is also a static service started by the nfs-client.target. However in the version of nfs-utils used this is not enabled by default. There is supposedly a fix…

Lee Yang Jae
Member
Lee Yang Jae

I found Sander’s Centos 7 server VM nfs version and it can support nfs-secure-server and nfs-secure. The version is nfs-utils-1.3.0-0.el7.x86_64

[root@server1 ~]# rpm -qa | grep nfs-utils
nfs-utils-1.3.0-0.el7.x86_64
[root@server1 ~]# systemctl enable nfs
nfs-blkmap.service nfs-secure-server.service nfs-idmap.service nfs-secure.service nfslock.service nfs-server.service nfs-mountd.service nfs.service nfs-rquotad.service

But after update as nfs version by yum update,

[root@server1 ~]# rpm -qa | grep nfs-utils
nfs-utils-1.3.0-0.21.el7.x86_64
[root@server1 ~]# systemctl enable nfs
nfs-blkmap.service nfs-server.service nfs.service

there is only nfs-server. Could you help to compare “nfs-utils-1.3.0-0.el7.x86_64” and “nfs-utils-1.3.0-0.21.el7.x86_64”. Is there a way to use nfs-secure-server and nfs-secure in latest nfs version?

circuscowboy
Member
circuscowboy

To make things more complicated the virtual machines for the official Red Hat labs are 7.0 and I believe the exam is the same. (February 2016)

rilindo
Member
rilindo

As a reminder, when practicing make sure that the clocks are synced (either using ntp or chronyd). Kerberos, after all, is sensitive to time.

(spent 19 minutes what could have been 5 trying to get kerberos working with NFS)

sandervanvugt
Member

I think that finally I found what goes wrong over and over again with kerberized NFS. The problem is in software updates. The symptom: you start with an installation of CentOS or RHEL 7.2. The procedure works as described as mentioned in my video (see “Additional Resources” above). Then you upgrade, and you get an “access denied” message from the Kerberized NFS server. The fun thing is that this has happened over and over again in my tests, on 7.0, on 7.1 as well as 7.2. Fortunately, it’s just an upgrade issue and not a configuration issue. The solution? DO…

danw
Member
danw

Hello, I need some info for this month of April 2016…

Did anyone take the RHCE exam last Friday? I would love to know what version of Red Hat is the exam on?

Hopefully the mess between nfs-client and nfs-secure is not going to compromise my exam…. I will let you know tomorrow when I finish my exam.

CaptainCaxap
Member
CaptainCaxap

Hi, I will have the RHCE exam on 29.04. I called my redhat certification center recently and they confirmed that current lab version they use is 7.0

asifshabir
Member
asifshabir

I have followed this method and I’m getting errors:

when I mount it takes a lot of time and then displays this error message

mount.nfs4: access denied by server while mounting nfsserver1.example.com:/home/tools

logs from kbserver.
http://www.heypasteit.com/clip/2MI2

I am using centos 7

cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Normal mount is working fine.

Can you please suggest a solution.

Jaz
Member
Jaz

This Kerberized NFS has become a real pain.
I am not sure how I am going to fulfil this requirement if I have to configure kerberized nfs during the exam.
I have tried every possible way and it didn’t work out on RHEL 7.0
“access denied while mounting” messages appear.
When I remove “sec=krb5” option from exports file then it mounts normally without any problem.

Seriously, what is wrong with it?

Gjorgi
Member
Gjorgi

You don’t have nfs-secure running. You probably got the generic keytab.conf downloaded to your client which doesn’t correctly identify Kerberos realm.
Address these two issues and attempt again.

Jaz
Member
Jaz

Actually, I realized this mistake right after my first comment.
There is a ‘mistake’ in Michael Jang’s 7th edition (apparently too many in there). He made me create nfs server and client keytabs both with the same nfs server address which caused the issue.
# ktadd -k /tmp/server1.keytab server1.example.com
# ktadd -k /tmp/client.keytab server1.example.com

So I deleted the old keytab from /etc/ and also from Kerberos server and generated a new one with the client address and it worked.

mmhaque4
Member
mmhaque4

I wrote the RHCE 300 exam last 13th May, 2016. I was unable to get the kerberised NFS share part working.

At the server:
I added services: mountd, rpc-bind, nfs
started services: nfs-server, nfs-secure, nfs-secure-server, rpcbind
Downloaded the keytab from the given server to : /etc/krb5.keytab.

At the client:
started services nfs-server, nfs-secure, rpcbind.
In the /etc/fstab of the client machine; I had
[ip of nfs server]/nfssecure nfs /mnt/nfs defaults, sec=krbp5 0 0

At first the error message was:
mount.nfs: an incorrect mount option was specified

Then I restarted all the services in both the server and client, changed the…

brucemzn
Member
brucemzn

@Jaz You had errors because you started invalid services. Please note that nfs-secure-server.service cannot start without a keytab file (/etc/krb5.keytab). The following services should be enabled and started if using Redhat/Centos 7.0 :

NFS Server:
systemctl enable nfs-secure-server
systemctl start nfs-secure-server
systemctl status nfs-secure-server

Add the services to the firewall:
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload

NFS Client:
systemctl enable nfs-secure
systemctl start nfs-secure
systemctl status nfs-secure
showmount -e nfs-server-hostname (or ip-nfs-server)

You will obviously get an error “access denied by server while mounting…” The solution to this is to reboot both nfs server and client…

brucemzn
Member
brucemzn

@ mmhaque4
This error is caused by either:
1. The nfs-secure-server is not running on the server side
2. The nfs-secure service is not running on the client side
3. The keytab files are stale, meaning that they are not valid.
4. You did not reboot the nfs server and client
Try those tricks and let us know how it goes. Check the validity of keytab files by running the “# klist -k” command on both nfs server and client. The results must correspond to the hostname, respectively.

mmhaque4
Member
mmhaque4

@brucemzn, I have tested at my home in centos 7.2 machines and was able to mount Kerberos nfs without rebooting server and client. Today I wrote the exam again and got the same score (196) as before. The nfs-secure-server was not starting at all in the server machine. I checked the keytab files in both server/client with cat /etc/krb5.keytab and each had their individual name. I started nfs-server, nfs-secure both in the server and client.

I had a new problem today that I did not have on my first attempt. The ‘nmcli con up team0’ was giving error. The team0(link…

brucemzn
Member
brucemzn

@mmhaque4, Sorry for late response. Please note that the exam is based on Redhat 7.0 unless otherwise stated by Redhat on their official website. For you to pass the exam at this moment, you must practice using Redhat/Centos 7.0

To confirm keytab files, use # klist -k command

Looks like you enabled and started all the service, but some were unnecessary, for example, you don’t have to start the nfs-secure.service on the server side. The following will work, provided you have valid keytab files:

Server Side:
enable nfs-secure-server.service
enable nfs-server.service
start nfs-secure-server.service
start nfs-server.service

Client Side:
enable nfs-server.service
enable nfs-secure.service…

mmhaque4
Member
mmhaque4

Thanks brucemzn, During the exam, the ‘nfs-secure-server.service’ was not starting in the server even though I had the correct krb5.keytab file in the /etc/ directory.

As for the team configuration, I do not remember what was the error message but it was something ‘nmcli’ and NetworkManager versions mismatch. As a result the new connection ‘team0’ was not turning up. It was created but was not shown under the device column. It appears the nmcli and NetworkManager should have exactly the same version numbers. I have just emailed RedHat regarding the versions mismatch and requested them to clarify whether it was…

brucemzn
Member
brucemzn

@mmhaque4 Thanks for the response. As for the network interface teaming, I would kindly request you to start a thread under Networking teaming, and I will post the solution there.

Right now, let’s talk about Kerberised NFS. It’s a pity that we can’t discuss the exam questions here or anywhere. But we can recreate the scenario under lab environment. My request to you is to recreate the scenario, and let us know what the error messages are. These error messages are important to help troubleshoot. My questions to you are: 1. Do you have full functional Kerberos Server in your…

mmhaque4
Member
mmhaque4

Hi brucemzn,

I am happy to let you know that I finally passed the RHCE yesterday! That was my third attempt.

This time both Network Teaming and Kerborized NFS worked just fine.

As for teaming nmcli command worked. And for the NFS, I did not have to reboot both VMs before mounting. Also, I did not have to start ntp/chronyd service and selinux fcontext on this.

Thanks again for your help.

brucemzn
Member
brucemzn

Hi mmhaque4.

Congratulations and thanks for sharing. As you said that you did not start ntp/chronyd this time. That’s an impressive theory. Like I said before, time does not affect NFS Kerberos. Thank you for providing us with such information. That’s right, ntp/chronyd does not affect NFS Kerberos in RHCE exam lab environment.

brucemzn
Member
brucemzn

Hi CertDepot, Sorry for the late response. I have been away for quite some time. I have two labs. One is based on RHEL-7.0 and the other RHEL-7.1. When I do the Kerberised NFS task, clients can mount Kerberised NFS shares successfully, on both labs. Neither ntpd nor chronyd are running when I do the Kerberised NFS task.

# systemctl status ntpd (shows dead)
# systemctl status chronyd (shows dead)

Therefore my theory that NTP does not affect Kerberos NFS in a lab environment is proven to be true. Please feel free to ask further questions. Any input will be…

brucemzn
Member
brucemzn

Hi CertDepot,

Thanks for the response. I agree and get your point. It’s a learning curve.

Lisenet
Member

That’s not a proof I’m afraid, you are simply lucky to have your servers in time sync. Try shifting time one hour ahead so that it differs among servers, and let us know if you still get it working.

brucemzn
Member
brucemzn

Hi Lisenet, Thanks for the response. Well, I simulated the environment per your request. Three machines are involved in this scenario, a KDC, an NFS Server and NFS Client. I shifted the time, at least two hours apart from each machine. I then deleted existing keytab files. I then removed nfs-utils packages. I then installed nfs-utils from scratch. Then I created new keytab files on both NFS server and NFS client machine. The NFS client managed to mount the Kerberised NFS share with no issues at all. Please see attached screenshots on the following link. There are four images. Please…

Lisenet
Member

I’m sorry, but I cannot replicate it, NFS mount fails when I shift time.

Try the following:

1. Sync time with all 3 servers, IPA, NFS server and NFS client, ensure the time is in sync.
2. On the NFS server, stop chronyd, disable NTP sync, change time so that it’s 1 hour behind compared to IPA/NFS client.
3. On the NFS client, try to mount the kerberised NFS share.

brucemzn
Member
brucemzn

Hi Lisenet, Thanks for the response. Your failure to replicate the scenario made me wonder. And it led to one theory. The theory is that “One of us is doing something wrong.” So I went back to the drawing board, to simulate the scenario. After several tests, I came to realise that I’m the one who is wrong. I have been using the command # date set-time to shift the times on all three machines, but not realising that time was reverted after a reboot. Using the command timedatectl makes permanent changes. NFS client failed to mount the Kerberos share.…

Lisenet
Member

I second that.

David_V
Member
David_V

Does the krb5.keytab go on the NFS server machine or the NFS client machine? Sander and Asghar say the exact opposite.. Sander says NFS server, and Asghar says on the NFS client.

raj
Member
raj

I contacted Redhat Training to ask about the exact version of RHEL7 used for the RHCE EX300 exam. I got a response today confirming it as RHEL7.1.
I have created my own repo based on http://archive.kernel.org/centos-vault/7.1.1503/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso. This ensures I’m not upgraded to RHEL7.2.

raj
Member
raj

I was surprised as well but that’s the response I got from training-uk@redhat.com. I’m on the course/exam in a few weeks so I’ll confirm and post an update.

jameslondon2001
Member
jameslondon2001

I have been in contact with training-uk@redhat.com three times over the past 7 days today being 30th Aug 2016, yes that’s three times and each time they have confirmed that the exam currently for EX300 is in RHEL 7.0 NOT 7.1. I phoned them twice and got email confirmation that it’s v7.0. They have also escalated my concern as the phone representative agreed that it should be clearly stated on exam booking. Therefore I am very confused as to why people were told it’s being tested on 7.1 unless it’s changed again?

tron
Member
tron

I happen to be RHCI now, and asked my “inside contact” about this. His answer was that it is 7.0 (as always). The only official way to know is to ask via http://www.redhat.com/training/certification/comments.html
That’s not what I would like, but that’s how it is.

Lisenet
Member

I’ve got the following below. Somebody’s obviously lying.

Hi Tomas,

Thank you for writing to us.

We would like to inform you that the RHCE (EX300) exam operating system version is RHEL 7.1.

Please let me know should you require further information.

Regards,
Shim
Training Administrator

Red Hat Training UK
Tel: 0800 1456153
Fax: +44 (0) 1252 601 214
E-mail: training-uk@redhat.com
Web: http://www.redhat.com/training
Timings: Mon to Fri (0830 – 1700 Hrs)

Registered in England and Wales under Company Registration No. 03798903

thetechgal
Member
thetechgal

Red Hat Training are lying to you. I took the exams (RHCSA and RHCE), and they were both on RHEL 7.0.

raj
Member
raj

Thanks James for the update as I’ve been preparing for an exam based on RHEL7.1 . This uncertainty is very frustrating. I’ve just called Redhat training UK and they said that EX300 is based on RHEL7.0 but refused to comment on the email I have from them stating it was RHEL7.1 .

Their only statement was email us again and we’ll tell you the current version . I’ve asked for a URL which has the updated version of the exam as it is not on the objectives. Has anyone else contacted Redhat ?

Lisenet
Member

There are not that many differences between RHEL 7 versions. Walk the extra mile, practice all tasks on RHEL 7.0, 7.1 and 7.2, and you’ll be fine no matter what version you get on the exam. That’s what I ended up doing.

raj
Member
raj

As I understand it, the exact version (including point release) is not listed anywhere on their site and can only be obtained by directly contacting Redhat. I’m losing patience with Redhat now. Here is my latest response from Redhat UK training about 5 mins ago.

“The EX300 is on Linux Rhel 7 version which you would be able to see clearly on our website as well, for details you can refer the link : https://www.redhat.com/en/services/training/ex300-red-hat-certified-engineer-rhce-exam However, if you want to still confirm on which the version is based on you can contact our certification team. We did check on…

Lisenet
Member

I know it’s not gonna help you much, but I tend to agree with Randy Russell from Red Hat. His comment about different minor releases made sense:

“What’s required is knowing underlying principles rather than rote memorization. Dot releases are part of the job.”

In prod, I need to work with all versions of RHEL.

raj
Member
raj

Hi Lisenet, Your email is interesting, below is the email I got today from the same training administrator. It’s ridiculous that this is not clearly documented on the site as there is no easy way to know if/when the version changes. When I enquired in June the same training administrator stated the version was 7.1 and I rebuilt my home lab to 7.1. Three months later, I’m now being told it’s 7.0. Is Redhat moving backwards or was I initially given incorrect info?

Hi , Sorry for the confusion and inconvenience caused to you. The EX300 is on Rhel…

Lisenet
Member

It now seems that it takes less time to learn exam-related differences between 7.0 and 7.1 than pursue Red Hat training for clarification.

alexritm
Member
alexritm

is it necessary to downgrade lab machines from 7.2?

sab
Member
sab

Hi, Could you please clarify for me how NFS Selinux booleans works? Manpage nfsd_selinux(8) says:

nfs_export_all_ro: If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean. Enabled by default.
nfs_export_all_rw: If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by default.

However, no matter if these booleans are enabled or disabled on server, I am able to export shares and client is able to mount with RW permissions. And also I have a question regarding context on files…

Lisenet
Member

These booleans are not required when files to be shared via NFS are labeled with the public_content_t or public_content_rw_t types.

NFS can share files labeled with these types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. This might explain why you are able to mount with RW permissions.

sab
Member
sab

Thanks for your comments. This should work as you describe, however I’m able to export files labeled with any context with disabled booleans:

[root@nfsserver ~]# getsebool -a | grep ^nfs
nfs_export_all_ro --> off
nfs_export_all_rw --> off
nfsd_anon_write --> off
[root@nfsserver ~]# ls -ldZ /share/secured/
drwxr-xr-x. harry root unconfined_u:object_r:default_t:s0 /share/secured/
[root@nfsserver ~]# cat /etc/exports
/share/secured *.example.com(rw,sec=krb5p)
[root@nfsserver ~]# exportfs -rav
exporting *.example.com:/share/secured

On the client:

[root@nfsclient ~]# tail -1 /etc/fstab
nfsserver.example.com:/share/secured /nfs/secured nfs _netdev,rw,sync,sec=krb5p 0 0
[root@nfsclient ~]# ls -ldZ /nfs/secured/
drwxr-xr-x. nobody nobody system_u:object_r:nfs_t:s0 /nfs/secured/
[harry@nfsclient ~]$ klist
Ticket cache: KEYRING:persistent:1003:1003
Default principal: harry@EXAMPLE.COM
Valid starting Expires Service principal
10/25/2016…

Lisenet
Member

Yep, you are right, I get the same behaviour on RHEL 7.0.

ganastasiou
Member
ganastasiou

Hello,
First of all i would like to thank you for the material and how-to education you have shared. I would like to ask you if you are aware, if during the exam keytabs are shared or either admin password for Kerberos to “get” them locally.
