Setting Up NFS Server with Kerberos-based Authentication for Linux Clients

In order to offer Linux clients a secure file sharing environment, establishing security mechanisms in place to safeguard file integrity and credibility, an NFS server must be configured using Kerberos-based authentication. Installing and configuring the NFS server software comes first. After that, enabling Kerberos authentication on both the server and client sides enables secure connection and authentication. Keytabs and principals are created in order to achieve secure access to the NFS server. Then, in the NFS export settings, the shared directories are listed. By modifying the firewall rules, it is possible to accept NFS and Kerberos traffic and keep connectivity. In this setting, Linux clients can securely access and share files from the NFS server, and Kerberos authentication provides a dependable and secure setting for file sharing.

Methods Used

  • Automation with Configuration Management Tools

  • Manual Configuration Approach

Automation with Configuration Management Tools

The setup of an NFS server for Linux clients using Kerberos-based authentication can be made simpler by automation using configuration management tools. The optimum configurations for NFS server and client systems can be guaranteed by automating installation and setup tasks using scripted playbooks that make use of tools like Ansible, Puppet, or Chef.

These scripts or playbooks contain instructions for setting up NFS exports, Kerberos realms, principals, and keytabs, as well as installing the necessary NFS and Kerberos packages. They can also control how Kerberos authentication is activated on the server and client sides. Furthermore, by controlling firewall rules with configuration management tools, NFS and Kerberos traffic can be permitted.

With the help of setup management systems, the entire setup process may be automated, maintaining consistency and reducing manual labour. By simplifying quick deployment and simplifying maintenance of the NFS server and client configurations, it improves the efficiency and dependability of NFS file sharing with authentication via Kerberos in Linux systems.


  • Download NFS Server Software − Employ package management tools to set up the necessary NFS server software on the server.

sudo apt-get install nfs-kernel-server

sudo yum install nfs-utils
  • Download the Kerberos packages on the server.

  • Create the Kerberos client and server settings.

sudo apt-get install krb5-kdc krb5-admin-server

sudo yum install krb5-server krb5-libs krb5-workstation

sudo nano /etc/krb5.conf
  • Generate Keytabs and Kerberos Principals 

    To establish Kerberos principals for the NFS server and clients, use the Kerberos administration tool ('kadmin' or 'kadmin.local').

    Create keytabs for secure authentication.

sudo kadmin.local -q "addprinc -randkey nfs/"

sudo kadmin.local -q "addprinc -randkey nfs/"

sudo kadmin.local -q "ktadd nfs/"
sudo kadmin.local -q "ktadd nfs/"
  • Configure NFS Exports, this is essentially a method by which you alternate the NFS export configuration in the '/etc/exports' document to specify the directories to be shared with clients; furthermore, the command for NFS export configuration is noted below so you can assist yourself.

sudo nano /etc/exports
# Add entries like:
# /shared-directory,sync)

sudo exportfs -a
  • Setup Kerberos Authentication for the Server and Clients 

    Change the Kerberos authentication setting on the NFS server to "krb5".

    Configure Kerberos for NFS client authentication.

sudo nano /etc/default/nfs-kernel-server

sudo nano /etc/idmapd.conf
# Set "Domain ="
  • Begin NFS Services 

    Begin the NFS server as well as the nfs-server, rpcbind, and nfs-secure services.

sudo systemctl start nfs-server
sudo systemctl start rpcbind
sudo systemctl start nfs-secure
  • Modify the firewall rules to allow NFS and Kerberos traffic. Set Firewall Rules.

sudo ufw allow nfs
sudo ufw allow 2049
sudo ufw allow kerberos
  • Test and Verify − Determine whether the NFS server is accessible and operating.

    Use Kerberos authentication to ensure that Linux clients can access and share the NFS server with trust.

sudo systemctl status nfs-server

sudo mount -t nfs /mnt

Manual Configuration Approach

The Manual Configuration Approach requires physically setting up an NFS server with Kerberos-based verification for Linux clients. To begin with, devices for bundle administration are utilised to introduce the NFS server programme. The shared registries are at that point contained within the "/etc/exports" record, which records the NFS trades. On the server and clients, Kerberos has been set up and introduced. Programmes like "kadmin" or "kadmin.local" are utilised to form Kerberos principals and keytabs for secure verification. The settings record will have to be changed in order for the NFS server to back up Kerberos confirmation.

Moreover, the dispatch of noteworthy administrations like "nfs-server," "rpcbind," and "nfs-secure" is talked about. At long last, upgraded firewall rules presently allow NFS and Kerberos activity. This arrangement builds up a secure file-sharing environment where Linux clients can get to and trade records on the NFS server while defending the secrecy and keenness of the information by using Kerberos confirmation.


  • Installing NFS server software requires using package management tools.

sudo apt update
sudo apt install nfs-kernel-server

sudo yum install nfs-utils
  • To define shared directories and set up NFS exports, edit the "/etc/exports" file.

sudo nano /etc/exports

/path/to/shared/directory client_ip(rw,sync)
  • Set up and configure Kerberos on the client and server systems.

  • To create Kerberos principals and keytabs, use programmes like "kadmin" or "kadmin.local".

sudo kadmin.local -q "addprinc -randkey nfs/"

sudo kadmin.local -q "addprinc -randkey nfs/"

sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/"
  • Change the "/etc/nfs.conf" or "/etc/sysconfig/nfs" set file for the NFS server to allow Kerberos authentication.

sudo nano /etc/nfs.conf

  • Another step involves the setting up of the required services, such as "rpcbind," "nfs-secure," and many more, following are the terminal command for the same.

sudo systemctl start nfs-server
sudo systemctl start rpcbind
sudo systemctl start nfs-secure
  • Modify firewall rules to allow traffic from Kerberos and NFS.

sudo ufw allow nfs
sudo ufw allow kerberos

sudo firewall-cmd --permanent --zone=public --add-service=nfs
sudo firewall-cmd --permanent --zone=public --add-service=kerberos
sudo firewall-cmd --reload
  • Clients get Kerberos tickets to authenticate with the NFS server.

sudo kinit -kt /etc/krb5.keytab nfs/

sudo kinit -kt /etc/krb5.keytab nfs/
  • To mount the NFS, you should share directories on the client computers and further use the proper mount instructions.

sudo mount -t nfs /mnt/nfs
  • By obtaining the access to the NFS server, client’s files furthermore, transferring files, you can verify the settings also.

echo "This is a test file" | sudo tee /mnt/nfs/test.txt

ls /path/to/shared/directory


Setup is required to form a secure NFS server with Kerberos client confirmation on Linux. By either computerising with arrangement administration devices or utilising the manual arrangement approach, chairmen can guarantee the privacy and astuteness of shared data. The establishment of the NFS server computer programme, actuating Kerberos verification, setting up keytabs and principals, building up NFS sends out, characterising firewall rules, and arranging NFS sends out are all critical steps in this preparation. Linux clients utilising Kerberos confirmation can share records on the NFS server securely, providing a reliable and secure environment for record sharing. This course of action not only advances productive communication over Linux clients but also guarantees information secrecy and security.

Updated on: 03-Aug-2023


Kickstart Your Career

Get certified by completing the course

Get Started