EX362 Objective 4 – Automated Home Directory

Next stop, time to get serious – let’s configure some Automated Home Directories


but first some housekeeping …

Hit like if you like this post and would like to see more like it, or follow to be kept informed of any new posts



This is where things start getting tough, we are going to set up a Kerberos-aware NFS Server and configure NFS Clients to use Kerberos Authentication. This is an area where there is lots of variance in other guides. Use mine, it’s better.

We are going to do the following:

    1. Configure utility.blue.example.net to act as a NFS server with the following attributes:
      • The NFS service should run using a kerberos service principal nfs/utility.blue.example.net and be stored in /etc/krb5.keytab
      • The NFS service should be auto-start with the server at boot time
      • Create and export /export/home using security krb5 krb5i and krb5p options
    2. Configure client.blue.example.net to act as a NFS client
    3. On utility.blue.example.net do the following:
      • Create a user called nfsuser1 and password linuxbuff
      • Pre-Create it’s home directory in /export/home/nfsuser1
    4. Test on idm.blue.example.net (ensure there are no kerberos tickets) for nfsuser1 and then ssh across to client.blue.example.net – the user should login WITH a password and it’s home directory should be auto-mounted from utility.blue.example.net


Part 1 – Configure NFS Server

Get an admin ticket

kinit admin


Add the Service

ipa service-add nfs/utility.red.example.net


Pull the keytab into the standard location

ipa-getkeytab -s idm.red.example.net -p nfs/utility.red.example.net -k /etc/krb5.keytab 


Install NFS software

yum install -y nfs-utils


Make the export home directory

mkdir -p /export/home
echo "/export/home *(rw,sec=krb5:krb5i:krb5p)" >> /etc/exports

Note that I am using krb5, krb5i and krb5p options only – so use Kerberos or don’t get in


Configure all services

ipa-client-automount -U
systemctl enable nfs-secure nfs-server rpcbind rpcidmapd --now
exportfs -rav
exportfs -sv
showmount -e utility.red.example.net


Add the following firewall services

firewall-cmd --add-service=nfs --add-service=nfs3 --add-service=rpc-bind --add-service=mountd --permanent
firewall-cmd --reload

My tip here is enable more rather than less. Let’s better to lose a few points for a slightly less secure service than lose more points for in inaccessible system


Now we need to test from client

[root@client ~]# showmount -e utility
Export list for utility:
/export/home *



Part 2 – Configure IdM


Network Services –> Automount –> Default and click Add – select options as below


Then  click on auto.home and then Add – and enter details as below




Part 3 – Configure the client

ipa-client-automount -U
systemctl enable rpcidmapd --now
systemctl enable rpcgssd --now
systemctl enable nfs --now


Part 4 – Pre-create the users home directory on the NFS server and create it’s home directory

ipa user-add --first first --last user --password nfsuser01
mkhomedir_helper nfsuser01
mv /home/nfsuser01 /export/home


Part 5 – Test

on the idm server – remove all tickets

kdestroy -A

Now let’s test logging in (and changing password as needed)

[root@idm ~]# ssh nfsuser01@client.red.example.net
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
[nfsuser01@client ~]$ id
uid=432800009(nfsuser01) gid=432800009(nfsuser01) groups=432800009(nfsuser01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[nfsuser01@client ~]$ pwd
[nfsuser01@client ~]$ df | grep nfs
utility.red.example.net:/export/home/nfsuser01 6486016 1736704 4749312 27% /home/nfsuser01


Verify it’s using Kerberos (look for sec=krb5 )

[nfsuser01@client ~]$ mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
utility.red.example.net:/export/home/nfsuser01 on /home/nfsuser01 type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=,local_lock=none,addr=



All done – we now have configured Automated Home Directories

2 thoughts on “EX362 Objective 4 – Automated Home Directory

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s