Overview

While for production we nowadays nearly exclusively see Object Storage based setup, for POC setups it is still convenient to use NFS as filestore. Smaller footprint, less efforts, functional and fast enough for some functional testing.

However one disadvantage is that all NFS client machines need to have synchronized system userIDs in order for access to work, which is often not accounted for during initial setup and cumbersome to fix later.

One possible approach is to use NFS4 with Kerberos as in that flavor access is not granted based on numerical userIDs, but rather symbolic usernames.

The drawback of this solution is a slightly more complicated setup, but, once figured out how it works, it is surprisingly robust in first tests.

KDC setup

Standard stuff, no special things.

Initialize the stash.

Create host keys for every host with host/hostname.fqdn and nfs/hostname.fqdn. Export to a keytab and transfer to NFS client as /etc/krb5.keytab.

Create a kerberos principal for the open-xchange user. Probably a high (unlimited) ticket lifetime will be helpful.

NFS Server Setup

Decide for a directory to export. In a standard setup with exported user homedirectories you can use the filestore/ subdirectory of the open-xchange users home directory.

Standard linux practice is to bindmount that under some /export toplevel export point.

/etc/exports file:

/export kclient.lan(rw,fsid=0,sec=krb5i)

CentOS 7:

yum install nfs-utils

systemctl restart nfs
systemctl enable nfs

systemctl restart nfs-secure
systemctl enable nfs-secure

NFS Client Setup

CentOS7:

systemctl restart nfs-secure
systemctl enable nfs-secure

mount -t nfs4 -o sec=krb5i knfs:/ /mnt

Service Setup

For accessing data, the OX service needs a kerberos ticket.

# su - open-xchange
$ kinit

That is somewhat clumsy (TODO: find out how to automate that).