System Administration Guide: Security Services

Procedure: How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

This procedure enables an NFS server to provide secure NFS access using different security modes, or flavors. When a client negotiates a security flavor with the NFS server, the first flavor offered by the server that the client is able to use is selected. That flavor is then used for all subsequent client requests to the file system shared by the NFS server.

  1. Become superuser on the NFS server.

  2. Verify that there is an NFS service principal in the keytab file.

    The klist command reports whether a keytab file exists and displays the principals it contains. If the output shows that no keytab file exists or that no NFS service principal exists, verify that you have completed all the steps in How to Configure Kerberos NFS Servers.


    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------------------------------------------------------
       3 nfs/denver.example.com@EXAMPLE.COM
       3 nfs/denver.example.com@EXAMPLE.COM
       3 nfs/denver.example.com@EXAMPLE.COM
       3 nfs/denver.example.com@EXAMPLE.COM

  3. Enable Kerberos security modes in the /etc/nfssec.conf file.

    Edit the /etc/nfssec.conf file and remove the “#” that is placed in front of the Kerberos security modes.


    # cat /etc/nfssec.conf
     .
     .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
    krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
    krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS

  4. Edit the /etc/dfs/dfstab file and add the sec= option with the required security modes to the appropriate entries.


    share -F nfs -o sec=mode file-system
    
    mode

    Specifies the security modes to be used when sharing the file system. When using multiple security modes, the first mode in the list is used as the default.

    file-system

    Defines the path to the file system to be shared.

    All clients that attempt to access files from the named file system require Kerberos authentication. To access files, the user principal on the NFS client should be authenticated.

  5. Make sure that the NFS service is running on the server.

    If this is the first share command, or set of share commands, that you have issued, the NFS daemons are probably not running yet. The following command restarts them:


    # svcadm restart network/nfs/server
    
  6. (Optional) If the automounter is being used, edit the auto_master database to select a security mode other than the default.

    You need not follow this procedure if you are not using the automounter to access the file system or if the default selection for the security mode is acceptable.


    file-system  auto_home  -nosuid,sec=mode
    
  7. (Optional) Manually issue the mount command to access the file system by using a non-default mode.

    Alternatively, you could use the mount command to specify the security mode, but this alternative does not take advantage of the automounter.


    # mount -F nfs -o sec=mode file-system
    

Example 23–5 Sharing a File System With One Kerberos Security Mode

In this example, the dfstab file line means that Kerberos authentication must succeed before any files can be accessed through the NFS service.


# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5 /export/home


Example 23–6 Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes have been selected. Which mode is used is negotiated between the client and the NFS server. If the first mode in the command fails, then the next is tried. See the nfssec(5) man page for more information.


# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
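The following script is an added example and is not part of the Solaris guide. It audits the three artifacts the procedure above depends on: the keytab listing from step 2, the nfssec.conf entries from step 3, and the dfstab share lines from step 4, including the negotiation rule that the first flavor in a sec= list is the one a capable client ends up with. It works on saved copies of the files rather than calling klist or svcadm, so it runs anywhere; the sample inputs built at the end are constructed for the demonstration and are not real server files.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: an offline audit of the files the
# Kerberos NFS procedure touches. On the NFS server you would pass
# /etc/nfssec.conf, /etc/dfs/dfstab and the saved output of "klist -k"
# instead of the constructed samples created below.

# keytab_has_nfs_principal KLIST_OUTPUT
# Succeeds when a saved "klist -k" listing names an nfs/<host>@<REALM> principal.
keytab_has_nfs_principal() {
    grep -q '[[:space:]]nfs/[^[:space:]]*@[^[:space:]]' "$1"
}

# nfssec_mode_enabled NFSSEC_CONF MODE
# Succeeds when MODE (krb5, krb5i or krb5p) is an uncommented entry in nfssec.conf.
nfssec_mode_enabled() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1"
}

# share_sec_modes SHARE_LINE
# Prints the colon-separated value of the sec= option of one dfstab share line,
# or nothing when the line carries no sec= option.
share_sec_modes() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]-o[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
        tr ',' '\n' | sed -n 's/^sec=//p'
}

# share_default_mode SHARE_LINE
# Prints the first listed mode: the server offers it first, so a client able to
# use it is negotiated into it.
share_default_mode() {
    share_sec_modes "$1" | cut -d: -f1
}

# audit_dfstab DFSTAB
# Prints one line per share and returns 1 if any share has no sec= option (the
# nfssec.conf default flavor then applies) or offers a non-Kerberos flavor.
audit_dfstab() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            share*) ;;
            *) continue ;;
        esac
        modes=$(share_sec_modes "$line")
        if [ -z "$modes" ]; then
            echo "NO sec= option, nfssec.conf default applies: $line"
            rc=1
            continue
        fi
        for m in $(printf '%s\n' "$modes" | tr ':' ' '); do
            case "$m" in
                krb5|krb5i|krb5p) ;;
                *) echo "non-Kerberos flavor '$m' offered: $line"; rc=1 ;;
            esac
        done
        echo "default=$(share_default_mode "$line") offered=$modes: $line"
    done < "$1"
    return "$rc"
}

# Constructed sample inputs (not real server files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_KLIST="$SAMPLE_DIR/klist.out"
SAMPLE_NFSSEC="$SAMPLE_DIR/nfssec.conf"
SAMPLE_DFSTAB="$SAMPLE_DIR/dfstab"
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
EOF
cat > "$SAMPLE_NFSSEC" <<'EOF'
sys             1       -               default -
#krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
EOF
cat > "$SAMPLE_DFSTAB" <<'EOF'
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
share -F nfs -o sec=sys:krb5,rw /export/scratch
share -F nfs -o rw /export/tools
EOF

# Run the checks against the samples.
keytab_has_nfs_principal "$SAMPLE_KLIST" && echo "keytab: nfs/ service principal present"
for mode in krb5 krb5i krb5p; do
    nfssec_mode_enabled "$SAMPLE_NFSSEC" "$mode" || echo "nfssec.conf: $mode is still commented out"
done
audit_dfstab "$SAMPLE_DFSTAB" || echo "dfstab: at least one share needs attention"
```

With the constructed samples the run flags krb5 as still commented out in nfssec.conf, the /export/scratch share because it offers sys ahead of krb5 (so a client that can use sys never reaches Kerberos), and the /export/tools share because it has no sec= option at all; the /export/home share from Example 23–6 passes with krb5 as its default flavor.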