Realm name = EXAMPLE.COM
DNS domain name = example.com
NFS server = denver.example.com
admin principal = kws/admin
Complete the prerequisites for configuring a SEAM NFS server.
The master KDC must be configured. To fully test the process, you need several clients.
(Optional) Install the NTP client or other clock synchronization mechanism.
Installing and using the Network Time Protocol (NTP) is not required. However, for authentication to succeed, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file. See for information about NTP.
You can use the SEAM Administration Tool to add a principal, as explained in. To do so, you must log on with one of the admin principal names that you created when you configured the master KDC. However, the following example shows how to add the required principals by using the command line.
denver # /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin:
Create the server's NFS service principal.
Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.
kadmin: addprinc -randkey nfs/denver.example.com
Principal "nfs/denver.example.com" created.
kadmin:
(Optional) Create a root principal for the NFS server.
kadmin: addprinc root/denver.example.com
Enter password for principal root/denver.example.com@EXAMPLE.COM: <type the password>
Re-enter password for principal root/denver.example.com@EXAMPLE.COM: <type it again>
Principal "root/denver.example.com@EXAMPLE.COM" created.
kadmin:
Add the server's NFS service principal to the server's keytab file.
kadmin: ktadd nfs/denver.example.com
kadmin: Entry for principal nfs/denver.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab
kadmin:
Create the gsscred table.
See How to Create a Credential Table for more information.
Share the NFS file system with Kerberos security modes.
See How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes for more information.
On each client, authenticate both the user principal and the root principal.
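As an added check for the principal-creation and ktadd steps above (example code, not part of the original procedure), the script below confirms that a keytab listing holds nfs/<lowercase FQDN>@REALM and flags a case mismatch or a single-DES key such as the DES-CBC-CRC entry shown. The helper names, the sample listing, and the assumed `klist -k -e` line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify the keytab after ktadd.
# Assumption: listing lines look like MIT-style `klist -k -e` output,
#   "<kvno> <principal> (<enctype>)"; check_keytab and expected_principal
#   are hypothetical helper names.

# Print nfs/<lowercase FQDN>@REALM, or fail if HOST is not fully qualified.
expected_principal() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $host in
        *.*) printf 'nfs/%s@%s\n' "$host" "$2" ;;
        *)   return 1 ;;
    esac
}

# Read a keytab listing on stdin and print findings. Returns 0 only when
# the exact principal is present and no finding was raised.
check_keytab() {
    want=$(expected_principal "$1" "$2") || { echo "ERROR not an FQDN: $1"; return 2; }
    awk -v want="$want" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// {
            line = tolower($0)
            if ($2 == want) {
                found = 1
                # Single DES (such as DES-CBC-CRC) is flagged; 3DES and AES are not.
                if (line ~ /des[ -]cbc/ && line !~ /triple|des3/) {
                    print "WARN single-DES key for " $2 " (kvno " $1 ")"; weak = 1
                }
            } else if (tolower($2) == tolower(want)) {
                print "ERROR case mismatch: " $2 " should be " want; bad = 1
            }
        }
        END {
            if (!found) { print "ERROR missing " want; exit 1 }
            if (bad || weak) exit 1
            print "OK " want
        }'
}

# Constructed sample listing that mirrors the ktadd result shown on this page.
SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

printf '%s\n' "$SAMPLE" | check_keytab denver.example.com EXAMPLE.COM || true
```

On the NFS server, pipe the real `klist -k -e` output into check_keytab in place of the constructed sample.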