This procedure uses the following configuration parameters:
Realm name = EXAMPLE.COM
DNS domain name = example.com
NFS server = denver.example.com
admin principal = kws/admin
Before You Begin
You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Make sure the master KDC is configured and the clocks are synchronized as described in Synchronizing Clocks Between KDCs and Kerberos Clients. To fully test the process, you need several clients.
Follow the instructions in Configuring Kerberos Clients.
Start the kadmin command, authenticating as the admin principal.

    denver # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin:
Create the NFS service principal for the server.

Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the naming service.

Repeat this step for each unique interface on the host that might be used to access NFS data. If a host has multiple interfaces with unique names, each unique name must have its own NFS service principal.

    kadmin: addprinc -randkey nfs/denver.example.com
    Principal "nfs/denver.example.com" created.
    kadmin:
Add the NFS service principal to the server's keytab file. Repeat this step for each unique service principal that you created in Step 2.a.

    kadmin: ktadd nfs/denver.example.com
    Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal nfs/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit
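A post-configuration check that is an added example, not part of this Oracle procedure: it parses a `klist -k` style listing and confirms that every interface name the server answers on has an `nfs/` principal in the keytab and that each instance is lowercase, the two requirements the steps above call out. The listing, the interface name denver-bge1.example.com and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example: verify keytab contents after the ktadd step.
# Constructed sample of `klist -k /etc/krb5/krb5.keytab` output (not captured
# from a real host); on the NFS server you would feed in the real listing.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM
   2 host/denver.example.com@EXAMPLE.COM'

# check_nfs_principal LISTING FQDN REALM
# Returns 0 when an nfs/FQDN@REALM entry is present in LISTING, 1 otherwise.
check_nfs_principal() {
    listing=$1; fqdn=$2; realm=$3
    printf '%s\n' "$listing" | grep -q " nfs/${fqdn}@${realm}\$"
}

# instance_is_lowercase FQDN
# Returns 0 if FQDN contains no uppercase letters (the KDC requires lowercase
# host instances even when DNS or the naming service uses mixed case).
instance_is_lowercase() {
    case $1 in
        *[A-Z]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# missing_nfs_principals LISTING REALM IFACE...
# Prints each interface name (lowercased) that has no nfs/ entry in the keytab.
# Returns 0 when every interface is covered, 1 when at least one is missing.
missing_nfs_principals() {
    listing=$1; realm=$2; shift 2
    missing=0
    for iface in "$@"; do
        lc=$(printf '%s' "$iface" | tr 'A-Z' 'a-z')
        if ! check_nfs_principal "$listing" "$lc" "$realm"; then
            echo "$lc"
            missing=1
        fi
    done
    return $missing
}
```

Run `missing_nfs_principals "$(klist -k)" EXAMPLE.COM <each interface FQDN>` on the server; any name it prints still needs its own addprinc and ktadd.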
For more information, see How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes.