Go to main content

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.3

Exit Print View

» ...Documentation Home » Oracle Solaris 11.3 Information Library » Managing Kerberos and Other Authentication ... » Configuring the Kerberos Service » Configuring Kerberos Clients » How to Access a Kerberos Protected NFS File ...

Updated: May 2019

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.3

Document Information

Using This Documentation

Chapter 1 Using Pluggable Authentication Modules

Chapter 2 Kerberos on Oracle Solaris

Chapter 3 Planning for the Kerberos Service

Chapter 4 Configuring the Kerberos Service

Configuring the Kerberos Service

Configuring KDC Servers

How to Install the KDC Package

How to Require Strong Encryption in Kerberos

How to Configure Kerberos to Run in FIPS 140-2 Mode

How to Use kdcmgr to Configure the Master KDC

How to Use kdcmgr to Configure a Slave KDC

Configuring KDC Servers on LDAP Directory Servers

Configuring a Master KDC on an OpenLDAP Directory Server

Configuring a Master KDC on an Oracle Unified Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type on an OpenLDAP Server

How to Destroy a Kerberos Realm on an LDAP Directory Server

Configuring Kerberos Clients

How to Create a Kerberos Client Installation Profile

How to Use a Kerberos Client Profile

How to Use the kclient Utility Without an Installation Profile

How to Join a Kerberos Client to an Active Directory Server

Verifying Kerberos Clients Without a Host Principal

How to Access a Kerberos Protected NFS File System as the root User

How to Configure Automatic Migration of Users in a Kerberos Realm

Configuring Kerberos Network Application Servers

How to Configure a Kerberos Network Application Server

How to Use the Generic Security Service With Kerberos When Running FTP

Configuring Kerberos NFS Servers

How to Configure Kerberos NFS Servers

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Configuring Delayed Execution for Access to Kerberos Services

How to Configure a cron Host for Access to Kerberos Services

Administering the Kerberos Database

How to Convert a Kerberos Database After a Server Upgrade

Observing Mapping From GSS Credentials to UNIX Credentials

Increasing Security on Kerberos Servers

Restricting Access to KDC Servers

Using a Dictionary File to Increase Password Security

Chapter 5 Users Using Kerberos

Chapter 6 Using Simple Authentication and Security Layer

Chapter 7 Using Smart Cards for Multifactor Authentication in Oracle Solaris

Chapter 8 Using One-Time Passwords for Multifactor Authentication in Oracle Solaris

Chapter 9 Configuring Network Services Authentication

Authentication Services Glossary

Language:

How to Access a Kerberos Protected NFS File System as the `root` User

This procedure enables a client to access an NFS file system that requires Kerberos authentication with the root principal and in particular, when the NFS file system is shared with options like: –o sec=krb5p,root=client1.example.com.

Run the kadmin command.

denver # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:

Create a root principal for the NFS client.
This principal is used to provide root equivalent access to NFS-mounted file systems that require Kerberos authentication. The root principal should be a two-component principal. The second component should be the host name of the Kerberos client system to avoid the creation of a realm-wide root principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the naming service.
```
kadmin: addprinc -randkey root/client.example.com
Principal "root/client.example.com" created.
kadmin:
```

Add the root principal to the server's keytab file and quit kadmin.

This step is required for the client to have root access to NFS-mounted file systems. This step is also required for non-interactive root access, such as running cron jobs as root.

kadmin: ktadd root/client.example.com
Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

Copyright © 2002, 2019, Oracle and/or its affiliates. All rights reserved.