This procedure enables a client to access an NFS file system that requires Kerberos authentication with the root principal, in particular when the NFS file system is shared with options such as -o sec=krb5p,root=client1.example.com.
denver # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
This principal is used to provide root equivalent access to NFS-mounted file systems that require Kerberos authentication. The root principal should be a two-component principal. The second component should be the host name of the Kerberos client system to avoid the creation of a realm-wide root principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the naming service.
kadmin: addprinc -randkey root/client.example.com
Principal "root/client.example.com" created.
kadmin:
This step is required for the client to have root access to NFS-mounted file systems. This step is also required for non-interactive root access, such as running cron jobs as root.
kadmin: ktadd root/client.example.com
Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
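The following added example (not part of the original procedure) checks the outcome of the ktadd step from the client side: it builds the lowercase two-component root principal and verifies, from the text of a keytab listing, that the principal is present with a single kvno and no DES-family keys. The klist -k -e listing format and the sample listing are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the Oracle procedure: checks the result of
# 'ktadd root/<fqdn>' against the text of 'klist -k -e /etc/krb5/krb5.keytab'
# (that listing format is an assumption; the sample below is constructed).

# Lowercase the client FQDN and build the two-component root principal.
# A bare short name is refused: 'root' alone would be a realm-wide root.
root_principal_for() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$fqdn" in
        *.*) printf 'root/%s\n' "$fqdn" ;;
        *)   return 1 ;;
    esac
}

# check_keytab PRINCIPAL LISTING: prints findings, exits 0 only when the
# principal is present, all its keys share one kvno and none are DES-family.
check_keytab() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 ~ ("^" p "@") {
            found++; kvno[$1]++
            if (tolower($0) ~ /des/) legacy++    # single DES or Triple DES
        }
        END {
            if (!found) { print "MISSING " p; exit 1 }
            n = 0; for (k in kvno) { n++; last = k }
            if (n > 1) { print "MIXED KVNO: re-run ktadd"; bad = 1 }
            if (legacy) { print "LEGACY ENCTYPE: " legacy " DES-family key(s)"; bad = 1 }
            if (!bad) print "OK kvno " last
            exit bad
        }'
}

# Constructed listing in klist -k -e form, mirroring the ktadd output above.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 root/client.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 root/client.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 root/client.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# Live use on the client:
#   check_keytab "$(root_principal_for "$(hostname)")" "$(klist -k -e /etc/krb5/krb5.keytab)"
```

Run against SAMPLE_LISTING the check reports the Triple DES key as a legacy enctype and exits non-zero; on a listing with only the AES keys it prints "OK kvno 3".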