System Administration Guide, Volume 2

Configuring SEAM NFS Servers Task Map

NFS services use UNIX UIDs to identify a user and cannot directly use principals. To translate a principal to a UID, a credential table that maps user principals to UNIX UIDs must be created. The procedures below cover the tasks necessary to configure a SEAM NFS server, to administer the credential table, and to enable Kerberos security modes for NFS-mounted file systems. The following table describes the tasks covered in this section.

Table 22-2 Configuring SEAM NFS Server Task Map

Task: Configure a SEAM NFS Server
    Description: Steps to enable a server to share a file system that requires Kerberos authentication.
    For instructions, go to: "How to Configure SEAM NFS Servers"

Task: Change the Back-end Mechanism for the Credential Table
    Description: Steps to define the back-end mechanism that is used by gsscred.
    For instructions, go to: "How to Change the Back-end Mechanism for the gsscred Table"

Task: Create a Credential Table
    Description: Steps to generate a credential table.
    For instructions, go to: "How to Create a Credential Table"

Task: Change the Credential Table That Maps User Principals to UNIX UIDs
    Description: Steps to update information in the credential table.
    For instructions, go to: "How to Add a Single Entry to the Credential Table"

Task: Share a File System With Kerberos Authentication
    Description: Steps to share a file system with security modes so that Kerberos authentication is required.
    For instructions, go to: "How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes"

How to Configure SEAM NFS Servers

This procedure requires that the master KDC has been configured. To fully test the process you need several clients. The examples below use denver.acme.com as the host name of the NFS server.

  1. Prerequisites for configuring a SEAM NFS server.

    The SEAM client software must be installed.

  2. (Optional) Install NTP client or other clock synchronization mechanism.

    See "Synchronizing Clocks Between KDCs and SEAM Clients" for information about NTP. Kerberos rejects tickets and authenticators whose timestamps fall outside the permitted clock skew, so in practice the NFS server's clock must stay synchronized with the KDC and with the clients.

  3. Add new principals.

    Using the administration tool provided with your KDC, add new principals for the NFS server.

    1. Create the server's NFS service principal.

      Create a principal named: nfs/denver.acme.com.

    2. (Optional) Create a root principal for the NFS server.

      Create a principal named: root/denver.acme.com.

    3. Add the server's NFS service principal to the server's keytab.

      Make sure that the nfs/denver.acme.com principal is included in the keytab file. Running klist -k on the server lists the principals held in its keytab.

  4. Create the gsscred table.

    See "How to Create a Credential Table" for more information.

  5. Share the NFS file system using Kerberos security modes.

    See "How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes" for more information.

  6. On each client, authenticate both the user and root principals.
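The keytab check in step 3 is easy to get wrong by eye, so here is an added shell example (not from this guide) that parses the listing produced by klist -k and confirms that the server's nfs/<host> principal is present, reporting its key version number. It assumes SEAM's default keytab path /etc/krb5/krb5.keytab, an MIT-style "KVNO Principal" listing, and a realm of ACME.COM; the chapter states none of these. The listing embedded below is constructed for the example; on a real server you would pass the output of klist -k instead.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: confirm that the NFS service
# principal is in the server's keytab before sharing any file system.
# Assumptions: keytab is /etc/krb5/krb5.keytab (SEAM default), klist -k
# prints an MIT-style "KVNO Principal" table, realm is ACME.COM.

KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}

# The principal an NFS server must hold: nfs/<fully qualified host name>.
expected_nfs_principal() {
    printf 'nfs/%s\n' "$1"
}

# Print "kvno principal" pairs from a klist -k listing, skipping the
# "Keytab name:" line, the column header and the dashed rule.
keytab_entries() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Exit 0 if the principal (given with or without @REALM) is in the listing.
keytab_has_principal() {
    keytab_entries "$1" | awk -v want="$2" '
        { split($2, p, "@"); if ($2 == want || p[1] == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the key version number for a principal, nothing if it is absent.
keytab_kvno() {
    keytab_entries "$1" | awk -v want="$2" '
        { split($2, p, "@"); if ($2 == want || p[1] == want) { print $1; exit } }'
}

# Constructed sample of klist -k output (a real run: listing=$(klist -k "$KEYTAB")).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 nfs/denver.acme.com@ACME.COM
   3 host/denver.acme.com@ACME.COM'

# Report whether the keytab listing holds nfs/<host>; exit 1 if it does not.
check_nfs_keytab() {
    listing=$1
    host=$2
    want=$(expected_nfs_principal "$host")
    if keytab_has_principal "$listing" "$want"; then
        printf 'OK: %s present in keytab (kvno %s)\n' \
            "$want" "$(keytab_kvno "$listing" "$want")"
        return 0
    fi
    printf 'MISSING: %s is not in the keytab; add it with ktadd in kadmin before sharing\n' \
        "$want" >&2
    return 1
}

check_nfs_keytab "$SAMPLE_LISTING" denver.acme.com
```

The kvno matters when a principal's key has been changed on the KDC after the keytab was written: a stale key version in the keytab makes every client mount fail with a Kerberos error even though the principal name is present.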

How to Change the Back-end Mechanism for the gsscred Table

  1. Become superuser on the NFS server.

  2. Edit /etc/gss/gsscred.conf and change the mechanism.

    One of the following back-end mechanisms can be used: files, xfn_files, xfn_nis, xfn_nisplus, or xfn. The advantages of each of these mechanisms are covered in "Using the gsscred Table".

How to Create a Credential Table

The gsscred credential table is used by an NFS server to map SEAM principals to a UID. In order for NFS clients to be able to mount file systems from an NFS server using Kerberos authentication, this table must be created or made available.

  1. Become superuser on the appropriate server.

    Which server you run this command from, and under what ID you run it, depends on the back-end mechanism that has been selected to support the gsscred table. For all mechanisms except xfn_nisplus, you must become root.

    If your back-end mechanism is ...    Then ...
    files                                Run on the NFS server.
    xfn                                  Select the host based on the default xfn file setting.
    xfn_files                            Run on the NFS server.
    xfn_nis                              Run on the NIS master.
    xfn_nisplus                          Run anywhere, as long as the permissions to change the NIS+ data are in place.

  2. (Optional) If /var/fn does not exist and you want to use one of the xfn options, create an initial XFN database.


    # fnselect files
    # fncreate -t org -o org//
    
  3. Create the credential table using gsscred.

    The command gathers user entries from all of the sources listed for the passwd entry in /etc/nsswitch.conf and adds, for each user, a mapping from the principal of that name in the default realm to the user's UID. If you do not want the local password entries (which include the system accounts) in the credential table, temporarily remove the files entry from the passwd line before running the command and restore it afterwards. See the gsscred(1M) man page for more information.


    # gsscred -m kerberos_v5 -a
    

How to Add a Single Entry to the Credential Table

This procedure requires that the gsscred table has already been installed on the NFS server.

  1. Become superuser on a NFS server.

  2. Add an entry to the table using gsscred.


    # gsscred -m [mech] -n [name] -u [uid] -a
    

    mech

    The security mechanism to be used. 

    name

    The principal name for the user, as defined in the KDC. 

    uid

    The UID for the user, as defined in the password database. 

    -a

    Adds the UID to principal name mapping.  

Example--Adding a Single Entry to the Credential Table

The following example adds an entry for the user named sandy, who is mapped to UID 3736. If the UID is not included on the command line, it is pulled from the password file.


# gsscred -m kerberos_v5 -n sandy -u 3736 -a

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

  1. Become superuser on the NFS server.

  2. Edit the /etc/dfs/dfstab file and add the sec= option with the required security modes to the appropriate entries.

    Each dfstab entry is a share command line of the following form (without the prompt):


    # share -F nfs -o sec=mode filesystem
    

    mode

    The security modes to be used when sharing. When using multiple security modes, the first mode in the list is used as the default by autofs. 

    filesystem

    The path to the file system to be shared. 

    All clients attempting to access files from the named file system require Kerberos authentication. To complete accessing files, both the user principal and the root principal on the NFS client must be authenticated.

  3. Check to be sure the NFS service is running on the server.

    If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands stop the daemons and start them again.


    # /etc/init.d/nfs.server stop
    # /etc/init.d/nfs.server start
    
  4. Optional: If autofs is being used, edit the auto_master data to select a security mode other than the default.

    You need not follow this procedure if you are not using autofs to access the file system or if the default selection for the security mode is acceptable. The following entry selects krb5i (Kerberos authentication with integrity protection) instead of the first mode in the server's list:


    /home	  auto_home  -nosuid,sec=krb5i

  5. Optional: Manually issue the mount command to access the file system using a non-default mode.

    Alternatively, you could use the mount command to specify the security mode, but this does not take advantage of the automounter. Here denver.acme.com:/export/home is the shared resource and /export/home is the local mount point:


    # mount -F nfs -o sec=krb5p denver.acme.com:/export/home /export/home
    

Example--Sharing a File System With One Kerberos Security Mode

This example will require Kerberos authentication before files can be accessed.


# share -F nfs -o sec=krb5 /export/home

Example--Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes have been selected. If no security mode is specified when a mount request is made, the first mode listed is used on all NFS V3 clients (in this case, krb5). Additional information can be found in "Changes to the share Command".


# share -F nfs -o sec=krb5:krb5i:krb5p /export/home
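The mode list is the security boundary of the share: a client can pick any mode the server offers, so a list such as sec=sys:krb5 still lets a client mount with plain AUTH_SYS and never touch Kerberos, and the first mode in the list is what autofs and NFS V3 clients use when they name none. The following audit script is an added example, not part of this guide: it parses share lines of the form used in this section, prints the default (first) mode of each share, and flags any share whose list admits a non-Kerberos mode. It assumes that krb5, krb5i and krb5p are the only Kerberos modes and that a share without a sec= option uses sec=sys, the NFS default; the three dfstab lines it checks are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: audit the sec= option on
# /etc/dfs/dfstab share lines.  Assumptions: lines have the form
# "share -F nfs -o <opts> <filesystem>", the Kerberos modes are exactly
# krb5, krb5i and krb5p, and a share with no sec= option uses sec=sys.

# Print the sec= mode list of one share line (e.g. "krb5:krb5i:krb5p").
# Prints nothing when the line carries no sec= option.
share_sec_modes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-o") {
                n = split($(i + 1), opts, ",")
                for (j = 1; j <= n; j++)
                    if (opts[j] ~ /^sec=/) { print substr(opts[j], 5); exit }
            }
    }'
}

# Mode a client gets when its mount request names none: the first in the
# list (also what autofs uses).  A share without sec= defaults to sys.
default_sec_mode() {
    modes=$(share_sec_modes "$1")
    printf '%s\n' "${modes:-sys}" | cut -d: -f1
}

# Exit 0 only if every mode the share offers requires Kerberos.
# sec=sys:krb5 fails: a client may still choose sys and skip Kerberos.
share_requires_kerberos() {
    modes=$(share_sec_modes "$1")
    [ -n "$modes" ] || return 1
    for m in $(printf '%s\n' "$modes" | tr ':' ' '); do
        case $m in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed dfstab contents for the example (on a real server read
# /etc/dfs/dfstab instead).  Only the first share is fully Kerberos-only.
SAMPLE_DFSTAB='share -F nfs -o sec=krb5:krb5i:krb5p /export/home
share -F nfs -o rw,sec=sys:krb5 /export/data
share -F nfs -o rw /export/pub'

# Print one verdict per share line; exit 1 if any share is weak.
audit_dfstab() {
    status=0
    while IFS= read -r line; do
        case $line in
            share\ *) ;;
            *) continue ;;   # comments and blank lines
        esac
        fs=$(printf '%s\n' "$line" | awk '{ print $NF }')
        if share_requires_kerberos "$line"; then
            printf 'OK   %s  default=%s  modes=%s\n' "$fs" \
                "$(default_sec_mode "$line")" "$(share_sec_modes "$line")"
        else
            printf 'WEAK %s  default=%s  (non-Kerberos mode offered)\n' "$fs" \
                "$(default_sec_mode "$line")"
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

audit_dfstab "$SAMPLE_DFSTAB" || echo "fix the WEAK shares before clients mount them"
```

On the sample, /export/home passes with krb5 as its default, /export/data is flagged because sys is offered (and is even the default, being first), and /export/pub is flagged because it has no sec= option at all. The hardened form of a weak line is simply the same share with sys dropped from the list, for example sec=krb5:krb5i:krb5p as in the example above.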