System Administration Guide, Volume 2

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

  1. Become superuser on the NFS server.

  2. Edit the /etc/dfs/dfstab file and add the sec= option with the required security modes to the appropriate entries.


    # share -F nfs -o sec=mode filesystem
    

    mode

    The security modes to be used when sharing. When using multiple security modes, the first mode in the list is used as the default by autofs. 

    filesystem

    The path to the file system to be shared. 

    All clients attempting to access files from the named file system require Kerberos authentication. To access the files, both the user principal and the root principal on the NFS client should be authenticated.

  3. Check to be sure the NFS service is running on the server.

    If this is the first share command or set of share commands that you have initiated, it is likely that the NFS daemons are not running. The following set of commands kills the daemons and restarts them.


    # /etc/init.d/nfs.server stop
    # /etc/init.d/nfs.server start
    
  4. Optional: If autofs is being used, edit the auto_master data to select a security mode other than the default.

    You need not follow this procedure if you are not using autofs to access the file system or if the default selection for the security mode is acceptable.


    /home	  auto_home  -nosuid,sec=krb5i

  5. Optional: Manually issue the mount command to access the file system using a non-default mode.

    Alternatively, you could use the mount command to specify the security mode, but this does not take advantage of the automounter:


    # mount -F nfs -o sec=krb5p /export/home
    

Example--Sharing a File System With One Kerberos Security Mode

This example requires Kerberos authentication before files can be accessed.


# share -F nfs -o sec=krb5 /export/home

Example--Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes have been selected. If no security mode is specified when a mount request is made, the first mode listed is used on all NFS V3 clients (in this case, krb5). Additional information can be found in "Changes to the share Command".


# share -F nfs -o sec=krb5:krb5i:krb5p /export/home
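
Because the first mode in a sec= list becomes the default, it is worth checking each share entry for its default mode and for any mode that is not one of the three Kerberos modes. The following script is an added example, not part of the guide: the function names and the sample entries are constructed, and it assumes the file system path is the last word on each share line.

```shell
#!/bin/sh
# Added example, not from the guide: audit the sec= option on each share line
# of a dfstab-style file read from stdin. One output line per entry:
#   <filesystem> default=<first mode> <OK | NON_KERBEROS:<modes> | NO_SEC_OPTION>

is_krb_mode() {                 # the three Kerberos modes named on this page
    case $1 in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

audit_dfstab() {
    oldifs=$IFS
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split into words, no globbing
        [ "${1:-}" = "share" ] || continue    # skips blank and comment lines
        opts="" fs="" modes="" bad=""
        while [ $# -gt 0 ]; do
            if [ "$1" = "-o" ] && [ $# -gt 1 ]; then opts=$2; fi
            fs=$1                             # assumption: path is the last word
            shift
        done
        IFS=,; set -f; set -- $opts; set +f; IFS=$oldifs
        for o in "$@"; do                     # collect every sec= clause in order
            case $o in sec=*) modes="$modes:${o#sec=}" ;; esac
        done
        modes=${modes#:}
        if [ -z "$modes" ]; then
            echo "$fs default=- NO_SEC_OPTION"
            continue
        fi
        IFS=:; set -f; set -- $modes; set +f; IFS=$oldifs
        for m in "$@"; do
            is_krb_mode "$m" || bad="$bad,$m"
        done
        if [ -n "$bad" ]; then verdict="NON_KERBEROS:${bad#,}"; else verdict=OK; fi
        echo "$fs default=${modes%%:*} $verdict"
    done
}

# Constructed sample entries (not from a real server).
audit_dfstab <<'EOF'
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
share -F nfs -o sec=sys:krb5,rw /export/tools
share -F nfs -o ro /export/docs
EOF
```

To check a server's own entries, run the function as audit_dfstab < /etc/dfs/dfstab.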