Sun Enterprise Authentication Mechanism 1.0.1 Guide

How to Configure SEAM NFS Servers

This procedure requires that the master KDC has been configured. To fully test the process you need several clients. The following configuration parameters are used:

  1. Prerequisites for configuring a SEAM NFS server.

    The SEAM client software must be installed.

  2. Optional: Install an NTP client or another clock synchronization mechanism.

    See "Synchronizing Clocks between KDCs and SEAM Clients" for information about NTP.

  3. Start kadmin.

    Using the SEAM Administration Tool to add a principal is explained in "How to Create a New Principal". The example below shows how to add the required principals using the command line. You must log on with one of the admin principal names that you created when configuring the master KDC.


    denver # /usr/krb5/sbin/kadmin -p kws/admin
    Enter password: <Enter kws/admin password>
    kadmin:

    1. Create the server's NFS service principal.


      kadmin: addprinc -randkey nfs/denver.acme.com
      Principal "nfs/denver.acme.com" created.
      kadmin:

    2. Optional: Create a root principal for the NFS server.


      kadmin: addprinc root/denver.acme.com
      Enter password for principal root/denver.acme.com@ACME.COM: <type the password>
      Re-enter password for principal root/denver.acme.com@ACME.COM: <type it again>
      Principal "root/denver.acme.com@ACME.COM" created.
      kadmin:

    3. Add the server's NFS service principal to the server's keytab.


      kadmin: ktadd nfs/denver.acme.com
      kadmin: Entry for principal nfs/denver.acme.com with
        kvno 3, encryption type DES-CBC-CRC added to keytab
        WRFILE:/etc/krb5/krb5.keytab
      kadmin:

    4. Quit kadmin.


      kadmin: quit
      
  4. Create the gsscred table.

    See "How to Create a Credential Table" for more information.

  5. Share the NFS file system using Kerberos security modes.

    See "How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes" for more information.

  6. On each client: authenticate both the user and root principals.

    See "Setting Up Root Authentication to Mount NFS File Systems" for more information.
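
A check that could follow step 3, as an added example that is not part of the SEAM guide: the shell function below reads a keytab listing and reports whether the NFS service principal is present and which encryption type each key uses, flagging single-DES keys such as the DES-CBC-CRC entry shown above. The `klist -k -e` style listing format, the `audit_keytab` name and the sample listing (including its `host/` entry) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the SEAM guide): audit a keytab listing for the
# service principal created in step 3. Assumed input format, one entry per line:
#   <kvno> <principal>@<REALM> (<encryption type>)

# audit_keytab PRINCIPAL   (listing on stdin)
# Prints "<kvno> <enctype>[ [WEAK]]" for each matching entry.
# Exit status: 0 = a key with a non-single-DES enctype is present,
#              1 = principal absent,
#              2 = present, but only single-DES or unlabelled keys were seen.
audit_keytab() {
    awk -v want="$1" '
        # Entry lines start with a numeric kvno; header and ruler lines do not.
        $1 ~ /^[0-9]+$/ && $2 == want {
            found = 1
            enc = "unknown"
            if ($0 ~ /\(.*\)[ \t]*$/) {
                enc = $0
                sub(/^[^(]*\(/, "", enc)
                sub(/\)[ \t]*$/, "", enc)
            }
            # Single DES ("DES cbc mode with CRC-32", "des-cbc-md5", ...).
            # Triple DES names ("Triple DES ...", "des3-...") do not match.
            weak = (tolower(enc) ~ /^des[ -]/)
            if (enc != "unknown" && !weak) strong = 1
            printf "%s %s%s\n", $1, enc, (weak ? " [WEAK]" : "")
        }
        END { exit (!found ? 1 : (strong ? 0 : 2)) }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/denver.acme.com@ACME.COM (DES cbc mode with CRC-32)
   3 host/denver.acme.com@ACME.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}

sample_listing | audit_keytab nfs/denver.acme.com@ACME.COM ||
    echo "audit_keytab exit status: $?"
```

On a real server, pipe the output of the keytab listing command into `audit_keytab` in place of `sample_listing`.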