NFS services use UNIX user IDs (UIDs) to identify a user and cannot directly use principals. To translate the principal to a UID, a credential table that maps user principals to UNIX UIDs must be created. The procedures in this section focus on the tasks that are necessary to configure a SEAM NFS server, to administer the credential table, and to initiate Kerberos security modes for NFS-mounted file systems. The following task map describes the tasks that are covered in this section.
Table 9–3 Configuring SEAM NFS Servers (Task Map)

Task | Description | For Instructions
---|---|---
Configure a SEAM NFS server | Enables a server to share a file system that requires Kerberos authentication. | How to Configure SEAM NFS Servers
Create a credential table | Generates a credential table. | How to Create a Credential Table
Change the credential table that maps user principals to UNIX UIDs | Updates information in the credential table. |
Share a file system with Kerberos authentication | Shares a file system with security modes so that Kerberos authentication is required. | How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes
In this procedure, the following configuration parameters are used:
Realm name = EXAMPLE.COM
DNS domain name = example.com
NFS server = denver.example.com
admin principal = kws/admin
Complete the prerequisites for configuring a SEAM NFS server.
The master KDC must be configured. To fully test the process, you need several clients.
(Optional) Install the NTP client or other clock synchronization mechanism.
It is not required to install and use the Network Time Protocol (NTP). However, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file in order for authentication to succeed. See for information about NTP.
Start kadmin.
You can use the SEAM Administration Tool to add a principal, as explained in. To do so, you must log on with one of the admin principal names that you created when you configured the master KDC. However, the following example shows how to add the required principals by using the command line.
```
denver # /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin:
```
Create the server's NFS service principal.
Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.
```
kadmin: addprinc -randkey nfs/denver.example.com
Principal "nfs/denver.example.com" created.
kadmin:
```
(Optional) Create a root principal for the NFS server.
```
kadmin: addprinc root/denver.example.com
Enter password for principal root/denver.example.com@EXAMPLE.COM: <type the password>
Re-enter password for principal root/denver.example.com@EXAMPLE.COM: <type it again>
Principal "root/denver.example.com@EXAMPLE.COM" created.
kadmin:
```
Add the server's NFS service principal to the server's keytab file.
```
kadmin: ktadd nfs/denver.example.com
kadmin: Entry for principal nfs/denver.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab
kadmin:
```
Quit kadmin.
```
kadmin: quit
```
Create the gsscred table.
See How to Create a Credential Table for more information.
Share the NFS file system with Kerberos security modes.
See How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes for more information.
On each client, authenticate both the user principal and the root principal.
The gsscred credential table is used by an NFS server to map SEAM principals to a UID. In order for NFS clients to mount file systems from an NFS server with Kerberos authentication, this table must be created or made available.
Edit /etc/gss/gsscred.conf and change the mechanism.
Change the mechanism to files.
Create the credential table by using gsscred.
```
# gsscred -m kerberos_v5 -a
```
The gsscred command gathers information from all sources that are listed with the passwd entry in the /etc/nsswitch.conf file. You might need to temporarily remove the files entry, if you do not want the local password entries included in the credential table. See the gsscred(1M) man page for more information.
This procedure requires that the gsscred table has already been created on the NFS server.
Become superuser on an NFS server.
Add an entry to the table by using gsscred.
```
# gsscred -m mech [ -n name [ -u uid ]] -a
```

- mech: Defines the security mechanism to be used.
- name: Defines the principal name for the user, as defined in the KDC.
- uid: Defines the UID for the user, as defined in the password database.
- -a: Adds the UID to principal name mapping.
In the following example, an entry is added for the user named sandy, which is mapped to UID 3736. The UID is pulled from the password file if it is not included on the command line.
```
# gsscred -m kerberos_v5 -n sandy -u 3736 -a
```
Become superuser on the NFS server.
Verify that there is an NFS service principal in the keytab file.
The klist command reports if there is a keytab file and displays the principals. If the results show that there is no keytab file or that there is no NFS service principal, you need to verify the completion of all of the steps in How to Configure SEAM NFS Servers.
```
# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
```
Enable Kerberos security modes in the /etc/nfssec.conf file.
Edit the /etc/nfssec.conf file and remove the “#” from in front of the Kerberos security modes.
```
# cat /etc/nfssec.conf
.
.
#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5        390003  kerberos_v5 default -           # RPCSEC_GSS
krb5i       390004  kerberos_v5 default integrity   # RPCSEC_GSS
krb5p       390005  kerberos_v5 default privacy     # RPCSEC_GSS
```
Edit the /etc/dfs/dfstab file and add the sec= option with the required security modes to the appropriate entries.
```
share -F nfs -o sec=mode file-system
```

- mode: Specifies the security modes to be used when sharing. When using multiple security modes, the first mode in the list is used as the default by the automounter.
- file-system: Defines the path to the file system to be shared.
All clients that attempt to access files from the named file system require Kerberos authentication. To access files, both the user principal and the root principal on the NFS client should be authenticated.
Make sure that the NFS service is running on the server.
If this command is the first share command or set of share commands that you have initiated, it is likely that the NFS daemons are not running. The following commands kill the daemons and restart them.
```
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start
```
(Optional) If the automounter is being used, edit the auto_master database to select a security mode other than the default.
You need not follow this procedure if you are not using the automounter to access the file system or if the default selection for the security mode is acceptable.
```
file-system auto_home -nosuid,sec=mode
```
(Optional) Manually issue the mount command to access the file system by using a non-default mode.
Alternatively, you could use the mount command to specify the security mode, but this alternative does not take advantage of the automounter:
```
# mount -F nfs -o sec=mode file-system
```
In this example, the dfstab file line means that Kerberos authentication must succeed before any files can be accessed through the NFS service.
```
# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5 /export/home
```
In this example, all three Kerberos security modes have been selected. If no security mode is specified when a mount request is made, the first mode that is listed is used on all NFS V3 clients (in this case, krb5). See the nfssec.conf(4) man page for more information.
```
# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
```
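As an added audit example (not part of the original procedure and not a Solaris tool), the following Python script parses constructed nfssec.conf and dfstab fragments in the format shown above and reports, for each share, the mode the automounter will use by default (the first one listed), whether every listed mode is a Kerberos mode, and any listed mode that is still commented out in nfssec.conf. The sample file contents are constructed for this example.

```python
import re

KERBEROS_MODES = {"krb5", "krb5i", "krb5p"}

# Constructed sample nfssec.conf: krb5p is still commented out.
NFSSEC_CONF = """\
sys         1       -           -       -           # AUTH_SYS
#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5        390003  kerberos_v5 default -           # RPCSEC_GSS
krb5i       390004  kerberos_v5 default integrity   # RPCSEC_GSS
#krb5p      390005  kerberos_v5 default privacy     # RPCSEC_GSS
"""

# Constructed sample dfstab: one Kerberos-only share, one AUTH_SYS share.
DFSTAB = """\
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
share -F nfs -o rw,sec=sys /export/pub
"""

def enabled_modes(nfssec_text):
    """Return the set of mode names whose nfssec.conf line is not commented out."""
    modes = set()
    for line in nfssec_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            modes.add(line.split()[0])            # first field is the mode name
    return modes

def share_modes(dfstab_text):
    """Map each shared path to the ordered list of its sec= modes ('sys' if none)."""
    shares = {}
    for line in dfstab_text.splitlines():
        if not line.startswith("share"):
            continue
        path = line.split()[-1]                   # file system is the last argument
        m = re.search(r"\bsec=([\w:]+)", line)
        shares[path] = m.group(1).split(":") if m else ["sys"]
    return shares

def audit(dfstab_text, nfssec_text):
    """Return {path: (default_mode, kerberos_only, modes_not_enabled)}."""
    enabled = enabled_modes(nfssec_text)
    report = {}
    for path, modes in share_modes(dfstab_text).items():
        kerberos_only = all(m in KERBEROS_MODES for m in modes)
        not_enabled = [m for m in modes if m not in enabled]
        report[path] = (modes[0], kerberos_only, not_enabled)
    return report

if __name__ == "__main__":
    for path, (default, krb, missing) in audit(DFSTAB, NFSSEC_CONF).items():
        print(path, "default:", default, "kerberos-only:", krb, "not enabled:", missing)
```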