This procedure uses the following configuration parameters:
Realm name = EXAMPLE.COM
DNS domain name = example.com
NFS server = denver.example.com
admin principal = kws/admin
Before You Begin
You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
The master KDC is configured. Clocks are synchronized, as described in Synchronizing Clocks Between KDCs and Kerberos Clients. To fully test the process, you need several clients.
Follow the instructions in Configuring Kerberos Clients.
Use the kadmin command.
denver # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.
Repeat this step for each unique interface on the system that might be used to access NFS data. If a host has multiple interfaces with unique names, each unique name must have its own NFS service principal.
kadmin: addprinc -randkey nfs/denver.example.com
Principal "nfs/denver.example.com" created.
kadmin:
Repeat this step for each unique service principal that you created in Step a.
kadmin: ktadd nfs/denver.example.com
Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
kadmin: quit
Normally, the Kerberos service generates appropriate maps between the GSS credentials and the UNIX UIDs. The default mapping is described in Map GSS Credentials to UNIX Credentials. If the default mapping is not sufficient, see How to Create and Modify a Credential Table for more information.
For more information, see How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes.
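A check for the two rules in the principal steps above (the instance is the lowercase FQDN, and every unique interface name needs its own NFS service principal), added here as an example that is not part of the Oracle procedure. It compares klist -k output with the interface names you expect; the function names, the sample listing and the second host name denver-bk.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; only denver.example.com and EXAMPLE.COM come from the procedure.
REALM=EXAMPLE.COM

# Build the NFS service principal for one interface name.
# The instance must be the FQDN in lowercase; a short name is rejected.
nfs_principal() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=${host%.}                      # drop a trailing root dot
    case $host in
        *.*) printf 'nfs/%s\n' "$host" ;;
        *)   echo "not an FQDN: $1" >&2; return 1 ;;
    esac
}

# Read `klist -k` output on stdin and print every principal that the
# named interfaces require but the keytab does not contain.
missing_principals() {
    listing=$(cat)
    for h in "$@"; do
        p=$(nfs_principal "$h") || continue
        printf '%s\n' "$listing" |
            awk -v want="$p@$REALM" '$2 == want {found=1} END {exit !found}' ||
            printf '%s\n' "$p"
    done | sort -u
}

# Constructed sample of `klist -k /etc/krb5/krb5.keytab` output
# (one line per encryption type written by ktadd).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM'

# denver-bk.example.com is a hypothetical second interface on the server.
printf '%s\n' "$SAMPLE_KLIST" |
    missing_principals Denver.Example.COM denver-bk.example.com
```

On the NFS server, pipe the real klist -k output into missing_principals instead of the sample; each name it prints still needs the addprinc and ktadd steps.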