Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

This procedure enables an NFS server to provide secure NFS access by using several security modes. When a client negotiates a security mode with the NFS server, the client uses the first mode that is offered by the server. This mode is used for all subsequent client requests of the file system shared by that server.

Before You Begin

You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Verify that there is an NFS service principal in the keytab file.

    The klist command reports whether a keytab file exists and displays the principals it contains. If the output shows that no keytab file exists or that no NFS service principal exists, verify that you have completed all the steps in How to Configure Kerberos NFS Servers.

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------------------------------------------------------
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM

    For more information, see the klist(1) man page.

  2. Enable Kerberos security modes in the /etc/nfssec.conf file.

    In the /etc/nfssec.conf file, remove the “#” that comments out the Kerberos security modes.

    # pfedit /etc/nfssec.conf
    .
    .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
    krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
    krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS

  3. Share the file systems with the appropriate security modes.

    # share -F nfs -o sec=mode file-system

    mode

    Specifies the security modes to be used when sharing the file system. When using multiple security modes, the first mode in the list is used as the default.

    file-system

    Defines the path to the file system to be shared.

    All clients that attempt to access files from the named file system require Kerberos authentication. To access files, the user principal on the NFS client must be authenticated.

  4. (Optional) Mount a file system by using a security mode other than the default.

    Do not perform this procedure if the default security mode is acceptable.

    • If the automounter is being used, edit the auto_master database to enter a security mode other than the default.

      file-system  auto_home  -nosuid,sec=mode

    • Manually issue the mount command to access the file system by using a non-default mode.

      # mount -F nfs -o sec=mode file-system

Example 4-11  Sharing a File System With One Kerberos Security Mode

In this example, authentication with the krb5 security mode must succeed before any files can be accessed through the NFS service.

# share -F nfs -o sec=krb5 /export/home

Example 4-12  Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes are offered. The mode that is used is negotiated between the client and the NFS server: if the first mode listed in the command fails, the next one is tried. For more information, see the nfssec(5) man page.

# share -F nfs -o sec=krb5:krb5i:krb5p /export/home
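The following pre-flight script is an added example and is not part of the Oracle Solaris documentation. It checks Steps 1 and 2 of the procedure against constructed samples of klist -k output and /etc/nfssec.conf, reporting a missing NFS service principal or Kerberos modes that are still commented out; the host name denver.example.com and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the Kerberos NFS server procedure (example code,
# not from the Oracle Solaris manual). Inputs are passed as strings so the
# functions can be exercised against constructed samples; on a real server you
# would pass "$(klist -k)" and "$(cat /etc/nfssec.conf)".

# Constructed sample of "klist -k" output on the assumed host denver.example.com.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM
   3 host/denver.example.com@EXAMPLE.COM'

# Constructed sample of /etc/nfssec.conf: krb5 and krb5i uncommented, krb5p not.
NFSSEC_SAMPLE='# Uncomment the following lines to use Kerberos V5 with NFS
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
#krb5p          390005  kerberos_v5     default privacy         # RPCSEC_GSS'

# has_nfs_principal KLIST_OUTPUT FQDN: succeeds if nfs/FQDN@REALM is in the keytab.
# The first three klist lines are the header, so only principal rows are checked.
has_nfs_principal() {
    printf '%s\n' "$1" | awk -v want="nfs/$2@" \
        'NR > 3 && index($2, want) == 1 { found = 1 } END { exit !found }'
}

# enabled_krb5_modes NFSSEC_CONTENT: prints the uncommented krb5* modes in file
# order as "krb5:krb5i", i.e. the form the share -o sec= option accepts.
enabled_krb5_modes() {
    printf '%s\n' "$1" | awk '$1 ~ /^krb5/ { m = (m == "") ? $1 : (m ":" $1) } END { print m }'
}

# missing_krb5_modes NFSSEC_CONTENT: prints the Kerberos modes still commented out.
missing_krb5_modes() {
    enabled=$(enabled_krb5_modes "$1"); out=""
    for m in krb5 krb5i krb5p; do
        case ":$enabled:" in *":$m:"*) ;; *) out="$out${out:+:}$m" ;; esac
    done
    printf '%s\n' "$out"
}

# preflight FQDN KLIST_OUTPUT NFSSEC_CONTENT: returns 0 when the server can share
# with all three Kerberos modes, otherwise prints what is missing and returns 1.
preflight() {
    rc=0
    has_nfs_principal "$2" "$1" || { echo "no nfs/$1 principal in keytab: complete How to Configure Kerberos NFS Servers"; rc=1; }
    miss=$(missing_krb5_modes "$3")
    [ -z "$miss" ] || { echo "still commented out in /etc/nfssec.conf: $miss"; rc=1; }
    return $rc
}

preflight denver.example.com "$KLIST_SAMPLE" "$NFSSEC_SAMPLE" || echo "server is not ready for sec=krb5:krb5i:krb5p"
```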