Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014
How to Access a Kerberos Protected NFS File System as the root User

This procedure enables a client to access, with the root ID privilege, an NFS file system that requires Kerberos authentication. It applies in particular when the NFS file system is shared with options such as -o sec=krb5,root=client1.example.com.

  1. Run the kadmin command.
    denver # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 
  2. Create a root principal for the NFS client.

    This principal is used to provide root equivalent access to NFS mounted file systems that require Kerberos authentication. The root principal should be a two-component principal. The second component should be the host name of the Kerberos client system to avoid the creation of a realm-wide root principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.

    kadmin: addprinc -randkey root/client.example.com
    Principal "root/client.example.com" created.
    kadmin:
  3. Add the root principal to the server's keytab file.

    This step is required for the client to have root access to file systems mounted using the NFS service. This step is also required for non-interactive root access, such as running cron jobs as root.

    kadmin: ktadd root/client.example.com
    Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
    mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: 
  4. Quit kadmin.
    kadmin: quit
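The following script is an added example and is not part of the Oracle documentation. It carries out steps 1 through 4 non-interactively with kadmin -q, but first builds the per-host root principal the procedure calls for and rejects anything that would not satisfy it: a bare root principal (realm-wide root), an upper-case instance, or an extra component. The admin principal kws/admin and the keytab path are taken from the page; the client host name used in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Oracle page: provision root/<client fqdn>
# for Kerberos-protected NFS root access. Assumes kws/admin has addprinc
# and ktadd rights and that /etc/krb5/krb5.keytab is the client keytab.

# Build the two-component principal: lowercase the FQDN and drop a
# trailing dot, since the instance must be lowercase whatever the name
# service says.
root_principal_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf 'root/%s\n' "$host"
}

# Accept only root/<lowercase fqdn>. A bare "root" would be realm-wide,
# an upper-case instance will not match the client's own name, and a
# third component or an @REALM suffix is not what the procedure expects.
check_root_principal() {
    case "$1" in
        root/*.*) ;;                 # instance present, with at least one dot
        *) return 1 ;;
    esac
    inst=${1#root/}
    case "$inst" in
        */*|*[A-Z]*|*@*) return 1 ;; # extra component, upper case, or realm
    esac
    return 0
}

# Steps 1-4 of the procedure, one kadmin query each (kadmin -q runs the
# query and exits, so no interactive session is needed). The final klist
# confirms the new key actually landed in the client keytab.
provision_root_principal() {
    princ=$(root_principal_for_host "$1") || return 1
    check_root_principal "$princ" || { echo "rejecting $princ" >&2; return 1; }
    /usr/sbin/kadmin -p kws/admin -q "addprinc -randkey $princ" || return 1
    /usr/sbin/kadmin -p kws/admin -q "ktadd $princ" || return 1
    klist -k /etc/krb5/krb5.keytab | grep -q "$princ"
}

# Only contact the KDC when a host name is given on the command line.
if [ $# -eq 1 ]; then
    provision_root_principal "$1"
fi
```

Run it as root on the client with the client's FQDN as the single argument; it prompts for the kws/admin password once per kadmin query.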