
Managing Kerberos in Oracle® Solaris 11.4


Updated: November 2020

How to Configure Kerberos NFS Servers

This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • NFS server = denver.example.com

  • admin principal = kws/admin

Before You Begin

You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Make sure the master KDC is configured and the clocks are synchronized as described in Synchronizing Clocks Between KDCs and Kerberos Clients. To fully test the process, you need several clients.

  1. Configure the NFS server as a Kerberos client.

    Follow the instructions in Configuring Kerberos Clients.

  2. Add the NFS service principal.

    Use the kadmin command.

    denver # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 
    a. Create the NFS service principal.

      Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the naming service.

      Repeat this step for each unique interface on the host that might be used to access NFS data. If a host has multiple interfaces with unique names, each unique name must have its own NFS service principal.

      kadmin: addprinc -randkey nfs/denver.example.com
      Principal "nfs/denver.example.com" created.
      kadmin:
    b. Add the server's NFS service principal to the server's keytab file and quit kadmin.

      Repeat this step for each unique service principal that you created in Step 2.a.

      kadmin: ktadd nfs/denver.example.com
      Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal nfs/denver.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: quit
  3. Share the NFS file system with Kerberos security modes.

    For more information, see How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes.
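The following script is an added example and is not part of the Oracle Solaris documentation. It covers Step 2 of the procedure: it derives the NFS service principal for every interface name on the server (folding the FQDN to lowercase, as Step 2.a requires), emits the addprinc/ktadd pairs that would be fed to kadmin, and checks a keytab listing for the resulting principals so that an interface without its own principal is caught before the file system is shared. The realm and host names come from the procedure's parameters; the keytab listing is constructed here in the format of klist -k from the ktadd output shown in Step 2.b. Step 3 (sharing with sec= modes) is not scripted.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: build the kadmin
# input for every NFS interface name on this server (Step 2) and verify that
# the resulting principals are present in a keytab listing.
# Assumptions: realm EXAMPLE.COM and the interface names follow the procedure's
# parameters; KEYTAB_LISTING is constructed in the format of 'klist -k'.

REALM=EXAMPLE.COM

# Map an interface name to its NFS service principal. The instance must be the
# FQDN in lowercase, whatever case the naming service reports, so fold it here.
nfs_principal() {
    printf 'nfs/%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Emit one addprinc/ktadd pair per interface name, suitable for feeding to
#   /usr/sbin/kadmin -p kws/admin
# on standard input. Each unique interface name gets its own principal.
kadmin_commands() {
    for host in "$@"; do
        p=$(nfs_principal "$host")
        printf 'addprinc -randkey %s\n' "$p"
        printf 'ktadd %s\n' "$p"
    done
    echo quit
}

# Constructed keytab listing (what 'klist -k /etc/krb5/krb5.keytab' would show
# after Step 2.b): three entries for nfs/denver.example.com, one per enctype.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM'

# check_keytab LISTING HOST...: print every interface whose NFS principal is
# missing from LISTING; return 0 if all are present, 1 otherwise.
check_keytab() {
    listing=$1
    shift
    rc=0
    for host in "$@"; do
        p="$(nfs_principal "$host")@$REALM"
        # Column 2 of a klist -k line is the principal name.
        if ! printf '%s\n' "$listing" |
            awk -v p="$p" '$2 == p { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "missing keytab entry: $p"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: show the kadmin input for two interfaces, then check the
# constructed listing (the second interface is deliberately absent from it).
kadmin_commands denver.example.com Denver-IB.Example.COM
if ! check_keytab "$KEYTAB_LISTING" denver.example.com Denver-IB.Example.COM; then
    echo "keytab is incomplete: run ktadd for the principals listed above"
fi
```

On a real server, pipe the output of kadmin_commands into kadmin and then run klist -k /etc/krb5/krb5.keytab, passing its output to check_keytab together with every interface name clients may use to reach the NFS service; a missing entry means that interface has no principal and Kerberos mounts through it will fail.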