Managing Kerberos in Oracle® Solaris 11.4

Updated: August 2020
 
 

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

This procedure enables an NFS server to offer secure NFS access with more than one security mode. When a client negotiates a security mode with the NFS server, it uses the first mode in the server's list that it supports, unless the mount explicitly requests another listed mode with the sec= option. The negotiated mode is then used for all subsequent requests from that client to the file system shared by that server.

Before You Begin

You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Verify that an NFS service principal entry is in the keytab file.

    The klist command reports if a keytab file exists and displays the principals. If the results show that no keytab file exists or that no NFS service principal exists, you need to verify the completion of all the steps in How to Configure Kerberos NFS Servers.

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------------------------------------------------------
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM
    3 nfs/denver.example.com@EXAMPLE.COM

    Several identical lines for one principal, as in this output, are one keytab entry per encryption type; klist -ke also displays the encryption type of each entry. For more information, see the klist(1) man page.

  2. Enable Kerberos security modes in the /etc/nfssec.conf file.

    In the /etc/nfssec.conf file, remove the "#" that comments out the Kerberos security modes.

    # pfedit /etc/nfssec.conf
    .
    .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
    krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
    krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
  3. Share the file systems with the appropriate security modes.
    • Choose krb5p to provide krb5 authentication together with integrity and privacy (encryption) protection for the NFS traffic. Use this mode for confidential data, and in general unless it strains the server's processing resources.

    • Choose krb5i to provide krb5 authentication and integrity protection of the NFS traffic: tampering with requests and replies is detected, but the data itself still travels in the clear. This adds to the minimal protection that TCP/IP provides for NFS data.

    • Choose krb5 for krb5 authentication only. This mode has the smallest impact on the processor but provides the least protection: only the RPC credentials are Kerberos-protected, so an attacker on the network path can read or alter the NFS data itself.

    share -F nfs -o sec=mode file-system
    mode

    Specifies the security modes to use when sharing the file system, as a colon-separated list such as krb5p:krb5i. When multiple modes are listed, the first mode in the list is the default, and the order of the list is the server's order of preference during negotiation.

    file-system

    Defines the path to the file system to be shared.

    All clients that access files from the named file system must authenticate with Kerberos: the user on the NFS client needs a valid Kerberos credential for the user principal, for example obtained with kinit, before any file can be accessed.

  4. (Optional) Mount a file system by using a security mode other than the default.

    Do not perform this procedure if the default security mode is acceptable.

    • If the automounter is being used, edit the auto_master database to enter a security mode other than the default.
      file-system  auto_home  -nosuid,sec=mode
    • Manually issue the mount command to access the file system by using a non-default mode.
      # mount -F nfs -o sec=mode file-system
Example 5  Sharing a File System With One Kerberos Security Mode

In this example, authentication with the krb5p security mode, which also provides integrity and privacy protection, must succeed before any files can be accessed through the NFS service. Because krb5p is the only mode offered, a client that requests another mode, such as sec=krb5, cannot access the share.

# share -F nfs -o sec=krb5p /export/home
Example 6  Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes are offered, in the server's order of preference. The mode that is used is negotiated between the client and the NFS server: the client takes the first mode in the list that it supports, so krb5i is used only when krb5p is unavailable to the client, and krb5 only when neither is. A client can also explicitly mount with a weaker listed mode, such as sec=krb5, so list only the modes whose level of protection is acceptable for the data on the share. For more information, see the nfssec(7) man page.

# share -F nfs -o sec=krb5p:krb5i:krb5 /export/home
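As an added example, not code from the Oracle Solaris documentation, the following shell script performs the pre-flight checks behind steps 1 through 3 and prints the share command from Example 6: it confirms that the NFS service principal is in the keytab listing, that every requested mode is uncommented in /etc/nfssec.conf, and warns when plain krb5 is offered. It runs against constructed copies of klist -k output and /etc/nfssec.conf embedded in the script, so it can be tried away from the server; the host name denver.example.com, the realm EXAMPLE.COM and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added pre-flight check for steps 1-3 of the procedure above. Not part of
# the Oracle Solaris documentation. The inputs below are constructed copies
# of `klist -k` output and /etc/nfssec.conf so the script runs off-box; on a
# real server pass "$(klist -k)" and "$(cat /etc/nfssec.conf)" instead.

# keytab_has_nfs_principal KLIST_OUTPUT FQDN REALM
#   Succeeds when the keytab listing contains nfs/FQDN@REALM (step 1).
#   The principal is the second column of each entry line; header lines
#   never match because their second field is not a principal name.
keytab_has_nfs_principal() {
    printf '%s\n' "$1" | awk -v p="nfs/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# enabled_modes NFSSEC_CONF
#   Prints the uncommented kerberos_v5 modes in file order (step 2).
#   A mode whose line still starts with "#" is not enabled.
enabled_modes() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "kerberos_v5" { print $1 }'
}

# check_sec_list NFSSEC_CONF "krb5p:krb5i:krb5"
#   Succeeds when every mode in the colon-separated sec= list is enabled;
#   otherwise names the first mode that is still commented out and fails.
check_sec_list() {
    enabled=$(enabled_modes "$1")
    for m in $(printf '%s\n' "$2" | tr ':' ' '); do
        if ! printf '%s\n' "$enabled" | grep -qx "$m"; then
            printf 'mode %s is not enabled in /etc/nfssec.conf\n' "$m"
            return 1
        fi
    done
    return 0
}

# build_share_cmd KLIST_OUTPUT NFSSEC_CONF FQDN REALM SEC_LIST FILE_SYSTEM
#   Runs both checks and prints the share command for step 3. It only
#   prints the command; the administrator runs it as root. Plain krb5 in
#   the list draws a warning because a client may select any offered mode,
#   and krb5 leaves the NFS data itself unprotected on the wire.
build_share_cmd() {
    keytab_has_nfs_principal "$1" "$3" "$4" || {
        printf 'no nfs/%s@%s entry in keytab; complete the NFS server setup first\n' "$3" "$4" >&2
        return 1
    }
    check_sec_list "$2" "$5" >&2 || return 1
    case ":$5:" in
        *:krb5:*) printf 'warning: krb5 offered; a client may choose it and send data unprotected\n' >&2 ;;
    esac
    printf 'share -F nfs -o sec=%s %s\n' "$5" "$6"
}

# Constructed sample inputs (assumed host and realm, not real server output).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM
   3 nfs/denver.example.com@EXAMPLE.COM'

# krb5i is deliberately left commented out so the failing case can be seen.
SAMPLE_CONF='#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
#krb5i          390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS'

# Demonstration: the first call prints a share command (with a warning about
# krb5 on stderr); the second fails because krb5i is still commented out.
build_share_cmd "$SAMPLE_KLIST" "$SAMPLE_CONF" denver.example.com EXAMPLE.COM krb5p:krb5 /export/home
build_share_cmd "$SAMPLE_KLIST" "$SAMPLE_CONF" denver.example.com EXAMPLE.COM krb5p:krb5i:krb5 /export/home || true
```

The checks are deliberately read-only: the script never edits /etc/nfssec.conf or runs share, it reports what step 1 and step 2 have left undone and hands back the exact share command for step 3 once both checks pass.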