Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020
 
 

How to Access a Kerberos Protected NFS File System as the root User

This procedure enables a client to access an NFS file system that requires Kerberos authentication with the root principal and in particular, when the NFS file system is shared with options like: –o sec=krb5p,root=client1.example.com.

  1. Run the kadmin command.
    denver # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 
  2. Create a root principal for the NFS client.

    This principal is used to provide root equivalent access to NFS-mounted file systems that require Kerberos authentication. The root principal should be a two-component principal. The second component should be the host name of the Kerberos client system to avoid the creation of a realm-wide root principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the naming service.

    kadmin: addprinc -randkey root/client.example.com
    Principal "root/client.example.com" created.
    kadmin:
  3. Add the root principal to the server's keytab file and quit kadmin.

    This step is required for the client to have root access to NFS-mounted file systems. This step is also required for non-interactive root access, such as running cron jobs as root.

    kadmin: ktadd root/client.example.com
    Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
    mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit