Configuring a Kerberos realm creates certain service principals and adds the necessary keys to the system's local keytab. The NTP service must be configured before configuring Kerberized NFS. The following service principals are created and updated to support Kerberized NFS:
If you clustered your appliances, principals and keys are generated for each cluster node:
host/node1.example.com@EXAMPLE.COM nfs/node1.example.com@EXAMPLE.COM host/node2.example.com@EXAMPLE.COM nfs/node2.example.com@EXAMPLE.COM
If these principals have already been created, configuring the realm resets the password for each of those principals. If you configured your appliance to join an Active Directory domain, you cannot configure it to be part of a Kerberos realm.
For information on setting up KDCs and Kerberized clients, see http://docs.oracle.com/cd/E26502_01/html/E29015/index.html. After setting NFS properties for Kerberos, change the Security mode on the Shares->Filesystem->Protocols screen to a mode using Kerberos.
The following ports are used by the appliance for Kerberos.
Kerberos V authentication: 88
Kerberos V change and set password SET_CHANGE: 464
Kerberos V change and set password RPCSEC_GSS: 749
Note: Kerberized NFS clients must access the appliance using an IP address that resolves to an FQDN for those principals. For example, if an appliance is configured with multiple IP addresses, only the IP address that resolves to the appliance's FQDN can be used by its Kerberized NFS clients.