This procedure enables an NFS server to provide secure NFS access by using several security modes. When a client negotiates a security mode with the NFS server, the client uses the first mode that is offered by the server. This mode is used for all subsequent client requests of the file system shared by that server.
Before You Begin
You must assume the root role on the NFS server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
The klist command reports if a keytab file exists and displays the principals. If the results show that no keytab file exists or that no NFS service principal exists, you need to verify the completion of all the steps in How to Configure Kerberos NFS Servers.
# klist -k Keytab name: FILE:/etc/krb5/krb5.keytab KVNO Principal ---- --------------------------------------------------------- 3 nfs/denver.example.com@EXAMPLE.COM 3 nfs/denver.example.com@EXAMPLE.COM 3 nfs/denver.example.com@EXAMPLE.COM 3 nfs/denver.example.com@EXAMPLE.COM
For more information, see the klist(1) man page.
In the /etc/nfssec.conf file, remove the "#" that comments out the Kerberos security modes.
# pfedit /etc/nfssec.conf . . # # Uncomment the following lines to use Kerberos V5 with NFS # krb5 390003 kerberos_v5 default - # RPCSEC_GSS krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
Choose krb5p to provide krb5 authentication, integrity and privacy protection for confidential data transmitted over NFS. Use this mode unless it strains the server's processing resources.
Choose krb5i to provide krb5 authentication and integrity protection in addition to the minimum protection that TCP/IP provides for NFS data.
Choose krb5 for krb5 authentication only. This security mode provides the least protection of the security modes but also has the smallest impact on the processor.
share -F nfs -o sec=mode file-system
Specifies the security modes to be used when sharing the file system. When using multiple security modes, the first mode in the list is used as the default.
Defines the path to the file system to be shared.
All clients that attempt to access files from the named file system require Kerberos authentication. To access files, the user principal on the NFS client should be authenticated.
Do not perform this procedure if the default security mode is acceptable.
file-system auto_home -nosuid,sec=mode
# mount -F nfs -o sec=mode file-system
In this example, authentication with the krb5 security mode must succeed before any files can be accessed through the NFS service.
# share -F nfs -o sec=krb5p /export/homeExample 11 Sharing a File System With Multiple Kerberos Security Modes
In this example, all three Kerberos security modes have been selected. The mode that is used is negotiated between the client and the NFS server. If the first mode in the command fails, then the next mode is tried. For more information, see the nfssec(5) man page.
# share -F nfs -o sec=krb5p:krb5i:krb5 /export/home