To use the Secure NFS system, all the systems that you are responsible for must have a domain name. Typically, a domain is an administrative entity of several systems that is part of a larger network. If you are running a name service, you should also establish the name service for the domain. For information about name services, see Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS.
Kerberos V5 authentication is supported by the NFS service. For more information, see Chapter 2, Kerberos on Oracle Solaris in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.
You can also configure the Secure NFS environment to use Diffie-Hellman authentication. For more information about Diffie-Hellman authentication, see Chapter 9, Configuring Network Services Authentication in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.
Make the domain name known to each system in the domain. For information about setting up a machine's NIS domain name, see How to Set a Machine’s NIS Domain Name in Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS.
$ domainname domain-name
Create a public key and secret key pair for each user in the domain by running the newkey command as root:
$ newkey -u username -s name-service
Users can establish personal secure RPC passwords by using the chkey command.
$ chkey -p -s name-service -m mechanism
When public keys and secret keys have been generated, the public keys and encrypted secret keys are stored in the publickey database.
If you are running NIS, verify that the ypbind daemon is running. For more information, see ypbind Not Running on NIS Client in Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS.
If you are running LDAP, verify that the ldap_cachemgr daemon is running. For more information, see Monitoring LDAP Client Status in Working With Oracle Solaris 11.3 Directory and Naming Services: LDAP.
Verify that the keyserv daemon is running:
$ ps -ef | grep keyserv
root   100     1 16   Apr 11 ?        0:00 /usr/sbin/keyserv
root  2215  2211  5 09:57:28 pts/0    0:00 grep keyserv
If the daemon is not running, type the following to start the key server:
$ svcadm enable network/rpc/keyserv
Usually, the login password is identical to the network password. In this situation, keylogin is not required. If the passwords are different, the users have to log in, and then run keylogin. You still need to use the keylogin -r command as root to store the decrypted secret key in /etc/.rootkey.
For Diffie-Hellman authentication, add the sec=dh option to the share command line:
$ share -F nfs -o sec=dh /export/home
For more information about security modes, see the nfssec(5) man page.
If you are using Diffie-Hellman authentication, edit the auto_master map to include sec=dh as a mount option in the appropriate entries, for example:
/home auto_home -nosuid,sec=dh
When you reinstall, move, or upgrade a system, remember to save the /etc/.rootkey file if you do not establish new keys or change the keys for root. If you delete the /etc/.rootkey file, type the following command:
$ keylogin -r
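As an added example (not part of the Oracle documentation and not Solaris code), the following POSIX shell script audits a host after the procedure above: it checks that keyserv is running without the pitfall of grep matching its own process, that /etc/.rootkey exists and is unreadable by group and others, and that share entries and auto_master entries carry sec=dh. The function names, the embedded sample data (constructed to match the output shown in the procedure) and the use of /etc/dfs/dfstab and /etc/auto_master as the live input files are assumptions of this example.

```shell
#!/bin/sh
# Added audit script (not from the Oracle Solaris documentation): checks the
# state a Secure NFS host should be in after the setup procedure.
# Every check reads stdin or a path argument, so the functions run against
# the constructed sample data below on any POSIX system; --live feeds them
# real command output and the assumed Solaris files /etc/dfs/dfstab and
# /etc/auto_master.

# Constructed sample data, modelled on the output shown in the procedure.
SAMPLE_PS='root   100     1 16   Apr 11 ?        0:00 /usr/sbin/keyserv
root  2215  2211  5 09:57:28 pts/0    0:00 grep keyserv'
SAMPLE_SHARES='share -F nfs -o sec=dh /export/home
share -F nfs -o rw,sec=dh:sys /export/projects
share -F nfs -o rw /export/tmp
share -F nfs /export/scratch'
SAMPLE_AUTO_MASTER='# constructed auto_master
+auto_master
/home auto_home -nosuid,sec=dh
/projects auto_projects -nosuid'

# 1. keyserv daemon present?  stdin: output of `ps -ef`.
#    A plain `grep keyserv` also matches the grep process itself (visible in
#    the sample), so match the daemon path with a bracket expression: the
#    text "[/]usr/sbin/keyserv" on grep's own command line never matches it.
keyserv_running() {
    grep -q '[/]usr/sbin/keyserv'
}

# 2. Root's stored secret key must exist and be unreadable by group/others.
#    $1: path to the .rootkey file (default /etc/.rootkey).
rootkey_ok() {
    f=${1:-/etc/.rootkey}
    [ -f "$f" ] || return 1
    case "$(ls -l "$f" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# ERE shared by checks 3 and 4: a sec= option whose mode list contains dh
# (sec=dh or sec=dh:sys).  Note that sec=dh:sys still admits AUTH_SYS clients.
DH_RE='(^|,)sec=([^,:]*:)*dh(:|,|$)'

# 3. Exports without DH.  stdin: share lines as written in /etc/dfs/dfstab.
#    Prints the path of every export lacking sec=dh; exit status 1 if any.
share_missing_dh() {
    awk -v re="$DH_RE" '
        /^[[:space:]]*share[[:space:]]/ {
            opts = ""
            for (i = 1; i <= NF; i++) if ($i == "-o") opts = $(i + 1)
            if (opts !~ re) { print $NF; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# 4. Automounter entries without DH.  stdin: auto_master lines
#    (mount-point map [options]).  Prints offending mount points; exit 1 if any.
automap_missing_dh() {
    awk -v re="$DH_RE" '
        /^[[:space:]]*(#|$)/ { next }      # comments and blank lines
        $1 == "+auto_master" { next }      # name-service include line
        $3 !~ re { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Live audit of this host; returns non-zero if anything needs attention.
main_audit() {
    status=0
    if ps -ef | keyserv_running; then echo "keyserv: running"
    else echo "keyserv: not running (svcadm enable network/rpc/keyserv)"; status=1; fi
    if rootkey_ok /etc/.rootkey; then echo "/etc/.rootkey: present, mode 0600"
    else echo "/etc/.rootkey: missing or too permissive (keylogin -r as root)"; status=1; fi
    if [ -r /etc/dfs/dfstab ]; then
        echo "exports without sec=dh:"; share_missing_dh < /etc/dfs/dfstab || status=1
    fi
    if [ -r /etc/auto_master ]; then
        echo "auto_master entries without sec=dh:"
        automap_missing_dh < /etc/auto_master || status=1
    fi
    return $status
}

# Demo against the constructed samples: lists /export/tmp, /export/scratch
# and /projects as the entries still lacking sec=dh.  Always returns 0; the
# findings are its output.
demo_audit() {
    printf '%s\n' "$SAMPLE_PS" | keyserv_running && echo "sample keyserv: running"
    printf '%s\n' "$SAMPLE_SHARES" | share_missing_dh
    printf '%s\n' "$SAMPLE_AUTO_MASTER" | automap_missing_dh
    return 0
}

case "${1:-}" in
    --live) main_audit ;;
    *) demo_audit ;;
esac
```

Run it with --live on a Solaris host to audit the real configuration; without arguments it runs against the embedded samples. An export listing sec=dh:sys is accepted by the check because it offers DH, but it still admits AUTH_SYS clients, so review the full mode list rather than only the presence of dh.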