In addition to the appliance's capability to use Kerberos to authenticate users for administrative login and for access to services, Kerberos can also be used to set security for individual shares that use the NFS protocol.
NFS shares are allocated with AUTH_SYS RPC authentication by default. You can also configure them to be shared with Kerberos security. Using AUTH_SYS authentication, the client’s UNIX User ID (UID) and Group ID (GID) are passed unauthenticated on the network by the NFS server. This authentication mechanism is easily defeated by anyone with root access on a client; therefore, it is best to use one of the other available security modes.
Additional access controls can be specified on a per-share basis to allow or disallow access to the shares for specific hosts, DNS domains, or networks.
Security modes are set on a per-share basis. The following list describes the available Kerberos security settings:
krb5 - End-user authentication through Kerberos V5
krb5i - krb5 plus integrity protection (data packets are tamper-proof)
krb5p - krb5i plus privacy protection (data packets are tamper-proof and encrypted)
Combinations of Kerberos types may also be specified in the security mode setting. A combination security mode lets clients mount with any of the Kerberos types it lists. The available security modes are:
sys - System Authentication
krb5 - Kerberos v5 only, clients must mount using this type
krb5:krb5i - Kerberos v5, with integrity, clients may mount using any type listed
krb5i - Kerberos v5 integrity only, clients must mount using this type
krb5:krb5i:krb5p - Kerberos v5, with integrity or privacy, clients may mount using any type listed
krb5p - Kerberos v5 privacy only, clients must mount using this type
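
The following added example (not appliance or vendor code) audits a share inventory against the modes listed above, reporting shares whose security mode still lets a client mount with a weaker type than required. The share names are constructed, and the function names and the `require` threshold are assumptions made for this example.

```python
# Added example: not appliance code. Mode names come from the list above;
# the share names in SHARES are constructed.
ORDER = ["sys", "krb5", "krb5i", "krb5p"]           # weakest to strongest
VALID_MODES = {"sys", "krb5", "krb5:krb5i", "krb5i",
               "krb5:krb5i:krb5p", "krb5p"}          # the modes the page lists

def parse_mode(mode):
    """Return the types a share's security mode accepts, in listed order."""
    mode = mode.strip()
    if mode not in VALID_MODES:
        raise ValueError(f"{mode!r} is not a listed security mode")
    return mode.split(":")

def client_may_mount(mode, requested):
    """True if a client asking for type `requested` can mount the share."""
    return requested in parse_mode(mode)

def weakest_allowed(mode):
    """The least-protected type a client is still allowed to mount with."""
    return min(parse_mode(mode), key=ORDER.index)

def audit(shares, require="krb5i"):
    """Map share name -> finding for shares that accept less than `require`."""
    findings = {}
    for name, mode in shares.items():
        try:
            weakest = weakest_allowed(mode)
        except ValueError as exc:
            findings[name] = str(exc)
            continue
        if ORDER.index(weakest) < ORDER.index(require):
            findings[name] = f"mode {mode!r} still accepts {weakest} mounts"
    return findings

# Constructed inventory: share name -> configured security mode.
SHARES = {
    "export/home": "sys",
    "export/eng": "krb5:krb5i",
    "export/hr": "krb5p",
    "export/build": "krb5:krb5i:krb5p",
    "export/scratch": "krb5i",
}

if __name__ == "__main__":
    for name, finding in audit(SHARES).items():
        print(f"{name}: {finding}")
```

Because a combination mode lets clients mount with any type listed, a share set to krb5:krb5i:krb5p does not enforce integrity or privacy; only the single-type modes krb5i and krb5p do.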