NFS is a widely used protocol to access any local file system across network. OFS makes use of this protocol and enables access to any DBFS file system that is mounted on the compute node.
NFS enables the compute node to be accessible across all nodes that are authorized to access the file system.
22.2.1 Prerequisites to Access Storage Through NFS Server
Learn about the prerequisites to access storage through NFS server.
Following are the prerequisites:
DBFS file system must be created before using OFS.
You should be able to mount the file systems exported by the database.
NFS server must be configured with
KERNELmodule is supported through
FUSEdriver for Linux.
22.2.2 NFS Security
OFS uses the OS authentication model to authorize NFS client users. If the user is accessing a local node (where the Oracle instance is running), the access to each file in the file system is controlled through Unix Access Control List set for each object.
On Linux, OFS uses FUSE to receive file system requests from the OS kernel or NFS
client. This requires
user_allow_other parameter to be set in
/etc/fuse.conf configuration file if an OS user other than the
root user and oracle user need to access the file system.
Note:Users can also be configured with an Oracle password to log into Oracle client tools like
SQL* Plusto execute SQL statements.
If the network is not secure, the customer is advised to setup Kerberos to authenticate the user using OS NFS.
The Kerberos authentication is available from NFS version 4 onwards. If the OFS is exported via NFS version 3, then the authentication is performed using
For local node, the authentication is performed using
AUTH_SYSirrespective of how the OFS is exported (NFS version 3 or NFS version 4).
Kerberos uses encryption technology, Key Distribution Center(KDC), and an arbitrator to perform secure authentication on open networks.
Kerberos is the widely used security mechanism that provides all three flavors of security:
Kerberos Infrastructure consists of Kerberos software, secured authentication servers, centralized account and password store, and systems configured to authenticate through the Kerberos protocol. The OS NFS server handles the complete authentication and integrity checks by using kerberos principal name as the user name. Once the authentication is performed, the requests passed to the Oracle kernel are handled based on the user name passed through the VFS I/O request.
Configuring Kerberos Server in Linux
The steps to configure Kerberos server in a Linux system is as follows:
Install Kerberos software in the Linux system.
Check if the daemons are running using the following commands.
# /sbin/chkconfig krb5kdc on # /sbin/chkconfig kadmin on
If the daemons are not running use the following commands to start the daemons manually:
# /etc/rc.d/init.d/krb5kdc start # /etc/rc.d/init.d/kadmin start
Add user principal using the
kadmin.local: addprinc <scott>