NFS Services Administrator's Guide (5900-1632, August 2011)

Re-enter password for verification:
Enter policy name (Press enter key to apply default policy) :
Principal added.
4. Copy the /etc/krb5.conf file from the Kerberos server to the NFS server node.
onc52# rcp /etc/krb5.conf onc20:/etc/
5. Extract the key for the NFS service principal on the Kerberos server and store it in the
/etc/krb5.keytab file on the NFS server. To extract the key, use the Kerberos administration
tool kadminl.
onc52# /opt/krb5/admin/kadminl
Connecting as: K/M
Connected to krb5v01 in realm ONC52.IND.HP.COM.
Command: ext
Name of Principal (host/onc52.ind.hp.com): nfs/onc20.ind.hp.com
Service Key Table File Name (/opt/krb5/v5srvtab): /etc/onc20.keytab
Principal modified.
Key extracted.
onc52# rcp /etc/onc20.keytab onc20:/etc/krb5.keytab
6. To verify the keys on the NFS server, enter the following command on the NFS server:
onc20# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/onc20.ind.hp.com@ONC52.IND.HP.COM
7. Edit the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i, or krb5p based
on the security protocol you want to choose.
onc20# cat /etc/nfssec.conf | grep krb5
krb5 390003 krb5_mech default - # RPCSEC_GSS
krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p 390005 krb5_mech default privacy # RPCSEC_GSS
8. Edit the /etc/inetd.conf file and uncomment the gssd entry.
onc20# cat /etc/inetd.conf | grep gssd
rpc xti ticotsord swait root /usr/lib/netsvc/gss/gssd 100234 1 gssd
9. Re-initialize inetd on NFS servers.
inetd -c
10. To create a credential table, enter the following command:
onc20# gsscred -m krb5_mech -a
11. Share a directory with the Kerberos security option.
onc20# share -F nfs -o sec=krb5,rw /share_krb5
If you have not uncommented the entries for krb5, krb5i, or krb5p, an error similar to the
following is displayed:
# share -o sec=krb5i /aaa
share_nfs: Invalid security mode "krb5i"
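An added pre-flight script (not part of the HP guide) that checks the results of steps 5, 7 and 8 before running share in step 11. Function names and sample files are constructed for illustration; the keytab mode check (600 or 400) is standard Kerberos practice rather than a step in this guide, and is relevant here because the keytab arrives through an rcp copy.

```sh
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.
# Print the Kerberos modes that are uncommented in an nfssec.conf file.
enabled_krb5_modes() {
    awk '$1 ~ /^krb5[ip]?$/ && $3 == "krb5_mech" { printf "%s ", $1 }' "$1"
}

# Succeed if an uncommented gssd entry exists in an inetd.conf file.
gssd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '/usr/lib/netsvc/gss/gssd'
}

# Succeed if the keytab exists with mode 600 or 400 (owner access only).
keytab_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one share mode against the three files; return status = problem count.
preflight() {
    mode=$1 problems=0
    case " $(enabled_krb5_modes "$2")" in
        *" $mode "*) ;;
        *) echo "nfssec.conf: $mode not enabled, share -o sec=$mode will fail"
           problems=$((problems + 1)) ;;
    esac
    gssd_enabled "$3" || { echo "inetd.conf: gssd entry not enabled"; problems=$((problems + 1)); }
    keytab_private "$4" || { echo "keytab: missing, or not mode 600/400"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample files: krb5i left commented out, keytab world-readable.
make_sample() {
    mkdir -p "$1" || return 1
    cat > "$1/nfssec.conf" <<'EOF'
krb5   390003 krb5_mech default -         # RPCSEC_GSS
#krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p  390005 krb5_mech default privacy   # RPCSEC_GSS
EOF
    echo 'rpc xti ticotsord swait root /usr/lib/netsvc/gss/gssd 100234 1 gssd' > "$1/inetd.conf"
    : > "$1/krb5.keytab" && chmod 644 "$1/krb5.keytab"
}

d=${TMPDIR:-/tmp}/nfs_preflight.$$
make_sample "$d" || exit 1
preflight krb5i "$d/nfssec.conf" "$d/inetd.conf" "$d/krb5.keytab" || echo "problems found: $?"
rm -rf "$d"
```

On a configured server, call preflight with the mode you intend to share plus /etc/nfssec.conf, /etc/inetd.conf and /etc/krb5.keytab.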
Secure NFS Client Configuration with Kerberos
To set up a secure NFS client using Kerberos, follow these steps:
1. Synchronize the date and time of the server nodes with the Kerberos server. To change the current date
and time, use the date command followed by the current date and time. For example, enter date