NFS Services Administrator's Guide (5900-1632, August 2011)

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 ONC and NFS Software

06101130 to set the date to June 10th and time to 11:30 AM. The time difference between

the systems should not be more than 5 minutes.

2. Add a principal for all the NFS client to the Kerberos database. For example, if our NFS client

is onc36.ind.hp.com then root principal should be added to the Kerberos database

before running the NFS applications.

To add principals use the Kerberos administration tool, kadminl,

onc52# /opt/krb5/admin/kadminl

Connecting as: K/M

Connected to krb5v01 in realm ONC52.IND.HP.COM.

Command: add root

Enter password:

Re-enter password for verification:

Enter policy name (Press enter key to apply default policy) :

Principal added.

3. Copy the /etc/krb5.conf file from the Kerberos server to the NFS client.

onc52# rcp /etc/krb5.conf onc36:/etc/

The following steps are to be configured in NFS client

1. To get the initial TGT to request a service from the application server, enter the following

command:

onc36# kinit root

Password for root@ONC52.IND.HP.COM:

The password prompt is displayed. Enter the password for the root principal that is added to

the Kerberos database.

2. To verify the TGT, enter the following command:

onc36# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: root@ONC52.IND.HP.COM

Valid starting Expires Service principal

02/12/09 10:46:33 02/12/09 20:46:31 krbtgt/ONC52.IND.HP.COM@ONC52.IND.HP.COM

3. Edit the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i, or krb5p based on

the security protocol you want to choose.

onc36# cat /etc/nfssec.conf | krb5

krb5 390003 krb5_mech default - # RPCSEC_GSS

krb5i 390004 krb5_mech default integrity # RPCSEC_GSS

krb5p 390005 krb5_mech default privacy # RPCSEC_GSS

4. Edit the /etc/inetd.conf file and uncomment gssd entry.

onc36# cat /etc/inetd.conf | grep gssd

rpc xti ticotsord swait root /usr/lib/netsvc/gss/gssd 100234 1 gssd

5. Re-initialize inetd on the NFS servers.

onc36# inetd -c

6. To create a credential table, enter the following command:

onc36# gsscred -m krb5_mech -a

7. To mount, secure NFS file system, enter the following command:

mount -o sec=<Security flavor> <svr:/dir> </mount-point>

Where,

-o

Enables you to use some of the specific options of the share command, such as sec, async,

public, and others.

sec

Configuring and Administering an NFS Server 27