NFS Services Administrator's Guide (762805-001, March 2014)

9. Re-initialize inetd on NFS servers.
inetd -c
10. To create a credential table, enter the following command:
onc20# gsscred -m krb5_mech -a
11. Share a directory with the Kerberos security option.
onc20# share -F nfs -o sec=krb5,rw /share_krb5
If you have not uncommented the entries for krb5, krb5i, or krb5p in /etc/nfssec.conf, an
error similar to the following is displayed:
# share -o sec=krb5i /aaa
share_nfs: Invalid security mode "krb5i"
Secure NFS client configuration with Kerberos
To set up a secure NFS client using Kerberos, follow these steps:
1. Synchronize the date and time of the server nodes with the Kerberos server. To change the
current date and time, use the date command followed by the current date and time. For
example, enter date 06101130 to set the date to June 10th and the time to 11:30 AM. The time
difference between the systems should not be more than 5 minutes.
2. Add a principal for all the NFS clients to the Kerberos database. For example, if the NFS
client is onc36.ind.hp.com, then the root principal should be added to the Kerberos database
before running the NFS applications.
To add principals, use the Kerberos administration tool, kadminl:
onc52# /opt/krb5/admin/kadminl
Connecting as: K/M
Connected to krb5v01 in realm ONC52.IND.HP.COM.
Command: add root
Enter password:
Re-enter password for verification:
Enter policy name (Press enter key to apply default policy) :
Principal added.
3. Copy the /etc/krb5.conf file from the Kerberos server to the NFS client.
onc52# rcp /etc/krb5.conf onc36:/etc/
Perform the following steps on the NFS client:
1. To get the initial TGT to request a service from the application server, enter the following
command:
onc36# kinit root
Password for root@ONC52.IND.HP.COM:
The password prompt is displayed. Enter the password for the root principal that was added
to the Kerberos database.
2. To verify the TGT, enter the following command:
onc36# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ONC52.IND.HP.COM
Valid starting       Expires              Service principal
02/12/09 10:46:33    02/12/09 20:46:31    krbtgt/ONC52.IND.HP.COM@ONC52.IND.HP.COM
3. Edit the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i, or krb5p based on
the security protocol you want to choose.
onc36# cat /etc/nfssec.conf | grep krb5
krb5 390003 krb5_mech default - # RPCSEC_GSS
krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p 390005 krb5_mech default privacy # RPCSEC_GSS
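A preflight check for step 3 and for the share error shown earlier, as an added example that is not part of the HP guide: it reports which of krb5, krb5i and krb5p have uncommented entries, with the mode numbers from the listing above, in an nfssec.conf-style file. The function names and the sample file are constructed for illustration; on a real system, pass /etc/nfssec.conf instead of the sample.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not an HP-UX tool).

# Mode number expected for each Kerberos security mode, per the listing above.
expected_flavor() {
    case "$1" in
        krb5)  echo 390003 ;;
        krb5i) echo 390004 ;;
        krb5p) echo 390005 ;;
        *)     return 1 ;;
    esac
}

# nfssec_mode_enabled FILE MODE
# Exit 0 if MODE has an uncommented entry with the expected number and the
# krb5_mech mechanism, 1 if it does not, 2 if MODE is not a Kerberos mode.
nfssec_mode_enabled() {
    file=$1 mode=$2
    want=$(expected_flavor "$mode") || return 2
    awk -v m="$mode" -v n="$want" '
        /^[ \t]*#/ { next }                       # commented-out entry
        $1 == m && $2 == n && $3 == "krb5_mech" { found = 1 }
        END { exit !found }
    ' "$file"
}

# Print the fifth field (service: -, integrity or privacy) of an enabled mode.
nfssec_service() {
    awk -v m="$2" '!/^[ \t]*#/ && $1 == m { print $5 }' "$1"
}

# Constructed sample: krb5 and krb5p enabled, krb5i still commented out.
SAMPLE=${TMPDIR:-/tmp}/nfssec.sample.$$
cat > "$SAMPLE" <<'EOF'
krb5    390003  krb5_mech   default -           # RPCSEC_GSS
#krb5i  390004  krb5_mech   default integrity   # RPCSEC_GSS
krb5p   390005  krb5_mech   default privacy     # RPCSEC_GSS
EOF

for mode in krb5 krb5i krb5p; do
    if nfssec_mode_enabled "$SAMPLE" "$mode"; then
        echo "$mode: enabled (service: $(nfssec_service "$SAMPLE" "$mode"))"
    else
        echo "$mode: not enabled; share -o sec=$mode reports an invalid security mode"
    fi
done
```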