NFS Services Administrator's Guide (B1031-90072, March 2011)

Table 4 Security Modes of the share command (continued)

Security Mode   Description
krb5p           Uses Kerberos V5 authentication, integrity checking, and privacy
                protection (encryption) on the shared filesystems.
none            Uses NULL authentication (AUTH_NONE). NFS clients using AUTH_NONE
                are mapped to the anonymous user nobody by NFS.

You can combine the different security modes. However, the security mode specified on the host
must be supported by the client. If the modes on the client and server are different, the directory
cannot be accessed.
For example, an NFS server can combine the dh (Diffie-Hellman) and krb5 (Kerberos) security
modes because it supports both modes. However, if the NFS client does not support krb5, the
shared directory cannot be accessed using the krb5 security mode.
Consider the following points before you specify or combine security modes:
• The share command uses the AUTH_SYS mode by default if the sec=mode option is not
  specified.
• If your network consists of clients with differing security requirements, some using highly
  restrictive security modes and some using less secure modes, use multiple security modes with
  a single share command.
  For example, consider an environment where not all clients require the same level of security.
  This environment is usually difficult to secure and requires running various scripts. However,
  if you use the share command, you can specify different security mechanisms for each
  netgroup within your network.
• If one or more explicit sec= options are specified, you must also set the sys security mode to
  continue to allow access to shared directories using the AUTH_SYS authentication method.
  For example, if you are specifying multiple security options, such as Kerberos and
  Diffie-Hellman, then specify the sys security option as well to enable users to access the shared
  directories using the AUTH_SYS security method.
• If ro and rw options are specified in a sec= clause, the order of the options rule is not enforced.
  All hosts are granted read-only access, except those in the read-write list.
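
The rules above can be checked against an option string before it is passed to share -o. The following script is an added example, not part of the guide: the function names and the finance netgroup are hypothetical, and it assumes that several modes in one sec= option are separated by colons.

```sh
# Added example, not from the guide. Netgroup names are constructed.

# Print one line per clause of a share -o option string: "<modes> <access>".
# Access options given before any sec= are listed under "default"; with no
# sec= at all, the guide says share uses AUTH_SYS.
sec_clauses() {
    modes=default access=''
    old_ifs=$IFS; IFS=,; set -f
    for opt in $1; do
        case $opt in
            sec=*)
                # A new clause starts; emit the one collected so far.
                if [ "$modes" != default ] || [ -n "$access" ]; then
                    echo "$modes ${access:--}"
                fi
                modes=${opt#sec=} access='' ;;
            ro|rw|ro=*|rw=*)
                access=${access:+$access,}$opt ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo "$modes ${access:--}"
}

# Print findings for an option string, using only rules stated in the guide.
audit_share_opts() {
    # Modes from every explicit sec= clause, joined as ":mode:mode:"
    explicit=:$(sec_clauses "$1" | cut -d' ' -f1 | sed '/^default$/d' | tr '\n' ':')
    if [ "$explicit" = : ]; then
        echo "no sec= option: share defaults to AUTH_SYS"
        return 0
    fi
    case $explicit in
        *:none:*) echo "sec=none: AUTH_NONE clients are mapped to nobody" ;;
    esac
    case $explicit in
        *:sys:*) ;;
        *) echo "sys not listed: AUTH_SYS clients cannot access this share" ;;
    esac
}

# Constructed option strings: Kerberos and Diffie-Hellman with and without sys.
for o in 'sec=dh:krb5,rw' 'sec=dh:krb5,rw=finance,sec=sys,ro'; do
    echo "== $o"; sec_clauses "$o"; audit_share_opts "$o"
done
```

A clause shown with "-" has no ro or rw option of its own.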
Secure NFS Setup with Kerberos
Configuring Secure NFS Server with Kerberos
Set up the NFS server as a Kerberos client before securing the NFS server.
To configure a secure NFS server, follow these steps:
1. Set up the host as a Kerberos client. For more information on setting up the NFS server as a
Kerberos client, see Configuration Guide for Kerberos Client Products on HP-UX (5991-7685).
NOTE: Throughout this section, the following systems are used as examples:
Kerberos Server: onc52.ind.hp.com
NFS Server: onc20.ind.hp.com
NFS Client: onc36.ind.hp.com
2. Synchronize the date and time of the server nodes with the Kerberos server. To change the
current date and time, use the date command followed by the current date and time. For example,
enter date 06101130 to set the date to June 10th and the time to 11:30 AM. The time difference
between the systems should not be more than 5 minutes.