NFS Services Administrator's Guide (B1031-90072, March 2011)
3. Add a principal for all the NFS servers to the Kerberos database. For example, if the NFS
server is onc20.ind.hp.com, then the nfs/onc20.ind.hp.com principal should be added
to the Kerberos database before running the NFS applications.
To add principals, use the Kerberos administration tool, kadminl:
onc52# /opt/krb5/admin/kadminl
Connecting as: K/M
Connected to krb5v01 in realm ONC52.IND.HP.COM.
Command: add nfs/onc20.ind.hp.com
Enter password:
Re-enter password for verification:
Enter policy name (Press enter key to apply default policy) :
Principal added.
4. Copy the /etc/krb5.conf file from the Kerberos server to the NFS server node.
onc52# rcp /etc/krb5.conf onc20:/etc/
5. Extract the key for the NFS service principal on the Kerberos server and store it in the
/etc/krb5.keytab file on the NFS server. To extract the key, use the Kerberos administration
tool kadminl.
onc52# /opt/krb5/admin/kadminl
Connecting as: K/M
Connected to krb5v01 in realm ONC52.IND.HP.COM.
Command: ext
Name of Principal (host/onc52.ind.hp.com): nfs/onc20.ind.hp.com
Service Key Table File Name (/opt/krb5/v5srvtab): /etc/onc20.keytab
Principal modified.
Key extracted.
onc52# rcp /etc/onc20.keytab onc20:/etc/krb5.keytab
6. To verify the keys on the NFS server, enter the following command on the NFS server:
onc20# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/onc20.ind.hp.com@ONC52.IND.HP.COM
7. Edit the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i, or krb5p based
on the security protocol you want to choose.
onc20# cat /etc/nfssec.conf | grep krb5
krb5 390003 krb5_mech default - # RPCSEC_GSS
krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p 390005 krb5_mech default privacy # RPCSEC_GSS
8. Edit the /etc/inetd.conf file and uncomment the gssd entry.
onc20# cat /etc/inetd.conf | grep gssd
rpc xti ticotsord swait root /usr/lib/netsvc/gss/gssd 100234 1 gssd
9. Re-initialize inetd on NFS servers.
inetd -c
10. To create a credential table, enter the following command:
onc20# gsscred -m krb5_mech -a
11. Share a directory with the Kerberos security option.
onc20# share -F nfs -o sec=krb5,rw /share_krb5
If you have not uncommented the entries of krb5, krb5i or krb5p, an error similar to the
following error is displayed:
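
Steps 6 through 8 can be checked on the NFS server before the share command in step 11 is run. The script below is an added example, not part of the HP guide; its function names are hypothetical, and the keytab permission check is an extra that the guide does not list.

```shell
#!/bin/sh
# Pre-flight checks for steps 6-8, run before `share -F nfs -o sec=krb5...`.
# Function names are illustrative; paths are arguments so copies can be checked.

# Succeeds if `klist -k` output on stdin lists nfs/<fqdn>@<realm>.
keytab_has_nfs_principal() {    # $1 = NFS server FQDN
    awk -v p="nfs/$1@" 'index($2, p) == 1 { ok = 1 } END { exit !ok }'
}

# Succeeds if the flavor (krb5, krb5i or krb5p) has an uncommented entry.
flavor_enabled() {              # $1 = flavor, $2 = nfssec.conf path
    awk -v f="$1" '$1 == f { ok = 1 } END { exit !ok }' "$2"
}

# Succeeds if inetd.conf carries an uncommented gssd entry.
gssd_enabled() {                # $1 = inetd.conf path
    awk '$1 !~ /^#/ && $NF == "gssd" { ok = 1 } END { exit !ok }' "$1"
}

# Extra check, not in the guide: the keytab holds the service key, so it
# should carry no group or other permission bits. Fails if the file is missing.
keytab_private() {              # $1 = keytab path
    ls -ld "$1" 2>/dev/null |
        awk '{ ok = (substr($1, 5, 6) == "------") } END { exit !ok }'
}

# Run every check; print one line per failure and return the failure count.
preflight() {                   # $1 = flavor, $2 = NFS server FQDN
    fails=0
    klist -k 2>/dev/null | keytab_has_nfs_principal "$2" ||
        { echo "no nfs/$2 key in /etc/krb5.keytab"; fails=$((fails + 1)); }
    keytab_private /etc/krb5.keytab ||
        { echo "/etc/krb5.keytab missing or group/other accessible"; fails=$((fails + 1)); }
    flavor_enabled "$1" /etc/nfssec.conf ||
        { echo "$1 is not uncommented in /etc/nfssec.conf"; fails=$((fails + 1)); }
    gssd_enabled /etc/inetd.conf ||
        { echo "gssd is not uncommented in /etc/inetd.conf"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage on the NFS server: sh preflight.sh krb5 onc20.ind.hp.com
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

An exit status of 0 means all four checks passed; otherwise the status is the number of failed checks.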