NFS Services Administrator's Guide (B.11.31.02) January 2008
Table 2-3 Security Modes of the share command (continued)

Security Mode   Description
krb5p           Uses Kerberos V5 authentication, integrity checking, and privacy protection
                (encryption) on the shared filesystems.
none            Uses NULL authentication (AUTH_NONE). NFS clients using AUTH_NONE are mapped to
                the anonymous user nobody by NFS.
You can combine the different security modes. However, each security mode specified on the server
must be supported by the client. If the modes on the client and server differ, the directory
cannot be accessed.
For example, an NFS server can combine the dh (Diffie-Hellman) and krb5 (Kerberos) security
modes because it supports both modes. However, if the NFS client does not support krb5, the
shared directory cannot be accessed using the krb5 security mode.
Consider the following points before you specify or combine security modes:
• The share command uses the AUTH_SYS mode by default if the sec=mode option is not
specified.
• If your network consists of clients with differing security requirements, some using highly
restrictive security modes and some using less secure modes, use multiple security modes
with a single share command.
For example, consider an environment where not all clients require the same level of security.
Such an environment is usually difficult to secure and requires running various scripts. However,
if you use the share command, you can specify a different security mechanism for each
netgroup within your network.
• If one or more explicit sec= options are specified, you must also set the sys security mode to
continue to allow access to the shared directories using the AUTH_SYS authentication method.
For example, if you specify multiple security options, such as Kerberos and
Diffie-Hellman, specify the sys security option as well so that users can still access the
shared directories using the AUTH_SYS security method.
• If ro and rw options are specified in a sec clause, the order of the options rule is not enforced.
All hosts are granted read-only access, except those in the read-write list.
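The following shell helper, added here as an example and not taken from the guide, audits the -o option string of a share -F nfs line against the rules above: it lists the security modes requested and reports when an explicit sec= list omits sys, which would lock out AUTH_SYS clients. It assumes the sec=mode[:mode] option syntax of share_nfs and uses only the mode names given in Table 2-3; the option strings at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the guide): audit a share -o option string.

# Security modes named in Table 2-3; extend this list if your release adds more.
KNOWN_MODES="sys dh krb5 krb5p none"

# Print the modes requested by every sec= clause, space separated.
# Prints nothing when no sec= clause is present (the share defaults to AUTH_SYS).
share_sec_modes() {
    opts=$1
    modes=""
    old_ifs=$IFS; IFS=','          # options are comma separated
    for opt in $opts; do
        case $opt in
            sec=*) modes="$modes $(printf '%s' "${opt#sec=}" | tr ':' ' ')" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "${modes# }"
}

# Exit status: 0 = AUTH_SYS clients keep access (no sec=, or sys listed),
#              1 = explicit sec= without sys locks AUTH_SYS clients out,
#              2 = a mode not listed in KNOWN_MODES was requested.
audit_share_opts() {
    modes=$(share_sec_modes "$1")
    if [ -z "$modes" ]; then
        echo "no sec= clause: defaults to AUTH_SYS (sys)"
        return 0
    fi
    has_sys=1
    for m in $modes; do
        case " $KNOWN_MODES " in
            *" $m "*) ;;
            *) echo "unknown security mode: $m"; return 2 ;;
        esac
        [ "$m" = sys ] && has_sys=0
    done
    echo "modes: $modes"
    if [ $has_sys -ne 0 ]; then
        echo "warning: AUTH_SYS clients locked out; add sys to the sec= list"
        return 1
    fi
    return 0
}

# Constructed sample option strings for a share -F nfs -o ... line.
for opts in "sec=krb5p:dh,rw=@engineering,ro" "sec=krb5p:dh:sys,rw=@engineering,ro"; do
    echo "== -o $opts"
    audit_share_opts "$opts" || echo "(status $?)"
done
```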
Secure NFS Setup with Kerberos
This section describes how to configure secure NFS using Kerberos.
Configuring Secure NFS Server with Kerberos
You need to set up the NFS server as a Kerberos client before securing the NFS server.
To configure your secure NFS server, follow these steps:
1. Set up the host as a Kerberos client. For more information on setting up the NFS server as
a Kerberos client, see Configuration Guide for Kerberos Client Products on HP-UX
(5991-7685).
NOTE: Add a principal for all machines that are going to use the NFS Service. Also, add
a principal for all users who will access the data on the NFS server. For example, the
sample/krbsrv39.anyrealm.com principal should be added to the Kerberos database
before running the sample applications.
2. To get the initial Ticket Granting Ticket (TGT) to request a service from the application
server, enter the following command:
kinit username
Configuring and Administering an NFS Server 29