NFS Services Administrator's Guide (B.11.31.02) January 2008

NOTE: Step 6 and Step 7 are to be performed on the Kerberos Server.
6. To add the NFS service principal for the NFS server, for example nfs/krbsrv39.anyrealm.com,
to the Kerberos database on the Kerberos server, first run the kadmin command-line
administration command and then add the new principal using the add command.
Command: add
Name of Principal to Add: nfs/krbsrv39.anyrealm.com
Enter password:
Re-enter password for verification:
Principal added.
NOTE: The server hostname in the service principal must be a fully qualified name.
7. To extract the key for the added NFS service principal, use the Kerberos administration tool,
kadminl_ui, and store it in a file called machine_name.keytab. Then, copy this file to
/etc/krb5.keytab on the NFS server.
8. To verify the keys, enter the following command:
klist -k
Output similar to the following is displayed:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--------------------------------------------------------
1 nfs/krbsrv39.anyrealm.com@krbhost.anyrealm.com
If you did not add the NFS service principal with the fully qualified hostname, an error
similar to the following is displayed:
share -o sec=krb5i /export_krb5
share_nfs: /export_krb5: Invalid argument
9. Modify the /etc/nfssec.conf file. Uncomment the entries for krb5, krb5i, or krb5p,
depending on the security flavor you want to use. You can enable all three, as shown in
this example:
#ident "@(#)nfssec.conf 1.5 07/11/09 SMI"
# The NFS Security Service Configuration File.
# Each entry is of the form:
# <NFS_security_mode_name> <NFS_security_mode_number> \
# <GSS_mechanism_name> <GSS_quality_of_protection> <GSS_services>
# The "-" in <GSS_mechanism_name> signifies that this is not a GSS mechanism.
# A string entry in <GSS_mechanism_name> is required for using RPCSEC_GSS
# services. <GSS_quality_of_protection> and <GSS_services> are optional.
# White space is not an acceptable value.
# default security mode is defined at the end. It should be one of the
# flavor numbers defined above it.
none 0 - - - # AUTH_NONE
sys 1 - - - # AUTH_SYS
dh 3 - - - # AUTH_DH
krb5 390003 krb5_mech default - # RPCSEC_GSS
krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p 390005 krb5_mech default privacy # RPCSEC_GSS
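The two points where this procedure goes wrong silently are a service principal whose hostname is not fully qualified (step 8) and Kerberos flavors left commented out in /etc/nfssec.conf (step 9). The following script is an added example, not part of the guide: it defines two checks that read a keytab listing and an nfssec.conf on stdin, and runs them against constructed sample text so it works offline; the sample hostnames and realm are placeholders taken from the steps above.

```shell
#!/bin/sh
# Added example (not from the guide): offline checks for the keytab and
# nfssec.conf steps above. Both functions read text on stdin, so on a server
# they can be fed real `klist -k` output or /etc/nfssec.conf.

# Constructed sample of `klist -k` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--------------------------------------------------------
1 nfs/krbsrv39.anyrealm.com@krbhost.anyrealm.com'

# Constructed sample of an nfssec.conf with the Kerberos flavors enabled.
SAMPLE_CONF='# comment lines are ignored
none 0 - - - # AUTH_NONE
sys 1 - - - # AUTH_SYS
#dh 3 - - - # AUTH_DH
krb5 390003 krb5_mech default - # RPCSEC_GSS
krb5i 390004 krb5_mech default integrity # RPCSEC_GSS
krb5p 390005 krb5_mech default privacy # RPCSEC_GSS'

# check_nfs_principals: prints one line per nfs/ principal in the listing,
# "OK <principal>" when the host part is fully qualified (contains a dot) and
# "SHORT <principal>" when it is not. Exit status is 1 if any nfs/ principal
# is short or the keytab holds no nfs/ principal at all, the condition that
# makes `share -o sec=krb5i` fail with "Invalid argument" as shown above.
check_nfs_principals() {
    awk '
        $2 ~ /^nfs\// {
            found = 1
            split($2, p, "[/@]")    # p[2] is the host part of the principal
            if (p[2] ~ /\./) { print "OK " $2 } else { print "SHORT " $2; bad = 1 }
        }
        END { if (bad || !found) exit 1 }
    '
}

# enabled_flavors: prints the names of the Kerberos flavors (krb5, krb5i,
# krb5p) whose nfssec.conf entries are not commented out.
enabled_flavors() {
    awk '!/^[ \t]*#/ && $1 ~ /^krb5/ { print $1 }'
}

# Run against the constructed samples; on a server, pipe `klist -k` and
# /etc/nfssec.conf into the same functions instead.
printf '%s\n' "$SAMPLE_KLIST" | check_nfs_principals
printf '%s\n' "$SAMPLE_CONF" | enabled_flavors
```

A flavor that enabled_flavors does not print is still commented out and cannot be requested with share -o sec=<flavor>.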
Configuring and Administering an NFS Server 31