NFS Services Administrator's Guide (B.11.31.02) January 2008
Ticket cache: /tmp/krb5cc_0
Default principal: root@krbhost.anyrealm.com
Valid starting Expires Service principal
Fri 16 Jan 2007 01:44:08 PM PDT Sat 17 Jan 2007 01:44:08 PM PDT
krbtgt/krbhost.anyrealm.COM@krbhost.anyrealm.com
4. To verify that the system is set up as a Kerberos client, enter the following command:
ps -ef |grep kr
An output similar to the following output is displayed:
root 1156 1139 0 Feb 9 ? 0:30 /opt/krb5/sbin/kdcd
root 1139 1 0 Feb 9 ? 0:00 /opt/krb5/sbin/kdcd
root 1154 1 0 Feb 9 ? 15:33 /opt/krb5/sbin/kadmind
This indicates that the Kerberos daemons are running.
5. To verify that the underlying GSS-API framework is working properly, run the sample program /usr/contrib/gssapi/sample.
In this example, the following setup was used to run the program:
GSS-API Server Host: krbsrv39
GSS-API Client Host: krbcl145
The output generated is similar to the one displayed for the Configuring Secure NFS server
with Kerberos procedure.
6. Modify the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i, and krb5p
based on the security protocol you choose. You can decide to choose all the versions as
shown in the example in the Secure NFS server configuration.
7. To mount a directory or filesystem with the Kerberos security option, enter the following command:
mount -o sec=<Kerberos protocol version> <svr:/dir> </mount-point>
Where,
-o              Enables you to use some of the specific options of the share command, such as sec, async, public, and others.
sec             Enables you to specify the security mode to be used. Specify krb5 as the Kerberos protocol version.
<svr:/dir>      Enables you to specify the location of the directory.
</mount-point>  Enables you to specify the mount-point location where the filesystem is mounted.
An initial ticket grant is carried out when the user accesses the mounted filesystem.
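The following shell script is an added example and is not part of the HP guide: it automates the checks that steps 4 through 7 describe by hand (a usable Kerberos ticket, the enabled security modes in /etc/nfssec.conf, and the sec= mount). It assumes the nfssec.conf layout "name number mechanism flavor service # comment" with disabled entries commented out by a leading '#', and that the installed klist supports the -s option (MIT-style; exit 0 when a valid ticket exists). The nfssec.conf content it parses at the end is a constructed sample written to a temporary file.

```shell
#!/bin/sh
# Added example, not from the HP NFS Services guide.

# Print the names of the Kerberos security modes that are enabled
# (uncommented) in an nfssec.conf-style file given as $1.
nfssec_enabled_modes() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk 'NF > 0 && $1 ~ /^krb5/ { print $1 }'
}

# Return 0 if mode $1 is enabled in file $2, 1 otherwise.
nfssec_mode_enabled() {
    nfssec_enabled_modes "$2" | grep -qx "$1"
}

# Return 0 if the caller holds a valid Kerberos ticket.
# Assumption: klist accepts -s (silent check) as the MIT client does.
have_kerberos_ticket() {
    klist -s 2>/dev/null
}

# Mount $2 (svr:/dir) on $3 with sec=$1, refusing to proceed when the mode is
# not enabled in /etc/nfssec.conf or when no ticket is available, so that a
# misconfiguration is reported instead of silently falling back to AUTH_SYS.
mount_secure_nfs() {
    mode=$1; src=$2; mnt=$3
    case "$mode" in
        krb5|krb5i|krb5p) ;;
        *) echo "unknown Kerberos mode: $mode" >&2; return 1 ;;
    esac
    if ! nfssec_mode_enabled "$mode" /etc/nfssec.conf; then
        echo "mode $mode is not enabled in /etc/nfssec.conf" >&2
        return 1
    fi
    if ! have_kerberos_ticket; then
        echo "no valid Kerberos ticket; run kinit first" >&2
        return 1
    fi
    mount -o sec="$mode" "$src" "$mnt"
}

# --- demonstration on a constructed nfssec.conf (not a real system file) ---
SAMPLE_NFSSEC=${TMPDIR:-/tmp}/nfssec.conf.example.$$
trap 'rm -f "$SAMPLE_NFSSEC"' EXIT
cat > "$SAMPLE_NFSSEC" <<'EOF'
# constructed sample: krb5 and krb5i enabled, krb5p still commented out
none    0       -            -        -          # AUTH_NONE
sys     1       -            -        -          # AUTH_SYS
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
#krb5p  390005  kerberos_v5  default  privacy    # RPCSEC_GSS
EOF

echo "Enabled Kerberos modes: $(nfssec_enabled_modes "$SAMPLE_NFSSEC" | tr '\n' ' ')"
# A real mount would then be: mount_secure_nfs krb5i krbsrv39:/export /mnt/secure
```

On a live client, call mount_secure_nfs with the mode, server:directory and mount point from step 7; the case statement limits the mode to the three RPCSEC_GSS flavors the guide names, and the nfssec.conf check catches the common mistake of mounting with a flavor that was never uncommented in step 6.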
Accessing Shared NFS Directories across a Firewall
To access shared NFS directories across a firewall, you must configure the firewall based on the
ports that the NFS service daemons listen on. To access NFS directories, the following daemons
are required: rpcbind, nfsd, rpc.lockd, rpc.statd, and rpc.mountd. The rpcbind
daemon uses a fixed port, 111, and the nfsd daemon uses 2049 as its default port. To configure
the firewall, you must know the port numbers of the other NFS daemons, to ensure that the NFS
client requests are not denied.
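Because only rpcbind (111) and nfsd (2049 by default) sit on fixed ports, the ports of rpc.mountd, rpc.lockd and rpc.statd have to be read from the server's rpcbind registrations before firewall rules can be written. The script below is an added example, not part of the HP guide: it parses "rpcinfo -p" output, lists the protocol/port pairs the firewall must allow, and flags the dynamically assigned ones. The rpcinfo output it consumes is a constructed sample in the standard five-column format (program, version, protocol, port, service name from /etc/rpc); on a real server pipe "rpcinfo -p <server>" into nfs_firewall_ports instead.

```shell
#!/bin/sh
# Added example, not from the HP NFS Services guide.

# Read "rpcinfo -p" output on stdin and print "proto port service" for the
# NFS-related RPC programs, one line per distinct proto/port pair.
# Service names are the standard /etc/rpc names: portmapper (rpcbind),
# nfs (nfsd), mountd (rpc.mountd), nlockmgr (rpc.lockd), status (rpc.statd).
nfs_firewall_ports() {
    awk '
        NF >= 5 && $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status)$/ {
            key = $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print $3, $4, $5 }
        }' | sort
}

# From the output of nfs_firewall_ports on stdin, print only the entries
# whose port is not one of the fixed ones (111 for rpcbind, 2049 for nfsd).
# These are the ports that change across reboots unless the daemons are
# pinned, so a firewall rule set must be regenerated or the ports fixed.
nfs_dynamic_ports() {
    awk '$2 != 111 && $2 != 2049 { print }'
}

# --- demonstration on constructed rpcinfo -p output ---------------------
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  49163  mountd
    100005    3   udp  49164  mountd
    100021    4   tcp  49165  nlockmgr
    100021    4   udp  49166  nlockmgr
    100024    1   tcp  49167  status
    100024    1   udp  49168  status
    100007    2   udp  49170  ypbind'

echo "Ports the firewall must allow (proto port service):"
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_firewall_ports
echo "Dynamically assigned (re-check after every server restart):"
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_firewall_ports | nfs_dynamic_ports
```

Non-NFS registrations such as the constructed ypbind line are dropped, so the list contains only what the guide says NFS clients need. The dynamic-port list is the part worth turning into a scheduled check: if the rule set allows yesterday's mountd port and the daemon came up on a different one, client mounts fail even though rpcbind and nfsd are reachable.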
Configuring and Administering an NFS Server 33