NFS Services Administrator's Guide (B.11.31.03) August 2008
NOTE: Add a principal for all machines that are going to use the NFS Service.
Also, add a principal for all users who will access the data on the NFS server. For
example, the sample/krbsrv39.anyrealm.com principal should be added to
the Kerberos database before running the sample applications.
2. To get the initial TGT to request a service from the application server, enter the
following command:
# kinit username
The password prompt is displayed.
Enter the password for the root principal that is added to the Kerberos database.
3. To verify the TGT, enter the following command:
klist
Output similar to the following is displayed:
Ticket cache: /tmp/krb5cc_0
Default principal: root@krbhost.anyrealm.com
Valid starting                   Expires                          Service principal
Fri 16 Jan 2007 01:44:08 PM PDT  Sat 17 Jan 2007 01:44:08 PM PDT  krbtgt/krbhost.anyrealm.COM@krbhost.anyrealm.com
4. To verify that the system is set up as a Kerberos client, enter the following
command:
ps -ef |grep kr
Output similar to the following is displayed:
root 1156 1139 0 Feb 9 ? 0:30 /opt/krb5/sbin/kdcd
root 1139 1 0 Feb 9 ? 0:00 /opt/krb5/sbin/kdcd
root 1154 1 0 Feb 9 ? 15:33 /opt/krb5/sbin/kadmind
This indicates that the Kerberos daemons are running.
5. To verify that the underlying GSS-API framework is working properly, run the
sample program /usr/contrib/gssapi/sample.
In this example, the following setup was used to run the program:
GSS-API Server Host: krbsrv39
GSS-API Client Host: krbcl145
The output generated is similar to the one displayed for the Configuring Secure
NFS server with Kerberos procedure.
6. Modify the /etc/nfssec.conf file and uncomment the entries for krb5, krb5i,
and krb5p based on the security protocol you choose. You can enable all of them,
as shown in the example in the Secure NFS server configuration.
7. To mount a directory or filesystem with the Kerberos security option, enter the
following command:
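A pre-mount check covering steps 3 and 6, written as an added example that is not part of the HP guide and is not the mount command referred to in step 7. It assumes that the flavor name is the first field of each /etc/nfssec.conf line and that '#' starts a comment; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): pre-mount checks for steps 3 and 6.
# Assumption: the flavor name is the first field of each nfssec.conf line
# and '#' starts a comment, so a disabled entry begins with '#'.

# Print the Kerberos flavors that are active (uncommented) in file $1.
enabled_krb_flavors() {
    awk '{ sub(/#.*/, "") } $1 ~ /^krb5[ip]?$/ { print $1 }' "$1" | sort -u
}

# Succeed if flavor $2 is active in the nfssec.conf file $1.
flavor_enabled() {
    enabled_krb_flavors "$1" | grep -qxF "$2"
}

# Succeed if the klist output on stdin lists a krbtgt/ service principal.
has_tgt() {
    grep -Eq '(^|[[:space:]])krbtgt/[^@[:space:]]+@'
}

# premount_check CONF FLAVOR KLIST_FILE: 0 = ready, 1 = flavor off, 2 = no TGT
premount_check() {
    flavor_enabled "$1" "$2" || { echo "FAIL: $2 is not enabled in $1"; return 1; }
    has_tgt < "$3" || { echo "FAIL: no TGT in the ticket cache"; return 2; }
    echo "OK: $2 is enabled and a TGT is present"
}

# Constructed sample inputs; fields after the flavor name are illustrative.
DEMO=${TMPDIR:-/tmp}/nfssec_demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/nfssec.conf" <<'EOF'
krb5    390003  krb5_mech  default  -          # RPCSEC_GSS
#krb5i  390004  krb5_mech  default  integrity  # RPCSEC_GSS
krb5p   390005  krb5_mech  default  privacy    # RPCSEC_GSS
EOF
cat > "$DEMO/klist.out" <<'EOF'
Ticket cache: /tmp/krb5cc_0
Default principal: root@krbhost.anyrealm.com
Fri 16 Jan 2007 01:44:08 PM PDT Sat 17 Jan 2007 01:44:08 PM PDT krbtgt/krbhost.anyrealm.COM@krbhost.anyrealm.com
EOF
: > "$DEMO/klist.empty"   # stands for a cache with no tickets

premount_check "$DEMO/nfssec.conf" krb5p "$DEMO/klist.out"
premount_check "$DEMO/nfssec.conf" krb5i "$DEMO/klist.out" || true
```

On a live client, pass /etc/nfssec.conf and a file holding the output of klist in place of the sample files.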