Secure NFS on HP-UX 11i v3
F. Synchronize Clocks with the Kerberos Server (Optional)
While not a required step, HP strongly recommends all NFS client and server systems’ clocks be
synchronized not only with each other, but also with the system clock of any Kerberos servers.
Kerberos authentication relies heavily on accurate timestamps and will often reject credentials if the
system times are not kept to within 5 minutes of each other. It is therefore recommended to use a time
protocol such as NTP to keep the NFS and Kerberos systems’ clocks synchronized.
Configuring NTP on HP-UX systems is discussed in the “HP-UX Internet Services Administrator's Guide
(B2355-91060)” manual located here:
http://docs.hp.com/en/B2355-91060/B2355-91060.pdf.
G. Test the Kerberos Credentials
Once the Kerberos realm is established and the proper credentials have been added, it’s a good idea
to test whether these credentials can be retrieved successfully by the NFS client and server systems.
The kinit(1) command is used to initialize Kerberos credentials for users and the klist(1) command is
used to display any current or cached Kerberos credentials. These commands can be used to verify
whether users can successfully retrieve their credentials from the Kerberos server.
Figure 13 below shows an example of the non-root user “dolker” issuing an initial klist command and
seeing no credentials. After issuing the kinit command and providing the correct password for the
dolker@ATC.VSSN.HP Kerberos credential, a second klist command shows the Kerberos server has
successfully provided the proper principal for the “dolker” user.
Figure 13 Test Kerberos Credentials via kinit(1)
The klist output is also useful for troubleshooting problems with Kerberos authentication as it shows
when the principal was initially retrieved as well as when the principal is set to expire and must be
refreshed.
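As an added example (not part of the HP paper), the shell function below reads klist output and reports each ticket as usable, expired, or not yet valid by more than the 5-minute tolerance, a state that may point to unsynchronized clocks. It assumes klist prints ticket lines as "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  principal"; the sample output, the cache path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify tickets in klist output against the local clock.
# Assumed ticket line layout: MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  principal
MAX_SKEW=300    # the 5-minute tolerance described above, in seconds

# check_tickets NOW   (klist output on stdin; NOW uses the klist date format)
check_tickets() {
    awk -v now="$1" -v skew="$MAX_SKEW" '
    # Seconds since 1970-01-01 for a civil date and time. No time-zone
    # handling: all values are local time and only differences are used.
    function secs(d, t,    p, q, y, m, era, yoe, doy, doe) {
        split(d, p, "/"); split(t, q, ":")
        y = 2000 + p[3]; m = p[1] + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + p[2] - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + q[1] * 3600 + q[2] * 60 + q[3]
    }
    BEGIN {
        date_re = "^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$"
        split(now, n, " "); t_now = secs(n[1], n[2])
    }
    # A ticket line starts with two date/time pairs.
    $1 ~ date_re && $3 ~ date_re {
        t_start = secs($1, $2); t_end = secs($3, $4)
        if (t_start - t_now > skew) state = "NOT-YET-VALID (check clock sync)"
        else if (t_end <= t_now)    state = "EXPIRED (run kinit again)"
        else                        state = "OK " (t_end - t_now) "s left"
        print $5 ": " state
        found = 1
    }
    END { if (!found) print "no tickets (run kinit)" }'
}

# Constructed sample output; the cache path is made up for illustration.
sample_klist() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_1001
Default principal: dolker@ATC.VSSN.HP

Valid starting     Expires            Service principal
02/12/08 14:33:15  02/13/08 00:33:15  krbtgt/ATC.VSSN.HP@ATC.VSSN.HP
EOF
}

sample_klist | check_tickets "02/12/08 14:40:00"
# Live use: klist | check_tickets "$(date '+%m/%d/%y %H:%M:%S')"
```

If the klist on a given system prints dates in another layout, adjust the date pattern and the field positions before relying on the result.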