Secure NFS on HP-UX 11i v3

V. Configure the Secure NFS Server
Once the NFS clients and servers can successfully retrieve credentials from the Kerberos
server, a few steps remain to configure a Secure NFS server: extracting a copy of the “nfs”
service principals from the Kerberos server, storing them in the NFS server’s local keytab
file, and configuring the shared filesystems to use the desired type of Kerberos
security.
A. Extract “nfs” Principals and Store Them in the Server’s Keytab File
Back in section III, we created the following NFS service principals on the Kerberos server:
nfs/atcux12.rose.hp.com@ATC.VSSN.HP
nfs/atcux13.rose.hp.com@ATC.VSSN.HP
nfs/nfs-pkg1.rose.hp.com@ATC.VSSN.HP
Now that these NFS service credentials have been added to the realm, a copy of these credentials
needs to be extracted from the Kerberos server’s database and stored in the respective NFS server’s
local /etc/krb5.keytab file. The keytab file is an encrypted, local, on-disk copy of the host’s
keys. The keytab file should be readable only by the root user.
On my HP-UX 11i v3 Kerberos server, keys are extracted via the kadminl(1M) command. The keys
are stored in a file called /opt/krb5/v5srvtab by default. This file is then securely copied to the
NFS server system and stored as /etc/krb5.keytab with appropriate permissions. Figure 14
shows an example of extracting keys from the Kerberos server and copying the resulting keytab file to
my NFS server “atcux12.rose.hp.com” where it is stored as /etc/krb5.keytab.
Figure 14 Extract Kerberos Keys to keytab File
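One way to check the result of this step on the NFS server, as an added example that is not part of the original paper: it lists the principals in a keytab and reports loose permissions, a wrong owner, or a missing “nfs” principal. It assumes the keytab uses the MIT keytab file format, version 0x0502; the function names are hypothetical, and the sample keytab is constructed with dummy all-zero keys.

```python
import os, stat, struct

def build_keytab(principals, realm, kvno=1, enctype=18):
    """Constructed sample keytab (MIT format 0x0502) with dummy all-zero keys."""
    cs = lambda b: struct.pack(">H", len(b)) + b   # counted string
    out = b"\x05\x02"
    for name in principals:
        comps = [c.encode() for c in name.split("/")]
        e = struct.pack(">H", len(comps)) + cs(realm.encode())
        e += b"".join(cs(c) for c in comps)
        e += struct.pack(">IIBH", 1, 0, kvno, enctype) + cs(b"\x00" * 32)
        out += struct.pack(">i", len(e)) + e
    return out

def list_principals(data):
    """Return [(principal, kvno, enctype)]; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative length marks a deleted entry
            pos += -size
            continue
        end, fields = pos + size, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            fields.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, pos)
        found.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype))
        pos = end                    # skip key bytes and optional 32-bit kvno
    return found

def audit_keytab(path, expected, owner_uid=0):
    """Return findings: loose mode, wrong owner, or missing expected principals."""
    st, findings = os.stat(path), []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab is accessible to group/other")
    if st.st_uid != owner_uid:
        findings.append("keytab is not owned by uid %d" % owner_uid)
    with open(path, "rb") as f:
        have = {p for p, _, _ in list_principals(f.read())}
    return findings + ["missing principal " + p for p in expected if p not in have]
```

Run as root on the server, `audit_keytab("/etc/krb5.keytab", ["nfs/atcux12.rose.hp.com@ATC.VSSN.HP"])` returns an empty list when the file is root-owned, closed to group and other, and holds the expected principal.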