Secure NFS on HP-UX 11i v3
7
III. Add Required Kerberos Credentials to the Realm
This step involves populating the Kerberos server with the credentials required by NFS as well as any
users who will use the Secure NFS services. From a Kerberos perspective, NFS is considered a
service. It is therefore necessary to create Kerberos service principals for each NFS server. A copy of
these service principals will need to be stored in each server’s local keytab file. This extracting and
storing of keys is explained in greater detail in section V.A “Extract “nfs” Principals and Store them in
the Server’s Keytab File” on page 12.
A Kerberos credential must be added to the database for any non-root users on the NFS client systems
who will be accessing Secure NFS filesystems. If your applications require the root users on NFS
clients to access Secure NFS filesystems with root privileges, then a unique root user credential needs
to be created for every NFS client system that will be configured in a filesystem’s “root=” access list.
A. Create Credentials for NFS Services
Using the NFS server systems identified earlier (atcux12.rose.hp.com and atcux13.rose.hp.com) and
the Kerberos realm previously established (ATC.VSSN.HP) the NFS service credentials for these two
servers would look like this:
nfs/atcux12.rose.hp.com@ATC.VSSN.HP
nfs/atcux13.rose.hp.com@ATC.VSSN.HP
The kadminl(1M) command was used on the Kerberos Server to create these credentials as shown in
Figure 5. The “addrnd” option is used to add these credentials with a randomly generated password.
Figure 5 Adding NFS Service Credentials via kadminl(1M)
B. Create Credentials for Users
A credential for the non-root user “dolker” is added to the realm in Figure 6 as well as a unique root
user credential for NFS client system “atcux10.rose.hp.com.” The “root/atcux10.rose.hp.com”
credential is only needed if applications or the root user on NFS client system “atcux10.rose.hp.com”
will require root privileges on the shared Secure NFS filesystems. In that case, the NFS servers would
need to share their filesystems using the “-root=” option and include client “atcux10.rose.hp.com” in
this access list. The subject of share(1M) syntax with Secure NFS is discussed in section V.B –
“Configure Shared Filesystems with Desired Security Modes” on page 13.
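The following Python snippet is an added example, not part of the HP paper, that applies the rules of sections III.A and III.B as a consistency check: it derives the nfs/, user and root/ principals a deployment needs from the server list, the user list and a share(1M) option string, and reports any that are absent from a realm listing. The colon-separated form of the "root=" list and the sample principal listing are assumptions constructed for the example.

```python
"""Check that a realm holds every principal Secure NFS needs (added example)."""

REALM = "ATC.VSSN.HP"  # realm used throughout the paper


def parse_root_clients(share_opts):
    """Return the hosts in the root= list of a share(1M) -o option string.
    Assumes the colon-separated root=host1:host2 form."""
    for opt in share_opts.split(","):
        key, _, val = opt.partition("=")
        if key.strip() == "root":
            return {h.strip() for h in val.split(":") if h.strip()}
    return set()


def required_principals(servers, users, share_opts, realm=REALM):
    """Service principal per NFS server, one per non-root user, and a
    root/<client> principal for every client in the root= access list."""
    needed = {"nfs/%s@%s" % (s, realm) for s in servers}
    needed |= {"%s@%s" % (u, realm) for u in users}
    needed |= {"root/%s@%s" % (c, realm) for c in parse_root_clients(share_opts)}
    return needed


def missing_principals(existing, servers, users, share_opts, realm=REALM):
    """Sorted list of required principals not present in the realm listing."""
    return sorted(required_principals(servers, users, share_opts, realm) - set(existing))


# Constructed sample: realm listing taken before the root/ credential was added.
EXISTING = [
    "nfs/atcux12.rose.hp.com@ATC.VSSN.HP",
    "nfs/atcux13.rose.hp.com@ATC.VSSN.HP",
    "dolker@ATC.VSSN.HP",
]
SERVERS = ["atcux12.rose.hp.com", "atcux13.rose.hp.com"]
SHARE_OPTS = "sec=krb5p,root=atcux10.rose.hp.com"  # assumed share -o string

if __name__ == "__main__":
    for principal in missing_principals(EXISTING, SERVERS, ["dolker"], SHARE_OPTS):
        print("missing from realm:", principal)
```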