Manage Kerberos realm services with System Manager - ONTAP 9.7 and earlier

Contributors netapp-aoife

You can use ONTAP System Manager classic (available in ONTAP 9.7 and earlier) to create and manage Kerberos realm services.

Create a Kerberos realm configuration

If you want to use Kerberos authentication for client access, you must configure the storage virtual machine (SVM) to use an existing Kerberos realm. You can use System Manager to create a Kerberos realm configuration, which enables SVMs to use Kerberos security services for NFS.

Before you begin
  • The CIFS license must be installed if CIFS shares are used, and the NFS license must be installed if an LDAP server is used.

  • Active Directory (Windows 2003 or Windows 2008) with DES MD5 encryption capability must be available.

  • You must have set the time zone and synchronized the time across the cluster by configuring NTP.

    This prevents authentication errors, and ensures that the timestamps in log files are consistent across the cluster.

About this task

While creating a Kerberos realm, you must set the following attributes in the Create Kerberos Realm wizard:

  • Kerberos realm

  • KDC IP address and port number

    The default port number is 88.

  • Kerberos Key Distribution Center (KDC) vendor

  • Administrative server IP address if the KDC vendor is not Microsoft

  • Password server IP address

  • Active Directory server name and IP address if the KDC vendor is Microsoft

Steps
  1. Click Storage > SVMs.

  2. Select the SVM, and then click SVM Settings.

  3. In the Services pane, click Kerberos Realm.

  4. In the Kerberos Realm window, click Create.

  5. Type or select information as prompted by the wizard.

  6. Confirm the details, and then click Finish to complete the wizard.
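
The following pre-flight check is an added example, not part of the original NetApp procedure or of any ONTAP tool. It validates a planned set of wizard inputs against the attribute rules listed above before you enter them. The dictionary keys are hypothetical labels for the wizard fields, not ONTAP parameter names, and the sample plans are constructed.

```python
import ipaddress

DEFAULT_KDC_PORT = 88  # default port stated on this page

def validate_realm_plan(plan):
    """Return a list of problems in a planned Kerberos realm configuration.

    The dict keys are hypothetical labels for the wizard fields,
    not ONTAP parameter names.
    """
    problems = []

    def need(field):
        if not plan.get(field):
            problems.append(f"{field}: required but missing")
            return False
        return True

    def need_ip(field):
        if need(field):
            try:
                ipaddress.ip_address(plan[field])
            except ValueError:
                problems.append(f"{field}: {plan[field]!r} is not an IP address")

    need("realm")
    need_ip("kdc_ip")
    port = plan.get("kdc_port", DEFAULT_KDC_PORT)
    if type(port) is not int or not 1 <= port <= 65535:
        problems.append(f"kdc_port: {port!r} is not a valid port")
    need_ip("password_server_ip")

    if need("kdc_vendor"):
        if plan["kdc_vendor"].lower() == "microsoft":
            # Microsoft KDC: Active Directory server name and IP address
            need("ad_server_name")
            need_ip("ad_server_ip")
        else:
            # Any other vendor: administrative server IP address
            need_ip("admin_server_ip")
    return problems

# Constructed sample plans (documentation-range addresses, made-up names)
AD_PLAN = {"realm": "EXAMPLE.COM", "kdc_vendor": "Microsoft",
           "kdc_ip": "192.0.2.10", "password_server_ip": "192.0.2.10",
           "ad_server_name": "dc01", "ad_server_ip": "192.0.2.10"}
OTHER_PLAN = {"realm": "EXAMPLE.COM", "kdc_vendor": "Other",
              "kdc_ip": "192.0.2.300", "kdc_port": 88,
              "password_server_ip": "192.0.2.20"}

if __name__ == "__main__":
    for name, plan in (("AD_PLAN", AD_PLAN), ("OTHER_PLAN", OTHER_PLAN)):
        print(name, validate_realm_plan(plan) or "ok")
```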

Edit a Kerberos realm configuration

You can use System Manager to edit a Kerberos realm configuration at the storage virtual machine (SVM) level.

About this task

You can modify the following attributes by using the Kerberos Realm Edit wizard:

  • The KDC IP address and port number

  • The IP address of the administrative server if the KDC vendor is not Microsoft

  • The IP address of the password server

  • The Active Directory server name and IP address if the KDC vendor is Microsoft

Steps
  1. Click Storage > SVMs.

  2. Select the SVM, and then click SVM Settings.

  3. In the Services pane, click Kerberos Realm.

  4. In the Kerberos Realm window, select the Kerberos realm configuration that you want to modify, and then click Edit.

  5. Type or select information as prompted by the wizard.

  6. Confirm the details, and then click Finish to complete the wizard.

Delete Kerberos realm configurations

You can use System Manager to delete a Kerberos realm configuration.

Steps
  1. Click Storage > SVMs.

  2. Select the SVM, and then click SVM Settings.

  3. In the Services pane, click Kerberos Realm.

  4. In the Kerberos Realm window, select one or more Kerberos realm configurations that you want to delete, and then click Delete.

  5. Select the confirmation check box, and then click Delete.

Use Kerberos with NFS for strong security

You can use Kerberos to provide strong authentication between SVMs and NFS clients, which secures NFS communication. Configuring NFS with Kerberos increases the integrity and security of NFS client communications with the storage system.

Kerberos authentication for CIFS

With Kerberos authentication, upon connection to your CIFS server, the client negotiates the highest possible security level. However, if the client cannot use Kerberos authentication, Microsoft NTLM or NTLM V2 is used to authenticate with the CIFS server.

Kerberos Realm window

You can use the Kerberos Realm window to provide authentication between storage virtual machines (SVMs) and NFS clients to ensure secure NFS communication.

Command buttons

  • Create

    Opens the Kerberos Realm Create wizard, which enables you to configure a Kerberos realm to retrieve user information.

  • Edit

    Opens the Kerberos Realm Edit wizard, which enables you to edit a Kerberos realm configuration based on the requirement for SVM authentication and authorization.

  • Delete

    Opens the Delete Kerberos Realm(s) dialog box, which enables you to delete Kerberos realm configurations.

  • Refresh

    Updates the information in the window.

Kerberos Realm list

Provides details about the Kerberos realms, in tabular format.

  • Realm

    Specifies the name of the Kerberos realm.

  • KDC Vendor

    Specifies the name of the Kerberos Key Distribution Center (KDC) vendor.

  • KDC IP Address

    Specifies the KDC IP address used by the configuration.

Details area

The details area displays information such as the KDC IP address and port number, KDC vendor, administrative server IP address and port number, Active Directory server and server IP address of the selected Kerberos realm configuration.
