Release notes
Enable Kerberos on a data LIF
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
You can use the vserver nfs kerberos interface enable command to enable Kerberos on a data LIF. This enables the SVM to use Kerberos security services for NFS.
If you are using an Active Directory KDC, the first 15 characters of any SPNs used must be unique across SVMs within a realm or domain.
-
Create the NFS Kerberos configuration:
vserver nfs kerberos interface enable -vserver vserver_name -lif logical_interface -spn service_principal_nameONTAP requires the secret key for the SPN from the KDC to enable the Kerberos interface.
For Microsoft KDCs, the KDC is contacted and a user name and password prompt are issued at the CLI to obtain the secret key. If you need to create the SPN in a different OU of the Kerberos realm, you can specify the optional
-ouparameter.For non-Microsoft KDCs, the secret key can be obtained using one of two methods:
If you… You must also include the following parameter with the command… Have the KDC administrator credentials to retrieve the key directly from the KDC
-admin-usernamekdc_admin_usernameDo not have the KDC administrator credentials but have a keytab file from the KDC containing the key
-keytab-uri{ftp|http}://uri -
Verify that Kerberos was enabled on the LIF:
vserver nfs kerberos-config show -
Repeat steps 1 and 2 to enable Kerberos on multiple LIFs.
The following command creates and verifies an NFS Kerberos configuration for the SVM named vs1 on the logical interface ves03-d1, with the SPN nfs/ves03-d1.lab.example.com@TEST.LAB.EXAMPLE.COM in the OU lab2ou:
vs1::> vserver nfs kerberos interface enable -lif ves03-d1 -vserver vs2
-spn nfs/ves03-d1.lab.example.com@TEST.LAB.EXAMPLE.COM -ou "ou=lab2ou"
vs1::>vserver nfs kerberos-config show
Logical
Vserver Interface Address Kerberos SPN
------- --------- ------- --------- -------------------------------
vs0 ves01-a1
10.10.10.30 disabled -
vs2 ves01-d1
10.10.10.40 enabled nfs/ves03-d1.lab.example.com@TEST.LAB.EXAMPLE.COM
2 entries were displayed.