Requirements for configuring Kerberos with NFS
Before you configure Kerberos with NFS on your system, you must verify that certain items in your network and storage environment are properly configured.
The steps to configure your environment depend on which version and type of client operating system, domain controller, Kerberos, DNS, and other components you are using. Documenting all of these variables is beyond the scope of this document. For more information, see the respective documentation for each component.
For a detailed example of how to set up ONTAP and Kerberos 5 with NFSv3 and NFSv4 in an environment using Windows Server 2008 R2 Active Directory and Linux hosts, see technical report 4073.
The following items should be configured first:
Network environment requirements
You must have a working Kerberos setup with a key distribution center (KDC), such as Windows Active Directory based Kerberos or MIT Kerberos.
NFS servers must use “nfs” as the primary component of their machine principal.
You must use a secure directory service in your environment, such as Active Directory or OpenLDAP, that is configured to use LDAP over SSL/TLS.
You must have a working time server running NTP. This is necessary to prevent Kerberos authentication failure due to time skew.
Domain name resolution (DNS)
Each UNIX client and each SVM LIF must have a proper service record (SRV) registered with the KDC under forward and reverse lookup zones. All participants must be properly resolvable via DNS.
Each client must have a user account in the Kerberos realm.
NFS client requirements
Each client must be properly configured to communicate over the network using NFSv3 or NFSv4.
Clients must support RFC1964 and RFC2203.
Each client must be properly configured to use Kerberos authentication, including the following details:
Encryption for TGS communication is enabled; use AES-256 for strongest security.
The most secure encryption type for TGT communication is enabled.
The Kerberos realm and domain are configured correctly.
GSS is enabled.
When using machine credentials:
    Do not run kinit as the root user.
Each client must use the most recent and updated operating system version.
This provides the best compatibility and reliability for AES encryption with Kerberos.
Each client must be properly configured to use DNS for correct name resolution.
Each client must be synchronizing with the NTP server.
Host and domain information
The local host and /etc/resolv.conf files must contain the correct host name and DNS information, respectively.
Each client must have a keytab file from the KDC. The realm must be in uppercase letters. The encryption type must be AES-256 for strongest security.
Optional: For best performance, clients benefit from having at least two network interfaces: one for communicating with the local area network and one for communicating with the storage network.
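As an added example that is not part of the NetApp page or of ONTAP, the following bash script encodes the client-side requirements above so they can be checked before a Linux client is pointed at a Kerberos-secured export: the keytab must contain only AES-256 entries, the realm must be uppercase, and principals whose primary component is not “nfs” are flagged for review. The klist output, host names, realm and timestamps are constructed for the example; with --live the script reads the client's own keytab through klist -kte (MIT Kerberos), and the parser assumes that tool's line layout.

```bash
#!/usr/bin/env bash
# Added example, not from the NetApp page: pre-flight checks for a Linux NFS
# client before it is pointed at a Kerberos-secured ONTAP export. The checks
# encode the client requirements above: realm in uppercase, keytab entries
# that use AES-256 only, and machine principals with "nfs" as primary component.
set -u

# Constructed sample of MIT `klist -kte` output; host names, realm, KVNO and
# timestamps are invented. It deliberately contains two non-AES-256 entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 09:12:03 nfs/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2024 09:12:03 nfs/client1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/15/2024 09:12:03 host/client1.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample that satisfies every check.
SAMPLE_GOOD='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 09:12:03 nfs/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# realm_is_uppercase REALM: succeeds only if REALM contains no lowercase letters.
realm_is_uppercase() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# realm_of PRINCIPAL: the part after the last '@'.
realm_of() {
    printf '%s\n' "${1##*@}"
}

# principal_primary_is_nfs PRINCIPAL: the primary component (before '/') is "nfs".
principal_primary_is_nfs() {
    case "$1" in
        nfs/*) return 0 ;;
        *)     return 1 ;;
    esac
}

# weak_keytab_entries KLIST_OUTPUT: print "principal (enctype)" for every keytab
# entry whose encryption type is not AES-256. Entry lines start with a numeric
# KVNO; the enctype is the last field and the principal the one before it.
weak_keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF !~ /aes256/ { print $(NF-1), $NF }'
}

# keytab_is_aes256_only KLIST_OUTPUT: succeeds if no weak entry exists.
keytab_is_aes256_only() {
    [ -z "$(weak_keytab_entries "$1")" ]
}

# check_client KLIST_OUTPUT: run all checks and report; returns 1 on any failure.
check_client() {
    rc=0
    weak="$(weak_keytab_entries "$1")"
    if [ -n "$weak" ]; then
        printf 'FAIL: keytab entries not using AES-256:\n%s\n' "$weak"
        rc=1
    fi
    for princ in $(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $(NF-1) }' | sort -u); do
        if ! realm_is_uppercase "$(realm_of "$princ")"; then
            printf 'FAIL: realm is not uppercase in %s\n' "$princ"
            rc=1
        fi
        if ! principal_primary_is_nfs "$princ"; then
            printf 'NOTE: %s is not an nfs/ principal; review whether it belongs in this keytab\n' "$princ"
        fi
    done
    [ "$rc" -eq 0 ] && printf 'OK: keytab satisfies the AES-256 and uppercase-realm requirements\n'
    return "$rc"
}

# --live reads the client's own keytab; the default runs against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_client "$(klist -kte "${2:-/etc/krb5.keytab}")" || :
else
    check_client "$SAMPLE_KLIST" || :
fi
```

Run against the constructed sample the script reports the aes128 and arcfour entries as failures and notes the host/ principal; against a real client run it as root with --live, since /etc/krb5.keytab is normally readable only by root.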
Storage system requirements
The storage system must have a valid NFS license installed.
The CIFS license is optional. It is only required for checking Windows credentials when using multiprotocol name mapping. It is not required in a strict UNIX-only environment.
You must have at least one SVM configured on the system.
DNS on the SVM
You must have configured DNS on each SVM.
You must have configured NFS on the SVM.
For strongest security, you must configure the NFS server to allow only AES-256 encryption for Kerberos.
If you are running a multiprotocol environment, you must have configured CIFS on the SVM. The CIFS server is required for multiprotocol name mapping.
You must have a root volume and at least one data volume configured for use by the SVM.
The root volume of the SVM must have the following configuration:
    UID: root or ID 0
    GID: root or ID 0
In contrast to the root volume, data volumes can have either security style.
The SVM must have the following UNIX groups configured:
    Group name    Group ID
    pcuser        65534 (created automatically by ONTAP when you create the SVM)
The SVM must have the following UNIX users configured:
    User name    Comment
    nfs          Required for the GSS INIT phase. The first component of the NFS client user SPN is used as the user.
    pcuser       Required for NFS and CIFS multiprotocol use. Created and added to the pcuser group automatically by ONTAP when you create the SVM.
    root         Required for mounting.
The nfs user is not required if a Kerberos-UNIX name mapping exists for the SPN of the NFS client user.
Export policies and rules
You must have configured export policies with the necessary export rules for the root and data volumes and qtrees. If all volumes of the SVM are accessed over Kerberos, you can set the export rule options, including -superuser, for the root volume to
Kerberos-UNIX name mapping
If you want the user identified by the NFS client user SPN to have root permissions, you must create a name mapping to root.
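As an added example that is not part of the NetApp page, the following bash script drives the storage-side settings described under the storage system requirements from an administration host over SSH: the Kerberos realm and the SPN bound to a data LIF, the AES-256-only setting on the NFS server, the nfs user, verification of the automatically created pcuser group and the root user, root-volume ownership, a Kerberos-UNIX name mapping to root, and a Kerberos-only export rule for the root volume. The ONTAP clustershell command and option names are an assumption taken from the ONTAP command reference and should be checked against your release; the cluster address, SVM, LIF, realm, KDC address, volume name, client SPN and the nfs UID are placeholders. In the default dry-run mode the commands are printed rather than executed.

```bash
#!/usr/bin/env bash
# Added example, not from the NetApp page: scripts the SVM-side settings that
# the storage system requirements describe. The ONTAP clustershell option names
# are an assumption taken from the ONTAP command reference; host, SVM, LIF,
# realm, addresses, volume name and the nfs UID are placeholders.
# With DRY_RUN=1 (the default) the commands are printed, not run.
set -u

ONTAP_HOST="${ONTAP_HOST:-admin@cluster.example.com}"   # cluster management LIF (placeholder)
SVM="${SVM:-vs1}"                                       # placeholder SVM name
LIF="${LIF:-vs1_nfs_lif1}"                              # placeholder data LIF
LIF_FQDN="${LIF_FQDN:-vs1-nfs.example.com}"             # must resolve forward and reverse in DNS
REALM="${REALM:-EXAMPLE.COM}"                           # Kerberos realm, uppercase
KDC_IP="${KDC_IP:-192.0.2.10}"                          # placeholder AD domain controller / KDC
NFS_UID="${NFS_UID:-500}"                               # example UID for the nfs user
DRY_RUN="${DRY_RUN:-1}"

# ontap CMD...: run one clustershell command over SSH, or print it in dry-run mode.
ontap() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        ssh "$ONTAP_HOST" "$*"
    fi
}

# validate_spn SPN: NFS service principals must be nfs/<fqdn>@<UPPERCASE-REALM>.
validate_spn() {
    case "$1" in
        nfs/*@*[[:lower:]]*) return 1 ;;   # realm contains lowercase letters
        nfs/*@*)             return 0 ;;
        *)                   return 1 ;;   # primary component is not "nfs"
    esac
}

# configure_svm: emit (or apply) the storage-side configuration in order.
configure_svm() {
    spn="nfs/${LIF_FQDN}@${REALM}"
    validate_spn "$spn" || { printf 'invalid SPN: %s\n' "$spn" >&2; return 1; }

    # Realm definition and the SPN bound to the data LIF (the enable step
    # prompts for AD credentials unless a keytab is supplied).
    ontap vserver nfs kerberos realm create -vserver "$SVM" -realm "$REALM" \
        -kdc-vendor Microsoft -kdc-ip "$KDC_IP" -adserver-name dc1.example.com -adserver-ip "$KDC_IP"
    ontap vserver nfs kerberos interface enable -vserver "$SVM" -lif "$LIF" -spn "$spn"

    # Strongest security per the page: the NFS server accepts only AES-256 for Kerberos.
    ontap vserver nfs modify -vserver "$SVM" -permitted-enc-types aes-256

    # UNIX identities: pcuser (65534) is created with the SVM, so it is only
    # verified; nfs is created for the GSS INIT phase; root is verified.
    ontap vserver services name-service unix-group show -vserver "$SVM" -name pcuser
    ontap vserver services name-service unix-user create -vserver "$SVM" -user nfs -id "$NFS_UID" -primary-gid 0
    ontap vserver services name-service unix-user show -vserver "$SVM" -user root

    # Root volume ownership: root or ID 0 for both owner and group (volume name is a placeholder).
    ontap volume modify -vserver "$SVM" -volume "${SVM}_root" -user root -group root

    # Grant root only to the client whose SPN needs it, via a Kerberos-UNIX mapping.
    ontap vserver name-mapping create -vserver "$SVM" -direction krb-unix -position 1 \
        -pattern "nfs/client1.example.com@${REALM}" -replacement root

    # Kerberos-only export rule for the root volume: krb5p for read, write and superuser.
    ontap vserver export-policy rule create -vserver "$SVM" -policyname default -ruleindex 1 \
        -protocol nfs -clientmatch 192.0.2.0/24 -rorule krb5p -rwrule krb5p -superuser krb5p
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
configure_svm
```

Review the printed command list before running with --apply; the name mapping is deliberately scoped to a single client SPN, since mapping a broad pattern to root would give every matching client superuser access to the SVM's volumes.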