Overview of using Kerberos with NFS for strong security

Contributors

If Kerberos is used in your environment for strong authentication, you need to work with your Kerberos administrator to determine requirements and appropriate storage system configurations, and then enable the SVM as a Kerberos client.

Your environment should meet the following guidelines:

  • Your site deployment should follow best practices for Kerberos server and client configuration before you configure Kerberos for ONTAP.

  • If possible, use NFSv4 or later if Kerberos authentication is required.

    NFSv3 can be used with Kerberos. However, the full security benefits of Kerberos are only realized in ONTAP deployments of NFSv4 or later.

  • To promote redundant server access, Kerberos should be enabled on several data LIFs on multiple nodes in the cluster using the same SPN.

  • When Kerberos is enabled on the SVM, one of the following security methods must be specified in export rules for volumes or qtrees depending on your NFS client configuration.

    • krb5 (Kerberos v5 protocol)

    • krb5i (Kerberos v5 protocol with integrity checking using checksums)

    • krb5p (Kerberos v5 protocol with privacy service)

In addition to the Kerberos server and clients, the following external services must be configured for ONTAP to support Kerberos:

  • Directory service

    You should use a secure directory service in your environment, such as Active Directory or OpenLDAP, that is configured to use LDAP over SSL/TLS. Do not use NIS, whose requests are sent in clear text and are hence not secure.

  • NTP

    You must have a working time server running NTP. This is necessary to prevent Kerberos authentication failure due to time skew.

  • Domain name resolution (DNS)

    Each UNIX client and each SVM LIF must have a proper service record (SRV) registered with the KDC under forward and reverse lookup zones. All participants must be properly resolvable via DNS.