Skip to main content

Secure client access with Kerberos

Contributors netapp-thomi netapp-barbe netapp-ahibbard netapp-forry
PDFs

Enable Kerberos to secure storage access for NAS clients.

This procedure configures Kerberos on an existing storage VM enabled for NFS or SMB.

Before beginning you should have configured DNS, NTP, and LDAP on the storage system.

Workflow summary: 1 Set UNIX permissions 2 Set user permissions 3 Set group permissions 4 Configure Kerberos 5 Add name mappings

Steps

  1. At the ONTAP command line, set UNIX permissions for the storage VM root volume.

    1. Display the relevant permissions on the storage VM root volume: volume show -volume root_vol_name-fields user,group,unix-permissions

      The root volume of the storage VM must have the following configuration:

      Name…​ Setting…​

      UID

      root or ID 0

      GID

      root or ID 0

      UNIX permissions

      755

    2. If these values are not shown, use the volume modify command to update them.

  2. Set user permissions for the storage VM root volume.

    1. Display the local UNIX users: vserver services name-service unix-user show -vserver vserver_name

      The storage VM should have the following UNIX users configured:

      User name User ID Primary group ID

      nfs

      500

      0

      root

      0

      0

      Note: The NFS user is not required if a Kerberos-UNIX name mapping exists for the SPN of the NFS client user; see step 5.

    2. If these values are not shown, use the vserver services name-service unix-user modify command to update them.

  3. Set group permissions for the storage VM root volume.

    1. Display the local UNIX groups: vserver services name-service unix-group show -vserver vserver_name

      The storage VM should have the following UNIX groups configured:

      Group name Group ID

      daemon

      1

      root

      0

    2. If these values are not shown, use the vserver services name-service unix-group modify command to update them.

  4. Switch to System Manager to configure Kerberos

  5. In System Manager, click Storage > Storage VMs and select the storage VM.

  6. Click Settings.

  7. Click Arrow icon under Kerberos.

  8. Click Add under Kerberos Realm, and complete the following sections:

    • Add Kerberos Realm

      Enter configuration details depending on KDC vendor.

    • Add Network Interface to Realm

      Click Add and select a network interface.

  9. If desired, add mappings from Kerberos principal names to local user names.

    1. Click Storage > Storage VMs and select the storage VM.

    2. Click Settings, and then click Arrow icon under Name Mapping.

    3. Under Kerberos to UNIX, add patterns and replacements using regular expressions.