Secure client access with Kerberos
Enable Kerberos to secure storage access for NAS clients.
Before you begin, DNS, NTP, and LDAP must be configured on the storage system. Kerberos ticket validation depends on clock agreement between the KDC, the storage VM, and the clients, so NTP is not optional.
-
At the ONTAP command line, set UNIX ownership and permissions on the storage VM root volume.
-
Display the ownership and permissions of the storage VM root volume:
volume show -volume root_vol_name -fields user,group,unix-permissions
The root volume of the storage VM must have the following configuration:
Name              Setting
UID               root or ID 0
GID               root or ID 0
UNIX permissions  755
-
If these values are not shown, use the volume modify command to update them.
-
-
Verify that the required local UNIX users exist on the storage VM.
-
Display the local UNIX users:
vserver services name-service unix-user show -vserver vserver_name
The storage VM should have the following UNIX users configured:
User name  User ID  Primary group ID
nfs        500      0
root       0        0
Note: The nfs user is not required if a Kerberos-to-UNIX name mapping exists for the service principal name (SPN) of the NFS client; see step 5.
-
If these values are not shown, use the vserver services name-service unix-user modify command to update them.
-
-
Verify that the required local UNIX groups exist on the storage VM.
-
Display the local UNIX groups:
vserver services name-service unix-group show -vserver vserver_name
The storage VM should have the following UNIX groups configured:
Group name  Group ID
daemon      1
root        0
-
If these values are not shown, use the vserver services name-service unix-group modify command to update them.
-
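Steps 1 to 3 are three "show" commands whose output must be read against the tables above. The following added example (not part of the original page or of ONTAP) parses the tables that the ONTAP CLI prints when those commands are run with -fields and checks every requirement at once, including the point that the CLI displays unix-permissions in symbolic form (---rwxr-xr-x) even though volume modify takes the octal 755. The sample output is constructed, and the field names (user, group, unix-permissions; user, id, primary-gid; name, id), SVM name vs1 and volume name vs1_root are assumptions.

```python
import re

# Constructed sample output for the three "show" commands in steps 1 to 3,
# as they would look when run with -fields (header row, dash row, data
# rows). None of this is captured from a real system; the field names
# (user, group, unix-permissions; user, id, primary-gid; name, id) and the
# SVM/volume names are assumptions for this example.
VOLUME_OUT = """\
vserver volume   user group unix-permissions
------- -------- ---- ----- ----------------
vs1     vs1_root 0    0     ---rwxr-xr-x
"""

UNIX_USER_OUT = """\
vserver user id  primary-gid
------- ---- --- -----------
vs1     nfs  500 0
vs1     root 0   0
"""

UNIX_GROUP_OUT = """\
vserver name   id
------- ------ --
vs1     daemon 1
vs1     root   0
"""

# What the page requires.
EXPECTED_USERS = {"nfs": ("500", "0"), "root": ("0", "0")}
EXPECTED_GROUPS = {"daemon": "1", "root": "0"}


def parse_fields_table(text):
    """Turn a -fields table into a list of dicts. Column boundaries come from
    the dash row, so a value containing spaces is still read correctly."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, dashes, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", dashes)]
    names = [header[s:e].strip() for s, e in spans]
    records = []
    for row in rows:
        rec = {}
        for i, (s, e) in enumerate(spans):
            end = len(row) if i == len(spans) - 1 else e  # last column runs to end of line
            rec[names[i]] = row[s:end].strip()
        records.append(rec)
    return records


def perm_to_mode(perm):
    """Accept the octal form used with 'volume modify -unix-permissions 755'
    as well as the symbolic form the CLI displays ('---rwxr-xr-x')."""
    if perm.isdigit():
        return int(perm, 8)
    mode = 0
    for ch in perm[-9:]:          # owner/group/other rwx triplets
        mode = (mode << 1) | (ch != "-")
    return mode


def check_root_volume(records):
    problems = []
    for r in records:
        if r["user"] not in ("0", "root"):
            problems.append(f"{r['volume']}: owner {r['user']}, expected root (0)")
        if r["group"] not in ("0", "root"):
            problems.append(f"{r['volume']}: group {r['group']}, expected root (0)")
        if perm_to_mode(r["unix-permissions"]) != 0o755:
            problems.append(f"{r['volume']}: permissions {r['unix-permissions']}, expected 755")
    return problems


def check_unix_users(records, require_nfs=True):
    """require_nfs=False models the note in step 2: a krb-unix name mapping
    for the client SPN makes the local nfs user unnecessary."""
    have = {r["user"]: (r["id"], r["primary-gid"]) for r in records}
    problems = []
    for name, want in EXPECTED_USERS.items():
        if name == "nfs" and not require_nfs:
            continue
        if name not in have:
            problems.append(f"UNIX user {name} missing")
        elif have[name] != want:
            problems.append(f"UNIX user {name}: id/gid {have[name]}, expected {want}")
    return problems


def check_unix_groups(records):
    have = {r["name"]: r["id"] for r in records}
    return [f"UNIX group {name} missing or not GID {gid}"
            for name, gid in EXPECTED_GROUPS.items() if have.get(name) != gid]


def run_checks(volume_out, user_out, group_out, require_nfs=True):
    return (check_root_volume(parse_fields_table(volume_out))
            + check_unix_users(parse_fields_table(user_out), require_nfs)
            + check_unix_groups(parse_fields_table(group_out)))


if __name__ == "__main__":
    for line in run_checks(VOLUME_OUT, UNIX_USER_OUT, UNIX_GROUP_OUT) or ["all Kerberos prerequisites present"]:
        print(line)
```

To use it against a real system, paste the output of the three commands (run with the -fields lists shown in the constants) into the three strings, or feed them in from a script that collects the output over SSH. An empty result means all three steps are satisfied; otherwise each line names the volume modify or unix-user/unix-group modify change still to make.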
-
Switch to System Manager to configure Kerberos.
-
In System Manager, click Storage > Storage VMs and select the storage VM.
-
Click Settings.
-
Click the edit icon under Kerberos.
-
Click Add under Kerberos Realm, and complete the following sections:
-
Add Kerberos Realm
Enter the configuration details required by your KDC vendor.
-
Add Network Interface to Realm
Click Add and select a network interface.
-
-
If desired, add mappings from Kerberos principal names to local UNIX user names.
-
Click Storage > Storage VMs and select the storage VM.
-
Click Settings, and then click the edit icon under Name Mapping.
-
Under Kerberos to UNIX, add patterns and replacements using regular expressions. Rules are evaluated in position order and the first match wins, so place rules for service principals (such as nfs/host@REALM) before any general rule for user principals.
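The Kerberos-to-UNIX rules in step 5 (and the note in step 2 about replacing the local nfs user with such a rule) are regular expressions that are easy to get wrong in ways that only show up as failed mounts. The following added example (not part of the original page or of ONTAP) simulates ONTAP's rule evaluation in Python so a rule set can be tested before it is entered: it applies rules in position order, requires the whole principal to match, and shows the ordering hazard where a generic catch-all rule turns a client SPN into an unusable UNIX name. The realm EXAMPLE.COM, host and user names, the fullmatch assumption and the CLI quoting in to_cli are assumptions; ONTAP itself uses POSIX extended regular expressions, so patterns should stay within the subset that both dialects share.

```python
import re

# Constructed krb-unix name-mapping rules in the (position, pattern,
# replacement) form that "vserver name-mapping create -direction krb-unix"
# takes. Realm EXAMPLE.COM, the host names and the user names are assumptions.
KRB_UNIX_RULES = [
    # Position 1 must catch client service principals before any generic
    # rule: a catch-all at position 1 would turn
    # "nfs/host01.example.com@EXAMPLE.COM" into the UNIX name
    # "nfs/host01.example.com", which matches no account.
    (1, r"nfs/[^/@]+\.example\.com@EXAMPLE\.COM", "nfs"),
    # Position 2: user principals in our realm map to the same-named UNIX
    # user. The character class is deliberately narrow so that nothing with
    # a slash, dot or upper case slips through to become a UNIX name.
    (2, r"([a-z][a-z0-9_-]*)@EXAMPLE\.COM", r"\1"),
]


def krb_to_unix(principal, rules):
    """Apply rules in position order and return (position, unix_name) for
    the first one whose pattern matches the whole principal, or None.
    Assumption: the whole principal must match (re.fullmatch); ONTAP uses
    POSIX extended regular expressions, so keep patterns to the common
    subset (character classes, groups, quantifiers, escaped dots)."""
    for position, pattern, replacement in sorted(rules):
        m = re.fullmatch(pattern, principal)
        if m:
            return position, m.expand(replacement)
    return None


def mapped_user(principal, rules=KRB_UNIX_RULES):
    """Just the UNIX name, or None when no rule matches (the case in which
    the local nfs user from step 2 is still needed for client SPNs)."""
    hit = krb_to_unix(principal, rules)
    return None if hit is None else hit[1]


def to_cli(vserver, rules):
    """Render the rules as ONTAP commands. Patterns are double-quoted so the
    backslashes reach ONTAP intact; the quoting convention is an assumption,
    so review the output before pasting it."""
    return [f'vserver name-mapping create -vserver {vserver} -direction krb-unix '
            f'-position {pos} -pattern "{pat}" -replacement "{rep}"'
            for pos, pat, rep in sorted(rules)]


if __name__ == "__main__":
    for p in ["nfs/host01.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice@OTHER.COM", "host/host01.example.com@EXAMPLE.COM"]:
        print(f"{p:45} -> {mapped_user(p)}")
    # Demonstrate the ordering hazard: one generic rule alone maps the SPN
    # to an unusable name instead of to a local account.
    generic_only = [(1, r"(.+)@EXAMPLE\.COM", r"\1")]
    print(mapped_user("nfs/host01.example.com@EXAMPLE.COM", generic_only))
    print("\n".join(to_cli("vs1", KRB_UNIX_RULES)))
```

Run it with the principals your clients actually present (klist on a client shows them) and confirm every SPN maps to a deliberately chosen low-privilege account and every user principal maps to exactly the intended UNIX user; a principal from a foreign realm should map to nothing at all.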