Skip to main content

Secure client access with Kerberos using ONTAP System Manager

Contributors netapp-aherbin netapp-barbe netapp-thomi netapp-aaron-holt netapp-ahibbard netapp-forry
PDFs

Enable Kerberos to secure storage access for NAS clients.

This procedure configures Kerberos on an existing storage VM enabled for NFS or SMB.

Before beginning you should have configured DNS, NTP, and LDAP on the storage system.

Workflow summary: 1 Set UNIX permissions 2 Set user permissions 3 Set group permissions 4 Configure Kerberos 5 Add name mappings

Steps

  1. At the ONTAP command line, set UNIX permissions for the storage VM root volume.

    1. Display the relevant permissions on the storage VM root volume: volume show -volume root_vol_name-fields user,group,unix-permissions. Learn more about volume show in the ONTAP command reference.

      The root volume of the storage VM must have the following configuration:

      Name…​ Setting…​

      UID

      root or ID 0

      GID

      root or ID 0

      UNIX permissions

      755

    2. If these values are not shown, use the volume modify command to update them. Learn more about volume modify in the ONTAP command reference.

  2. Set user permissions for the storage VM root volume.

    1. Display the local UNIX users: vserver services name-service unix-user show -vserver vserver_name. Learn more about vserver services name-service unix-user show in the ONTAP command reference.

      The storage VM should have the following UNIX users configured:

      User name User ID Primary group ID

      nfs

      500

      0

      root

      0

      0

      Note: The NFS user is not required if a Kerberos-UNIX name mapping exists for the SPN of the NFS client user; see step 5.

    2. If these values are not shown, use the vserver services name-service unix-user modify command to update them. Learn more about vserver services name-service unix-user modify in the ONTAP command reference.

  3. Set group permissions for the storage VM root volume.

    1. Display the local UNIX groups: vserver services name-service unix-group show -vserver vserver_name. Learn more about vserver services name-service unix-group show in the ONTAP command reference.

      The storage VM should have the following UNIX groups configured:

      Group name Group ID

      daemon

      1

      root

      0

    2. If these values are not shown, use the vserver services name-service unix-group modify command to update them. Learn more about vserver services name-service unix-group modify in the ONTAP command reference.

  4. Switch to System Manager to configure Kerberos

  5. In System Manager, click Storage > Storage VMs and select the storage VM.

  6. Click Settings.

  7. Click Arrow icon under Kerberos.

  8. Click Add under Kerberos Realm, and complete the following sections:

    • Add Kerberos Realm

      Enter configuration details depending on KDC vendor.

    • Add Network Interface to Realm

      Click Add and select a network interface.

  9. If desired, add mappings from Kerberos principal names to local user names.

    1. Click Storage > Storage VMs and select the storage VM.

    2. Click Settings, and then click Arrow icon under Name Mapping.

    3. Under Kerberos to UNIX, add patterns and replacements using regular expressions.