
Secure client access with Kerberos

Contributors: netapp-aherbin, netapp-thomi, netapp-barbe, netapp-forry

Enable Kerberos to secure storage access for NAS clients.

This procedure configures Kerberos on an existing storage VM enabled for NFS or SMB. It is assumed that you have already configured DNS, NTP, and LDAP on the storage system.

Workflow for securing client access with Kerberos

Steps
  1. At the ONTAP command line, set UNIX permissions for the storage VM root volume.

    1. Display the relevant permissions on the storage VM root volume: volume show -volume root_vol_name -fields user,group,unix-permissions

      The root volume of the storage VM must have the following configuration:

      Name               Setting
      UID                root or ID 0
      GID                root or ID 0
      UNIX permissions   755

    2. If these values are not shown, use the volume modify command to update them.

  2. Set user permissions for the storage VM root volume.

    1. Display the local UNIX users: vserver services name-service unix-user show -vserver vserver_name

      The storage VM should have the following UNIX users configured:

      User name   User ID   Primary group ID
      nfs         500       0
      root        0         0

      Note: The NFS user is not required if a Kerberos-UNIX name mapping exists for the SPN of the NFS client user; see step 5.

    2. If these values are not shown, use the vserver services name-service unix-user modify command to update them.

  3. Set group permissions for the storage VM root volume.

    1. Display the local UNIX groups: vserver services name-service unix-group show -vserver vserver_name

      The storage VM should have the following UNIX groups configured:

      Group name   Group ID
      daemon       1
      root         0

    2. If these values are not shown, use the vserver services name-service unix-group modify command to update them.

  4. Switch to System Manager and configure Kerberos: click Storage > Storage VMs, select the storage VM, click Settings, click the arrow under Kerberos, click Add under Kerberos Realm, and complete the following sections:

    1. Add Kerberos Realm: enter configuration details depending on KDC vendor.

    2. Add Network Interface to Realm: click Add and select a network interface.

  5. If desired, add mappings from Kerberos principal names to local user names.

    1. Click Storage > Storage VMs, select the storage VM, click Settings, and then click the arrow under Name Mapping.

    2. Under Kerberos to UNIX, add patterns and replacements using regular expressions.
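As an added preflight check for steps 1 through 3 (example code written for this page, not part of the original procedure or of ONTAP), the script below parses the output of the three show commands and reports every value that differs from the required configuration, so the Kerberos realm is only added once the root volume, UNIX users and UNIX groups are in the expected state. It assumes the show commands are run with -fields so each output has a single-line header, that the column names are vserver/volume/user/group/unix-permissions, vserver/user/id/group-id and vserver/name/id, and that ONTAP displays unix-permissions symbolically (---rwxr-xr-x); the sample output is constructed.

```python
# Required values from steps 1-3 of the procedure ("root or ID 0" accepts either form).
REQUIRED_ROOT_VOL = {"user": {"root", "0"}, "group": {"root", "0"}, "unix-permissions": {"755"}}
REQUIRED_USERS = {"nfs": ("500", "0"), "root": ("0", "0")}  # name -> (id, group-id)
REQUIRED_GROUPS = {"daemon": "1", "root": "0"}              # name -> id

def parse_show_output(text):
    """Parse '-fields' style show output (header line, dashed rule, rows) into dicts."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    # Skip the dashed rule and any trailing "N entries were displayed." line.
    return [dict(zip(header, ln.split())) for ln in lines[1:]
            if set(ln) - {"-", " "} and not ln.strip().endswith("displayed.")]

def to_octal(perm):
    """Normalise '755' or the assumed symbolic display form '---rwxr-xr-x' to three octal digits."""
    if perm.isdigit():
        return perm[-3:]
    triples = [perm[-9:][i:i + 3] for i in range(0, 9, 3)]
    return "".join(str(sum(v for c, v in zip(t, (4, 2, 1)) if c != "-")) for t in triples)

def check_kerberos_prereqs(vol_out, user_out, group_out, root_vol):
    """Return a list of findings; an empty list means steps 1-3 are satisfied."""
    findings = []
    vol = {r["volume"]: r for r in parse_show_output(vol_out)}.get(root_vol, {})
    for field, allowed in REQUIRED_ROOT_VOL.items():
        got = vol.get(field, "absent")
        if field == "unix-permissions" and got != "absent":
            got = to_octal(got)
        if got not in allowed:
            findings.append(f"{root_vol}: {field} is {got}, want {'/'.join(sorted(allowed))}")
    users = {r["user"]: (r["id"], r["group-id"]) for r in parse_show_output(user_out)}
    groups = {r["name"]: r["id"] for r in parse_show_output(group_out)}
    for kind, have, want in (("unix-user", users, REQUIRED_USERS), ("unix-group", groups, REQUIRED_GROUPS)):
        for name, exp in want.items():
            if have.get(name) != exp:
                findings.append(f"{kind} {name}: have {have.get(name)}, want {exp}")
    return findings

# Constructed sample output; column names assume the '-fields' form of each show command.
VOL_OUT = """vserver volume    user group unix-permissions
------- --------- ---- ----- ----------------
svm1    svm1_root 0    0     ---rwxr-xr-x"""
USER_OUT = """vserver user id  group-id
------- ---- --- --------
svm1    nfs  500 0
svm1    root 0   0
2 entries were displayed."""
GROUP_OUT = """vserver name id
------- ---- --
svm1    root 0"""
```

With the constructed sample, check_kerberos_prereqs reports only the missing daemon group; each finding names the command family (unix-user, unix-group) whose modify command from steps 2 and 3 corrects it.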