Before you configure Kerberos with NFS on the storage system, you must verify that certain items in your network and storage environment are properly configured.
For a detailed example of how to set up clustered Data ONTAP and Kerberos 5 with NFSv3 and NFSv4 in an environment using Windows Server 2008 R2 Active Directory and Linux hosts, see technical report 4073.
The following items should be configured first:
You must have a working Kerberos setup with a key distribution center (KDC), such as Windows Active Directory based Kerberos or MIT Kerberos.
NFS servers must use "nfs" as the primary component of their machine principal.
The domain controller must have DES encryption enabled if you are running Windows Active Directory.
You must have a working time server running NTP. This is necessary to prevent Kerberos authentication failure due to time skew.
Each UNIX client and each Vserver data LIF must have matching forward (A) and reverse (PTR) DNS records, and every participant (clients, LIFs, and the KDC) must be properly resolvable via DNS. Kerberos clients canonicalize the server's host name through DNS before building the service principal, so a forward record that does not agree with its reverse record produces a principal for which the KDC holds no key, and authentication fails.
Each client must have a user account in the Kerberos realm.
Each client must be properly configured to communicate over the network using NFSv3 or NFSv4.
Clients must support RFC 1964 (the Kerberos V5 GSS-API mechanism) and RFC 2203 (RPCSEC_GSS, the RPC security flavor that carries GSS tokens over NFS). For more information, see the Interoperability Matrix at support.netapp.com/NOW/products/interoperability.
Each client must be properly configured to use Kerberos authentication, including the following details:
The Kerberos encryption type must be DES for Windows Active Directory based Kerberos or MIT Kerberos, or DES3 for MIT Kerberos only.
Each client must be properly configured to use DNS for correct name resolution.
Each client must be synchronizing with the NTP server.
Each client's /etc/hosts and /etc/resolv.conf files must contain the correct host name and DNS information, respectively.
Each client must have a keytab file from the KDC. The realm must be in uppercase letters. The encryption type must be DES-CBC-MD5 (for Windows Active Directory based Kerberos or MIT Kerberos) or DES3-CBC-SHA1 (for MIT Kerberos only). For Windows Active Directory, you must explicitly allow weak cryptography to use DES, because DES is disabled by default. DES is a broken cipher; this requirement is a limitation of this Data ONTAP release, so enable DES only for the principals that need it rather than realm-wide.
You must have IPv4 network connectivity configured. Kerberos is not supported over IPv6.
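The client-side items above (an nfs/fqdn@REALM machine principal, an uppercase realm, a DES or DES3 keytab entry, consistent forward and reverse DNS records, and clock synchronization) are the conditions that most commonly fail silently until the first mount. The following pre-flight checker is an added example and is not part of the NetApp documentation or of Data ONTAP; it validates a `klist -ke`-style keytab listing and a set of DNS records against those rules. The keytab listing, the DNS records, the host names and the 192.0.2.x addresses are constructed sample data (assumptions, not from a real deployment), so it runs offline; the 5-minute clock-skew limit is the common MIT/Windows default and is likewise an assumption.

```python
"""Pre-flight checks for the client-side Kerberos/NFS prerequisites.

Added example, not NetApp documentation or Data ONTAP code. All inputs
below are constructed sample data so the checks run offline; feed
check_keytab() the real output of `klist -ke /etc/krb5.keytab` and
check_dns() real A/PTR lookups to use it on a client.
"""
import re
from datetime import datetime, timedelta

# Encryption types this Data ONTAP release accepts for the keytab entry.
ALLOWED_ENCTYPES = {"des-cbc-md5", "des3-cbc-sha1"}
# Tickets are rejected beyond this skew (assumed MIT/Windows default of 5 min).
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Constructed `klist -ke` listing: one good entry, one with a lowercase
# realm (rejected by the rules above), one host/ entry the NFS GSS
# exchange does not use.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client1.example.com@EXAMPLE.COM (des-cbc-md5)
   2 nfs/client1.example.com@example.com (des-cbc-md5)
   2 host/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed A and PTR data; the LIF's PTR deliberately disagrees with its A record.
SAMPLE_FORWARD = {"client1.example.com": "192.0.2.10", "vs1-lif1.example.com": "192.0.2.20"}
SAMPLE_REVERSE = {"192.0.2.10": "client1.example.com", "192.0.2.20": "vs1.example.com"}

# "   2 primary/instance@REALM (enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)/(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, primary, instance, realm, enctype) for each keytab entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, primary, instance, realm, enctype = m.groups()
            entries.append((int(kvno), primary, instance, realm, enctype))
    return entries


def check_keytab(text, expected_fqdn):
    """Return the problems found in a keytab listing (empty list means usable).

    Accepts an entry only if its primary is "nfs", its realm is uppercase,
    its instance is the host's FQDN and its enctype is DES or DES3.
    """
    problems = []
    usable = 0
    for _kvno, primary, instance, realm, enctype in parse_keytab_listing(text):
        if primary != "nfs":
            continue  # host/ and other SPNs are not used for the NFS GSS INIT phase
        spn = f"{primary}/{instance}@{realm}"
        if realm != realm.upper():
            problems.append(f"{spn}: realm must be uppercase")
        elif instance.lower() != expected_fqdn.lower():
            problems.append(f"{spn}: instance does not match FQDN {expected_fqdn}")
        elif enctype not in ALLOWED_ENCTYPES:
            problems.append(f"{spn}: enctype {enctype} not supported; need DES or DES3")
        else:
            usable += 1
    if usable == 0:
        problems.append(f"no usable nfs/{expected_fqdn}@REALM entry in keytab")
    return problems


def check_dns(fqdn, forward, reverse):
    """Check that the A record for fqdn and the PTR record for its address agree.

    forward maps name -> address, reverse maps address -> name. A mismatch
    makes the client derive a service principal the KDC has no key for.
    """
    problems = []
    ip = forward.get(fqdn.lower())
    if ip is None:
        problems.append(f"{fqdn}: no forward (A) record")
        return problems
    back = reverse.get(ip)
    if back is None:
        problems.append(f"{ip}: no reverse (PTR) record")
    elif back.lower() != fqdn.lower():
        problems.append(f"{ip}: PTR returns {back}, expected {fqdn}")
    return problems


def check_clock_skew(client_time, kdc_time):
    """True if the two clocks are within the skew Kerberos tolerates."""
    return abs(client_time - kdc_time) <= MAX_CLOCK_SKEW


if __name__ == "__main__":
    for p in check_keytab(SAMPLE_KLIST, "client1.example.com"):
        print("keytab:", p)
    for host in SAMPLE_FORWARD:
        for p in check_dns(host, SAMPLE_FORWARD, SAMPLE_REVERSE):
            print("dns:", p)
    now = datetime(2013, 1, 1, 12, 0, 0)
    print("clock ok:", check_clock_skew(now, now + timedelta(minutes=4)))
```

Run against the sample data, the checker reports the lowercase-realm keytab entry and the LIF whose PTR record names a different host, while the good client entry and the good client DNS pair pass. On a real host, replace the constructed strings with the output of `klist -ke` and the results of forward and reverse lookups for each client and each data LIF.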
The storage system must have a valid NFS license installed. For more information about managing feature licenses, see the Clustered Data ONTAP System Administration Guide for Cluster Administrators.
The CIFS license is optional. It is only required for checking Windows credentials when using multiprotocol name mapping. It is not required in a strict UNIX-only environment. For more information about managing feature licenses, see the Clustered Data ONTAP System Administration Guide for Cluster Administrators.
You must have at least one Vserver configured on the storage system. For more information about configuring Vservers, see the Data ONTAP Software Setup Guide for Cluster-Mode.
You must have configured DNS on each Vserver. For more information about configuring DNS on Vservers, see the Data ONTAP Software Setup Guide for Cluster-Mode.
You must have configured NFS on the Vserver.
If you are running a multiprotocol environment, you must have configured CIFS on the Vserver. The CIFS server is required for multiprotocol name mapping.
You must have a root volume and at least one data volume configured for use by the Vserver. For more information about configuring volumes, see the Clustered Data ONTAP Logical Storage Management Guide.
The root volume of the Vserver must have the following configuration:
| Setting | Value |
| Security style | UNIX |
| UID | root or ID 0 |
| GID | root or ID 0 |
In contrast to the root volume, data volumes can have either security style.
The Vserver must have the following UNIX groups configured:
| Group name | Group ID |
| pcuser | 65534 (created automatically by Data ONTAP when you create a Vserver) |
The Vserver must have the following UNIX users configured:
| User name | User ID | Primary group ID | Comment |
| nfs | 500 | 0 | Required for the GSS INIT phase. The first component of the server SPN is used as the user. |
| pcuser | 65534 | 65534 | Required for NFS and CIFS multiprotocol use. Created and added to the pcuser group automatically by Data ONTAP when you create a Vserver. |
| root | 0 | 0 | Required for mounting. |
The nfs user is not required if a Kerberos-UNIX name mapping exists for the SPN that is bound to the data LIF.
You must have configured export policies with the necessary export rules for the root and data volumes. If all volumes of the Vserver are accessed over Kerberos, you can restrict the export rule for the root volume to Kerberos clients only by setting -anon to 0 and -rorule, -rwrule, and -superuser to krb5. Clients traverse the root volume to reach the junctioned data volumes, so the rule must still grant them at least read access.
The Vserver must have the Kerberos principal nfs/fqdn@REALM, where fqdn is the fully qualified DNS name of the data LIF, mapped to the UNIX user root.