Appendix B: Sample configuration for Kerberizing CentOS 7
In this sample configuration, we use the System Security Services Daemon (SSSD) to connect a CentOS client to external identity and authentication providers, including an LDAP directory, Active Directory (AD), or a Kerberos realm. The SSSD service accesses remote identity and authentication providers through a common framework that provides a local cache and offline authentication support to the system. This is a recommended solution with the following advantages:
When it comes to introducing a Linux system to an AD environment, the most convenient deployment method is to use the realmd service. The realmd service provides a standard method to configure authentication and domain membership. It automatically discovers available domain information and joins a domain without complicated manual configuration.
An NFS mount uses rpc.gssd for the Kerberos authentication process; rpc.gssd uses the keys found in the keytab (/etc/krb5.keytab) to obtain machine credentials. Older versions of rpc.gssd used only the nfs/<hostname>@<REALM> SPN keys found in the keytab. Newer versions of rpc.gssd can also use the host/<hostname>@<REALM> SPN keys. Therefore, it is recommended to add both the host SPN and the nfs SPN when configuring Kerberos authentication for NFS. (For details, see the rpc.gssd man page.) When the user accesses resources on the mount, their TGT is used to get a TGS for the NFS service, which is used for access checks. Note that the NFS mount itself does not use the user's TGT or TGS. The client machine's credentials are used for the mount.
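A check for the recommendation above, as an added example that is not part of the Dell document: it reads `klist -k` output and lists whichever of the host and nfs SPNs the keytab lacks. The hostname, realm and sample keytab listings are constructed, and matching on the exact FQDN and realm is an assumption.

```shell
#!/bin/sh
# Added example: verify that a keytab listing contains both SPNs that
# rpc.gssd may use for machine credentials (host/ and nfs/).
# On a client: klist -k /etc/krb5.keytab | missing_spns "$(hostname -f)" EXAMPLE.COM

# Reads plain `klist -k` (or `klist -ke`) output on stdin.
# Prints each missing SPN; returns 0 if both are present, 1 otherwise.
missing_spns() {
    fqdn=$1
    realm=$2
    awk -v fqdn="$fqdn" -v realm="$realm" '
        # Data rows look like "   2 host/name@REALM"; the header rows are
        # skipped because their first field is not a numeric KVNO.
        $1 ~ /^[0-9]+$/ { seen[$2] = 1 }
        END {
            n = split("host nfs", svc, " ")
            missing = 0
            for (i = 1; i <= n; i++) {
                spn = svc[i] "/" fqdn "@" realm
                if (!(spn in seen)) { print spn; missing = 1 }
            }
            exit missing
        }'
}

# Constructed sample: keytab holding both SPNs.
sample_keytab_full() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/centos7.example.com@EXAMPLE.COM
   2 nfs/centos7.example.com@EXAMPLE.COM
EOF
}

# Constructed sample: keytab holding only the nfs SPN.
sample_keytab_nfs_only() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/centos7.example.com@EXAMPLE.COM
EOF
}

# Demo on the constructed nfs-only listing.
sample_keytab_nfs_only | missing_spns centos7.example.com EXAMPLE.COM \
    || echo "keytab is missing the SPN(s) listed above"
```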