Considerations for Kerberized NFS with MIT Kerberos
When configuring NFS on OneFS with MIT Kerberos, consider the following items:
- Time must be synchronized across the NFS clients, the OneFS cluster nodes, and the Kerberos server. It is recommended to use an NTP server in a Kerberos environment.
- Kerberos relies on being able to resolve host names. It therefore requires DNS for host-name resolution.
- Use consistent UID/GID information for users from NFS clients and OneFS. It is recommended to use a central identity store, such as an LDAP server for this purpose.
- Add the MIT Kerberos authentication provider to an access zone.
- Configure SmartConnect for the access zone in advance. SPNs for the SmartConnect zone names must be created.
- Enable OneFS NFS exports with the Kerberos security type.
- Clients should use a SmartConnect zone name and a Kerberos user to access the NFS export.
- NFS SPNs for both OneFS and the client must exist.
Configurations for Kerberized NFS with MIT Kerberos
The following configurations illustrate key steps to use NFS Kerberos authentication.
- Create the realm using the following command:
# isi auth krb5 realm create --realm=EXAMPLE.COM --kdc=kdc.example.com --admin-server=kdc.example.com
- Create domains for the realm. This step configures the domain-to-realm mapping described in the section Kerberos and OneFS. It is recommended to add both of the following domain-realm mappings for a domain. The first specifies that any system in the example.com domain belongs to the EXAMPLE.COM realm. The second specifies that a system whose exact name is example.com is also in the realm. (The distinction between a domain and a specific host is marked by the presence or absence of a leading "."). Note that the realm name is case sensitive and must always be used with the same case.
# isi auth krb5 domain create --realm=EXAMPLE.COM --domain=.example.com
# isi auth krb5 domain create --realm=EXAMPLE.COM --domain=example.com
- Create the MIT Kerberos provider as a user who has permission to create SPNs in the Kerberos realm, for example, root/admin. This command adds the SPNs for the OneFS cluster to the Kerberos server.
# isi auth krb5 create --realm=EXAMPLE.COM --user=kadmin/admin --groupnet=groupnet
- Add the LDAP provider to OneFS. Kerberos user principals are suffixed with the realm name, for example, user01@EXAMPLE.COM. To make OneFS recognize the LDAP user from a principal carrying the realm name, specify the --provider-domain option with the Kerberos realm name. If this option is configured incorrectly, OneFS maps all incoming Kerberized NFS requests to the special nobody user, resulting in permission issues.
# isi auth ldap create --name=ldap01 --server-uris=ldap://ldap_fqdn --base-dn=dc=example,dc=com --bind-dn=cn=admin,dc=example,dc=com --groupnet=groupnet0 --provider-domain=EXAMPLE.COM --authentication=false
- Add the LDAP and MIT Kerberos authentication providers to the access zone. NFS file permissions are tightly bound to users' UID and GID information; an inconsistent mapping between user name and UID/GID causes unexpected file access failures. Thus, when integrating a OneFS cluster into an MIT Kerberos environment, it is recommended to prepare an MIT Kerberos server with an LDAP backend and add both the LDAP server and the MIT Kerberos server as OneFS authentication providers. In this way, administrators maintain a single identity and authentication source that provides consistent user information (UID/GID) to both the NFS clients and the OneFS cluster.
# isi zone zones modify --name=zone01 --add-auth-providers=lsa-ldapprovider:ldap01,lsa-krb5-provider:EXAMPLE.COM
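The two lookups described in the domain-mapping and LDAP-provider steps above (mapping a client's host name to a realm by the leading-"." rule, then matching the principal's realm against an LDAP provider's --provider-domain) are modelled in the following POSIX shell script. This is an added, stand-alone illustration and not OneFS code; the mapping tables, provider names and host names are constructed sample data, and the "nobody" fallback mirrors the behaviour the text describes for a mismatched provider domain.

```shell
#!/bin/sh
# Added example (not OneFS code): models how a Kerberized NFS request is resolved.

# Constructed domain-to-realm mappings, mirroring the two
# "isi auth krb5 domain create" commands. Format: <domain>=<REALM>.
DOMAIN_REALM_MAP=".example.com=EXAMPLE.COM example.com=EXAMPLE.COM"

# Constructed LDAP providers with their --provider-domain values.
LDAP_PROVIDERS="ldap01=EXAMPLE.COM ldap02=LAB.EXAMPLE.COM"

# host_to_realm HOST -> prints the realm for HOST, or nothing if unmapped.
# A mapping with a leading "." matches any host *beneath* that domain; one
# without a leading "." matches only that exact name. The longest matching
# entry wins, as in a krb5.conf [domain_realm] section.
host_to_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    best_realm=""
    best_len=0
    for entry in $DOMAIN_REALM_MAP; do
        dom=${entry%%=*}
        realm=${entry#*=}
        matched=0
        case $dom in
            .*) case $host in *"$dom") matched=1 ;; esac ;;   # suffix match
            *)  [ "$host" = "$dom" ] && matched=1 ;;          # exact match
        esac
        if [ "$matched" -eq 1 ] && [ "${#dom}" -gt "$best_len" ]; then
            best_realm=$realm
            best_len=${#dom}
        fi
    done
    printf '%s\n' "$best_realm"
}

# principal_to_provider PRINCIPAL -> prints the LDAP provider whose
# --provider-domain equals the principal's realm, or "nobody" when none does.
# Realms are compared case-sensitively, so user01@example.com does NOT match
# a provider configured with EXAMPLE.COM: that is the misconfiguration the
# text warns about.
principal_to_provider() {
    principal=$1
    case $principal in
        *@*) ;;
        *) printf 'nobody\n'; return 0 ;;      # no realm at all
    esac
    realm=${principal#*@}
    for entry in $LDAP_PROVIDERS; do
        name=${entry%%=*}
        dom=${entry#*=}
        if [ "$dom" = "$realm" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    printf 'nobody\n'
}

# resolve_request HOST PRINCIPAL -> one summary line for the request.
resolve_request() {
    r=$(host_to_realm "$1")
    p=$(principal_to_provider "$2")
    printf 'host=%s realm=%s principal=%s provider=%s\n' "$1" "${r:-<unmapped>}" "$2" "$p"
}

# Demo on constructed inputs.
resolve_request nfs01.example.com user01@EXAMPLE.COM
resolve_request example.com user01@EXAMPLE.COM
resolve_request nfs01.example.com user01@example.com     # wrong case -> nobody
resolve_request client.other.org user01@EXAMPLE.COM      # host unmapped
```

The third demo line is the case to watch for in practice: the principal is valid, the KDC accepts it, yet the request lands on nobody purely because the provider domain was entered in a different case from the realm.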
- Configure SmartConnect on the OneFS cluster and DNS server.
- Check whether the SmartConnect zone name SPNs exist on the MIT Kerberos server using the following isi CLI commands, and add any missing SPNs with the fix command. This is the same procedure as for AD Kerberos.
# isi auth krb5 spn check --provider-name=EXAMPLE.COM
# isi auth krb5 spn fix --provider-name=EXAMPLE.COM --user=root/admin
- For NFSv4, enable the NFSv4 service and configure the NFSv4 domain name in the specific access zone.
# isi nfs settings global modify --nfsv4-enabled=true
# isi nfs settings global view
NFSv3 Enabled: Yes
NFSv4 Enabled: Yes
NFS Service Enabled: Yes
# isi nfs settings zone modify --zone=mitZone --nfsv4-domain=example.com
# isi nfs settings zone view --zone=mitZone
NFSv4 Domain: example.com
NFSv4 Replace Domain: Yes
NFSv4 No Domain: No
NFSv4 No Domain UIDs: Yes
NFSv4 No Names: No
NFSv4 Allow Numeric Ids: Yes
- Create an NFS export with the Kerberos security types enabled on the OneFS cluster. The following command enables all supported security types. See Table 1 for details about the security types.
# isi nfs exports create --paths=/ifs/nfs --zone=mitZone --securityflavors=unix,krb5,krb5i,krb5p
- Kerberize the NFS client by integrating with LDAP and MIT Kerberos, and mount the NFS export with Kerberos authentication using the sec option as shown in Table 1. See the section Kerberize CentOS 7 with MIT Kerberos for a CentOS 7 sample configuration.
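The following POSIX shell script is an added illustration of the export-side and mount-side halves of the last two steps; it is not OneFS or client code. It takes the --securityflavors list from the export command above and a client mount-option string, reads the sec= option (defaulting to sys, which is what an NFS client uses when sec= is omitted), checks that the export actually offers that flavor, and flags AUTH_SYS mounts that would send no Kerberos credentials at all. The ranking of the flavors and the rejection policy are this example's own assumptions; the equivalence of the client's sec=sys with the OneFS "unix" flavor is assumed here as well.

```shell
#!/bin/sh
# Added example (not OneFS or client code): validates a client's sec= choice
# against the security flavors enabled on an export.

# Constructed: the flavor list from the "isi nfs exports create" command above.
EXPORT_FLAVORS="unix,krb5,krb5i,krb5p"

# flavor_rank FLAVOR -> prints 0..3; higher means stronger protection on the wire.
flavor_rank() {
    case $1 in
        krb5p)    printf '3\n' ;;   # authentication + integrity + privacy (encryption)
        krb5i)    printf '2\n' ;;   # authentication + integrity checksums
        krb5)     printf '1\n' ;;   # authentication of the RPC header only
        unix|sys) printf '0\n' ;;   # AUTH_SYS: client-asserted UID/GID, no Kerberos
        *)        printf -- '-1\n' ;;
    esac
}

# export_allows FLAVORS WANTED -> exit 0 if WANTED is in the comma-separated list.
export_allows() {
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# strongest_flavor FLAVORS -> prints the strongest flavor in the list.
strongest_flavor() {
    best=""
    best_rank=-1
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        r=$(flavor_rank "$f")
        if [ "$r" -gt "$best_rank" ]; then
            best=$f
            best_rank=$r
        fi
    done
    printf '%s\n' "$best"
}

# mount_sec_option MOUNT_OPTS -> prints the sec= value from a mount option
# string such as "vers=4,sec=krb5p,hard"; prints "sys" when sec= is absent,
# since that is the flavor an NFS client falls back to.
mount_sec_option() {
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        case $o in
            sec=*) printf '%s\n' "${o#sec=}"; return 0 ;;
        esac
    done
    printf 'sys\n'
}

# check_mount FLAVORS MOUNT_OPTS -> "ok <flavor>" or "reject <reason>".
# Policy (this example's assumption): anything below krb5 is rejected because
# it carries no Kerberos credentials, even if the export permits it.
check_mount() {
    want=$(mount_sec_option "$2")
    [ "$want" = "sys" ] && want=unix        # assumed: client sec=sys == OneFS "unix"
    if ! export_allows "$1" "$want"; then
        printf 'reject %s not enabled on export\n' "$want"
        return 0
    fi
    if [ "$(flavor_rank "$want")" -lt 1 ]; then
        printf 'reject %s sends no Kerberos credentials\n' "$want"
        return 0
    fi
    printf 'ok %s\n' "$want"
}

# Demo on constructed mount-option strings.
check_mount "$EXPORT_FLAVORS" "vers=4,sec=krb5p,hard"
check_mount "$EXPORT_FLAVORS" "vers=4,hard"              # sec= omitted -> AUTH_SYS
check_mount "krb5,krb5i" "sec=krb5p"                     # not offered by export
printf 'strongest offered: %s\n' "$(strongest_flavor "$EXPORT_FLAVORS")"
```

The second demo line is the one to remember when auditing client fstab entries: an export that lists unix alongside the krb5 flavors will happily serve a mount that never specified sec=, and that mount is not Kerberized at all.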