OneFS can be configured to authenticate users with Kerberos by using Active Directory Kerberos or a stand-alone MIT Kerberos. The recommendation is to authenticate all users with Kerberos if a high security level is required, but be aware of the performance impact of Kerberos. If you are using Kerberos, ensure that both the OneFS cluster and your clients use either Active Directory or the same NTP server as their time source. Kerberos is a protocol that relies on time synchronization between system components; time drift among the system components will cause authentication failures. Kerberos on OneFS writes log messages to /var/log/lsassd.log and /var/log/lwiod.log. When Kerberos is used with NFS, Kerberos writes log messages to /var/log/nfs.log.
With NFSv3 and earlier, when users are authenticated with the AUTH_SYS security flavor, the UID is included in every NFS operation and checked by the server. Therefore, someone on a different computer can access the files of user Jane (UID 1000) simply by creating a user Jane with UID 1000 on that computer. Using Kerberos authentication mitigates this situation, but it is still not completely secure, because Kerberos is only applied to the NFS packets and not to the auxiliary services such as NLM, NSM, and mountd.
NFSv4.x improved NFS security greatly by implementing a single port, ACLs, and domain names, and it contains tightly integrated support for Kerberos, among other improvements. You must have an identical NFSv4.x domain name on the OneFS cluster and the NFSv4.x clients. With an NFSv4.x domain, NFSv4.x represents users and groups in the form user@domain or group@domain in the results of a get attribute (GETATTR) operation and in the arguments of a set attribute (SETATTR) operation. Figure 9 is a capture of an NFSv4.x GETATTR operation. As Figure 9 shows, the user and group names carry the NFSv4.x domain suffix @vlab.local in the GETATTR operation.
Therefore, in an environment that requires high security for NFS, use NFSv4.x instead of NFSv3 and integrate Kerberos authentication with NFS. Note that the configuration differs between Active Directory Kerberos and MIT Kerberos. Before configuring Kerberos in your NFS environment, it is important to understand how it works. You can obtain a thorough explanation from the online documentation How Kerberos Authentication Works. For the configuration of OneFS NFS Kerberos, refer to the white paper Integrating OneFS with Kerberos Environment for Protocols. Kerberos depends on time synchronization, so whenever you use Kerberos in your environment, ensure that your cluster and clients use an NTP server to synchronize time.
OneFS supports Kerberos authentication for both NFSv3 and NFSv4.x. There are four security types supported by OneFS (UNIX, Kerberos5, Kerberos5 Integrity, Kerberos5 Privacy). You can use the sec mount option on the NFS client to enable Kerberos for a mount. Table 3 shows the security types for the sec option.
| Option | Description |
|---|---|
| sec=sys | The default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS operations. |
| sec=krb5 | Use Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users. |
| sec=krb5i | Use Kerberos V5 for user authentication and perform integrity checking of NFS operations using secure checksums to prevent data tampering. |
| sec=krb5p | Use Kerberos V5 for user authentication and integrity checking, and encrypt NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also has the most performance overhead. |
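As an added example (not part of the Dell documentation), the following POSIX shell audit reads mount entries in /proc/mounts format, extracts the sec flavor of each NFS mount, and grades it against Table 3 so that exports still relying on AUTH_SYS stand out; the mount lines and the cluster.vlab.local host name are constructed sample data.

```shell
#!/bin/sh
# Audit NFS mounts for the security flavor selected with the sec= option.
# Input is /proc/mounts format: source mountpoint fstype options dump pass

# Print the sec= flavor of one mount line; AUTH_SYS ("sys") is the
# default when no sec= option is present.
nfs_sec_flavor() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    flavor=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${flavor:-sys}"
}

# Grade a flavor per Table 3: sys is spoofable by UID/GID, krb5 only
# authenticates, krb5i adds integrity, krb5p adds encryption.
rate_flavor() {
    case "$1" in
        sys)   echo WEAK ;;
        krb5)  echo AUTH_ONLY ;;
        krb5i) echo INTEGRITY ;;
        krb5p) echo PRIVACY ;;
        *)     echo UNKNOWN ;;
    esac
}

# Emit "<mountpoint> <flavor> <rating>" for every nfs/nfs4 mount on stdin.
audit_mounts() {
    while IFS= read -r line; do
        case "$line" in
            *" nfs "*|*" nfs4 "*) ;;
            *) continue ;;            # skip non-NFS filesystems
        esac
        mp=$(printf '%s\n' "$line" | awk '{print $2}')
        fl=$(nfs_sec_flavor "$line")
        printf '%s %s %s\n' "$mp" "$fl" "$(rate_flavor "$fl")"
    done
}

# Number of NFS mounts on stdin that still use AUTH_SYS.
count_weak() { audit_mounts | awk '$3=="WEAK"' | wc -l | tr -d ' '; }

# Constructed sample: one krb5p mount, one explicit sec=sys, one with no
# sec= option (defaults to sys), and a local disk that must be ignored.
SAMPLE='cluster.vlab.local:/ifs/home /mnt/home nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=10.0.0.5 0 0
cluster.vlab.local:/ifs/data /mnt/data nfs rw,vers=3,sec=sys,proto=tcp 0 0
cluster.vlab.local:/ifs/legacy /mnt/legacy nfs rw,vers=3,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE" | audit_mounts
```

On a live client, replace the sample with `audit_mounts < /proc/mounts`.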
Client configuration is required before you can mount an NFS export using Kerberos; several key configuration items are listed below:
Kerberos provides highly secure authentication, integrity, and privacy services while introducing extra cost in computing resources, and it might affect your system performance. It is highly recommended that you take sufficient measurements before applying Kerberos settings in your NFS environment.