Dell PowerStore 1200T EMC PowerStore Configuring NFS - Page 13


Configuring Kerberos for Secure NFS

If you are configuring Kerberos for Secure NFS, be aware of the following:

● If configuring the NAS server for NFS only, you must configure the NAS server with a custom realm. If you have configured the NAS server with NFS and SMB, you can use either the AD or custom realm.
● Using LDAPS or LDAP with Kerberos is recommended for increased security.
● A DNS server must be configured at the NAS-server level. All members of the Kerberos realm, including the KDC, NFS server, and NFS clients, must be registered in the DNS server.
● The NFS client's hostname FQDN and NAS server FQDN must be registered in the DNS server. Clients and servers must be able to resolve any member of the Kerberos realm's FQDNs to an IP address.
● The FQDN part of the NFS client's SPN must be registered in the DNS server.
● A keytab file must be uploaded to your NAS server when configuring Secure NFS.
Create a custom realm for Kerberos

You can configure a custom realm to use with Kerberos. A custom Kerberos realm lets you configure any kind of KDC (MIT/Heimdal or AD). Use this method when you do not have an SMB server domain configured on the NAS server, or if you want to use a different Kerberos realm than the one configured for the SMB server.
Create custom realm for pure NFS Server

To use a Unix-based KDC, follow these steps before configuring Kerberos in PowerStore. The steps assume that you want to use myrealm in the Kerberos realm linux.dellemc.com as the hostname of the NFS server.

1. Run the kadmin.local tool.
2. Create the principals and their keys:
   kadmin.local: addprinc -randkey nfs/myrealm.linux.dellemc.com
   and/or
   kadmin.local: addprinc -randkey nfs/myrealm
3. Put the key of the principal into the keytab file myrealm.linux.dellemc.fr:
   kadmin.local: ktadd -k myrealm.linux.dellemc.com.keytab nfs/myrealm.linux.dellemc.fr
Create custom realm for multiprotocol (NFS and SMB) NAS server

To use a Windows-based KDC without using the SMB server account on the NAS server, follow these steps before configuring Kerberos in PowerStore. The steps assume that you want to use myrealm.windows.dellemc.com as the FQDN for the NFS server.

1. Create account myrealm for the NAS server in the Active Directory (AD) of the Windows domain windows.dellemc.com.
2. Register the service SPN on the computer account you created:
   C:\setspn -S nfs/myrealm.windows.dellemc.com myrealm
3. Verify that the SPN was created:
   C:\setspn myrealm
4. Generate a keytab file for the SPN:
   C:\ktpass -princ nfs/[email protected] -mapuser WINDOWS\myrealm -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL -out myrealm.windows.dellemc.com.keytab
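Whichever KDC produced it, the keytab from step 3 of the Unix procedure or step 4 of the Windows procedure is the credential the NAS server will present, so it is worth inspecting before upload. The following Python script is an added example, not Dell's or PowerStore's code: it parses the MIT keytab file format (version 0x0502, which both ktadd and ktpass write) and checks that the expected nfs/ SPN is present in the expected realm and that no entry uses a deprecated encryption type. The build_keytab helper, the filler key bytes, and the upper-cased realm LINUX.DELLEMC.COM are constructed for the example; a real keytab would be read with open(path, "rb").read().

```python
"""Inspect a Kerberos keytab before uploading it to the NAS server.

Parses the MIT keytab format (version 0x0502) and checks that the file carries
the nfs/<FQDN>@REALM service principal and no deprecated encryption types.
"""
import struct

# IANA Kerberos encryption type numbers (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4 are deprecated
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


def build_keytab(entries, timestamp=0):
    """Serialise (principal, realm, kvno, enctype, key) tuples as keytab bytes.

    Used here only to construct sample input; real keytabs come from ktadd/ktpass.
    """
    out = bytearray(b"\x05\x02")                      # file format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body    # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Yield one dict per live entry: principal, realm, kvno, enctype, enctype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative length marks a deleted slot
            pos += -size
            continue
        e, p = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack_from(">HH", e, p)
        p += 4
        realm = e[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", e, p)
            p += 2
            comps.append(e[p:p + clen].decode())
            p += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", e, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", e, p)
        p += 4 + klen                 # skip the key material itself
        kvno = vno8
        if p + 4 <= size:             # 32-bit kvno present: overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", e, p)
            kvno = kvno32 or vno8
        yield {"principal": "/".join(comps), "realm": realm, "kvno": kvno,
               "enctype": enctype,
               "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)}
        pos += size


def check_keytab(data, expected_principal, expected_realm):
    """Return (ok, findings): ok only if the expected SPN is present in the
    expected realm and no entry uses a deprecated encryption type."""
    findings = []
    entries = list(parse_keytab(data))
    if not any(e["principal"] == expected_principal and e["realm"] == expected_realm
               for e in entries):
        findings.append("missing principal %s@%s" % (expected_principal, expected_realm))
    for e in entries:
        if e["realm"] != e["realm"].upper():   # realm names are conventionally upper-case
            findings.append("realm %r is not upper-case" % e["realm"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s@%s"
                            % (e["enctype_name"], e["principal"], e["realm"]))
    return (not findings, findings)


# Constructed sample: the NFS SPN from the Unix procedure, key version 2, with
# two AES keys plus one RC4 key. Key bytes are filler, not real key material.
NFS_SPN = "nfs/myrealm.linux.dellemc.com"
REALM = "LINUX.DELLEMC.COM"   # constructed upper-case form of linux.dellemc.com
SAMPLE_KEYTAB = build_keytab([
    (NFS_SPN, REALM, 2, 18, bytes(range(32))),
    (NFS_SPN, REALM, 2, 17, bytes(range(16))),
    (NFS_SPN, REALM, 2, 23, bytes(range(16, 32))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print("%(kvno)d %(principal)s@%(realm)s (%(enctype_name)s)" % entry)
    ok, findings = check_keytab(SAMPLE_KEYTAB, NFS_SPN, REALM)
    print("OK" if ok else "\n".join(findings))
```

Run against the sample, the checker reports the arcfour-hmac entry; a keytab produced with ktpass -crypto ALL as in step 4 can likewise carry RC4 (and DES) keys alongside AES, so the same check is a quick way to see what the Windows KDC actually wrote before the file is uploaded. The kvno reported per entry should match what the KDC holds for the principal, since a stale key version is the usual cause of a keytab that parses fine but fails authentication.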
Create NAS servers
13