Dell PowerStore 500T EMC PowerStore Configuring NFS Exports - Page 5

Overview, NFS support, About secure NFS, Security options, Configuring secure NFS



Overview
This chapter includes the following information.
Topics:
• NFS support
• About secure NFS
• Planning considerations

NFS support
PowerStore T model supports NFSv3 and NFSv4. It also supports secure NFS with Kerberos, for strong authentication. While
PowerStore T model supports most of the NFSv4 and v4.1 functionality described in the relevant RFCs, directory delegation and
pNFS are not supported. NFS support is enabled on a NAS server during or after creation, enabling you to create NFS-enabled
file systems on that NAS server.

About secure NFS
You can configure secure NFS when you create or modify a NAS server that supports UNIX shares. Secure NFS provides
Kerberos-based user authentication, which can provide network data integrity and network data privacy.
Kerberos is a distributed authentication service designed to provide strong authentication with secret-key cryptography. It
works on the basis of "tickets" that allow nodes communicating over a non-secure network to prove their identity in a secure
manner. When configured to act as a secure NFS server, the NAS server uses the RPCSEC_GSS security framework and
Kerberos authentication protocol to verify users and services.

Security options
Secure NFS supports the following security options:
● krb5: Kerberos authentication
● krb5i: Kerberos authentication and data integrity by adding a signature to each NFS packet transmitted over the network
● krb5p: Kerberos authentication, data integrity, and data privacy by encrypting the data before sending it over the network
Data encryption requires more resources for system processing and can lead to slower performance.
In a secure NFS environment, user access to NFS file systems is granted based on Kerberos principal names. However, access
control to shares within a file system is based on the UNIX UID and GID, or on ACLs.
NOTE: Secure NFS supports NFS credentials with more than 16 groups, which is equivalent to the extended UNIX
credentials option.
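
A client-side check for the security options above, as an added example that is not from the Dell documentation: it reads a Linux mount table in /proc/mounts format and reports whether each NFS mount uses krb5, krb5i or krb5p. The function names, host names and paths are constructed for illustration, and a line with no sec= option is reported as sys.

```shell
#!/bin/sh
# Added example: classify NFS mounts by the security flavor in their options.
# Input on stdin: lines in /proc/mounts format
#   (device mountpoint fstype options dump pass).
nfs_sec_audit() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "sys"    # assumption: a line without sec= is reported as sys
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^sec=/) flavor = substr(opt[i], 5)
        if      (flavor == "krb5p") level = "auth+integrity+privacy"
        else if (flavor == "krb5i") level = "auth+integrity"
        else if (flavor == "krb5")  level = "auth-only"
        else                        level = "no-kerberos"
        print $2, flavor, level
    }'
}

# Count NFS mounts weaker than a required flavor (sys < krb5 < krb5i < krb5p).
nfs_sec_below() {
    required=$1
    nfs_sec_audit | awk -v req="$required" '
    BEGIN { rank["sys"]=0; rank["krb5"]=1; rank["krb5i"]=2; rank["krb5p"]=3 }
    { if (rank[$2] + 0 < rank[req]) weak++ }    # unknown flavors rank as 0
    END { print weak + 0 }'
}

# Constructed sample mount table (host names and paths are made up).
SAMPLE_MOUNTS='nas01.example.com:/fs_home /mnt/home nfs4 rw,vers=4.1,sec=krb5p,proto=tcp 0 0
nas01.example.com:/fs_build /mnt/build nfs4 rw,vers=4.1,sec=krb5i,proto=tcp 0 0
nas01.example.com:/fs_scratch /mnt/scratch nfs rw,vers=3,sec=sys,proto=tcp 0 0
nas01.example.com:/fs_logs /mnt/logs nfs4 rw,vers=4.0,sec=krb5 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_sec_audit
```

On a real client, feed the functions from /proc/mounts instead of the sample, for example `nfs_sec_below krb5p < /proc/mounts`.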

Configuring secure NFS
If you are implementing Secure NFS, configure the following:
● At least one NTP server must be configured on the PowerStore appliance to synchronize the date and time. It is recommended that you set up a minimum of two NTP servers per domain to avoid a single point of failure.
● A UNIX Directory Service (UDS)
● One or more DNS servers
● Either an AD or custom realm must be added for Kerberos authentication
● A keytab file must be uploaded to your NAS server when using a custom realm in a Kerberos configuration