Sun Microsystems, Inc.

8. Configuring SEAM (Tasks)

How to Create a Credential Table

The gsscred credential table is used by an NFS server to map SEAM principals to a UID. In order for NFS clients to mount file systems from an NFS server with Kerberos authentication, this table must be created or made available.

  1. Edit /etc/gss/gsscred.conf and change the mechanism.

    Change the mechanism to files.

  2. Create the credential table by using gsscred.

    # gsscred -m kerberos_v5 -a

    The gsscred command gathers information from all sources that are listed with the passwd entry in the /etc/nsswitch.conf file. You might need to temporarily remove the files entry, if you do not want the local password entries included in the credential table. See the gsscred(1M) man page for more information.

How to Add a Single Entry to the Credential Table

This procedure requires that the gsscred table has already been created on the NFS server.

  1. Become superuser on an NFS server.

  2. Add an entry to the table by using gsscred.

    # gsscred -m mech [ -n name [ -u uid ]] -a

    mech

    Defines the security mechanism to be used.

    name

    Defines the principal name for the user, as defined in the KDC.

    uid

    Defines the UID for the user, as defined in the password database.

    -a

    Adds the UID to principal name mapping.

Example--Adding a Single Entry to the Credential Table

In the following example, an entry is added for the user named sandy, which is mapped to UID 3736. The UID is pulled from the password file if it is not included on the command line.

# gsscred -m kerberos_v5 -n sandy -u 3736 -a

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

  1. Become superuser on the NFS server.

  2. Verify that there is an NFS service principal in the keytab file.

    The klist command reports if there is a keytab file and displays the principals. If the results show that there is no keytab file or that there is no NFS service principal, you need to verify the completion of all of the steps in "How to Configure SEAM NFS Servers".

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------------------------------------------------------
       3 nfs/denver.example.com@EXAMPLE.COM
  3. Enable Kerberos security modes in the /etc/nfssec.conf file.

    Edit the /etc/nfssec.conf file and remove the "#" from in front of the Kerberos security modes.

    # cat /etc/nfssec.conf
     .
     .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
    krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
    krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
  4. Edit the /etc/dfs/dfstab file and add the sec= option with the required security modes to the appropriate entries.

    share -F nfs -o sec=mode file-system

    mode

    Specifies the security modes to be used when sharing. When using multiple security modes, the first mode in the list is used as the default by the automounter.

    file-system

    Defines the path to the file system to be shared.

    All clients that attempt to access files from the named file system require Kerberos authentication. To access files, both the user principal and the root principal on the NFS client should be authenticated.

  5. Make sure that the NFS service is running on the server.

    If this command is the first share command or set of share commands that you have initiated, it is likely that the NFS daemons are not running. The following commands kill the daemons and restart them.

    # /etc/init.d/nfs.server stop
    # /etc/init.d/nfs.server start
  6. (Optional)

    If the automounter is being used, edit the auto_master database to select a security mode other than the default.

    You need not follow this procedure if you are not using the automounter to access the file system or if the default selection for the security mode is acceptable.

    file-system  auto_home  -nosuid,sec=mode
  7. (Optional)

    Manually issue the mount command to access the file system by using a non-default mode.

    Alternatively, you could use the mount command to specify the security mode, but this alternative does not take advantage of the automounter:

    # mount -F nfs -o sec=mode file-system

Example--Sharing a File System With One Kerberos Security Mode

In this example, the dfstab file line means that Kerberos authentication must succeed before any files can be accessed through the NFS service.

# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5 /export/home

Example--Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes have been selected. If no security mode is specified when a mount request is made, the first mode that is listed is used on all NFS V3 clients (in this case, krb5). See the nfssec.conf(4) man page for more information.

# grep krb /etc/dfs/dfstab
share -F nfs -o sec=krb5:krb5i:krb5p /export/home
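The three server-side artifacts produced by the procedure above (the keytab listing from step 2, the /etc/nfssec.conf modes from step 3 and the dfstab share line from step 4) have to agree with each other: a client that selects a sec= mode the server has left commented out cannot mount the share, and the first mode in the list is the one the automounter will pick. The following POSIX shell script is an added example, not part of the Sun documentation, that checks those relationships offline. The klist output, nfssec.conf text and dfstab line it inspects are constructed inline (with krb5p deliberately left commented out), so it runs on any host; on a real server you would feed it the actual files.

```shell
#!/bin/sh
# Added example, not from the Sun documentation: offline consistency checks
# for the artifacts the server procedure above produces (keytab listing from
# step 2, /etc/nfssec.conf from step 3, the dfstab share line from step 4).
# All three inputs are constructed here so the script runs on any host.

# Constructed `klist -k` output in the layout shown in step 2.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/denver.example.com@EXAMPLE.COM'

# Constructed /etc/nfssec.conf; krb5p deliberately left commented out so
# the dfstab check below has a mismatch to report.
NFSSEC_SAMPLE='#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
#krb5p          390005  kerberos_v5     default privacy         # RPCSEC_GSS'

# Constructed /etc/dfs/dfstab entry, as in the multiple-modes example.
DFSTAB_LINE='share -F nfs -o sec=krb5:krb5i:krb5p /export/home'

# has_nfs_principal FQDN REALM: succeed if the keytab listing shows nfs/FQDN@REALM.
has_nfs_principal() {
    printf '%s\n' "$KLIST_SAMPLE" | grep -q "[[:space:]]nfs/$1@$2\$"
}

# sec_modes SHARE_LINE: print the sec= modes of a share line, one per line,
# in the order given (comma-separated -o options, colon-separated modes).
sec_modes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "-o") {
            n = split($(i + 1), opts, ",")
            for (j = 1; j <= n; j++) if (opts[j] ~ /^sec=/) {
                m = split(substr(opts[j], 5), modes, ":")
                for (k = 1; k <= m; k++) print modes[k]
            }
        }
    }'
}

# default_mode SHARE_LINE: the first listed mode is what the automounter uses.
default_mode() {
    sec_modes "$1" | sed -n 1p
}

# mode_enabled MODE: succeed if MODE appears uncommented in nfssec.conf.
mode_enabled() {
    printf '%s\n' "$NFSSEC_SAMPLE" | grep -q "^$1[[:space:]]"
}

# disabled_modes SHARE_LINE: print modes the share asks for that nfssec.conf
# does not enable; a client picking such a mode cannot mount the share.
disabled_modes() {
    for m in $(sec_modes "$1"); do
        mode_enabled "$m" || printf '%s\n' "$m"
    done
}

# check_server FQDN REALM SHARE_LINE: 0 only when the keytab has the NFS
# service principal and every requested mode is enabled.
check_server() {
    status=0
    has_nfs_principal "$1" "$2" || { echo "missing nfs/$1@$2 in keytab"; status=1; }
    bad=$(disabled_modes "$3")
    [ -z "$bad" ] || { echo "requested but commented out in nfssec.conf: $bad"; status=1; }
    echo "automounter default mode: $(default_mode "$3")"
    return $status
}

check_server denver.example.com EXAMPLE.COM "$DFSTAB_LINE" || echo "preflight failed"
```

With the constructed inputs the script reports that krb5p is requested in dfstab but commented out in nfssec.conf and that krb5 is the automounter default. Replacing the three sample variables with `klist -k`, `cat /etc/nfssec.conf` and `grep krb /etc/dfs/dfstab` output turns it into a quick post-configuration check on the server itself.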

Configuring SEAM Clients

SEAM clients include any host, not a KDC server, on the network that needs to use SEAM services. This section provides a procedure for installing a SEAM client, as well as specific information about using root authentication to mount NFS file systems.

How to Configure a SEAM Client

In this procedure, the following configuration parameters are used:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com

  • Client = client.example.com

  • admin principal = kws/admin

  • User principal = mre

  • Online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956


    Note - Adjust the URL to point to the "SEAM Administration Tool" section, as described in the "Online Help URL".


  1. Become superuser.

  2. Edit the Kerberos configuration file (krb5.conf).

    To change the file from the SEAM default version, you need to change the realm names and the names of the servers. You also need to identify the path to the help files for gkadmin.

    kdc1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM

    [realms]
            EXAMPLE.COM = {
                    kdc = kdc1.example.com
                    kdc = kdc2.example.com
                    admin_server = kdc1.example.com
            }

    [domain_realm]
            .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent,
    # this entry is not needed
    #
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log

    [appdefaults]
            gkadmin = {
                    help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }
  3. (Optional)

    Synchronize the client's clock with the master KDC's clock by using NTP or another clock synchronization mechanism.

    It is not required to install and use the Network Time Protocol (NTP). However, every clock must be within the maximum clock skew that is defined in the libdefaults section of the krb5.conf file in order for authentication to succeed. See "Synchronizing Clocks between KDCs and SEAM Clients" for information about NTP.

  4. (Optional)

    Create a user principal if a user principal does not already exist.

    You need to create a user principal only if the user associated with this host does not have a principal assigned already. See "How to Create a New Principal" for instructions on using the SEAM Administration Tool. The following is a command-line example.

    client1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: addprinc mre
    Enter password for principal mre@EXAMPLE.COM: <type the password>
    Re-enter password for principal mre@EXAMPLE.COM: <type it again>
    kadmin: 
  5. Create a root principal.

    Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

    kadmin: addprinc root/client1.example.com
    Enter password for principal root/client1.example.com@EXAMPLE.COM: <type the password>
    Re-enter password for principal root/client1.example.com@EXAMPLE.COM: <type it again>
    kadmin: quit
  6. (Optional)

    To use Kerberos with NFS, enable Kerberos security modes in the /etc/nfssec.conf file.

    Edit the /etc/nfssec.conf file and remove the "#" from in front of the Kerberos security modes.

    # cat /etc/nfssec.conf
     .
     .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
    krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
    krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
  7. (Optional)

    If you want a user on the SEAM client to automatically mount NFS file systems that use Kerberos authentication, you must authenticate the root user.

    This process is done most securely by using the kinit command. However, users will need to use kinit as root every time they need to mount a file system that is secured by Kerberos. You can choose to use a keytab file instead. For detailed information about the keytab file requirement, see "Setting Up Root Authentication to Mount NFS File Systems".

    client1 # /usr/bin/kinit root/client1.example.com
    Password for root/client1.example.com@EXAMPLE.COM: <Type password>

    To use the keytab file option, add the root principal to the client's keytab by using kadmin:

    client1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: ktadd root/client1.example.com
    kadmin: Entry for principal root/client1.example.com with
      kvno 3, encryption type DES-CBC-CRC added to keytab
      WRFILE:/etc/krb5/krb5.keytab
    kadmin: quit
  8. If you want the client to warn users about Kerberos ticket expiration, create an entry in the /etc/krb5/warn.conf file.

    See the warn.conf(4) man page for more information.
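Steps 2, 5 and 7 of the client procedure above fit together: the realm the client uses comes from the krb5.conf [domain_realm] mapping, the root principal's instance must be the lowercase FQDN, and the keytab added with ktadd must contain exactly that principal or root authentication for NFS mounts silently falls back to needing kinit. The following POSIX shell script is an added example, not part of the Sun documentation, that derives the root principal name for a host, resolves its realm with a simplified [domain_realm] lookup, and confirms the keytab listing holds the principal. The hostname, the krb5.conf text (the page's own file plus one extra exact-host entry, added here to exercise the lookup order) and the klist output are all constructed inline.

```shell
#!/bin/sh
# Added example, not from the Sun documentation: client-side checks for the
# procedure above. It builds the root principal name as step 5 requires
# (instance is the FQDN, forced to lowercase), resolves the realm for the
# host from a krb5.conf [domain_realm] section as written in step 2, and
# confirms the keytab from step 7 actually holds that principal. The
# hostname, krb5.conf text and keytab listing are all constructed inline.

# Constructed krb5.conf, extended with one exact-host entry to exercise the
# lookup order (the page's own file maps only .example.com).
KRB5_CONF_SAMPLE='[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        lab.example.com = LAB.EXAMPLE.COM'

# Constructed `klist -k` output after ktadd of the root principal.
KTAB_SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 root/client1.example.com@EXAMPLE.COM'

# lowercase STRING
lowercase() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# root_principal HOSTNAME: root/<fqdn> with the instance in lowercase, which
# is what the KDC expects regardless of how resolv.conf spells the domain.
root_principal() {
    printf 'root/%s\n' "$(lowercase "$1")"
}

# domain_realm FQDN: simplified [domain_realm] lookup. An entry naming the
# host exactly wins, then the longest ".suffix" entry that matches, then
# default_realm. (A real Kerberos library applies a few more rules.)
domain_realm() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v host="$1" '
        BEGIN { best = 0 }
        /^\[/ { sect = $0; next }
        sect == "[libdefaults]" && $1 == "default_realm" { def = $3 }
        sect == "[domain_realm]" && NF == 3 {
            key = $1; realm = $3
            if (key == host) exact = realm
            if (substr(key, 1, 1) == "." && length(host) > length(key) &&
                substr(host, length(host) - length(key) + 1) == key &&
                length(key) > best) { best = length(key); bestrealm = realm }
        }
        END { if (exact != "") print exact; else if (bestrealm != "") print bestrealm; else print def }'
}

# keytab_has PRINCIPAL REALM: succeed if the keytab listing shows PRINCIPAL@REALM.
keytab_has() {
    printf '%s\n' "$KTAB_SAMPLE" | grep -q "[[:space:]]$1@$2\$"
}

# client_check HOSTNAME: print the principal the client will use for NFS root
# authentication and return 0 only if the keytab holds it.
client_check() {
    princ=$(root_principal "$1")
    realm=$(domain_realm "$(lowercase "$1")")
    echo "root principal: $princ@$realm"
    keytab_has "$princ" "$realm"
}

client_check Client1.Example.COM || echo "root principal not in keytab"
```

Run as is, the script maps the mixed-case hostname to root/client1.example.com@EXAMPLE.COM and finds it in the sample keytab. The case handling is the point: a keytab entry created with an uppercase instance would not match, and the mount would fail even though klist shows a plausible-looking root principal.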

 
 
 