Configure ECS NFS with Kerberos security

To configure Kerberos authentication with ECS NFS, you must configure both the ECS nodes and the NFS client, and create keytabs for the NFS server principal and for the NFS client principal.

Before you begin

Depending on your internal IT setup, you can use a standalone Kerberos Key Distribution Center (KDC) or Active Directory (AD) as your KDC.

To use AD, follow the steps in these tasks:

About this task

The following scenarios are supported:

  • NFS client to a single ECS node. The keytab on each ECS node that you want to use as an NFS server must be specific to that node, that is, it must hold the nfs/ principal for that node's FQDN.
  • NFS client to a load balancer. The keytab is the same on all ECS nodes and holds the nfs/ principal for the load balancer's hostname, because that is the name the client resolves and requests a service ticket for.

Procedure

  1. Ensure that the hostname of the ECS node resolves to its FQDN.
    The NFS service principal is built from the FQDN that clients resolve, so hostname -f on the node must return the same FQDN that forward and reverse DNS return for its address. You can use the hostname command to set and check the FQDN; the persistent value is read from /etc/HOSTNAME.
    dataservice-10-247-142-112:~ # hostname ecsnode1.yourco.com
    dataservice-10-247-142-112:~ # hostname -i
    10.247.142.112
    dataservice-10-247-142-112:~ # hostname -f
    ecsnode1.yourco.com
    dataservice-10-247-142-112:~ #
  2. Create the Kerberos configuration file (krb5.conf) on the ECS node as /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf. Unless HDFS has already been configured, you must create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs) and make the user with uid 444 and the group with gid 444 its owner (chown 444:444 hdfs).

    Change the file permissions to 644 and make the user with uid 444 (storageos) the owner of the file.

    In the example below, the following values are used and must be replaced with your own settings.
    Kerberos REALM
    Set to NFS-REALM.LOCAL in this example.
    KDC
    Set to kdcname.yourco.com in this example.
    KDC Admin Server
    In this example, the KDC acts as the admin server.
    [libdefaults]
            default_realm = NFS-REALM.LOCAL
    [realms]
            NFS-REALM.LOCAL = {
                    kdc = kdcname.yourco.com
                    admin_server = kdcname.yourco.com
            }
    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    If HDFS has already been configured for Kerberos, do not replace /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf; instead, merge the REALM information into the existing krb5.conf file if it differs. Usually no change is needed because the REALM was already configured for HDFS. Likewise, the permissions and owner should already have been set by the HDFS configuration and should not require any change.

  3. Add an NFS service principal (nfs/<FQDN>) for the ECS node and create a keytab for it.
    In this example, the FQDN of the ECS node is ecsnode1.yourco.com.
    $ kadmin
    kadmin> addprinc -randkey nfs/ecsnode1.yourco.com
    kadmin> ktadd -k /datanode.keytab nfs/ecsnode1.yourco.com
    kadmin> exit
    Note that ktadd generates a new random key each time it is run, so an earlier keytab for the same principal stops working. For the load balancer scenario, run ktadd once and copy the resulting keytab to every ECS node rather than running ktadd per node.
    
  4. Copy the keytab (datanode.keytab) to /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab. Unless HDFS has already been configured, you must create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs) and make the user with uid 444 and the group with gid 444 its owner (chown 444:444 hdfs).
    Change the file permissions to 644 and make the user with uid 444 (storageos) the owner of the file. The keytab holds the service's long-term key, so do not make it more widely readable than this.

    If HDFS is already configured, do not replace /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab; instead, merge the datanode.keytab entries into the existing keytab file using ktutil. The permissions and owner should already have been set by the HDFS configuration and should not require any change.

  5. Download the unlimited JCE policy archive from oracle.com and extract it to the /opt/emc/caspian/fabric/agent/services/object/data/jce/unlimited directory.
    Kerberos may be configured to use a strong encryption type, such as AES-256. In that case the JRE on the ECS nodes must be reconfigured to use the 'unlimited' policy, otherwise it cannot use the keys in the keytab.
    Perform this step only if you are using a strong encryption type.

    If HDFS is already configured, this step will have been completed as part of the HDFS Kerberos configuration.

  6. Run the following command from inside the object container.
    service storageos-dataservice restarthdfs
  7. To set up the client, begin by making sure that the hostname of the client resolves to its FQDN.
    As on the ECS node, the client's host principal is built from its FQDN, so hostname -f on the client must return the FQDN that DNS returns for its address. You can use the hostname command to set and check it (on SUSE the persistent value is read from /etc/HOSTNAME). In this example the FQDN of the NFS client is nfsclient.yourco.com.
    nfsclient:~ # hostname nfsclient.yourco.com
    nfsclient:~ # hostname -f
    nfsclient.yourco.com
    nfsclient:~ #
  8. If your client is running SUSE Linux, make sure that the line NFS_SECURITY_GSS="yes" is present and uncommented in /etc/sysconfig/nfs.
  9. If your client is running Ubuntu, make sure that the line NEED_GSSD=yes is present in /etc/default/nfs-common.
  10. Install rpcbind and nfs-common.
    Use apt-get or zypper. On SUSE Linux, for nfs-common, use:
    zypper install yast2-nfs-common
    On Ubuntu the GSS daemons are not started by default, which is why the NEED_GSSD=yes setting in step 9 is required.
  11. Set up the Kerberos configuration file (/etc/krb5.conf) on the client.
    In the example below, the following values are used and you must replace them with your own settings. They must match the REALM and KDC configured on the ECS nodes in step 2.
    Kerberos REALM
    Set to NFS-REALM.LOCAL in this example.
    KDC
    Set to kdcname.yourco.com in this example.
    KDC Admin Server
    In this example, the KDC acts as the admin server.
    [libdefaults]
            default_realm = NFS-REALM.LOCAL
    [realms]
            NFS-REALM.LOCAL = {
                    kdc = kdcname.yourco.com
                    admin_server = kdcname.yourco.com
            }
    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
  12. Add a host principal (host/<FQDN>) for the NFS client and create a keytab for it.
    In this example, the FQDN of the NFS client is nfsclient.yourco.com.
    $ kadmin
    kadmin> addprinc -randkey host/nfsclient.yourco.com
    kadmin> ktadd -k /nfsclient.keytab host/nfsclient.yourco.com
    kadmin> exit

  13. Copy the keytab file (nfsclient.keytab) from the KDC machine to /etc/krb5.keytab on the NFS client machine.
    scp /nfsclient.keytab root@nfsclient.yourco.com:/etc/krb5.keytab
    ssh root@nfsclient.yourco.com 'chown root:root /etc/krb5.keytab && chmod 600 /etc/krb5.keytab'
    The keytab is read by rpc.gssd, which runs as root, so it does not need to be world-readable; any local user who can read it can impersonate the client's host principal.
  14. Create a principal for the user who will access the NFS export. addprinc without -randkey prompts for the user's password.
    $ kadmin
    kadmin> addprinc yourusername@NFS-REALM.LOCAL
    kadmin> exit
  15. Log in as root and add the following entry to your /etc/fstab file.
    HOSTNAME:MOUNTPOINT    LOCALMOUNTPOINT        nfs     rw,user,nolock,noauto,vers=3,sec=krb5 0       0
    For example:
    ecsnode1.yourco.com:/s3/b1     /home/kothan3/1b1       nfs     rw,user,nolock,noauto,vers=3,sec=krb5   0 0
    The user option allows a non-root user to mount the entry. sec=krb5 authenticates each NFS request with the user's Kerberos ticket; it does not integrity-protect or encrypt the data on the wire (that is what the krb5i and krb5p flavors do, which this procedure does not cover).
  16. Log in as a non-root user and obtain a ticket with kinit for the user principal that you created.
    kinit yourusername@NFS-REALM.LOCAL
  17. You can now mount the NFS export. For more information, see Mount an NFS export example and Best practices for mounting ECS NFS exports.

    Mounting as the root user does not require kinit. However, when mounting as root, authentication uses the client machine's host principal (from /etc/krb5.keytab) rather than a user's Kerberos principal. Depending on your operating system, you can configure the PAM authentication module to obtain the Kerberos ticket at login, so that there is no need to run kinit manually and you can mount the NFS share directly.
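The following script is an added example, not code from the ECS documentation or from the product, that collects the repeatable parts of steps 1 to 15 above into shell functions: an FQDN sanity check before principals are created, generation of the krb5.conf shown in steps 2 and 11, keytab installation with restrictive permissions (steps 4 and 13), the ktutil merge mentioned in step 4, and the fstab line from step 15. The realm, KDC and host names are the page's placeholders; the `demo` entry point, the function names and the `nfsclient.keytab` file it writes to a temporary directory are assumptions of this example. Only the kadmin and ktutil wrappers need a KDC and those tools; everything else runs offline.

```shell
#!/bin/sh
# Added helper functions for the ECS NFS Kerberos procedure (example code,
# not part of the ECS product).  Names and paths below are assumptions.
set -eu

# Kerberos principal names are case-sensitive, and the hostname part of
# nfs/<fqdn> or host/<fqdn> must be the lowercase fully qualified name the
# client resolves.  Returns 0 for a plausible FQDN, 1 otherwise.
check_fqdn() {
    case $1 in
        ''|.*|*.|*..*|-*|*[!abcdefghijklmnopqrstuvwxyz0123456789.-]*) return 1 ;;
        *.*) return 0 ;;     # at least one dot: host.domain
        *) return 1 ;;       # short name such as "ecsnode1"
    esac
}

# Write a krb5.conf in the layout used in steps 2 and 11.
# Arguments: REALM KDC ADMIN_SERVER OUTPUT_PATH (file is created mode 644).
write_krb5_conf() {
    realm=$1; kdc=$2; admin=$3; out=$4
    cat > "$out" <<EOF
[libdefaults]
        default_realm = $realm
[realms]
        $realm = {
                kdc = $kdc
                admin_server = $admin
        }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
EOF
    chmod 644 "$out"
}

# Print the default_realm configured in a krb5.conf (used to verify the
# client and ECS node agree on the realm).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Create a service/host principal and export its keytab (steps 3 and 12).
# ktadd re-randomizes the key on every run, so for the load balancer
# scenario call this once and copy the keytab to every node.
make_principal_keytab() {
    princ=$1; keytab=$2
    kadmin -q "addprinc -randkey $princ"
    kadmin -q "ktadd -k $keytab $princ"
}

# Merge a new keytab into an existing one with ktutil (step 4 when HDFS
# already configured krb5.keytab).  Arguments: EXISTING NEW OUTPUT.
merge_keytabs() {
    printf 'rkt %s\nrkt %s\nwkt %s\n' "$1" "$2" "$3" | ktutil
}

# Copy a keytab into place and tighten it: SRC DEST [OWNER] [MODE].
# MODE defaults to 600 because whoever can read a keytab can impersonate
# its principal; on an ECS node pass owner 444 and the mode the page
# specifies, on a client leave the default (root, 600).
install_keytab() {
    src=$1; dest=$2; owner=${3:-}; mode=${4:-600}
    cp "$src" "$dest"
    chmod "$mode" "$dest"
    [ -z "$owner" ] || chown "$owner" "$dest"
}

# Permission string of a file, e.g. "-rw-------", for checks in scripts.
file_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Emit the /etc/fstab line from step 15: SERVER EXPORT MOUNTPOINT [SEC].
# sec=krb5 authenticates requests only; it does not encrypt the data.
fstab_entry() {
    printf '%s:%s\t%s\tnfs\trw,user,nolock,noauto,vers=3,sec=%s\t0 0\n' \
        "$1" "$2" "$3" "${4:-krb5}"
}

# Offline demonstration with the page's placeholder names; the keytab
# content is constructed, not a real keytab.  Run as: sh this.sh demo
demo() {
    tmp=$(mktemp -d)
    for h in ecsnode1.yourco.com nfsclient.yourco.com; do
        check_fqdn "$h" || { echo "not an FQDN: $h" >&2; exit 1; }
    done
    write_krb5_conf NFS-REALM.LOCAL kdcname.yourco.com kdcname.yourco.com "$tmp/krb5.conf"
    echo "realm: $(krb5_default_realm "$tmp/krb5.conf")"
    printf 'constructed' > "$tmp/nfsclient.keytab"
    install_keytab "$tmp/nfsclient.keytab" "$tmp/krb5.keytab"
    echo "keytab mode: $(file_mode_string "$tmp/krb5.keytab")"
    fstab_entry ecsnode1.yourco.com /s3/b1 /home/kothan3/1b1
    rm -rf "$tmp"
}

[ "${1:-}" != demo ] || demo
```

Source the file to use the functions from another script, or run it with the `demo` argument to see the offline parts execute; `make_principal_keytab` and `merge_keytabs` are only meaningful on a host with kadmin access to the KDC.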