To use Active Directory (AD) as the KDC for your NFS Kerberos configuration, you must create accounts for the client and server in AD and map each account to a principal. For the NFS server, the principal represents the NFS service account; for the NFS client, the principal represents the client host machine.
Before you begin
You must have administrator credentials for the AD domain controller.
Procedure
- Log in to AD.
- In Server Manager, go to .
- Create a computer account for the client machine (for example, "nfsclient"). Set the password to never expire.
- Create an account for a user (optional; needed only once).
- Execute the following command to create a keytab file for the NFS service account:
  ktpass -princ host/<fqdn>@REALM.LOCAL +rndPass -mapUser <host>@REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out filename.keytab
  For example, to associate the nfs-ecsnode1 account with the principal host/nfsclient.yourco.com@NFS-REALM.LOCAL, you can generate a keytab using:
  ktpass -princ host/nfsclient.yourco.com@NFS-REALM.LOCAL +rndPass -mapUser nfsclient$@NFS-REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out nfsclient.keytab
- Import the keytab to the client node:
  ktutil
  ktutil> rkt <keytab to import>
  ktutil> wkt /etc/krb5.keytab
- Test registration by running:
  kinit -k host/<fqdn>@NFS-REALM.LOCAL
- See the cached credentials by running the klist command.
- Delete the cached credentials by running the kdestroy command.
- View the entries in the keytab file by running the klist command:
  klist -kte /etc/krb5.keytab
- Follow steps 2, 4, and 5 from Configure ECS NFS with Kerberos security to place the Kerberos configuration files (krb5.conf, krb5.keytab, and jce/unlimited) on the ECS node.
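The klist -kte step above shows what ended up in /etc/krb5.keytab; the following added Python example (not part of this page or the ECS product) does the same check offline, parsing the MIT keytab format that ktutil writes and reporting whether the expected host principal is present, which kvno it carries, and whether weak enctypes (which -crypto All produces alongside AES) are in the file. The sample keytab it inspects is constructed in the block with dummy keys; the principal name is the page's own, and the enctype ids are the standard Kerberos registry values.

```python
import struct

# Weak enctype ids (IANA Kerberos registry); ktpass -crypto All emits these alongside AES.
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}

# Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype) tuples; key bytes are skipped.
def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        body, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:                       # negative size marks a deleted slot
            continue
        ncomp, off = struct.unpack_from(">H", body, 0)[0], 2
        parts = []                         # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", body, off)[0]
            parts.append(body[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        _ntype, _stamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", body, off)
        tail = body[off + 13 + keylen:]    # optional trailing 32-bit kvno overrides vno8 when non-zero
        kvno = (struct.unpack(">I", tail[:4])[0] if len(tail) >= 4 else 0) or vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

# The check to run on /etc/krb5.keytab after import: is the host principal there, and with which enctypes?
def audit_keytab(data, expected_principal):
    entries = parse_keytab(data)
    return {"has_expected": any(p == expected_principal for p, _, _ in entries),
            "weak_enctypes": sorted(WEAK_ENCTYPES[e] for _, _, e in entries if e in WEAK_ENCTYPES),
            "kvnos": sorted({k for _, k, _ in entries})}

# Build a keytab from (principal, kvno, enctype, key) tuples; used only to construct the sample below.
def build_keytab(entries):
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1)
        for s in [realm] + name.split("/"):
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 1700000000, kvno & 0xFF, enctype, len(key)) + key  # 1 = KRB5_NT_PRINCIPAL
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

# Constructed sample with dummy keys: what ktpass -crypto All yields for the page's client principal.
CLIENT_PRINCIPAL = "host/nfsclient.yourco.com@NFS-REALM.LOCAL"
SAMPLE_KEYTAB = build_keytab([(CLIENT_PRINCIPAL, 3, 18, b"\x11" * 32),   # aes256-cts-hmac-sha1-96
                              (CLIENT_PRINCIPAL, 3, 23, b"\x33" * 16)])  # arcfour-hmac (weak)
```

To audit a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `audit_keytab` with the principal you registered with ktpass; a missing principal or a kvno that differs from what kinit -k reports points at a stale keytab.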