Register an ECS node with Active Directory

To use Active Directory (AD) as the KDC for your NFS Kerberos configuration, you must create accounts for the client and the server in AD and map each account to a principal. For the NFS server, the principal represents the NFS service account; for the NFS client, the principal represents the client host machine.

Prerequisites

You must have administrator credentials for the AD domain controller.

Steps

  1. Log in to the AD domain controller.
  2. In Server Manager, go to Tools > Active Directory Users and Computers.
  3. Create a user account for the NFS principal using the format "nfs-<host>", for example, "nfs-ecsnode1". Set a password and configure it to never expire.
  4. Create an account for yourself (optional and one time).
  5. Execute the following command to create a keytab file for the NFS service account.
    ktpass -princ nfs/<fqdn>@REALM.LOCAL +rndPass -mapUser nfs-<host>@REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out filename.keytab

    For example, to associate the nfs-ecsnode1 account with the principal nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL, you can generate a keytab using:

    ktpass -princ nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL +rndPass -mapUser nfs-ecsnode1@NFS-REALM.LOCAL -mapOp set -crypto All -ptype KRB5_NT_PRINCIPAL -out nfs-ecsnode1.keytab
  6. Import the keytab to the ECS node.
    ktutil
    ktutil> rkt <keytab to import>
    ktutil> wkt /etc/krb5.keytab
  7. Test registration by running:
    kinit -k nfs/<fqdn>@NFS-REALM.LOCAL
    
  8. See the cached credentials by running the klist command.
  9. Delete the cached credentials by running the kdestroy command.
  10. View the entries in the keytab file by running the klist command.
    Example:
     klist -kte /etc/krb5.keytab
    
  11. Follow steps 2, 4, and 5 from Configure ECS NFS with Kerberos security to place the Kerberos configuration files (krb5.conf, krb5.keytab and jce/unlimited) on the ECS node.
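As an added check for steps 5 and 10 (example code written for this page, not part of the ECS documentation or its tooling), the following Python validates the -princ value before it is handed to ktpass, catching a missing "@" before the realm, and parses klist -kte output to confirm that the nfs/<fqdn>@REALM entry is present and to flag any DES or RC4 keys that -crypto All left in the keytab. The klist output, host name and realm below are constructed assumptions.

```python
import re

# Constructed sample of `klist -kte /etc/krb5.keytab` output in MIT Kerberos
# format; it is not captured from a real ECS node.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:22:41 nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:22:41 nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL (aes128-cts-hmac-sha1-96)
   3 01/15/2024 10:22:41 nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL (arcfour-hmac)
   3 01/15/2024 10:22:41 nfs/ecsnode1.yourco.com@NFS-REALM.LOCAL (DEPRECATED:des-cbc-crc)
"""

# One keytab entry: KVNO, timestamp (two tokens), principal, "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")
# Service principal as this page writes it: nfs/<fqdn>@<REALM>
# (lowercase host, uppercase realm, following Kerberos convention).
PRINC_RE = re.compile(r"^nfs/([a-z0-9][a-z0-9.-]*)@([A-Z0-9][A-Z0-9.-]*)$")
# Legacy enctypes that `-crypto All` can still produce on AD.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}


def validate_principal(princ):
    """Return (fqdn, realm) if princ matches nfs/<fqdn>@<REALM>, else None.
    Catches the common slip of omitting the '@' before the realm."""
    m = PRINC_RE.match(princ)
    return (m.group(1), m.group(2)) if m else None


def parse_klist(output):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, output.splitlines()) if m]


def check_keytab(output, fqdn, realm):
    """Confirm the keytab holds nfs/<fqdn>@<REALM> and list its weak enctypes."""
    expected = f"nfs/{fqdn}@{realm}"
    enctypes = {enc for _, princ, enc in parse_klist(output) if princ == expected}
    weak = sorted(enctypes & WEAK_ENCTYPES)
    return {"principal": expected, "found": bool(enctypes),
            "has_aes": any(e.startswith("aes") for e in enctypes),
            "weak": weak, "ok": bool(enctypes) and not weak}


if __name__ == "__main__":
    print(validate_principal("nfs/ecsnode1.yourco.comNFS-REALM.LOCAL"))  # None: '@' missing
    print(check_keytab(SAMPLE_KLIST, "ecsnode1.yourco.com", "NFS-REALM.LOCAL"))
```

Entries flagged as weak mean the AD account still carries legacy keys; trimming them out of the keytab on the ECS node is only half the fix, since tickets can still be issued with those enctypes until the account's supported encryption types are also tightened.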