Kerberos configuration

File Services Administration Guide for Hitachi NAS Platform

Version: 14.7.x, 14.6.x
Audience: anonymous
Part Number: MK-92HNAS006-29
Note: The Kerberos implementation has been updated to support the Advanced Encryption Standard (AES). The Data Encryption Standard (DES) has been deprecated and is insufficiently secure. The AES prerequisites are:
  • Windows Server 2008 or higher is required to deploy a Microsoft Windows KDC that supports AES encryption.
  • Configuration may be required on the clients. The configuration of the KDC and clients may vary depending on their operating systems.
  • The Kerberos principal accounts on the KDC may need to be configured to support AES.
  • The supported AES encryption types are:
    • AES256: HMAC-SHA1-96
    • AES128: HMAC-SHA1-96
Configuring the server requires the following steps:
  1. Create the principal and key of the service (the EVS) on the KDC (Key Distribution Center).
    The keytab file must contain the service principal for the NFS service for the EVS. Once the NFS service principal for the EVS has been added, you can then create a keytab file specifically for the EVS. The type of key is critical.
    • AES: To use AES, the keytab must contain an AES key; AES is then enabled by default. If an AES-only keytab is imported, DES is disabled, and all clients must be configured to support AES and have an AES key in their keytabs.
    • DES:
      • To use DES, the client must perform the Kerberos authentication with any of the supported encryption types except AES.
      • The server must have a key that corresponds to whatever encryption type the client used.
    • AES and DES: The keytab must contain
      • An AES key and
      • Any old supported encryption type key (it does not have to be DES), provided that it is supported by the client as well.

    For example, with an EVS named "man" in the Kerberos realm AESIR.EXAMPLE.COM, the keytab file for the NFS service on "man" should contain the principal nfs/man.aesir.example.com@AESIR.EXAMPLE.COM. The principal starts with the service (nfs), followed by a slash, then the fully qualified domain name of the EVS, then the symbol @, and finally the Kerberos realm. Note that case is significant: Kerberos realms are always in uppercase. Also, there must be no trailing period after the Kerberos realm.

  2. Export a keytab file from the KDC.
    Typically you will use the kadmin utility run from the master KDC to export a keytab file. For details on creating an appropriate keytab file, refer to the documentation for the tools supplied with your version of Kerberos.
  3. Import the keytab file into the server.

    Transfer the keytab file to the flash of the server.

    For example: securely move the keytab file to the NAS Manager and transfer it to the NAS server. Log on with ssc, and do the following:

    SERVER:$ ssput man.nfs.keytab man.nfs.keytab

    The first name is the local file name on the NAS Manager, and the second is the name to use on the server. Once the file has been placed on the server, import the keytab in the context of the EVS with:

    SERVER:$ krb5-keytab import man.nfs.keytab

    After the keytab has been imported, the uploaded keytab file can be safely removed with:

    SERVER:$ ssrm man.nfs.keytab

  4. Set the Kerberos realm for the server.

    Set the realm by using the command krb5-realm. For example:

    SERVER:$ krb5-realm AESIR.EXAMPLE.COM

    The server's NFS hostname must be set, per EVS, using the command nfs-hostname <hostname>.

    After performing these steps, the Kerberos configuration of the NAS server is complete. Optionally, you can also create mappings between the Kerberos users/groups and the Active Directory users/groups.
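As an added example (not part of this guide or the NAS software), the following Python check reads an exported keytab before it is imported in step 3 and applies the step 1 rules: the nfs/<fqdn>@<REALM> principal must be present, the realm must be uppercase with no trailing period, and the key types present decide whether the server will run AES only, AES plus a legacy type, or a legacy type only (DES keys are flagged as deprecated). It assumes the keytab is in MIT keytab format version 2 (header 0x0502); build_keytab, parse_keytab and check_evs_keytab are names chosen here, and the sample keytab is constructed.

```python
import struct
# Enctype numbers (RFC 3961/3962): 17/18 = aes128/aes256-cts-hmac-sha1-96, 1/2/3 = single DES (deprecated)
AES_TYPES, DES_TYPES = {17, 18}, {1, 2, 3}

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab, format version 2."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        parts = [realm] + name.split("/")           # realm first, then the name components
        body = struct.pack(">H", len(parts) - 1)    # component count excludes the realm
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)  # counted octet strings
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, enctype), ...] from a version-2 keytab, skipping deleted slots."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                        # a negative size marks a deleted slot
            pos -= size; continue
        entry, p, parts = data[pos:pos + size], 2, []
        for _ in range(struct.unpack_from(">H", entry)[0] + 1):  # realm, then each name component
            (n,) = struct.unpack_from(">H", entry, p); p += 2
            parts.append(entry[p:p + n].decode()); p += n
        (enctype,) = struct.unpack_from(">H", entry, p + 9)  # skip name_type, timestamp, vno8
        found.append(("/".join(parts[1:]) + "@" + parts[0], enctype))
        pos += size
    return found

def check_evs_keytab(data, evs_fqdn, realm):
    """Guide's rules for one EVS: nfs/<fqdn>@<REALM> must be present and the realm uppercase
    with no trailing period; the key types present decide AES only / AES+legacy / legacy only."""
    problems = []
    if realm != realm.upper() or realm.endswith("."):
        problems.append("realm must be upper case with no trailing period")
    enctypes = {e for princ, e in parse_keytab(data) if princ == f"nfs/{evs_fqdn}@{realm}"}
    if enctypes & DES_TYPES:
        problems.append("DES keys present: DES is deprecated and insufficiently secure")
    has_aes, has_legacy = bool(enctypes & AES_TYPES), bool(enctypes - AES_TYPES)
    mode = ("aes-only" if has_aes and not has_legacy else "aes+legacy" if has_aes
            else "legacy-only" if has_legacy else "missing")
    return mode, problems

# Constructed sample: the guide's example EVS "man" with an AES256 key plus a legacy DES key
SAMPLE_KEYTAB = build_keytab([("nfs/man.aesir.example.com@AESIR.EXAMPLE.COM", 2, 18, b"\x11" * 32),
                              ("nfs/man.aesir.example.com@AESIR.EXAMPLE.COM", 2, 3, b"\x22" * 8)])
```

Running check_evs_keytab(SAMPLE_KEYTAB, "man.aesir.example.com", "AESIR.EXAMPLE.COM") reports mode "aes+legacy" with a DES deprecation warning; an AES-only keytab reports "aes-only" with no problems.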