Kerberos principal formats

File Service Administration Guide for Hitachi NAS Platform

Version: 14.9.x
Part Number: MK-92HNAS006-31

A Kerberos principal can take different forms, containing a varying number of components.

For the purposes of this feature, a principal can contain the following parts:

  • Primary - typically a username.
  • Instance - an optional part that qualifies the primary; it can be a user role or a host name.
  • Realm - the Kerberos realm, which is usually a domain name.

In your environment, a principal could take the following form:

primary@REALM

For example:

user@EXAMPLE.COM

This user could operate on multiple clients.

Alternatively, your principal could take the following form:

primary/instance@REALM

For example:

user/machine1.example.com@EXAMPLE.COM

user/machine2.example.com@EXAMPLE.COM

Here, you could have different Kerberos principals that map to a single user.

To support these environments, the NAS server provides the krb5-nfs-principal-format command. By default, the Kerberos principal is left unchanged before being mapped onto a user. When multiple Kerberos principals must map to a single user, the only-primary option rewrites the Kerberos principal to primary@REALM (dropping the instance) before mapping it to a user. With this setting, the principals in the second example above are both interpreted as user@EXAMPLE.COM and so require only a single one-to-one mapping.
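The two modes of krb5-nfs-principal-format worked through in Python, as an added example rather than the NAS server's own code: parse_principal, format_principal, map_to_user, the MAPPING table and the sample principals are all assumptions constructed for this demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]  # None for the primary@REALM form
    realm: str

def parse_principal(name: str) -> Principal:
    """Split primary[/instance]@REALM. Assumption: separators are not
    backslash-escaped (Kerberos allows escaping; this demo omits it)."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError(f"expected primary[/instance]@REALM, got {name!r}")
    primary, _, instance = local.partition("/")
    if not primary:
        raise ValueError(f"empty primary in principal {name!r}")
    return Principal(primary, instance or None, realm)

def format_principal(p: Principal, only_primary: bool) -> str:
    """Default mode leaves the principal unchanged; only-primary mode
    rewrites it to primary@REALM by dropping the instance before mapping."""
    if only_primary or p.instance is None:
        return f"{p.primary}@{p.realm}"
    return f"{p.primary}/{p.instance}@{p.realm}"

def map_to_user(name: str, mapping: dict, only_primary: bool) -> Optional[str]:
    """Look up the (possibly rewritten) principal in a principal->user table."""
    return mapping.get(format_principal(parse_principal(name), only_primary))

def required_mapping_keys(principals, only_primary: bool) -> set:
    """Distinct principal strings the mapping table must contain."""
    return {format_principal(parse_principal(n), only_primary) for n in principals}

# Constructed sample: one user with per-host principals (the second example
# above) and a mapping table that holds only the primary@REALM entry.
HOST_PRINCIPALS = [
    "user/machine1.example.com@EXAMPLE.COM",
    "user/machine2.example.com@EXAMPLE.COM",
]
MAPPING = {"user@EXAMPLE.COM": "user"}

if __name__ == "__main__":
    for n in HOST_PRINCIPALS:
        print(n, "-> default:", map_to_user(n, MAPPING, False),
              "| only-primary:", map_to_user(n, MAPPING, True))
    print("entries needed, default:", sorted(required_mapping_keys(HOST_PRINCIPALS, False)))
    print("entries needed, only-primary:", sorted(required_mapping_keys(HOST_PRINCIPALS, True)))
```

In default mode the single-entry table resolves neither host-qualified principal, so each would need its own mapping entry; with only-primary both collapse to user@EXAMPLE.COM.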

Important: Select the only-primary configuration option only when first configuring a security context, and take care when modifying the setting for an existing security context. If the setting is changed after Kerberos authentication for NFS has been used with the security context, a mixture of Kerberos principal formats can end up stored in on-disk security. This is likely to leave users unable to access files, which would need to be remedied by manually correcting the on-disk security.