NFS v4 Client/Server and Kerberos

The NFS v4 Client/Server environment includes LDAP for maintaining authentication data and Kerberos for establishing a trusted channel between NFS v4 clients and servers. The evaluated configuration supports IBM Network Authentication Service (NAS) v1.4 for Kerberos and IBM® Tivoli® Directory Server v6.0 (LDAP server) for the user database.

NAS v1.4 (the Kerberos Version 5 server) must be configured to use LDAP as its principal database. Tickets that the Kerberos server has already granted remain valid until they expire, so a change to a principal in the database (for example, disabling a user) takes effect on NFS access only after that user's existing tickets expire.

When Kerberos authentication is used, the credential carried in remote procedure calls issued by a user is the user's current Kerberos ticket, and it is not affected by the real or effective UID of the calling process. Consequently, when a setuid program accesses an NFS file system mounted with Kerberos authentication, the identity seen by the server is derived from the Kerberos principal of the user who ran the program, not from the UID that owns the setuid program.

The evaluated configuration uses RPCSEC_GSS security for NFS. For more information, see Network File System, Configuring an NFS server, and Configuring an NFS client. When setting up the server, choose Kerberos authentication and enable enhanced security on the server; you can do this through SMIT or with the chnfs command, which has an option to enable RPCSEC_GSS security. When setting up the client, follow the Kerberos instructions in Configuring an NFS client. See Setting up a network for RPCSEC-GSS for instructions on setting up the Kerberos server with DES3 encryption. The evaluated configuration supports only des3 encryption; the encryption type of the tickets actually held by a user can be checked with klist -e.
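The following pre-flight check script is an added example, not part of the IBM documentation or of AIX itself. It verifies two things a practitioner wants confirmed before relying on the configuration above: that an export's security options admit only Kerberos RPCSEC_GSS flavors (so no mount can fall back to AUTH_SYS), and that the Kerberos tickets in use carry only des3 encryption types. The setup commands listed in the comments (chnfs -S -B, nfshostkey, exportfs and mount with sec=krb5p) are given from memory of the AIX documentation and should be verified against your release; the hostnames, paths and the klist -e output are constructed for this example and assume the MIT-style klist format that NAS uses.

```shell
#!/bin/sh
# Pre-flight checks for an AIX NFS v4 + Kerberos (RPCSEC_GSS) configuration.
# Added example; not IBM's code. The commands below are what the checks
# assume was done (flag forms recalled from AIX docs, verify on your release):
#   chnfs -S -B                                   # enable RPCSEC_GSS on the server
#   nfshostkey -p nfs/nfs1.example.com -f /etc/krb5/krb5.keytab   # server principal
#   exportfs -o sec=krb5p,vers=4 /export/secure   # Kerberos-only export
#   mount -o sec=krb5p,vers=4 nfs1:/export/secure /mnt/secure     # client side

# Accept only the Kerberos RPCSEC_GSS flavors krb5, krb5i and krb5p.
# "sys" (AUTH_SYS) or "none" in sec= would let a client bypass Kerberos,
# and a missing sec= option defaults to sys.
check_export_sec() {
    # $1: an exports option string such as "sec=krb5p:krb5i,vers=4"
    opts=$1
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    [ -n "$sec" ] || return 1
    for flavor in $(printf '%s\n' "$sec" | tr ':' ' '); do
        case $flavor in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The evaluated configuration allows only des3 encryption. Given the text
# of `klist -e`, fail if no ticket is present or any ticket uses another
# enctype (the session key and the ticket enctype are both checked).
check_des3_only() {
    # $1: output of `klist -e` (MIT-style "Etype (skey, tkt): a, b" lines)
    printf '%s\n' "$1" | awk '
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\):[ \t]*/, "")
            n = split($0, et, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                seen++
                if (et[i] !~ /^des3-/) bad++
            }
        }
        END { if (seen == 0 || bad > 0) exit 1; exit 0 }'
}

# Constructed sample klist -e output: all tickets des3 (compliant).
GOOD_KLIST='Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: nfsadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
01/02/24 08:00:00  01/02/24 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
01/02/24 08:00:05  01/02/24 18:00:00  nfs/nfs1.example.com@EXAMPLE.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1'

# Constructed sample: the NFS service ticket was issued with AES, which the
# evaluated configuration does not permit.
BAD_KLIST='Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: nfsadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
01/02/24 08:00:00  01/02/24 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
01/02/24 08:00:05  01/02/24 18:00:00  nfs/nfs1.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Stand-alone run: report each check.
for spec in "sec=krb5p:krb5i,vers=4" "sec=sys:krb5,vers=4" "vers=4"; do
    if check_export_sec "$spec"; then
        echo "OK   export options: $spec"
    else
        echo "FAIL export options admit non-Kerberos access: $spec"
    fi
done
check_des3_only "$GOOD_KLIST" && echo "OK   all tickets use des3"
check_des3_only "$BAD_KLIST" || echo "FAIL a ticket uses a non-des3 enctype"
```

On a live system, replace the constructed samples with `klist -e` run as the user in question and with the option string of each exported file system, and run the checks on both the server and each client before declaring the configuration compliant.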