Using NIM to install clients with NIM resources that are exported with Kerberos authentication

You can install NIM clients with NIM resources that are set with Kerberos security export.

This method provides added protection for NIM resources by preventing access from unacceptable hosts. To use this authentication method, the NIM master must be configured to be the Kerberos server.

Do the following:
  1. Set up and configure the Kerberos server by using one of the following methods.
    Note: To avoid a base image installation failure, you must run one of the following commands.
    • If the NIM master is not configured as a Kerberos server, use the sample script that NIM provides by running the following command:
      /usr/samples/nim/krb5/config_rpcsec_server -u <user> -p <password>

      The config_rpcsec_server script runs the /usr/lpp/bos.sysmgt/nim/methods/nimcrypt -u <user> -p <password> command to set up the credentials for Kerberos authentication.

    • If the NIM master is configured as a Kerberos server, run the nimcrypt command:
      /usr/lpp/bos.sysmgt/nim/methods/nimcrypt -u <user> -p <password>
  2. Set the nfs_domain attribute for the NIM master by using one of the following methods.
    • Run the following command from the command line:
      nim -o change -a nfs_domain="austin.ibm.com" master
    • Use the following SMIT fastpath:
      smitty nim_global_nfs
  3. Set the NIM resources attributes for nfs_sec to krb5 and nfs_vers to 4 as follows:
    nim -o change -a nfs_sec=krb5 -a nfs_vers=4 <resource_object>
    Note: Setting nfs_sec=krb5 for the SPOT resource is not supported for the install environment.
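The following helper script is an added example, not part of the IBM documentation, that applies steps 2 and 3 to several resources at once and enforces the SPOT restriction from the note above. It assumes step 1 has already been completed, that lsnim -l prints a "type = <type>" line for each object, and that the constructed NIM_DRY_RUN variable, when set to 1, prints each nim command instead of running it.

```shell
#!/bin/sh
# Constructed helper (not from the IBM page): steps 2 and 3 of the procedure above.
# Assumes Kerberos credentials (step 1) are already set up on the NIM master.

NIM_DRY_RUN=${NIM_DRY_RUN:-0}   # constructed switch: 1 = print commands, 0 = run them

# Run a command, or only print it when NIM_DRY_RUN=1.
run_or_echo() {
    if [ "$NIM_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 2: set the NFS domain on the NIM master (argument: the domain name).
set_nfs_domain() {
    run_or_echo nim -o change -a "nfs_domain=$1" master
}

# Look up a NIM object's type (spot, mksysb, lpp_source, ...) from lsnim -l output.
nim_object_type() {
    lsnim -l "$1" 2>/dev/null | awk '$1 == "type" { print $3; exit }'
}

# Step 3: export one resource with nfs_sec=krb5 and nfs_vers=4.
# The object type is passed as $2 so the check can be exercised without lsnim.
# SPOT resources are refused: nfs_sec=krb5 on the SPOT is not supported for the
# install environment, so exporting it that way would break the installation.
set_krb5_export() {
    if [ "$2" = "spot" ]; then
        echo "skipping $1: nfs_sec=krb5 is not supported for a SPOT" >&2
        return 1
    fi
    run_or_echo nim -o change -a nfs_sec=krb5 -a nfs_vers=4 "$1"
}

# Usage: NIM_DRY_RUN=1 ./nim_krb5_export.sh austin.ibm.com mksysb_72 lpp_72 spot_72
if [ $# -gt 1 ]; then
    set_nfs_domain "$1"
    shift
    for res in "$@"; do
        set_krb5_export "$res" "$(nim_object_type "$res")" || true
    done
fi
```

Run it first with NIM_DRY_RUN=1 to review the exact nim commands before they touch the master.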

After the nfs_sec and nfs_vers attributes are set for the NIM resources and a NIM network installation is initialized, NIM uses NFS to export the location for the resource set with krb5. The client uses Kerberos authentication and mounts NIM resources over Kerberos security.

Installing a client with a Kerberos protected mount is only supported for NIM installations where source=rte or source=mksysb. A Kerberos installation will only work for NIM resources that reside on the NIM master. After a client authenticates with the Kerberos server, there is usually a time lease for the exported location to be active. This time lease defaults to 24 hours. If an installation exceeds 24 hours because of a system or network error, the installation will hang. If a hang occurs, troubleshoot the installation and restart the installation process by rebooting the client to network boot. The time lease can also be extended.