Prerequisites for configuring Kerberos based NFS access

Certain requirements must be met to configure IBM Storage Scale for Kerberized NFS access.

General requirements

  • For Kerberized NFS access, time must be synchronized across the KDC server, the IBM Storage Scale cluster protocol nodes, and the NFS clients. Otherwise, access to an NFS export might be denied.
  • For Kerberized NFSv3 access, NFS clients must mount NFS exports by using one of the configured CES IP addresses.
  • For Kerberized NFSv4 access, NFS clients can mount NFS exports by using either "one of the configured CES IP addresses" or the "system account name" that is configured for FILE protocols authentication. The "system account name" is the value that is specified for the --netbios-name option in the mmuserauth CLI command during FILE protocols authentication configuration.

IBM Storage Scale NFS server configuration for Kerberos access

  • To enable NFS Kerberos access, update the NFS server configuration with the Kerberos realm name. Issue the following command to configure the NFS configuration parameter LOCAL_REALMS:
    mmnfs config change "LOCAL_REALMS=MYREALM.COM"

    Set this attribute to the KDC REALM value.

    Note: Specify the realm name in capital letters.
  • Configure the same local realms value (for example, MYREALM.COM here) on all NFS Kerberos clients (for example, on RHEL NFS clients, set the Local-Realms attribute in the /etc/idmapd.conf file). This configuration file might differ across client operating systems.
  • On the NFS client, the ID map configuration must also be updated to reflect the same realm name that is defined on the NFS server. Additionally, the service that establishes Kerberos access with the NFS server must be started. For example, on RHEL 7.x NFS clients, the ID map configuration file is /etc/idmapd.conf. Update the Local-Realms attribute in that file to reflect the Kerberos realm that is defined on the NFS server, and then start the nfs-secure service.
    Note: The ID map configuration file and the service that establishes secure access can differ across OS platforms.

Considerations for LDAP-based authentication schemes:

  • In LDAP-based authentication schemes, administrators must generate a keytab file before the FILE protocols authentication configuration. The keytab file must be generated on the KDC server and then copied to the path /var/mmfs/tmp/ on the IBM Storage Scale node. The mmuserauth command must be initiated from the node to which the keytab file was copied.
  • The keytab file must contain NFS service principals for both the short name and the FQDN of the "system account name". The service principal name format is nfs/<system account name>@<KERBEROS REALM>. For example, if the "system account name" is FOO, the "system account FQDN" is FOO.MYDOMAIN.COM, and the "realm" is MYREALM.COM, then the service principals that must be created are nfs/FOO@MYREALM.COM and nfs/FOO.MYDOMAIN.COM@MYREALM.COM.
  • The realm name is the value that is specified for the --kerberos-realm option in the mmuserauth command.
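As an added example (not IBM's own code and not part of this page), the following POSIX shell script checks the prerequisites from the server/client realm list and the LDAP keytab list above without touching a live cluster: that the realm given to LOCAL_REALMS is in capital letters, that a client's /etc/idmapd.conf Local-Realms value matches the server realm, and that a keytab listing in the format printed by klist -k contains both nfs/<short name>@REALM and nfs/<FQDN>@REALM service principals. The klist output, the idmapd.conf fragment and all function names are constructed for this example; the realm MYREALM.COM and the account FOO are the page's own sample values.

```shell
#!/bin/sh
# Added example, not IBM Storage Scale code: offline prerequisite checks for
# Kerberized NFS access. All sample inputs below are constructed.

# Print the two NFS service principals the keytab must contain:
# nfs/<short name>@<REALM> and nfs/<FQDN>@<REALM>.
expected_nfs_principals() {
    # $1 = system account short name, $2 = its FQDN, $3 = Kerberos realm
    printf 'nfs/%s@%s\nnfs/%s@%s\n' "$1" "$3" "$2" "$3"
}

# Return 0 if the realm is entirely upper case (the LOCAL_REALMS requirement),
# 1 otherwise.
realm_is_uppercase() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Extract the Local-Realms value from idmapd.conf content passed as a string.
idmapd_local_realms() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Local-Realms[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 if every expected principal appears in a 'klist -k' listing (passed
# as a string); otherwise report the missing ones on stderr and return 1.
check_keytab_principals() {
    listing="$1"; account="$2"; fqdn="$3"; realm="$4"; missing=0
    for p in $(expected_nfs_principals "$account" "$fqdn" "$realm"); do
        # klist -k prints "KVNO Principal", so the principal is field 2.
        if ! printf '%s\n' "$listing" | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }'; then
            echo "missing principal: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed 'klist -k' output for a keytab generated on the KDC for the
# system account FOO (FQDN FOO.MYDOMAIN.COM) in realm MYREALM.COM.
SAMPLE_KLIST='Keytab name: FILE:/var/mmfs/tmp/nfs.keytab
KVNO Principal
---- --------------------------------------------------
   2 nfs/FOO@MYREALM.COM
   2 nfs/FOO.MYDOMAIN.COM@MYREALM.COM'

# Constructed listing where the FQDN principal was never created.
SAMPLE_KLIST_SHORT_ONLY='Keytab name: FILE:/var/mmfs/tmp/nfs.keytab
KVNO Principal
---- --------------------------------------------------
   2 nfs/FOO@MYREALM.COM'

# Constructed client-side /etc/idmapd.conf fragment.
SAMPLE_IDMAPD='[General]
Verbosity = 0
Local-Realms = MYREALM.COM
Domain = mydomain.com'

# Run all checks for one server realm / client config / keytab listing.
# $1 = server LOCAL_REALMS value, $2 = client idmapd.conf content,
# $3 = klist -k output, $4 = system account short name, $5 = its FQDN
check_prereqs() {
    server_realm="$1"; idmapd_conf="$2"; klist_out="$3"; account="$4"; fqdn="$5"
    realm_is_uppercase "$server_realm" || { echo "LOCAL_REALMS must be in capital letters" >&2; return 1; }
    client_realm=$(idmapd_local_realms "$idmapd_conf")
    [ "$client_realm" = "$server_realm" ] || { echo "client Local-Realms '$client_realm' != server '$server_realm'" >&2; return 1; }
    check_keytab_principals "$klist_out" "$account" "$fqdn" "$server_realm"
}

# Example invocation with the constructed inputs; succeeds when everything lines up.
check_prereqs MYREALM.COM "$SAMPLE_IDMAPD" "$SAMPLE_KLIST" FOO FOO.MYDOMAIN.COM && echo "prerequisites OK"
```

On a real protocol node the same functions can be fed live data, for example `check_keytab_principals "$(klist -k /var/mmfs/tmp/nfs.keytab)" FOO FOO.MYDOMAIN.COM MYREALM.COM`, and the client check with the contents of /etc/idmapd.conf; a missing FQDN principal or a lower-case realm is reported before mmuserauth is run rather than surfacing later as a denied mount.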

Considerations for AD-based authentication schemes:

  • In Active Directory based authentication schemes, administrators need not prepare a keytab file. The mmuserauth CLI command prepares the keytab file during FILE protocols authentication configuration. It adds the NFS service principals for the short name and the FQDN of the "system account name" to the local keytab file at /var/mmfs/etc/krb5_scale.keytab on all protocol nodes in the CES cluster.
  • Users must specify the --enable-nfs-kerberos option in the mmuserauth command to activate Kerberized NFS access to IBM Storage Scale.