Configuring Kerberos NFS Servers

NFS services use UNIX user IDs (UIDs) to identify a user and cannot directly use GSS credentials. To translate the credential to a UID, a credential table that maps user credentials to UNIX UIDs might need to be created. See Mapping GSS Credentials to UNIX Credentials for more information on the default credential mapping.

The procedures in this section focus on the tasks that are necessary to configure a Kerberos NFS server, to administer the credential table, and to initiate Kerberos security modes for NFS-mounted file systems. The following task map describes the tasks that are covered in this section.

Table 23-2 Configuring Kerberos NFS Servers (Task Map)
How to Configure Kerberos NFS Servers

In this procedure, the following configuration parameters are used:
How to Create a Credential Table

The gsscred credential table is used by an NFS server to map Kerberos credentials to a UID. By default, the primary part of the principal name is matched to a UNIX login name. For NFS clients to mount file systems from an NFS server with Kerberos authentication, this table must be created if the default mapping is not sufficient.
How to Add a Single Entry to the Credential Table

Before You Begin

This procedure requires that the gsscred table has already been created on the NFS server. See How to Create a Credential Table for instructions.
Example 23-2 Adding a Multiple Component Principal to the Credential Table

In the following example, an entry is added for a principal named sandy/admin, which is mapped to UID 3736.

# gsscred -m kerberos_v5 -n sandy/admin -u 3736 -a

Example 23-3 Adding a Principal in a Different Domain to the Credential Table

In the following example, an entry is added for a principal named sandy/admin@EXAMPLE.COM, which is mapped to UID 3736.

# gsscred -m kerberos_v5 -n sandy/admin@EXAMPLE.COM -u 3736 -a

How to Provide Credential Mapping Between Realms

This procedure provides appropriate credential mapping between realms that use the same password file. In this example, the realms CORP.EXAMPLE.COM and SALES.EXAMPLE.COM use the same password file. The credentials for bob@CORP.EXAMPLE.COM and bob@SALES.EXAMPLE.COM are mapped to the same UID.
Example 23-4 Mapping Credentials Between Realms Using the Same Password File

This example provides appropriate credential mapping between realms that use the same password file. In this example, the realms CORP.EXAMPLE.COM and SALES.EXAMPLE.COM use the same password file. The credentials for bob@CORP.EXAMPLE.COM and bob@SALES.EXAMPLE.COM are mapped to the same UID.

On the client system, add entries to the krb5.conf file.

# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = CORP.EXAMPLE.COM
.
[realms]
CORP.EXAMPLE.COM = {
.
        auth_to_local_realm = SALES.EXAMPLE.COM
.
}

Troubleshooting

See Observing Mapping from GSS Credentials to UNIX Credentials to help with the process of troubleshooting credential mapping problems.

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

This procedure enables an NFS server to provide secure NFS access using different security modes or flavors. When a client negotiates a security flavor with the NFS server, the first flavor that is offered by the server that the client has access to is used. This flavor is used for all subsequent client requests of the file system shared by the NFS server.
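The credential table procedure, Examples 23-2 and 23-3, and the auth_to_local_realm setting in Example 23-4 together describe how an NFS server turns a Kerberos principal into a UID: an explicit gsscred entry wins, otherwise the primary part of the principal is matched to a login name, and only for the default realm or a realm listed in auth_to_local_realm. The following Python model of that lookup order is an added example, not Solaris code; the table contents, password entries, the nobody UID and the rule that a realm-less table entry applies only to default-realm principals and that multi-component principals need an explicit entry are assumptions made for the illustration.

```python
# Model of Kerberos-principal-to-UID mapping on an NFS server, as described
# on this page: explicit gsscred-style table first, then the default rule.
# Added illustration, not Solaris code. All data below is constructed.

from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the gsscred table (what "gsscred ... -a" populates).
# Keys are principal names as they were added, with or without a realm.
GSSCRED_TABLE: Dict[str, int] = {
    "sandy/admin": 3736,              # Example 23-2
    "sandy/admin@EXAMPLE.COM": 3736,  # Example 23-3
}

# Constructed stand-in for the shared password file (login name -> UID).
PASSWD: Dict[str, int] = {"bob": 1001, "sandy": 1002}

# Constructed stand-in for the krb5.conf settings shown in Example 23-4.
DEFAULT_REALM = "CORP.EXAMPLE.COM"
AUTH_TO_LOCAL_REALM: List[str] = ["SALES.EXAMPLE.COM"]

# Assumed fallback UID for credentials that map to nothing (constructed value).
NOBODY_UID = 60001


def parse_principal(principal: str) -> Tuple[List[str], Optional[str]]:
    """Split 'primary/instance@REALM' into name components and realm.

    The realm is None when the principal was written without one.
    """
    name, sep, realm = principal.partition("@")
    if not name:
        raise ValueError(f"malformed principal: {principal!r}")
    components = name.split("/")
    if any(c == "" for c in components):
        raise ValueError(f"empty component in principal: {principal!r}")
    return components, (realm if sep else None)


def lookup_table(principal: str) -> Optional[int]:
    """Explicit mapping: exact match first, then the realm-less entry."""
    if principal in GSSCRED_TABLE:
        return GSSCRED_TABLE[principal]
    components, realm = parse_principal(principal)
    # Assumption of this model: an entry added without a realm refers to the
    # default realm, so it only applies to default-realm principals.
    if realm is None or realm == DEFAULT_REALM:
        return GSSCRED_TABLE.get("/".join(components))
    return None


def default_mapping(principal: str) -> Optional[int]:
    """Default rule: primary component -> login name, local realms only."""
    components, realm = parse_principal(principal)
    if realm is not None and realm != DEFAULT_REALM \
            and realm not in AUTH_TO_LOCAL_REALM:
        return None  # foreign realm: never treated as a local user
    if len(components) != 1:
        return None  # assumed: multi-component principals need a table entry
    return PASSWD.get(components[0])


def map_credential(principal: str) -> int:
    """UID the NFS server would use for this principal, or the nobody UID."""
    uid = lookup_table(principal)
    if uid is None:
        uid = default_mapping(principal)
    return NOBODY_UID if uid is None else uid


if __name__ == "__main__":
    for p in ("bob@CORP.EXAMPLE.COM", "bob@SALES.EXAMPLE.COM",
              "bob@OTHER.EXAMPLE.COM", "sandy/admin@CORP.EXAMPLE.COM",
              "sandy/admin@EXAMPLE.COM", "sandy/admin@SALES.EXAMPLE.COM"):
        print(f"{p:32} -> {map_credential(p)}")
```

Running the module shows the two effects the page relies on: bob in CORP.EXAMPLE.COM and bob in SALES.EXAMPLE.COM both resolve to the same UID because of auth_to_local_realm, while the same login name from an unlisted realm falls through to the nobody UID, and sandy/admin resolves only because the table was populated.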
Example 23-5 Sharing a File System With One Kerberos Security Mode

In this example, Kerberos authentication must succeed before any files can be accessed through the NFS service.

# sharemgr share -F nfs -p -o sec=krb5 /export/home

Example 23-6 Sharing a File System With Multiple Kerberos Security Modes

In this example, all three Kerberos security modes have been selected. Which mode is used is negotiated between the client and the NFS server. If the first mode in the command fails, then the next is tried. See the nfssec(5) man page for more information.

# sharemgr share -F nfs -p -o sec=krb5:krb5i:krb5p /export/home
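The procedure above states that the first flavor offered by the server that the client can use is the one selected, and Example 23-6 offers krb5, krb5i and krb5p in that order. The following Python model of the sec= option and of that negotiation is an added example, not Solaris code; the flavor names are those documented in nfssec(5), the strength ranking, the assumed sys default when no sec= option is present, and the client flavor lists are constructed for the illustration.

```python
# Model of NFS security-flavor negotiation for a share given
# "-o sec=flavor[:flavor...]": the server offers flavors in the order listed
# and the first one the client can use is chosen. Added illustration, not
# Solaris code; client capabilities below are constructed.

from typing import Dict, List, Optional

# Flavor names from nfssec(5); krb5, krb5i and krb5p are the Kerberos modes.
KNOWN_FLAVORS: Dict[str, str] = {
    "none": "no authentication",
    "sys": "AUTH_SYS, unauthenticated UNIX UIDs/GIDs",
    "dh": "Diffie-Hellman (AUTH_DES) authentication",
    "krb5": "Kerberos V5 authentication",
    "krb5i": "Kerberos V5 authentication plus integrity",
    "krb5p": "Kerberos V5 authentication, integrity and privacy",
}

# Constructed ranking by protection offered; used only for the ordering check.
STRENGTH: Dict[str, int] = {
    "none": 0, "sys": 1, "dh": 2, "krb5": 3, "krb5i": 4, "krb5p": 5,
}


def parse_sec_option(options: str) -> List[str]:
    """Return the sec= flavor list from a comma-separated share option string."""
    for opt in options.split(","):
        key, sep, value = opt.partition("=")
        if key.strip() == "sec" and sep:
            flavors = [f.strip() for f in value.split(":") if f.strip()]
            if not flavors:
                raise ValueError("sec= given without any flavor")
            unknown = [f for f in flavors if f not in KNOWN_FLAVORS]
            if unknown:
                raise ValueError(f"unknown security flavor(s): {unknown}")
            return flavors
    return ["sys"]  # assumed default when the share carries no sec= option


def negotiate(server_flavors: List[str],
              client_usable: List[str]) -> Optional[str]:
    """First server-offered flavor the client can use; None means no access."""
    usable = set(client_usable)
    for flavor in server_flavors:
        if flavor in usable:
            return flavor
    return None


def weak_before_strong(server_flavors: List[str]) -> Optional[str]:
    """Note when a weaker flavor is offered ahead of a stronger one.

    A client able to use both ends up on the earlier, weaker flavor for the
    lifetime of its requests to that file system.
    """
    for i, earlier in enumerate(server_flavors):
        for later in server_flavors[i + 1:]:
            if STRENGTH[earlier] < STRENGTH[later]:
                return (f"'{earlier}' is offered before '{later}'; clients "
                        f"supporting both will use '{earlier}'")
    return None


if __name__ == "__main__":
    offered = parse_sec_option("sec=krb5:krb5i:krb5p")  # Example 23-6
    print("server offers:", offered)
    print("client with all three ->", negotiate(offered, ["krb5p", "krb5i", "krb5"]))
    print("client with sys only  ->", negotiate(offered, ["sys"]))
    print("ordering note:", weak_before_strong(offered))
```

With the order used in Example 23-6, a client capable of krb5p still ends up on plain krb5 because krb5 is offered first; listing krb5p first makes privacy the outcome for every client that supports it while still letting older clients fall back.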