Configuring the Kerberos-based authentication on the servers and the clients
You can configure Kerberos-based authentication for NetBackup BYO, Flex media server, Flex WORM, and Flex Scale.
You must configure Kerberos-based authentication both on the servers and on the clients.
For the NetBackup BYO environment, before you configure Kerberos authentication on NetBackup servers and clients, check that the necessary krb5 packages are installed on the system. Run the following commands to check whether these packages are installed (and install any that are missing):
yum install krb5-workstation
pam_krb5 -f
To configure Kerberos-based authentication on the servers
- On the NetBackup server, run the vpfs_nfs_krb.sh script to create keytab entries for Kerberos principals. The script is located at:
/usr/openv/pdde/vpfs/bin/vpfs_nfs_krb.sh
For NetBackup BYO, run the script in the command window. For Flex media server, you must log in to the media server instance and run the script with sudo.
Add the key entries.
./vpfs_nfs_krb.sh add --user nfs/storage-server.mydomain.com
Delete the key entries.
./vpfs_nfs_krb.sh delete --user nfs/storage-server.mydomain.com
Verify Kerberos principal login.
./vpfs_nfs_krb.sh verify --user nfs/storage-server.mydomain.com
Update the password for Kerberos principals.
./vpfs_nfs_krb.sh update --user nfs/storage-server.mydomain.com
Display the key entries.
./vpfs_nfs_krb.sh list
Display the configurations related to Kerberos authentication.
./vpfs_nfs_krb.sh status
For Flex WORM and Flex Scale, you must log in to the WORM or MSDP engine Restricted Shell to run these commands.
Add the key entries.
setting SecureNfs add-krb-user krbuser=nfs/storage-server.mydomain.com
Delete the key entries.
setting SecureNfs delete-krb-user krbuser=nfs/storage-server.mydomain.com
Verify Kerberos principal login.
setting SecureNfs verify-krb-user krbuser=nfs/storage-server.mydomain.com
Update the password for Kerberos principals.
setting SecureNfs update-krb-user krbuser=nfs/storage-server.mydomain.com
Display the key entries.
setting SecureNfs list-krb-users
Display the configurations related to Kerberos authentication.
setting SecureNfs nfs-secure-status
Both the nfs/storage-server.mydomain.com and host/storage-server.mydomain.com principals must be added to the /etc/krb5.keytab file on the storage servers.
For Flex Scale, you must create both nfs/storage-server.mydomain.com and host/storage-server.mydomain.com principals for every MSDP engine. Here, storage-server is the MSDP engine host name configured in the Flex Scale web UI. You can find these names in the Monitor > NetBackup > Storage servers list on the NetBackup web UI. All these principals must be added to the krb5.keytab file by running the MSDP shell command. In every engine, the /etc/krb5.keytab file contains key entries of all principals that are created for all engines in the cluster.
For multi-VLAN environments, storage servers may have more than one IP address. If you need to mount the universal shares from clients that are in the secondary VLAN, ensure that the other FQDNs of the storage servers and clients are added in DNS, and that corresponding Active Directory users are created and registered as Kerberos principals. The key entries also need to be added to the /etc/krb5.keytab file.
To configure Kerberos-based authentication on the universal share clients
- Create the /etc/krb5.conf file for Kerberos authentication.
You can copy the /etc/krb5.conf file from a storage server where a universal share is configured.
Note:
If there is a kdc section defined in the krb5.conf file, copy the kdc.conf file along with the /etc/krb5.conf file.
- Enable SECURE_NFS in the /etc/sysconfig/nfs file.
Add the line SECURE_NFS=yes in the /etc/sysconfig/nfs configuration file. Then, run the following command to restart the service:
systemctl restart nfs-secure
Note:
This configuration is required only on Red Hat 7 or earlier versions. On Red Hat 8 and 9, this step is not required.
- Create keytab entries for Kerberos principals.
You can configure the keytab file by using one of the following two methods:
Copy the vpfs_nfs_krb.sh script from a storage server, then run the script to configure the keytab file.
After the Active Directory user for a universal share client is created, run the ktpass utility to generate the keytab for the Kerberos principal. Then, copy the keytab file to the /etc folder on the NFS client and rename it to /etc/krb5.keytab.
Note:
If the universal share client already has an existing /etc/krb5.keytab file, use the vpfs_nfs_krb.sh script to add the key entries.
The vpfs_nfs_krb.sh script can write logs about universal share configuration-related operations. The logs are available only for universal share servers. You can find the logs at the following location:
/<storage path>/log/vpfs/yymmdd_*_vpfs_nfs_krb.log