To configure Kerberos authentication with ECS NFS, you must configure both the ECS nodes and the NFS client, and create keytabs for the NFS server principal and for the NFS client principal.
Prerequisites
Depending on your internal IT setup, you can use a Key Distribution Center (KDC) or you can use Active Directory (AD) as your KDC.
Create the Kerberos configuration file (krb5.conf) on the ECS node as /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf. Unless HDFS has already been configured, you must create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs) and make the user with uid 444 and the group with gid 444 its owner (chown 444:444 hdfs). Change the file permissions of krb5.conf to 644 and make the user with uid 444 (storageos) the owner of the file.
In the example below, the following values are used and must be replaced with your own settings:
Kerberos REALM: set to NFS-REALM in this example.
KDC: set to kdcname.yourco.com in this example.
KDC Admin Server: in this example, the KDC acts as the admin server.
If HDFS has already been configured for Kerberos, do not replace /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf; instead, merge the REALM information, if it differs, into the existing krb5.conf file. Usually no change to this file is needed, because the REALM has already been configured by HDFS. Likewise, the default permissions and owner should already have been set by the HDFS configuration and should not require any change.
Add a host principal for the ECS node and create a keytab for the principal. In this example, the FQDN of the ECS node is ecsnode1.yourco.com.
Copy the keytab (datanode.keytab) to /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab. Unless HDFS has already been configured, you need to create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs) and make the user with uid 444 and the group with gid 444 its owner (chown 444:444 hdfs). Change the file permissions of krb5.keytab to 644 and make the user with uid 444 (storageos) the owner of the file.
If HDFS is already configured, do not replace /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab; instead, merge the datanode.keytab file into the existing keytab file using ktutil. The default permissions and owner should already have been configured by HDFS and should not require any change.
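The krb5.conf and keytab steps above, as an added shell example that is not part of the Dell ECS documentation. It uses the page's example values (NFS-REALM, kdcname.yourco.com, ecsnode1.yourco.com, the hdfs data directory, uid/gid 444) and assumes MIT Kerberos kadmin.local and ktutil syntax for the principal and keytab steps; those two functions need a reachable KDC, so the file install and permission check are what you can run locally.

```shell
# Added example (not from the ECS docs). Values below are the page's examples;
# override them through the environment before running on a real node.
set -eu

REALM="${REALM:-NFS-REALM}"
KDC="${KDC:-kdcname.yourco.com}"
ADMIN_SERVER="${ADMIN_SERVER:-$KDC}"           # the KDC doubles as admin server here
HDFS_DIR="${HDFS_DIR:-/opt/emc/caspian/fabric/agent/services/object/data/hdfs}"
OWNER="${OWNER:-444:444}"                     # uid 444 is storageos on the ECS node

# Print a minimal krb5.conf for one realm; DNS lookups are disabled so the
# node only talks to the KDC named here.
render_krb5_conf() {
  realm=$1; kdc=$2; admin=$3
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $admin
    }
EOF
}

# Create the hdfs directory (755, 444:444) only if HDFS has not created it,
# then write krb5.conf as 644 owned by storageos, as the procedure requires.
install_krb5_conf() {
  if [ ! -d "$HDFS_DIR" ]; then
    mkdir -p "$HDFS_DIR"
    chmod 755 "$HDFS_DIR"
    chown "$OWNER" "$HDFS_DIR"
  fi
  render_krb5_conf "$REALM" "$KDC" "$ADMIN_SERVER" > "$HDFS_DIR/krb5.conf"
  chmod 644 "$HDFS_DIR/krb5.conf"
  chown "$OWNER" "$HDFS_DIR/krb5.conf"
}

# Host principal for the node, exported to datanode.keytab (run on the KDC;
# assumed MIT kadmin.local syntax). Merge into krb5.keytab with ktutil when
# HDFS already owns that file instead of overwriting it.
make_host_keytab() {
  fqdn=$1
  kadmin.local -q "addprinc -randkey host/$fqdn@$REALM"
  kadmin.local -q "ktadd -k datanode.keytab host/$fqdn@$REALM"
}

# "<octal mode> <uid>" of a path, for verifying the install (expect "644 444").
perms_of() { stat -c '%a %u' "$1"; }
```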
Download the unlimited JCE policy archive from oracle.com and extract it to the /opt/emc/caspian/fabric/agent/services/object/data/jce/unlimited directory.
Kerberos may be configured to use a strong encryption type, such as AES-256. In that situation, the JRE within the ECS nodes must be reconfigured to use the 'unlimited' policy.
NOTE: This step should be performed only if you are using a strong encryption type.
If HDFS is already configured, this step would have been completed by HDFS Kerberos configuration.
Run the following command from inside the object container.
service storageos-dataservice restarthdfs
To set up the client, begin by making sure that the hostname of the client can be resolved. You can use the hostname command to ensure that the FQDN of the ECS node is added to /etc/HOSTNAME.
Mounting as the root user does not require you to use kinit. However, when using root, authentication is done with the client machine's host principal rather than with your own Kerberos principal. Depending on your operating system, you can configure the authentication module to fetch the Kerberos ticket when you log in, so that there is no need to fetch the ticket manually with kinit and you can mount the NFS share directly.