Welcome

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

Sign Out

Welcome to Dell

My Account

Place orders quickly and easily
View orders and track your shipping status
Enjoy members-only rewards and discounts
Create and access a list of your products
Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

US/EN

Cart

Your Dell.com Carts

Products
Solutions
Services
Contact Us

Support
Product Support
Manuals

ECS 3.5.0.1 Administration Guide

Notes, cautions, and warnings
Overview
Getting Started with ECS
Storage Pools, VDCs, and Replication Groups
Authentication Providers
- Introduction to authentication providers
- Working with authentication providers in the ECS Portal
Namespaces
- Introduction to namespaces
  - Namespace tenancy
- Working with namespaces in the ECS Portal
Users and Roles
Identity and Access Management (S3)
Buckets
File Access
Maintenance
- Maintenance
- ECS Appliance CRU and FRU guide availability
Certificates
ECS Settings
ECS Outage and Recovery
Advanced Monitoring

PDF

Loading, Please wait

Configure ECS NFS with Kerberos security

To configure Kerberos authentication with ECS NFS, you must configure both the ECS nodes and the NFS client, and create keytabs for the NFS server principal and for the NFS client principal.

Prerequisites

Depending on your internal IT setup, you can use a Key Distribution Center (KDC) or you can use Active Directory (AD) as your KDC.

To use AD, follow the steps in these tasks:

About this task

The following scenarios are supported:

ECS client to single ECS node. The keytab on each ECS that you want to use as the NFS server must be specific to that node.
ECS client to load balancer. The keytab on all ECS nodes is the same, and uses the hostname of the load balancer.

Steps

Ensure that the hostname of the ECS node can be resolved.

You can use the hostname command to ensure that the FQDN of the ECS node is added to /etc/HOSTNAME.

dataservice-10-247-142-112:~ # hostname ecsnode1.yourco.com
dataservice-10-247-142-112:~ # hostname -i
10.247.142.112 
dataservice-10-247-142-112:~ # hostname -f
ecsnode1.yourco.com
dataservice-10-247-142-112:~ #

Create the Kerberos configuration file (krb5.conf) on the ECS node as /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf. Unless HDFS has already been configured, you must create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs) and make user with uid 444 and group with gid 444 as the owner (chown 444:444 hdfs).

Change the file permissions to 644 and make the user with id 444(storageos) the owner of the file.

In the example below, the following values are used and must be replaced with your own settings.

Kerberos REALM

Set to NFS-REALM in this example.

KDC

Set to kdcname.yourco.com in this example.

KDC Admin Server

In this example, the KDC acts as the admin server.
```
[libdefaults]
        default_realm = NFS-REALM.LOCAL
[realms]
        NFS-REALM.LOCAL = {
                kdc = kdcname.yourco.com                    
                admin_server = kdcname.yourco.com 
        }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
```
NOTE
If HDFS for Kerberos is already configured, instead of replacing /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.conf, merge the REALM information, if it is different, into the existing krb5.conf file. Usually there is no change to this file as REALM has been configured by HDFS. In addition, the default permissions and owner should have already been configured by HDFS and should not require any change.
Add a host principal for the ECS node and create a keytab for the principal.
In this example, the FQDN of the ECS node is ecsnode1.yourco.com
```
$ kadmin
kadmin> addprinc -randkey nfs/ecsnode1.yourco.com
kadmin> ktadd -k /datanode.keytab nfs/ecsnode1.yourco.com  
kadmin> exit
```
Copy the keytab (datanode.keytab) to /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab. Unless HDFS has already been configured, you need to create the hdfs directory with 755 (drwxr-xr-x) permissions (chmod 755 hdfs)and make user with uid 444 and group with gid 444 as the owner (chown 444:444 hdfs).
Change its file permissions to 644 and make the user with id 444(storageos) the owner of the file.

If HDFS is already configured, instead of replacing /opt/emc/caspian/fabric/agent/services/object/data/hdfs/krb5.keytab, merge the datanode.keytab file into the existing keytab file using ktutil. Default permissions and owner should already be configured by HDFS and should not require any change.
Download the unlimited JCE policy archive from oracle.com and extract it to the /opt/emc/caspian/fabric/agent/services/object/data/jce/unlimited directory.
Kerberos may be configured to use a strong encryption type, such as AES-256. In that situation, the JRE within the ECS nodes must be reconfigured to use the 'unlimited' policy.
NOTE This step should be performed only if you are using a strong encryption type.

If HDFS is already configured, this step would have been completed by HDFS Kerberos configuration.
Run the following command from inside the object container.
```
service storageos-dataservice restarthdfs
```

To set up the client, begin by making sure that the hostname of the client can be resolved.

You can use the hostname command to ensure that the FQDN of the ECS node is added to /etc/HOSTNAME.

dataservice-10-247-142-112:~ # hostname ecsnode1.yourco.com
dataservice-10-247-142-112:~ # hostname -i
10.247.142.112 
dataservice-10-247-142-112:~ # hostname -f
ecsnode1.yourco.com
dataservice-10-247-142-112:~ #

If your client is running SUSE Linux make sure that line NFS_SECURITY_GSS="yes" is uncommented in /etc/sysconfig/nfs.
If you are on Ubuntu make sure to have line NEED_GSSD=yes in /etc/default/nfs-common.
Install rpcbind and nfs-common.
Use apt-get or zypper. On SUSE Linux, for nfs-common, use:
```
zypper install yast2-nfs-common
```
By default these are turned off in Ubuntu client.

Set up your Kerberos configuration file.

In the example below, the following values are used and you must replace them with your own settings.

Kerberos REALM: Set to NFS-REALM in this example.
KDC: Set to kdcname.yourco.com in this example.
KDC Admin Server: In this example, the KDC acts as the admin server.

[libdefaults]
        default_realm = NFS-REALM.LOCAL
[realms]
        NFS-REALM.LOCAL = {
                kdc = kdcname.yourco.com                    
                admin_server = kdcname.yourco.com 
        }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

Add a host principal for the NFS client and create a keytab for the principal.
In this example, the FQDN of the NFS client is nfsclient.yourco.com
```
$kadmin
kadmin> addprinc -randkey host/nfsclient.yourco.com
kadmin> ktadd -k /nkclient.keytab host/nfsclient.yourco.com
kadmin> exit
```

Copy the keytab file (nfsclient.keytab) from the KDC machine to /etc/krb5.keytab on the NFS client machine.

scp /nkclient.keytab root@nfsclient.yourco.com:/etc/krb5.keytab
ssh root@nfsclient.yourco.com 'chmod 644 /etc/krb5.keytab'

Create a principal for a user to access the NFS export.

$kadmin
kadmin> addprinc yourusername@NFS-REALM.LOCAL
kadmin> exit

HOSTNAME:MOUNTPOINT    LOCALMOUNTPOINT        nfs     rw,user,nolock,noauto,vers=3,sec=krb5 0       0

For example:

ecsnode1.yourco.com:/s3/b1     /home/kothan3/1b1       nfs     rw,user,nolock,noauto,vers=3,sec=krb5   0 0

Log in as non root user and kinit as the non-root user that you created.
```
kinit yourusername@NFS-REALM.LOCAL
```
You can now mount the NFS export. For more information, see Mount an NFS export example and Best practices for mounting ECS NFS exports.

NOTE
Mounting as the root user does not require you to use kinit. However, when using root, authentication is done using the client machine's host principal rather than your Kerberos principal. Depending upon your operating system, you can configure the authentication module to fetch the Kerberos ticket when you login, so that there is no need to fetch the ticket manually using kinit and you can mount the NFS share directly.

Data is not available for the Topic

Rate this content

All fields are required unless marked otherwise.

Accurate

not accurate

somewhat accurate

mostly accurate

accurate

very accurate

Useful

not useful

somewhat useful

mostly useful

useful

very useful

Easy to understand

not easy

somewhat easy

mostly easy

easy

very-easy

Was this article helpful?

Yes

Send us feedback (Optional)

0/3000 characters

Comments cannot contain these special characters: <>()\

Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.

Please provide ratings (1-5 stars).

Please select whether the article was helpful or not.

Comments cannot contain these special characters: <>()\

US/EN

Site Map

Account

My Account
Order Status
My Products
Make a Payment
Dell Rewards Balance

Support

Support Home
Contact Technical Support
Returns

Connect with Us

Community
Contact Us
X (Twitter)
LinkedIn
Instagram
YouTube

Site Map

US/EN

Our Offerings

Artificial Intelligence
Products
Solutions
Services
Deals

Our Company

Who We Are
Careers
Dell Technologies Capital
Investors
Newsroom
Perspectives
Recycling
ESG & Impact
Customer Stories

Our Partners

Find a Partner
Find a Reseller
OEM Solutions
Partner Program

Resources

Blog
Dell Rewards
Events
Email Sign-Up
Dell Learning Center
Glossary
Privacy Center
Resource Library
Security & Trust Center
Trial Software Downloads

Dell Technologies
Dell Premier
Dell Financial Services

Terms of Sale
Privacy Statement
Do Not Sell or Share My Personal Information
Cookies, Ads & Emails
Legal & Regulatory
Accessibility
Anti-Slavery & Human Trafficking