Nfs Secure - EMC Unity Family Security Configuration Manual

Access Control

NFS secure

EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
credential is retrieved from the Windows DC or LGDB. If the mapping is not found, the Windows credential of the default Windows user is used instead or the access is denied.
NFS secure is the use of Kerberos for authenticating users with NFSv3 and NFSv4. Kerberos provides integrity (signing) and privacy (encryption). Integrity and privacy are not required to be enabled; they are NFS export options.
Without Kerberos, the server relies entirely on the client to authenticate users: the server trusts the client. With Kerberos this is not the case; the server trusts the Key Distribution Center (KDC). It is the KDC that handles authentication and manages accounts (principals) and passwords. Moreover, no password in any form is sent on the wire.
Without Kerberos, the credential of the user is sent on the wire unencrypted and thus can easily be spoofed. With Kerberos, the identity (principal) of the user is included in the encrypted Kerberos ticket, which can only be read by the target server and the KDC; they are the only ones that know the encryption key.
In conjunction with NFS secure, AES128 and AES256 encryption in Kerberos is supported. Along with NFS secure, this also affects SMB and LDAP. These encryption types are now supported by default by Windows and Linux. They are much more secure; however, it is up to the client whether they are used. From the user principal, the server builds the credential of that user by querying the active UDS. Since NIS is not secure, it is not recommended to use it with NFS secure. It is recommended to use Kerberos with LDAP or LDAPS.
NFS secure can be configured either through Unisphere or the UEM CLI.
File protocol relationships
With Kerberos the following is required:
- DNS - You must use DNS names in place of IP addresses
- NTP - All participants must be time synchronized
- UDS - To build credentials
- Hostname - Kerberos works with names and not IP addresses
NFS secure uses one or two SPNs depending on the value of the hostname. If the hostname is in FQDN format host.domain:
- The short SPN: nfs/host@REALM
- The long SPN: nfs/host.domainFQDN@REALM
If the hostname is not in FQDN format, only the short SPN is used.
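As an added example (not from the EMC guide), the Python below applies the SPN rule above to a hostname and realm, and reads the integrity/privacy guarantees off a Linux-style sec= export option as described in the export-option paragraph earlier. The hostnames, the realm and the sec= syntax are assumptions; the guide does not give the Unity export syntax.

```python
import ipaddress
from dataclasses import dataclass, field

# NFS security flavors as written in a Linux-style "sec=" export option (RFC 2623 names);
# assumed syntax, not the Unity CLI. krb5 = Kerberos authentication only, krb5i = adds
# integrity (signing), krb5p = adds privacy (encryption), sys = AUTH_SYS, where the
# server simply trusts the identity the client asserts.
FLAVORS = {"sys": (False, False), "krb5": (False, False),
           "krb5i": (True, False), "krb5p": (True, True)}


@dataclass
class NfsSecurePlan:
    spns: list
    integrity: bool
    privacy: bool
    warnings: list = field(default_factory=list)


def expected_spns(hostname, realm):
    """SPNs the NFS service needs in the KDC for this hostname.

    FQDN hostname host.domain -> short nfs/host@REALM plus long nfs/host.domain@REALM;
    a non-FQDN hostname -> the short SPN only. IP literals are rejected because
    Kerberos works with names, not addresses."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass  # not an IP literal, so it is a usable name
    else:
        raise ValueError("Kerberos needs a DNS name, not an IP address: %r" % hostname)
    short_spn = "nfs/%s@%s" % (hostname.split(".")[0], realm.upper())
    if "." in hostname:
        return [short_spn, "nfs/%s@%s" % (hostname, realm.upper())]
    return [short_spn]


def plan_export(hostname, realm, sec_option, uds="ldaps"):
    """Derive the SPNs and the integrity/privacy offered by a sec= option such as
    'krb5:krb5p'. A flag is True when at least one offered flavor provides it; the
    client still chooses which flavor it actually uses. Warnings flag fallbacks
    that weaken what NFS secure is meant to provide."""
    flavors = sec_option.split(":")
    unknown = [f for f in flavors if f not in FLAVORS]
    if unknown:
        raise ValueError("unknown security flavor(s): %s" % ", ".join(unknown))
    plan = NfsSecurePlan(spns=expected_spns(hostname, realm),
                         integrity=any(FLAVORS[f][0] for f in flavors),
                         privacy=any(FLAVORS[f][1] for f in flavors))
    if "sys" in flavors:
        plan.warnings.append("sec offers sys: a client may skip Kerberos and be trusted as-is")
    if uds.lower() == "nis":
        plan.warnings.append("UDS is NIS, which is not secure; use LDAP or LDAPS with NFS secure")
    return plan
```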
Similarly to SMB, where an SMB server can be joined to a domain, an NFS server can be joined to a realm (the Kerberos equivalent of a domain). There are two options for this:
- Use the configured Windows domain, if any
- Entirely configure a UNIX KDC based Kerberos realm
If the administrator selects to use the configured Windows domain, there is nothing else to do. Every SPN used by the NFS service is automatically added to or removed from the KDC when joining or unjoining the SMB server. Note that the SMB server cannot be destroyed if NFS secure is configured to use the SMB configuration.
If the administrator selects to use a UNIX based Kerberos realm, more configuration is needed:
