Dell PowerStore 3000X EMC PowerStore Configuring NFS Exports - Page 12

Configure Kerberos for NAS server Security, Create a custom realm for Kerberos


3. Select or clear Enable SFTP.
   If either FTP or SFTP is enabled, continue with the following steps:
4. Select which type of users have access to the files.
5. Show the Home Directory and Audit options.
6. Optionally, disable or enable the Home directory restrictions.
   • If disabled, enter the default home directory.
   • Optionally, leave the default or enter a new Maximum size of audit files.
7. Select or clear Enable FTP/SFTP Auditing. If enabled, enter the directory to save the audit files.
8. Optionally, Show Messages, and enter a default welcome message and message of the day.
9. Show the Access Control List.
10. Optionally, add a list of users, groups, and hosts that are allowed or denied FTP access.
11. Click Apply.

Configure Kerberos for NAS server Security

You can configure the NAS Server with Kerberos.

Kerberos is a distributed authentication service designed to provide strong authentication with secret-key cryptography. It works on the basis of "tickets" that allow nodes communicating over a non-secure network to prove their identity in a secure manner. When configured to act as a secure NFS server, the NAS server uses the RPCSEC_GSS security framework and the Kerberos authentication protocol to verify users and services.

If the NAS server has been configured with NFS only, and you are configuring Secure NFS or LDAP with Kerberos, you must configure Kerberos with a custom realm before configuring security in PowerStore.

If the NAS server has been configured with both the NFS and SMB protocols, you have the option of using the Kerberos realm that is inherited from AD, since the domain-joined SMB server exists on the NAS server.

The storage system must be configured with an NTP server. Kerberos relies on correct time synchronization between the KDC, servers, and clients on the network.

Configuring Kerberos for Secure NFS

If you are configuring Kerberos for Secure NFS, be aware of the following:
• If configuring the NAS server for NFS only, you must configure the NAS server with a custom realm. If you have configured the NAS server with NFS and SMB, you can use either the AD or custom realm.
• Using LDAPS or LDAP with Kerberos is recommended for increased security.
• A DNS server must be configured at the NAS-server level. All members of the Kerberos realm, including the KDC, NFS server, and NFS clients, must be registered in the DNS server.
• The NFS client's hostname FQDN and NAS server FQDN must be registered in the DNS server. Clients and servers must be able to resolve any member of the Kerberos realm's FQDNs to an IP address.
• The FQDN part of the NFS client's SPN must be registered in the DNS server.
• A keytab file must be uploaded to your NAS server when configuring Secure NFS.
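
A pre-upload check for the keytab and DNS requirements listed above, as an added example that is not part of the Dell documentation: it parses an MIT-format keytab, confirms that it carries the NAS server's service principal, and confirms that every host named in the keytab resolves. The nfs/<FQDN>@<REALM> principal form, the realm EXAMPLE.TEST, the host names, and the dictionary standing in for the DNS server are assumptions made for the example.

```python
import struct

def parse_keytab(data):
    """List (principal, kvno, enctype) for each entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 2
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names = []
        for _ in range(ncomp + 1):           # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8                             # skip name type and timestamp
        (enctype,) = struct.unpack_from(">H", rec, off + 1)
        out.append(("/".join(names[1:]) + "@" + names[0], rec[off], enctype))
    return out

def check_keytab(data, nas_fqdn, realm, resolve):
    """Return a list of problems; an empty list means the checks here passed."""
    wanted = f"nfs/{nas_fqdn}@{realm}"       # assumed service principal form
    principals = [p for p, _, _ in parse_keytab(data)]
    problems = [] if wanted in principals else [f"keytab has no entry for {wanted}"]
    for p in principals:                     # the FQDN part of each SPN must resolve
        host = p.split("@")[0].partition("/")[2]
        if host and resolve(host) is None:
            problems.append(f"{host} (from {p}) does not resolve")
    return problems

def make_entry(realm, comps, kvno=2, enctype=18, key=bytes(32)):
    """Build one keytab record; used only to construct the sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: two entries with all-zero keys, and a stand-in DNS table.
SAMPLE = (b"\x05\x02" + make_entry("EXAMPLE.TEST", ["nfs", "nas01.example.test"])
          + make_entry("EXAMPLE.TEST", ["nfs", "nas01-old.example.test"]))
DNS = {"nas01.example.test": "192.0.2.10"}
```

Against a real environment, pass a resolve function that queries the DNS server configured on the NAS server and returns None on failure, in place of DNS.get.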

Create a custom realm for Kerberos

You can configure a custom realm to use with Kerberos.

A custom Kerberos realm lets you configure any kind of KDC (MIT/Heimdal or AD). Use this method when you do not have an SMB server domain that is configured on the NAS server or if you want to use a different Kerberos realm than the one configured for the SMB server.

Create custom realm for pure NFS Server

To use a Unix-based KDC, follow these steps before configuring Kerberos in PowerStore. The steps assume that you want to use myrealm in the Kerberos realm linux.dellemc.com as the hostname of the NFS server.

1. Run the kadmin.local tool.