AIX NFS Version 4 configuration over Kerberos inter-realm setup



Since security is one of the key aspects and selling features of Network File System Version 4 (NFS Version 4), it is widely being accepted as the next-generation distributed file system. The current implementation of NFS Version 4 makes use of Kerberos (RFC 4120) as its underlying security mechanism to achieve authentication, privacy, integrity, and non-repudiation. IBM® has its own implementation of NFS Version 4 for its AIX® operating system, which makes use of IBM Network Authentication Service Version 1.4 (IBM NAS—the IBM flavor of Kerberos) for kerberizing the file system.

Most of the customers deploying AIX NFS Version 4 (or migrating from an older distributed file system like DCE/DFS or AFS) have a hybrid environment with a mix of Windows® and UNIX® systems. In such a heterogeneous environment, some administrators prefer using Microsoft® Active Directory as the Kerberos server for their Windows environment and using IBM NAS for AIX as the Kerberos server for the rest, thus resulting in two different Kerberos realms. There are also scenarios where there is a need for AIX NFS Version 4 to operate across organizational boundaries. In such cases, there is a high chance that the Kerberos servers used within individual organizations are deployed using different flavors of Kerberos by different vendors (for example, some using IBM NAS and others using Microsoft Active Directory). In other scenarios that are similar, some administrators might be planning to migrate from Microsoft Active Directory to IBM NAS for AIX to act as the Kerberos server for their realm.

In order for AIX NFS Version 4 to work in the scenarios involving multiple Kerberos realms, you need to establish an inter-realm configuration between the Kerberos realms configured using IBM NAS Version 1.4 for AIX and Microsoft Active Directory. This article describes the necessary configuration steps to aid you in configuring a successful inter-realm setup between IBM NAS Version 1.4 and Microsoft Active Directory. It further details the changes required for AIX NFS Version 4 to work over such an inter-realm setup and illustrates its working through examples.

Kerberos inter-realm configuration

The Kerberos Version 5 protocol is implemented by various vendors for a variety of systems. Its basic use is to achieve centralized authentication over a distributed network. Kerberos interoperability provides a common protocol for various implementations to coexist and work together in a heterogeneous environment.

In the Kerberos world, all the users and applications that use Kerberos as the authentication medium and are registered with a particular Kerberos server (for example, either IBM NAS Version 1.4 for AIX or Microsoft Active Directory) together form an administrative domain called a realm. The name of the realm in which a Kerberos client (user or application) is registered is part of the client's principal name and can be used by the kerberized application server to decide whether to honor a request. As part of Kerberos interoperability, most Kerberos implementations support a mechanism called inter-realm configuration. The basic concept behind inter-realm configuration is the establishment of inter-realm keys, which allow the administrators of two different realms to let clients authenticated in one realm use their Kerberos credentials in the other realm.

The following sections describe the configuration details on how to set up an inter-realm between two Kerberos realms, one configured to IBM NAS servers and the other to Microsoft Active Directory. It further explains the use of AIX NFS Version 4 as the kerberized application to test the working of inter-realm configuration.

AIX NFS Version 4 with IBM NAS and Microsoft Active Directory—The scenario

In order to set up and test the execution of AIX NFS Version 4 over a Kerberos inter-realm consisting of IBM NAS and Microsoft Active Directory, consider the following scenario. As shown in Figure 1, the scenario consists of two different Kerberos realms. One of the realms, ADFSAIX1.IN.IBM.COM, has IBM NAS for AIX acting as the Kerberos Key Distribution Center (KDC), while the other realm, MSKERBEROS.IN.IBM.COM, makes use of Microsoft Active Directory as the Kerberos KDC. The AIX NFS Version 4 server exporting the directories is configured to the IBM NAS realm, ADFSAIX1.IN.IBM.COM, while the AIX NFS Version 4 client, which mounts the directories exported by the AIX NFS V4 server, is configured to both the ADFSAIX1.IN.IBM.COM and MSKERBEROS.IN.IBM.COM Kerberos realms. The final goal that defines the success of this scenario is that the administrator@MSKERBEROS.IN.IBM.COM Kerberos principal, belonging to the MSKERBEROS.IN.IBM.COM realm, should be able to successfully acquire Kerberos credentials on the AIX NFS Version 4 client machine and use those credentials to successfully mount and access the directories exported by the AIX NFS Version 4 server (nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM), belonging to the ADFSAIX1.IN.IBM.COM realm.

The following definitions are used in the example in this article:

Listing 1. Definitions
NFS domain name: in.ibm.com
 
AIX NAS 1.4 (KDC) and AIX NFS V4 server:
Realm name              : ADFSAIX1.IN.IBM.COM
Hostname                : adfsaix1.in.ibm.com
Operating system        : AIX V5.3
IBM NAS admin principal : admin/admin
NFS V4 Server principal : nfs/adfsaix1.in.ibm.com
 
Microsoft Active Directory Server (KDC)
Realm Name             : MSKERBEROS.IN.IBM.COM
Hostname               : windce20.in.ibm.com
Operating system       : Microsoft Windows Server 2003
(Enterprise Edition, SP1)
Active Directory admin
Principal              : administrator
 
AIX NAS 1.4 client and AIX NFS V4 client
Realm name       : ADFSAIX1.IN.IBM.COM
Hostname         : nfsaix02.in.ibm.com
Operating system : AIX V5.3
Configured to ADFSAIX1.IN.IBM.COM and MSKERBEROS.IN.IBM.COM realms.

Figure 1. Example setup

Configuration steps

For a better understanding, the configuration steps are divided into four distinct modules:

Setting up IBM NAS KDC server and AIX NFS Version 4 server

  1. Install krb5 and the modcrypt filesets on the AIX 5.3 machine.

    The IBM NAS Version 1.4 filesets are shipped with the AIX Version 5.3 Expansion CD. The commands to install IBM NAS Version 1.4 server and the modcrypt.base fileset required by AIX NFS Version 4 are:

    Listing 2. Fileset requirements
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b#  installp -aqXgd . krb5.server modcrypt.base

    With the release of AIX 53L (TL 5300-07) and AIX 610, you need to also install the clic.rte fileset shipped with the AIX Expansion Pack CD, which is the prerequisite for the execution of the gssd daemon. For more information, please refer to the AIX 53L or 610 documentation.

  2. Configure the AIX NAS KDC server.

    After successfully installing IBM NAS Version 1.4, configure the IBM NAS KDC on the AIX machine. To configure the NAS KDC server to use the legacy database, use the command shown in Listing 3. For detailed information on IBM NAS administration, please refer to the IBM NAS Version 1.4 Administrator's and User's Guide, shipped with the AIX Version 5.3 Expansion Pack CD.

    Listing 3. Configuration of the NAS KDC server
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# export PATH=/usr/krb5/bin/:/usr/krb5/sbin/:$PATH
     
    bash-2.05b# config.krb5 -S -r ADFSAIX1.IN.IBM.COM -d in.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    Creating /var/krb5/krb5kdc/kdc.conf...
    Creating database files...
    Initializing database '/var/krb5/krb5kdc/principal' for realm 'ADFSAIX1.IN.IBM.COM'
    master key name 'K/M@ADFSAIX1.IN.IBM.COM'
    You are prompted for the database Master Password.
    It is important that you DO NOT FORGET this password.
    Enter database Master Password:
    Re-enter database Master Password to verify:
    WARNING: no policy specified for admin/admin@ADFSAIX1.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Enter password for principal "admin/admin@ADFSAIX1.IN.IBM.COM":
    Re-enter password for principal "admin/admin@ADFSAIX1.IN.IBM.COM":
    Principal "admin/admin@ADFSAIX1.IN.IBM.COM" created.
    Creating keytable...
    Creating /var/krb5/krb5kdc/kadm5.acl...
    Starting krb5kdc...
    krb5kdc was started successfully.
    Starting kadmind...
    kadmind was started successfully.
    The command completed successfully.

    You can also configure the NAS KDC server using the AIX mkkrb5srv command. For more information, please refer to mkkrb5srv man page.

    While running this command, the system asks for a master database password and a password for the administrative principal admin/admin. Record the names and chosen passwords in a secure place, as these credentials are essential for your NAS environment.

  3. Set up the NFS domain name.

    You must have the NFS domain name set before you can use NFS Version 4.

    Listing 4. NFS setup server
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# chnfsdom    in.ibm.com
     
    bash-2.05b# chnfsdom
    Current local domain: in.ibm.com

  4. Add NFS domain-to-realm mapping on the NFS Version 4 server.

    In the AIX 5.3 implementation of NFS Version 4, you need to have a cross-relation definition between the NFS domain and the Kerberos realm that is used.

    Listing 5. NFS domain-to-realm mapping
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# chnfsrtd -a ADFSAIX1.IN.IBM.COM   in.ibm.com
    bash-2.05b# chnfsrtd -a MSKERBEROS.IN.IBM.COM in.ibm.com
     
    bash-2.05b# chnfsrtd
    adfsaix1.in.ibm.com     in.ibm.com
    mskerberos.in.ibm.com   in.ibm.com

  5. Create the NFS server principal on AIX KDC and then create the NFS server keytab file entry.

    For each NFS server in your KDC environment, you must define a principal of the form nfs/<fully_qualified_hostname>@REALM, and then create the server keytab file entry, as follows:

    Listing 6. Creating the NFS server principal
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# kadmin.local
    kadmin.local:  ank nfs/adfsaix1.in.ibm.com
    WARNING: no policy specified for nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Enter password for principal "nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM":
    Re-enter password for principal "nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM":
    Principal "nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM" created.
     
    kadmin.local:
    kadmin.local:  ktadd nfs/adfsaix1.in.ibm.com
    Entry for principal nfs/adfsaix1.in.ibm.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal nfs/adfsaix1.in.ibm.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal nfs/adfsaix1.in.ibm.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal nfs/adfsaix1.in.ibm.com with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin.local:  q
     
    bash-2.05b# klist -k
    Keytab name:  FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ---------
       2 nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM
       2 nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM
       2 nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM
       2 nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM

  6. Set up the gssd daemon on the NFS Version 4 server.

    To enable NFS Version 4 using RPCSEC_GSS, you have to create the map file between the server’s keytab file and the NFS server principal, as shown below:

    Listing 7. Enabling NFS Version 4 using RPCSEC_GSS
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# nfshostkey -p nfs/adfsaix1.in.ibm.com -f /etc/krb5/krb5.keytab
    bash-2.05b#
    bash-2.05b# nfshostkey -l
    nfs/adfsaix1.in.ibm.com
    /etc/krb5/krb5.keytab

  7. Stop and restart the NFS daemons (gssd and nfsrgyd) so that all changes take effect and the daemons get started on subsequent machine reboots.

    Listing 8. Stopping and restarting the NFS daemons
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# chnfs -s
    0513-004 The Subsystem or Group, gssd, is currently inoperative.
     
    bash-2.05b# chnfs -S -B
    0513-059 The gssd Subsystem has been started. Subsystem PID is 389192.
     
    bash-2.05b# chnfs -v
    0513-044 The nfsrgyd Subsystem was requested to stop.
     
    bash-2.05b# chnfs -V
    0513-059 The nfsrgyd Subsystem has been started. Subsystem PID is 413862.

    Enter lssrc -g nfs to make sure all of the NFS daemons are active.

  8. Export the directory from the NFS server so that it can be accessed by Kerberos-authenticated users or applications only.

    Listing 9. Exporting the directory
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# exportfs -i -o vers=4,sec=krb5 /home/guest
    bash-2.05b# exportfs
    /home/guest -vers=4,sec=krb5

  9. Mount the exported directory locally to test that it is accessible with Kerberos authentication.

    Get the Kerberos credentials for the user and then mount the NFSv4 exported directory on ‘/mnt’.

    Listing 10. Mounting the exported directory locally
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# kinit admin/admin
    Password for admin/admin@ADFSAIX1.IN.IBM.COM:
     
    bash-2.05b# mount -o vers=4,sec=krb5 adfsaix1.in.ibm.com:/home/guest/ /mnt
    bash-2.05b#
    bash-2.05b# cd /mnt
    bash-2.05b# ls -l
    total 0
    bash-2.05b# touch file.txt
    bash-2.05b# ls
    file.txt
     
    bash-2.05b# klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  admin/admin@ADFSAIX1.IN.IBM.COM
     
    Valid starting     Expires            Service principal
    08/24/07 01:25:11  08/25/07 01:24:56  krbtgt/ADFSAIX1.IN.IBM.COM@ADFSAIX1.IN.IBM.COM
    08/24/07 01:25:21  08/25/07 01:24:56  nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM

    For further details on AIX NFS Version 4 configuration with Kerberos, please refer to the Securing NFS in AIX—An Introduction to NFS V4 in AIX 5L Version 5.3 Redbook (see Related topics).

Setting up Microsoft Active Directory

For setting up Microsoft Active Directory on Microsoft Windows Server 2003, refer to the relevant Microsoft Windows documentation available on the Microsoft Developer Network Web site (see Related topics). For this scenario, we configured Active Directory on a machine with hostname windce20.in.ibm.com and named the Active Directory domain MSKERBEROS.IN.IBM.COM, which we also refer to as the Microsoft Kerberos realm running on Microsoft Active Directory.

Inter-realm settings on IBM NAS KDC Server and Microsoft Active Directory

The following steps are required on both the KDC machines to set up an inter-realm between the two realms that have been configured so far.

  1. Add the krbtgt service principal to NAS KDC server.

    For a KDC of one realm to authenticate its Kerberos users to a different realm, it must share a key with the KDC in the other realm. So, you need to create krbtgt service principals for cross-realm access. It is important that these principals all have the same password.

    Listing 11. Adding the krbtgt service principal to NAS KDC server
    bash-2.05b# hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# kadmin.local
    kadmin.local:   ank -pw f1lesystem krbtgt/MSKERBEROS.IN.IBM.COM@ADFSAIX1.IN.IBM.COM
    WARNING: no policy specified for krbtgt/MSKERBEROS.IN.IBM.COM@ADFSAIX1.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Principal "krbtgt/MSKERBEROS.IN.IBM.COM@ADFSAIX1.IN.IBM.COM" created.
     
    kadmin.local:
    kadmin.local:  ank -pw f1lesystem krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
    WARNING: no policy specified for krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM;
    defaulting to no policy. Note that policy may be overridden by
    ACL restrictions.
    Principal "krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM" created.

  2. Edit the NAS KDC server /etc/krb5/krb5.conf file, as follows:

    Change the Kerberos client file configuration to have entries of both the realms. In this case, we added MSKERBEROS.IN.IBM.COM stanza in the [realms] section and windce20.in.ibm.com = MSKERBEROS.IN.IBM.COM entry in the [domain_realm] section.

    Listing 12. Editing the NAS KDC server /etc/krb5/krb5.conf file
    bash-2.05b# hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b#  cat /etc/krb5/krb5.conf
     
    [libdefaults]
    default_realm = ADFSAIX1.IN.IBM.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes  = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
     
    [realms]
    ADFSAIX1.IN.IBM.COM = {
    kdc = adfsaix1.in.ibm.com:88
    admin_server = adfsaix1.in.ibm.com:749
    default_domain = in.ibm.com
    }
     
    MSKERBEROS.IN.IBM.COM  = {
    kdc = windce20.in.ibm.com:88
    admin_server = windce20.in.ibm.com:749
    default_domain = in.ibm.com
    }
     
    [domain_realm]
    adfsaix1.in.ibm.com = ADFSAIX1.IN.IBM.COM
    windce20.in.ibm.com = MSKERBEROS.IN.IBM.COM
     
    [logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    default = FILE:/var/krb5/log/krb5lib.log

    If you have more than one AIX machine acting as NFS Version 4 server, make sure to add their hostname entry in the [domain_realm] section.

  3. Stop and restart the krb5 daemons so that all of the changes take effect.

    Listing 13. Stopping and restarting the krb5 daemons
    bash-2.05b# hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# stop.krb5
    Stopping /usr/krb5/sbin/krb5kdc...
    /usr/krb5/sbin/krb5kdc was stopped successfully.
    Stopping /usr/krb5/sbin/kadmind...
    /usr/krb5/sbin/kadmind was stopped successfully.
    The command completed successfully.
     
    bash-2.05b# start.krb5
    Starting krb5kdc...
    krb5kdc was started successfully.
    Starting kadmind...
    kadmind was started successfully.
    The command completed successfully.

  4. Verify the Active Directory configuration on the Windows machine.

    Figure 2 lists the existing setup of the Active Directory on windce20.in.ibm.com.

    Figure 2. Existing setup of Active Directory on windce20.in.ibm.com

  5. Set up the configuration for the foreign Kerberos realm using the following command on the Windows Active Directory machine.

    Figure 3 lists the output of adding KDC in Active Directory on windce20.in.ibm.com.

    Figure 3. KDC in Active Directory on windce20.in.ibm.com

  6. Create a trusted domain relationship with the AIX NAS realm on the Windows Active Directory.

    Log on to the Windows 2003 Server machine (windce20.in.ibm.com) hosting the Active Directory and do the following:

    • Start the Domain Tree Management tool. Click Programs, Administrative tools, and then Active Directory Domains and Trusts.
    • Right-click on the Properties of your domain, and then select the Trusts tab and press New Trust. Enter your AIX NAS realm that you want to add in the ADS trust list.
    • Select Realm trust as the trust type, Nontransitive as the trust transitivity, Two-way as the trust direction, and then in the Trust password, type the password you passed while creating krbtgt service principals above, for example, f1lesystem.
    • After the entry for your trusted realm is created, verify its properties.

    Figure 4 lists the final output after adding the trust between the Active Directory realm and NAS realm on the Active Directory.

    Figure 4. Final output after adding the trust on the Active Directory

  7. Confirm that you are able to get the TGT for the ADS principal (administrator) from the NAS server machine.

    Listing 14. Confirming that you are able to get the TGT for the ADS principal
    bash-2.05b#  hostname
    adfsaix1.in.ibm.com
     
    bash-2.05b# kinit administrator@MSKERBEROS.IN.IBM.COM
    Password for administrator@MSKERBEROS.IN.IBM.COM:
     
    bash-2.05b# klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  administrator@MSKERBEROS.IN.IBM.COM
     
    Valid starting     Expires            Service principal
    08/24/07 01:26:44  08/24/07 11:27:04  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
            Renew until 08/25/07 01:26:44
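Before moving on to the client, it is worth checking that the hand-edited krb5.conf of Listing 12 and the chnfsrtd table of Listing 5 describe the same inter-realm setup. The script below is an added example, not part of the original article or of IBM NAS; it parses the subset of krb5.conf syntax shown above (no includedir, one level of braces) and the two-column chnfsrtd output, and reports realms without a realm-to-domain mapping, NFS server hosts absent from [domain_realm] or mapped to an unconfigured realm, and the single-DES and RC4 enctypes that the default_tkt_enctypes line in Listing 12 still lists. The sample inputs are constructed from those two listings.

```python
# Added example (not from the article or IBM NAS): check that a krb5.conf
# like Listing 12 and the chnfsrtd table of Listing 5 describe the same
# inter-realm setup. Handles only the syntax shown there (no includedir).

# Constructed from Listing 12, trimmed to the sections the check needs.
KRB5_CONF = """[libdefaults]
default_realm = ADFSAIX1.IN.IBM.COM
default_tkt_enctypes  = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
ADFSAIX1.IN.IBM.COM = {
kdc = adfsaix1.in.ibm.com:88
default_domain = in.ibm.com
}
MSKERBEROS.IN.IBM.COM  = {
kdc = windce20.in.ibm.com:88
default_domain = in.ibm.com
}
[domain_realm]
adfsaix1.in.ibm.com = ADFSAIX1.IN.IBM.COM
windce20.in.ibm.com = MSKERBEROS.IN.IBM.COM
"""

# Constructed from Listing 5: `chnfsrtd` prints realm, then NFS domain.
CHNFSRTD_OUTPUT = """adfsaix1.in.ibm.com     in.ibm.com
mskerberos.in.ibm.com   in.ibm.com
"""

# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; `NAME = { ... }` blocks nest under NAME."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return sections

def parse_chnfsrtd(text):
    """Map each realm (chnfsrtd prints it in lower case) to its NFS domain."""
    rows = [line.split() for line in text.splitlines()]
    return {r[0].upper(): r[1] for r in rows if len(r) == 2}

def check_inter_realm(conf, realm_to_domain, nfs_servers, nfs_domain):
    """Return a list of findings; an empty list means the setup is consistent."""
    realms = conf.get("realms", {})
    findings = []
    for realm in realms:                      # every realm needs a chnfsrtd entry
        got = realm_to_domain.get(realm)
        if got != nfs_domain:
            findings.append(f"realm {realm} maps to {got}, expected {nfs_domain}"
                            f" (chnfsrtd -a {realm} {nfs_domain})")
    for host in nfs_servers:                  # each NFS V4 server needs [domain_realm]
        mapped = conf.get("domain_realm", {}).get(host)
        if mapped not in realms:
            findings.append(f"NFS server {host} maps to {mapped}, not a configured realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(conf.get("libdefaults", {}).get(key, "").split()))
        if weak:
            findings.append(f"{key} lists weak enctypes: {' '.join(weak)}")
    return findings

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for f in check_inter_realm(conf, parse_chnfsrtd(CHNFSRTD_OUTPUT), ["adfsaix1.in.ibm.com"], "in.ibm.com"):
        print("WARNING:", f)
```

On the article's own configuration the only findings are the weak enctypes; removing the MSKERBEROS.IN.IBM.COM line from the chnfsrtd table, or adding a second NFS server host without a [domain_realm] entry, produces the corresponding warning.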

Setting up IBM NAS client and AIX NFS Version 4 client: Testing the scenario

  1. Install krb5 client and modcrypt filesets on the AIX 5.3 client machine.

    The command we used to install was:

    Listing 15. Installing krb5 client and modcrypt filesets
    bash-2.05b# hostname
    nfsaix02.in.ibm.com
     
    bash-2.05b# installp -aqXgYd . krb5.client modcrypt.base

  2. Configure the AIX NAS client, as follows:

    Listing 16. Configuring the AIX NAS client
    bash-2.05b# hostname
    nfsaix02.in.ibm.com
     
    bash-2.05b# export PATH=/usr/krb5/bin/:/usr/krb5/sbin/:$PATH
     
    bash-2.05b# config.krb5 -C -r ADFSAIX1.IN.IBM.COM -d in.ibm.com -s adfsaix1.in.ibm.com -c adfsaix1.in.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.

    The AIX NAS client can also be configured using the AIX mkkrb5clnt command. For more information, please refer to the mkkrb5clnt man page.

    Then modify the client /etc/krb5/krb5.conf file, as previously mentioned for the NAS server.
  3. Set up the NFS domain name and add the NFS domain-to-realm mapping on the NFSv4 client machine:

    Listing 17. Setting up the NFS domain name and adding the NFS domain-to-realm mapping
    bash-2.05b# hostname
    nfsaix02.in.ibm.com
     
    bash-2.05b# chnfsdom  in.ibm.com
     
    bash-2.05b# chnfsdom
    Current local domain: in.ibm.com
     
    bash-2.05b# chnfsrtd -a ADFSAIX1.IN.IBM.COM   in.ibm.com
    bash-2.05b# chnfsrtd -a MSKERBEROS.IN.IBM.COM in.ibm.com
     
    bash-2.05b# chnfsrtd
    adfsaix1.in.ibm.com       in.ibm.com
    mskerberos.in.ibm.com     in.ibm.com

  4. Stop and restart the NFS daemons (gssd and nfsrgyd) so that all changes take effect and the daemons get started on subsequent machine reboots.

    Listing 18. Stopping and restarting the NFS daemons
    bash-2.05b# hostname
    nfsaix02.in.ibm.com
     
    bash-2.05b# chnfs -s
    0513-004 The Subsystem or Group, gssd, is currently inoperative.
     
    bash-2.05b# chnfs -S -B
    0513-059 The gssd Subsystem has been started. Subsystem PID is 413932.
     
    bash-2.05b# chnfs -v
    0513-044 The nfsrgyd Subsystem was requested to stop.
     
    bash-2.05b# chnfs -V
    0513-059 The nfsrgyd Subsystem has been started. Subsystem PID is 258122.

    Make sure all of the NFS daemons are active now by running lssrc -g nfs. Also ensure that the clocks of all the machines are synchronized.

  5. Get the TGT for the user in the Microsoft realm and use it to access the NFS exported data, protected with krb5 security, residing in the IBM NAS realm.

    Listing 19. Getting the TGT for the user
    bash-2.05b# hostname
    nfsaix02.in.ibm.com
     
    bash-2.05b#  kinit administrator@MSKERBEROS.IN.IBM.COM
    Password for administrator@MSKERBEROS.IN.IBM.COM:
     
    bash-2.05b# mount -o vers=4,sec=krb5 adfsaix1.in.ibm.com:/home/guest/ /mnt
    bash-2.05b# cd /mnt
    bash-2.05b# touch new.txt
    bash-2.05b# ls
    file.txt  new.txt
     
    bash-2.05b# klist
    Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
    Default principal:  administrator@MSKERBEROS.IN.IBM.COM
     
    Valid starting     Expires            Service principal
    08/24/07 01:26:44  08/24/07 11:27:04  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
            Renew until 08/25/07 01:26:44
    08/24/07 01:26:44  08/24/07 11:27:04  krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
            Renew until 08/25/07 01:26:44
    08/24/07 01:27:25  08/24/07 11:27:04  nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM
            Renew until 08/25/07 01:26:44
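Listing 14 and Listing 19 show the credential cache at two stages: after kinit alone, and after the mount. The script below is an added example, not from the article; it parses that klist output (with the wrapped service-principal lines rejoined) and checks that the cache holds the complete chain the foreign-realm user needs: the home-realm TGT, the cross-realm TGT krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM issued under the shared krbtgt key, and the nfs/ service ticket from the NAS KDC. The sample caches are constructed from the two listings, and the check also handles the same-realm case, where no cross-realm hop is expected.

```python
# Added example (not from the article): verify that a klist credential
# cache holds the full cross-realm chain a foreign-realm user needs to
# reach the AIX NFS V4 server. Assumes klist's MM/DD/YY HH:MM:SS format
# and that wrapped service-principal lines have been rejoined.
from datetime import datetime

# Constructed from Listing 19: foreign user after mounting the export.
KLIST_AFTER_MOUNT = """Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  administrator@MSKERBEROS.IN.IBM.COM

Valid starting     Expires            Service principal
08/24/07 01:26:44  08/24/07 11:27:04  krbtgt/MSKERBEROS.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 08/25/07 01:26:44
08/24/07 01:26:44  08/24/07 11:27:04  krbtgt/ADFSAIX1.IN.IBM.COM@MSKERBEROS.IN.IBM.COM
        Renew until 08/25/07 01:26:44
08/24/07 01:27:25  08/24/07 11:27:04  nfs/adfsaix1.in.ibm.com@ADFSAIX1.IN.IBM.COM
        Renew until 08/25/07 01:26:44
"""

# Constructed from Listing 14: only the home-realm TGT, before any NFS access.
KLIST_AFTER_KINIT = "\n".join(KLIST_AFTER_MOUNT.splitlines()[:6]) + "\n"

TIME_FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return (default principal, {service principal: (start, expires)})."""
    principal, tickets = None, {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Default principal:"):
            principal = stripped.split(":", 1)[1].strip()
        elif stripped[:2].isdigit() and stripped[2:3] == "/":   # a ticket row
            f = stripped.split()
            tickets[f[4]] = (datetime.strptime(f"{f[0]} {f[1]}", TIME_FMT),
                             datetime.strptime(f"{f[2]} {f[3]}", TIME_FMT))
    return principal, tickets

def check_cross_realm_chain(text, nfs_server, server_realm, now):
    """List the chain links missing or not valid at `now` (empty == OK).

    `now` is given in klist's own format, for example "08/24/07 01:30:00".
    """
    principal, tickets = parse_klist(text)
    client_realm = principal.rsplit("@", 1)[1]
    chain = [f"krbtgt/{client_realm}@{client_realm}",   # TGT from the user's own KDC
             f"krbtgt/{server_realm}@{client_realm}",   # cross-realm TGT (shared krbtgt key)
             f"nfs/{nfs_server}@{server_realm}"]        # service ticket from the NAS KDC
    if client_realm == server_realm:
        chain.pop(1)                                    # same realm: no cross-realm hop
    at = datetime.strptime(now, TIME_FMT)
    problems = []
    for name in chain:
        if name not in tickets:
            problems.append(f"missing {name}")
        elif not (tickets[name][0] <= at < tickets[name][1]):
            problems.append(f"not valid now: {name}")
    return problems

if __name__ == "__main__":
    for label, cache in (("after kinit", KLIST_AFTER_KINIT), ("after mount", KLIST_AFTER_MOUNT)):
        print(label, check_cross_realm_chain(cache, "adfsaix1.in.ibm.com",
                                             "ADFSAIX1.IN.IBM.COM", "08/24/07 01:30:00") or "OK")
```

Running it against the Listing 14 cache reports the cross-realm TGT and the nfs/ ticket as missing, which is exactly what the mount in Listing 19 then obtains; a time after 11:27:04 reports all three as no longer valid.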

Conclusion

In this article, you have seen how you can configure Kerberos (IBM NAS and Microsoft Active Directory) to facilitate the use of AIX NFS Version 4 across organizational boundaries to work in a heterogeneous environment.



Article Number: 282
Posted: Wed, Jun 27, 2018 8:43 AM
Last Updated: Wed, Jun 27, 2018 8:43 AM

Online URL: http://kb.ictbanking.net/article.php?id=282