Adding sec=krb5 into /etc/exports is not sufficient to get Kerberos authentication to work.
All clients, pool nodes and the node running the NFSv4.1 door must have a valid Kerberos configuration. Each client, pool node and the node running the NFSv4.1 door must have a /etc/krb5.keytab with the nfs service principal:
nfs/host.domain@<YOUR.REALM>
The /etc/dcache/dcache.conf on pool nodes and the node running the NFSv4.1 door must enable Kerberos and RPCSEC_GSS:
nfs.rpcsec_gss=true
dcache.authn.kerberos.realm=<YOUR.REALM>
dcache.authn.jaas.config=/etc/dcache/gss.conf
dcache.authn.kerberos.key-distribution-center-list=your.kdc.server
The /etc/dcache/gss.conf on pool nodes and the node running the NFSv4.1 door must configure Java’s security module:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useKeyTab=true
    keyTab="${/}etc${/}krb5.keytab"
    debug=false
    storeKey=true
    principal="nfs/host.domain@<YOUR.REALM>";
};
Now your NFS client can securely access dCache.
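A consistency check for the two files described above, added here as an example (it is not part of dCache or its documentation): it parses dcache.conf and the com.sun.security.jgss.accept entry of gss.conf and reports settings that disagree with what this page shows, such as a principal whose realm differs from dcache.authn.kerberos.realm. The function names are hypothetical, and the sample file contents, realm and host names are constructed.

```python
import re

# Constructed sample files; realm and host names are made up for this example.
DCACHE_CONF = """nfs.rpcsec_gss=true
dcache.authn.kerberos.realm=EXAMPLE.ORG
dcache.authn.jaas.config=/etc/dcache/gss.conf
dcache.authn.kerberos.key-distribution-center-list=kdc.example.org
"""
GSS_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
  useKeyTab=true keyTab="${/}etc${/}krb5.keytab" debug=false storeKey=true
  principal="nfs/door.example.org@EXAMPLE.ORG";
};
"""

def parse_properties(text):
    """key=value lines of dcache.conf; blank lines and # comments are skipped."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_jaas_entry(text, entry="com.sun.security.jgss.accept"):
    """Options of one JAAS entry, with ${/} expanded to '/'; None if absent."""
    block = re.search(re.escape(entry) + r"\s*\{(.*?)\}\s*;", text, re.S)
    if block is None:
        return None
    opts = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', block.group(1))
    return {k: v.strip('"').replace("${/}", "/") for k, v in opts}

def check(dcache_conf, gss_conf):
    """List the inconsistencies between the two files; empty means consistent."""
    props, problems = parse_properties(dcache_conf), []
    if props.get("nfs.rpcsec_gss") != "true":
        problems.append("nfs.rpcsec_gss is not set to true")
    for key in ("dcache.authn.kerberos.realm", "dcache.authn.jaas.config",
                "dcache.authn.kerberos.key-distribution-center-list"):
        if not props.get(key):
            problems.append(f"{key} is missing")
    opts = parse_jaas_entry(gss_conf)
    if opts is None:
        return problems + ["no com.sun.security.jgss.accept entry in gss.conf"]
    for flag in ("useKeyTab", "storeKey"):
        if opts.get(flag) != "true":
            problems.append(f"{flag} is not true in gss.conf")
    m = re.fullmatch(r"nfs/[^/@]+@(.+)", opts.get("principal", ""))
    if m is None:
        problems.append("principal is not of the form nfs/host.domain@REALM")
    elif m.group(1) != props.get("dcache.authn.kerberos.realm"):
        problems.append(f"principal realm {m.group(1)} differs from dcache.conf")
    return problems
```

Run check() on the contents of /etc/dcache/dcache.conf and /etc/dcache/gss.conf from each pool node and the door node; it does not inspect the keytab itself.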