projects techreports press lab location staff
citi top.2 top.3
citi mid.3
bot.1 bot.2 bot.3

Projects: NFS Version 4 Open Source Reference Implementation

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
  1. We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.
  2. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab.

    Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add only this type of key.

    kadmin: addprinc -randkey nfs/myclient.mydomain
    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  3. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
  4. Repeat steps 2 and 3 for the server, this time adding a key for nfs/ to the keytab on the server.

Things to be aware of when using Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be include on the localhost line.
  3. The /etc/services file must list the nfs service (port 2049). Something like the following:
    nfs             2049/tcp        nfsd		# Network File System
    nfs             2049/udp        nfsd		# Network File System projects | techreports | press | lab | location | staff Email address
or call +1 734 763 2929
Copyright © 1996-2013
The Regents of the University of Michigan