z/OS Network File System Guide and Reference


Configuring a secure z/OS NFS client

SC23-6883-00

To enable the z/OS NFS client to use the RPCSEC_GSS authentication flavor with the Kerberos V5 security mechanism, complete the following steps. This procedure assumes that a properly configured KDC already exists in your environment; if it does not, see Setting up NFS functions with Kerberos Support. The examples use the KDC provided by IBM's "Security Server and Integrated Security Services" (RACF), but the steps are not specific to an IBM KDC. Unless otherwise noted, run the following steps on the system that hosts the KDC:

  1. Add the client principal "mvsnfsc" to the Kerberos database on the KDC with a defined password. Do not create this principal with a random key (randkey): the same password must be entered again when the keytab is built in Step 3. For example, for the z/OS NDBM type or SUN KDC, issue the command "addprinc mvsnfsc" in the kadmin interface, then enter the desired password at the prompt. For the z/OS SAF type KDC, define the password in the "PASSWORD" field of the RACF "ADDUSER" or "ALTUSER" command. Refer to Setting up a Kerberos Key Distribution Center for more information.
  2. Map the principal "mvsnfsc" in lower case to a RACF user. For example:
    ADDUSER mvsnfsc OWNER(owner) OMVS(UID(0))
    ALTUSER mvsnfsc PASSWORD(password) NOEXPIRED KERB(KERBNAME('mvsnfsc'))
    PASSWORD USER(mvsnfsc) NOINTERVAL
    Note:
    1. If you are NOT using a SAF KDC, skip the RACF commands in Step 1 and create the principal 'mvsnfsc' according to your vendor's KDC documentation.
    2. Change the RACF user ID (mvsnfsc in this example) to meet your installation requirements; it is the user ID under which the z/OS NFS client runs.
    3. The RACF user ID used by the z/OS NFS client requires a unique UID in its OMVS segment.
    4. Whatever RACF user ID you choose, the NFS client requires that its Kerberos segment specify KERBNAME 'mvsnfsc', and the name must be in lowercase.
    5. The PASSWORD option "NOINTERVAL" prevents the password from expiring.
  3. From the z/OS UNIX shell (OMVS), the system administrator adds the principal "mvsnfsc" to the keytab. If /etc/skrb/krb5.keytab does not exist, create a new one. For example:
    IBMUSER:/ :> keytab add mvsnfsc -p password -k /etc/skrb/krb5.keytab -v 1
    Note:
    1. The "password" given to the keytab command must match the password assigned to the principal in Step 1 (and in the ALTUSER command in Step 2); the keytab entry is derived from it. The principal "mvsnfsc" is used to perform mounts for all users. To gain access to a secure mount point, each user must then run "kinit" to acquire their own Kerberos credentials.
    2. The key version used to create the keytab entry must be the same key version as in the RACF database; the "-v" option of the keytab command specifies it. On a SAF KDC, issue the RACF command LU mvsnfsc NORACF KERB to see the current key version. On an NDBM or non-z/OS KDC, issue getprinc mvsnfsc in the kadmin interface.
    3. The password used with the "keytab" command is case sensitive. If mixed-case password support is not in effect, enter the password in uppercase.
    4. Use SFTP or scp to copy the new keytab to the z/OS NFS client system and place it in "/etc/skrb/krb5.keytab". The keytab holds the principal's long-term key, so restrict read access on it to the z/OS NFS client's user ID.
  4. The z/OS NFS client requires that the Kerberos configuration file "krb5.conf" be configured to match your site's Kerberos environment.
    Sample /etc/skrb/krb5.conf file to be put on the z/OS NFS client system:
    [libdefaults] 
    default_realm = KRB390.IBM.COM 
    kdc_default_options = 0x40000010 
    use_dns_lookup = 0 
    default_tkt_enctypes = des-cbc-crc 
    default_tgs_enctypes = des-cbc-crc 
    
    [realms] 
    KRB390.IBM.COM = { 
    kdc = dcesec4.krb390.ibm.com:88 
    kpasswd_server = dcesec4.krb390.ibm.com:464 
    admin_server = dcesec4.krb390.ibm.com:749 
    } 
    KRB2000.IBM.COM = { 
    kdc = sstone1.krb2000.ibm.com:88 
    admin_server = sstone1.krb2000.ibm.com:749 
    } 
    
    [domain_realm] 
    .krb390.ibm.com = KRB390.IBM.COM 
    .krb2000.ibm.com = KRB2000.IBM.COM 
    Note: If the z/OS NFS server will be supporting multiple platforms of NFS clients, IBM recommends using only des-cbc-crc encryption types, for compatibility, as shown in this example. Be aware that single-DES enctypes are deprecated for Kerberos (RFC 6649) and are disabled by default in current MIT Kerberos releases, so limit them to the realms and clients that actually require them.
  5. Most Kerberos problems are caused by invalid keytabs. Once the keytab has been placed on the z/OS NFS client's LPAR in "/etc/skrb/krb5.keytab", verify that the keytab is valid by issuing the following command:
    kinit -k mvsnfsc
    1. This command should complete without errors, and you should not be prompted for a password.
    2. If this command fails, the keytab is invalid (for example, the password or key version does not match the KDC) or the Kerberos configuration is incorrect.
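The following script is an added example and is not part of the z/OS NFS documentation or IBM's code. It parses a krb5.conf in the syntax shown in Step 4 and checks the settings this procedure depends on before the file is copied to the client: that default_realm is set and has a [realms] stanza with a kdc line, that every [domain_realm] mapping points at a defined realm, and that any single-DES enctype is flagged. The embedded configuration is the Step 4 sample; the function names (parse_krb5_conf, check_nfs_client_conf) and the weak-enctype list are this example's own.

```python
"""Sanity-check a z/OS NFS client krb5.conf before deploying it.

Added example, not code from the z/OS NFS documentation. It parses the
INI-with-braces syntax shown in Step 4 and reports the problems that make
"kinit -k mvsnfsc" (Step 5) fail for configuration rather than keytab reasons.
Function names (parse_krb5_conf, check_nfs_client_conf) are this example's own.
"""
import re

# Single-DES enctypes, deprecated for Kerberos by RFC 6649 (example's own list).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# The sample /etc/skrb/krb5.conf from Step 4, embedded so the script runs offline.
SAMPLE_CONF = """\
[libdefaults]
default_realm = KRB390.IBM.COM
kdc_default_options = 0x40000010
use_dns_lookup = 0
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
KRB390.IBM.COM = {
kdc = dcesec4.krb390.ibm.com:88
kpasswd_server = dcesec4.krb390.ibm.com:464
admin_server = dcesec4.krb390.ibm.com:749
}
KRB2000.IBM.COM = {
kdc = sstone1.krb2000.ibm.com:88
admin_server = sstone1.krb2000.ibm.com:749
}

[domain_realm]
.krb390.ibm.com = KRB390.IBM.COM
.krb2000.ibm.com = KRB2000.IBM.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] or {subgroup}}}.

    A "key = {" line opens a nested group (used for realm stanzas); plain
    "key = value" lines accumulate into a list so repeated keys such as
    several kdc lines are all kept.
    """
    conf = {}
    stack = []  # innermost open group is stack[-1]; stack[0] is the section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {raw!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError(f"cannot parse line: {raw!r}")
        if value == "{":
            group = {}
            stack[-1][key] = group
            stack.append(group)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return conf


def check_nfs_client_conf(conf):
    """Return (errors, warnings) for the settings the NFS client procedure relies on."""
    errors, warnings = [], []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm", [None])[-1]
    if default_realm is None:
        errors.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        errors.append(f"realms: no stanza for default_realm {default_realm}")

    for name, stanza in realms.items():
        if not isinstance(stanza, dict) or not stanza.get("kdc"):
            errors.append(f"realms: {name} has no kdc line")

    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target not in realms:
                errors.append(f"domain_realm: {domain} maps to undefined realm {target}")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for entry in libdefaults.get(key, []):
            for enctype in entry.replace(",", " ").split():
                if enctype.lower() in WEAK_ENCTYPES:
                    warnings.append(
                        f"libdefaults: {key} allows single-DES {enctype} "
                        "(deprecated by RFC 6649; keep only for legacy clients)")
    return errors, warnings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    errors, warnings = check_nfs_client_conf(parse_krb5_conf(text))
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARNING:", msg)
    sys.exit(1 if errors else 0)
```

Run it as `python3 check_krb5.py /etc/skrb/krb5.conf` on the client system before Step 5; a non-zero exit means kinit will fail for a configuration reason regardless of the keytab. The checker cannot see the keytab's key version, so a clean report followed by a failing `kinit -k mvsnfsc` points at the keytab (password or "-v" mismatch with the KDC), which is exactly the split the Step 5 notes describe.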

Copyright IBM Corporation 1990, 2014