For the z/OS NFS client to support the RPCSEC_GSS authentication
flavor with the Kerberos V5 security mechanism, complete the steps
below. A properly configured KDC is assumed to exist in your
environment; if one is not configured yet, see Setting up NFS functions with Kerberos Support. The examples assume a KDC provided
by "Security Server and Integrated Security Services" (RACF)
from IBM, but the steps are not specific to an IBM KDC. Unless
otherwise noted, run the following steps on the system that contains
the KDC:
- Add the client principal "mvsnfsc" to the Kerberos database
on the KDC with a defined password. Do not use randkey for this
principal: the same password must be entered again when the principal
is added to the keytab. For example, for a z/OS NDBM-type or Sun
KDC, issue the command "addprinc mvsnfsc" in the kadmin interface,
then enter the desired password at the prompt. For a z/OS SAF-type
KDC, the password is defined in the "PASSWORD" field
of the RACF "ADDUSER" or "ALTUSER" command. Refer
to Setting up a Kerberos Key Distribution Center for more information.
- Map the principal "mvsnfsc", in lowercase, to a RACF user.
For example:
ADDUSER mvsnfsc OWNER(owner) OMVS(UID(0))
ALTUSER mvsnfsc PASSWORD(password) NOEXPIRED KERB(KERBNAME('mvsnfsc'))
PASSWORD USER(mvsnfsc) NOINTERVAL
Note: - If you are NOT using a SAF KDC, skip the RACF commands in Step
1 and create the principal 'mvsnfsc' according to your vendor's
KDC documentation.
- "pznfsc" in these notes stands for the RACF user ID under which
the z/OS NFS client runs ("mvsnfsc" in the example above); change
it to meet your installation requirements.
- The RACF user ID "pznfsc" that the z/OS NFS client runs under
requires a unique UID in its OMVS segment. UID(0) in the example
is the z/OS UNIX superuser; assign it only if your installation requires it.
- The NFS client requires that the Kerberos segment use KERBNAME 'mvsnfsc',
and it must be in lowercase.
- The PASSWORD option "NOINTERVAL" prevents the password
from expiring. With a SAF KDC the Kerberos key is derived from the
RACF password, so a password change invalidates the key stored in the keytab.
- From the z/OS UNIX (OMVS) shell, the system administrator must add the principal
"mvsnfsc" to the keytab. If /etc/skrb/krb5.keytab does
not exist, create a new one. For example:
IBMUSER:/ :> keytab add mvsnfsc -p password -k /etc/skrb/krb5.keytab -v 1
Note: - The "password" in Step 2 must match the "password"
entered in Step 1, when the principal was added to the SAF KDC Kerberos
database. The principal "mvsnfsc" is used to perform mounts
for all users. To gain access to a secure mount point, each user
must perform a "kinit" to acquire their own Kerberos credentials.
- The key version used to create the keytab entry must be the same key
version as in the RACF database. The "-v" option of the
keytab command specifies the key version when adding a principal
to a keytab. Issue the following RACF command to see the current key
version: LU pznfsc NORACF KERB. On a non-SAF (for example NDBM) KDC, issue
the following in the kadmin interface instead: getprinc mvsnfsc
- The password used with the "keytab" command is case sensitive.
If mixed-case password support is not in effect in RACF, you must enter the
password in uppercase.
- Use SFTP or scp to copy the new keytab to the z/OS NFS client system and
place it in "/etc/skrb/krb5.keytab". The keytab contains the principal's
long-term key, so transfer it only over an encrypted channel and set its
permissions so that only the user ID the NFS client runs under can read it.
- The z/OS NFS client requires that the Kerberos configuration file "krb5.conf"
be configured to match your site's Kerberos environment.
Sample /etc/skrb/krb5.conf file to be put on the z/OS NFS client system:
[libdefaults]
default_realm = KRB390.IBM.COM
kdc_default_options = 0x40000010
use_dns_lookup = 0
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
KRB390.IBM.COM = {
kdc = dcesec4.krb390.ibm.com:88
kpasswd_server = dcesec4.krb390.ibm.com:464
admin_server = dcesec4.krb390.ibm.com:749
}
KRB2000.IBM.COM = {
kdc = sstone1.krb2000.ibm.com:88
admin_server = sstone1.krb2000.ibm.com:749
}
[domain_realm]
.krb390.ibm.com = KRB390.IBM.COM
.krb2000.ibm.com = KRB2000.IBM.COM
Note: If the z/OS NFS server will be supporting multiple platforms of NFS clients,
IBM recommends using des-cbc-crc encryption types only, for compatibility,
as shown in this example. Be aware that single DES is deprecated for Kerberos
(RFC 6649) and is disabled by default in current MIT and Heimdal Kerberos
builds, so use it only where a legacy client actually requires it and
confirm that your KDC still permits it.
- Most issues with Kerberos are related to invalid
keytabs. Once the keytab has been placed on the z/OS NFS client's LPAR
in "/etc/skrb/krb5.keytab", verify that the keytab is valid by issuing
the following command:
kinit -k mvsnfsc
- This command should complete without errors and you should not
be prompted for a password.
- If this command fails or prompts for a password, the keytab does not
match the KDC (wrong password or key version) or the Kerberos configuration
in /etc/skrb/krb5.conf is incorrect.
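The checks above (keytab in place and protected, krb5.conf naming a reachable default realm, and "kinit -k mvsnfsc" completing without a prompt) can be scripted so that they are run the same way after every keytab refresh. The following script is an added example and is not part of the z/OS NFS documentation or the product. It assumes the default paths /etc/skrb/krb5.keytab and /etc/skrb/krb5.conf and the principal mvsnfsc from the steps above; the realm block is parsed in the "REALM = {" layout of the sample configuration, and the file name nfskrbcheck.sh is an arbitrary choice. The single-DES check goes slightly beyond the text: it flags the compatibility enctypes as a warning rather than an error, since the note above still recommends them for mixed client environments.

```shell
#!/bin/sh
# Added example (not from the z/OS NFS documentation): post-configuration checks
# for the Kerberos setup described above, run from the z/OS UNIX shell on the
# NFS client system. Assumed defaults: keytab /etc/skrb/krb5.keytab,
# configuration /etc/skrb/krb5.conf, principal mvsnfsc; pass others as arguments.

# Return 0 if FILE is a regular file readable only by its owner (mode 0600 or 0400).
# The keytab holds the principal's long-term key; any ID that can read it can
# impersonate mvsnfsc and perform mounts as the NFS client, so the mode matters.
check_keytab_mode() {
    f=$1
    [ -f "$f" ] || { echo "keytab $f missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) echo "keytab $f has mode $mode; expected -rw------- (chmod 600)"; return 1 ;;
    esac
}

# Return 0 if FILE sets default_realm and that realm has a kdc line in [realms].
# The realm block is assumed to use the layout of the sample above: "REALM = {".
check_krb5_conf() {
    f=$1
    [ -f "$f" ] || { echo "krb5.conf $f missing"; return 1; }
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$realm" ] || { echo "no default_realm in $f"; return 1; }
    awk -v r="$realm" '
        $1 == r && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"              { inrealm = 0 }
        inrealm && $1 == "kdc"            { found = 1 }
        END { exit (found ? 0 : 1) }' "$f" ||
        { echo "no kdc entry for realm $realm in $f"; return 1; }
    return 0
}

# Return 1 if any enctype list in FILE names a single-DES type. des-cbc-crc (the
# compatibility choice in the sample) is deprecated by RFC 6649 and disabled by
# default in current MIT and Heimdal builds; keep it only for clients that need it.
check_enctypes() {
    f=$1
    if grep -E '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=' "$f" |
       grep -Eq 'des-cbc-(crc|md5|md4)'; then
        echo "single-DES enctypes in $f (deprecated, RFC 6649)"
        return 1
    fi
    return 0
}

# Live test from the text: obtain a TGT for PRINCIPAL from the keytab. stdin is
# redirected from /dev/null so that a password prompt (a sign the keytab does not
# match the KDC) fails immediately instead of hanging the script.
check_kinit() {
    principal=$1
    if kinit -k "$principal" </dev/null; then
        klist
        return 0
    fi
    echo "kinit -k $principal failed: keytab or krb5.conf is invalid"
    return 1
}

# Run all checks. Usage: sh nfskrbcheck.sh run [keytab] [krb5.conf] [principal]
run_checks() {
    kt=${1:-/etc/skrb/krb5.keytab}
    conf=${2:-/etc/skrb/krb5.conf}
    principal=${3:-mvsnfsc}
    rc=0
    check_keytab_mode "$kt" || rc=1
    check_krb5_conf "$conf" || rc=1
    check_enctypes "$conf" || echo "warning: review the enctype settings in $conf"
    [ "$rc" -eq 0 ] && { check_kinit "$principal" || rc=1; }
    return "$rc"
}

case "${1:-}" in
    run) shift; run_checks "$@" ;;
esac
```

Run it as "sh nfskrbcheck.sh run" on the NFS client LPAR after the keytab has been copied into place; a non-zero exit means one of the static checks or the live kinit failed, and the message printed names which one. The static checks use only ls, sed, awk and grep so they can also be run on the KDC system before the keytab is transferred.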