I assume this is 7mode. In cDOT there is no need to have a CIFS license when using Windows KDC.
When doing this in 7mode, you get 2 options for KDC types – Windows and non-Windows.
filer> nfs setup
Enable Kerberos for NFS? y
The filer supports these types of Kerberos Key Distribution Centers (KDCs):
1 - UNIX KDC
2 - Microsoft Active Directory KDC
Enter the type of your KDC (1-2):
When you use Windows as the KDC type, it wants to leverage the CIFS account/krb5.conf file for Kerberos. Thus, the need for a CIFS license.
If you don’t have a CIFS license, choose the UNIX style KDC. Then you would need to set Kerberos up manually like you would with a MIT KDC.
http://www.netapp.com/us/media/tr-3481.pdf
1) Ensure DNS is correct (filer has correct info, DNS server has hostname with forward/reverse lookup)
2) KDC info will be the Windows domain name, etc.
3) SPN gets created/added to KDC (and only DES and RC4 are allowed – see TR-4073 on how to do that: http://www.netapp.com/us/media/tr-4073.pdf - 7 would be the value for msDs-SupportedEnctypes)
4) Keytab file created on KDC and ported over to the 7mode filer, and the krb5.conf is properly populated
Example:
parisi-7mode> nfs setup
Enable Kerberos for NFS? y
The filer supports these types of Kerberos Key Distribution Centers (KDCs):
1 - UNIX KDC
2 - Microsoft Active Directory KDC
Enter the type of your KDC (1-2): 1
Enter the Kerberos realm name: DOMAIN.WIN2K8.NETAPP.COM
Enter the host instance of the NFS server principal name [default: parisi-7mode.domain.win2k8.netapp.com]: nfskrb-7mode.domain.win2k8.netapp.com
NFS setup complete.
parisi-7mode*> options kerberos
kerberos.file_keytab.enable on
kerberos.file_keytab.principal nfskrb-7mode.domain.win2k8.netapp.com
kerberos.file_keytab.realm DOMAIN.WIN2K8.NETAPP.COM
kerberos.multirealm.enable on
kerberos.replay_cache.enable off
[root@centos64 /]# nslookup nfskrb-7mode
Server: 10.228.225.120
Address: 10.228.225.120#53
Name: nfskrb-7mode.domain.win2k8.netapp.com
Address: 10.63.9.69
[root@centos64 /]# nslookup 10.63.9.69
Server: 10.228.225.120
Address: 10.228.225.120#53
69.9.63.10.in-addr.arp
parisi-7mode> exportfs
/vol/vol0/home -sec=sys,rw,nosuid
/vol/vol0 -sec=sys,rw,anon=0,nosuid
/vol/nfs -sec=sys,rw,nosuid
/vol/vfiler1 -sec=sys,rw,nosuid
/vol/cifs -sec=sys,rw,nosuid
/vol/krb5 -sec=krb5,rw,root=10.228.225.140,nosuid
[root@centos64 etc]# mount -o sec=krb5 nfskrb-7mode:/vol/krb5 /krb5
sh-4.1$ cd /krb5
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1107
Default principal: ldapuser@DOMAIN.WIN2K8.NETAPP.COM
Valid starting Expires Service principal
03/27/15 16:47:44 04/26/15 16:47:44 krbtgt/DOMAIN.WIN2K8.NETAPP.COM@DOMAIN.WIN2K8.NETAPP.COM
renew until 04/26/15 16:47:44
03/27/15 16:49:46 04/26/15 16:47:44 nfs/nfskrb-7mode.domain.win2k8.netapp.com@DOMAIN.WIN2K8.NETAPP.COM
renew until 04/26/15 16:47:44
sh-4.1$ mount | grep krb5
nfskrb-7mode:/vol/krb5 on /krb5 type nfs (rw,sec=krb5,vers=4,addr=10.63.9.69,clientaddr=10.228.225.140)
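As an added example (not from the reply and not NetApp code), a small Python pre-flight check for steps 1 and 3 above: forward/reverse DNS agreement for the NFS principal host, and a decode of the account's msDS-SupportedEncryptionTypes value against the DES/RC4-only mask (7) the reply gives. The DNS tables and lookup callables are constructed assumptions so it runs offline; the bit values are the ones defined in MS-KILE.

```python
# Added example (not NetApp code): pre-flight check for the 7-mode "UNIX KDC"
# path. Lookups are passed in as callables so it runs against constructed data.

# msDS-SupportedEncryptionTypes bit values as defined in MS-KILE.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# Value 7 from the reply: the 7-mode filer only speaks DES and RC4.
FILER_7MODE_MASK = 0x01 | 0x02 | 0x04


def decode_enctypes(value):
    """Names of the enctypes enabled in a msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def check_enctypes(account_value, filer_mask=FILER_7MODE_MASK):
    """(ok, detail): ok is False when the SPN's account and the filer share no
    enctype, so the KDC cannot issue a service ticket the filer can decrypt."""
    shared = account_value & filer_mask
    if not shared:
        return False, "no common enctype; account offers " + ", ".join(decode_enctypes(account_value))
    names = decode_enctypes(shared)
    note = " (DES is weak; RC4 is the stronger of the two)" if any(n.startswith("DES") for n in names) else ""
    return True, "usable: " + ", ".join(names) + note


def check_dns(host, forward, reverse):
    """(ok, detail): the A record of the principal host must resolve to an
    address whose PTR record gives back the same FQDN (step 1 of the reply)."""
    ip = forward(host)
    if not ip:
        return False, "no A record for " + host
    ptr = reverse(ip)
    if not ptr or ptr.rstrip(".").lower() != host.lower():
        return False, "reverse lookup of %s gives %r, not %s" % (ip, ptr, host)
    return True, "%s <-> %s" % (host, ip)


# Constructed sample mirroring the nslookup output in the reply, not live DNS.
FORWARD = {"nfskrb-7mode.domain.win2k8.netapp.com": "10.63.9.69"}
REVERSE = {"10.63.9.69": "nfskrb-7mode.domain.win2k8.netapp.com"}


def preflight(host, account_value, forward=FORWARD.get, reverse=REVERSE.get):
    """Run both checks and report the SPN the keytab must carry (nfs/<fqdn>)."""
    return {"dns": check_dns(host, forward, reverse),
            "enctypes": check_enctypes(account_value),
            "principal": "nfs/%s" % host}
```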
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net]
On Behalf Of Edward Rolison
Sent: Friday, March 27, 2015 11:03 AM
To: toasters@teaparty.net
Subject: NFSv4/krb against an AD without a CIFS license
Trying to configure NFSv4 and Kerberos - have managed it several times now with boxes that are on the domain, but for various reasons, this one doesn't have a CIFS license.
I'm getting an error:
"unable to setup kerberos for NFS could not set up active directory KDC"
After entering my administrator account in "nfs setup".
Can anyone point me in the direction of what I'm missing here? (Am wondering if it's some variant of needing a machine account created to act as a service principal, or something else is going wrong).
Thanks,
Ed.