This section describes additional Qumulo cluster configuration that can affect the behavior of NFSv4.1 with Kerberos.

When your Qumulo cluster is joined to AD, you must configure the NFSv4.1 server and NFSv4.1 security settings.

To Configure Security Settings by Using the qq CLI

You can configure the permitted NFSv4.1 authentication flavors by using the qq CLI or directly through the REST API.

  1. Use the qq CLI to get the current settings:

    $ qq nfs_get_settings
    {
      "auth_sys_enabled": true,
      "krb5_enabled": true,
      "krb5p_enabled": true,
      "v4_enabled": false
    }
    

    This is the default configuration:

    • NFSv4.1 is disabled by default.
    • AUTH_SYS, AUTH_KRB5, and AUTH_KRB5P are enabled by default (however, the AUTH_KRB5 configuration has no effect on NFSv3 because Qumulo Core doesn’t support Kerberos with NFSv3).
  2. To harden security, configure your cluster to use only Kerberos by disabling AUTH_SYS (without changing AUTH_KRB5). For example:

    $ qq nfs_modify_settings --disable-auth-sys
    {
      "v4_enabled": false,
      "auth_sys_enabled": false,
      "auth_krb5_enabled": true,
      "auth_krb5p_enabled": true
    }
    
  3. (Optional) You can also use the following commands.

    Command                                   Description
    ----------------------------------------  --------------------------------------------
    qq nfs_modify_settings --enable-auth-sys  Enables AUTH_SYS without changing AUTH_KRB5
    qq nfs_modify_settings --enable-krb5      Enables AUTH_KRB5 without changing AUTH_SYS
    qq nfs_modify_settings --enable-krb5p     Enables AUTH_KRB5P without changing AUTH_SYS
    qq nfs_modify_settings --enable-v4        Enables NFSv4.1
    qq nfs_modify_settings --disable-v4       Disables NFSv4.1
    qq nfs_modify_settings --disable-krb5     Disables AUTH_KRB5 without changing AUTH_SYS
    qq nfs_modify_settings --disable-krb5p    Disables AUTH_KRB5P without changing AUTH_SYS
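
The following Python script is an added example, not part of Qumulo's documentation or tooling. It audits the JSON printed by `qq nfs_get_settings` against the Kerberos-only configuration from step 2 and accepts both key spellings that appear in the sample outputs on this page; the script name `audit_nfs_auth.py` and the function names are assumptions.

```python
import json
import sys

# Both key spellings appear in the sample outputs on this page; accept either.
KEY_ALIASES = {
    "auth_sys": ("auth_sys_enabled",),
    "krb5": ("krb5_enabled", "auth_krb5_enabled"),
    "krb5p": ("krb5p_enabled", "auth_krb5p_enabled"),
    "v4": ("v4_enabled",),
}


def normalize(settings):
    """Map raw settings to {name: bool or None}; None means the key is absent."""
    out = {}
    for name, aliases in KEY_ALIASES.items():
        values = [settings[k] for k in aliases if k in settings]
        if any(not isinstance(v, bool) for v in values):
            raise ValueError(f"non-boolean value for {name}")
        if len(set(values)) > 1:
            raise ValueError(f"conflicting values for {name}")
        out[name] = values[0] if values else None
    return out


def audit(settings):
    """Return a list of findings; an empty list means Kerberos-only."""
    s = normalize(settings)
    findings = []
    missing = [n for n, v in s.items() if v is None]
    if missing:
        findings.append("missing settings: " + ", ".join(sorted(missing)))
    if s["auth_sys"]:
        findings.append(
            "AUTH_SYS is enabled: run qq nfs_modify_settings --disable-auth-sys"
        )
    if s["krb5"] is False and s["krb5p"] is False:
        findings.append("no Kerberos flavor is enabled")
    return findings


if __name__ == "__main__":
    # Usage: qq nfs_get_settings | python3 audit_nfs_auth.py
    results = audit(json.load(sys.stdin))
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

The script exits with status 1 when it reports any finding, so it can gate a configuration check in automation.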

Configuring Export Configuration

You can use NFSv4.1 exports to configure access to the Qumulo file system.

In all other ways, exports behave the same for AUTH_KRB5 or AUTH_KRB5P as they do for AUTH_SYS. IP address restrictions that you specify in an export work as expected.