This section provides an overview of how NFSv4.1 works with Kerberos in Qumulo Core.
Kerberos is a network authentication protocol that works by using a three-way trust between a key distribution center (KDC), a service server (for example, NFSv4.1 on Qumulo Core), and a client system (for example, a Linux system). This section explains how to configure and use the three entities involved in the trust and provides troubleshooting directions. For more information, see Kerberos on Wikipedia and the MIT Kerberos documentation.
Active Directory (AD) simplifies Kerberos requirements by providing a globally unique security identifier (SID) for every user and group and a KDC implementation with a ticket-granting service (TGS) and an authentication service (AS).
Choosing a Kerberos Security Flavor
Qumulo Core supports three flavors of Kerberos security that NFSv4.1 clients can use by specifying the following mount options:
sec=krb5
: Provides user authentication only.
sec=krb5i
: Provides authentication and message integrity by performing message signing for protection against man-in-the-middle attacks and message tampering.
sec=krb5p
: Provides privacy by encrypting all traffic between the client and server. This is the most secure mount option.
Configuring Kerberos for Qumulo Core
Qumulo Core 5.1.5 (and higher) supports Kerberos for authenticating AD users over NFSv4.1. After you configure your AD domain, the Kerberos configuration process consists of the following steps:
- Join your Qumulo cluster to your AD domain.
- Join Linux systems to your AD domain.
- Log in to a Linux system and mount the Qumulo cluster by using one of the available mount options.
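After mounting, a client can confirm which security flavor each mount actually negotiated. The following is an added example, not Qumulo's own tooling: it reads lines in `/proc/mounts` format and flags any NFS mount that is below a required flavor or is not NFSv4.1. The host name, mount points, and sample lines are constructed, and it assumes that every NFS mount it is given targets the Qumulo cluster and that the kernel prints the version as `vers=4.1`.

```shell
#!/bin/sh
# Added example: audit NFS mounts for their Kerberos security flavor.

# Rank a sec= flavor by the protection level described in this section.
flavor_rank() {
    case "$1" in
        krb5p) echo 3 ;;  # authentication, integrity, and encryption
        krb5i) echo 2 ;;  # authentication and message signing
        krb5)  echo 1 ;;  # authentication only
        *)     echo 0 ;;  # sys, none, or missing: no Kerberos
    esac
}

# Print the value of KEY from a comma-separated mount option string.
mount_opt() {  # usage: mount_opt KEY OPTIONS
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Read /proc/mounts-format lines on stdin, print one verdict per NFS mount,
# and return 1 if any mount is weaker than MIN_FLAVOR or is not NFSv4.1.
audit_nfs_sec() {  # usage: audit_nfs_sec MIN_FLAVOR < /proc/mounts
    min=$(flavor_rank "$1")
    status=0
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        sec=$(mount_opt sec "$opts")
        vers=$(mount_opt vers "$opts")
        verdict=OK
        [ "$(flavor_rank "$sec")" -ge "$min" ] || verdict=WEAK_SEC
        [ "$vers" = "4.1" ] || verdict=NOT_NFS41
        [ "$verdict" = OK ] || status=1
        printf '%s %s vers=%s sec=%s\n' "$verdict" "$mnt" "${vers:-?}" "${sec:-none}"
    done
    return "$status"
}

# Constructed sample input (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
qumulo.example.com:/ /mnt/secure nfs4 rw,relatime,vers=4.1,sec=krb5p,proto=tcp 0 0
qumulo.example.com:/ /mnt/authonly nfs4 rw,relatime,vers=4.1,sec=krb5,proto=tcp 0 0
qumulo.example.com:/ /mnt/legacy nfs4 rw,relatime,vers=4.0,sec=krb5p,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demo: require at least integrity protection on every mount.
sample_mounts | audit_nfs_sec krb5i || echo "non-compliant mounts found"
```

On a live client, run `audit_nfs_sec krb5p < /proc/mounts` to require encryption on every NFS mount.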
Known Kerberos Limitations for Qumulo Core
Qumulo Core supports only the following features:
- NFSv4.1
- Linux clients
- AES-128 and AES-256 encryption algorithms. For more information, see Network security: Configure encryption types allowed for Kerberos in the Microsoft documentation.
- Microsoft Windows Active Directory (Windows Server 2008 and higher)