This section provides an overview of how NFSv4.1 works with Kerberos in Qumulo Core.
- Prerequisites for Joining a Qumulo Cluster to Active Directory
- Configuring Active Directory for Use With Kerberos
- Performing Additional Cluster Configuration after Joining Active Directory
- Using Kerberos Permissions in the Qumulo Filesystem
- Configuring a Linux Client for NFSv4.1 with Kerberos
- Configuring Cross-Domain Active Directory Trusts
- Troubleshooting NFSv4.1 with Kerberos
Kerberos is a network authentication protocol that works by using a three-way trust between a key distribution center (KDC), a service server (for example, NFSv4.1 on Qumulo Core), and a client system (for example, a Linux system). This section of the Qumulo Administrator Guide explains how to configure and use the three entities involved in the trust and provides troubleshooting directions. For more information, see Kerberos on Wikipedia and the MIT Kerberos documentation.
Active Directory (AD) simplifies Kerberos requirements by providing a globally unique security identifier (SID) for every user and group and a KDC implementation with a ticket-granting service (TGS) and an authentication service (AS).
Configuring Kerberos for Qumulo Core
Qumulo Core 5.1.5 (and higher) supports Kerberos for authenticating AD users over NFSv4.1. After you configure your AD domain, the Kerberos configuration process consists of the following steps.
- Join your Qumulo cluster to your AD domain.
- Join Linux systems to your AD domain.
- Log in to a Linux system and mount the Qumulo cluster by using the -o sec=krb5 mount option.
Known Kerberos Limitations for Qumulo Core
Qumulo Core supports only the following features:
- AES-128 and AES-256 encryption algorithms. For more information, see Network security: Configure encryption types allowed for Kerberos in the Microsoft documentation.
- Microsoft Windows Active Directory (Windows Server 2008 and higher)
Currently, Qumulo Core doesn't support krb5i (integrity, or signing).
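The following shell functions are an added example, not part of the Qumulo guide: they build the sec=krb5 mount command from the overview steps and audit /proc/mounts-style lines so that a mount using anything other than NFSv4.1 with sec=krb5, including the unsupported krb5i, is flagged. The host name, export, mount point and sample line are constructed placeholders, and pinning vers=4.1 in the mount options is an assumption.

```shell
#!/bin/sh
# Added example, not from the Qumulo guide. Host, export and mount point
# are placeholders; the sample mount line is constructed.

# Print one option's value (e.g. sec, vers) from a /proc/mounts-style line.
mount_opt() {  # $1 = mounts line, $2 = option name
  printf '%s\n' "$1" | awk -v k="$2" '{
    n = split($4, o, ",")
    for (i = 1; i <= n; i++)
      if (index(o[i], k "=") == 1) { print substr(o[i], length(k) + 2); exit }
  }'
}

# Check a mount line against what this page describes: NFSv4.1, sec=krb5.
# Returns 0 = OK, 1 = wrong version or flavor, 2 = not an NFS mount.
check_mount() {  # $1 = mounts line
  fstype=$(printf '%s\n' "$1" | awk '{ print $3 }')
  case "$fstype" in nfs|nfs4) ;; *) echo "SKIP not-nfs"; return 2 ;; esac
  vers=$(mount_opt "$1" vers)
  sec=$(mount_opt "$1" sec)
  [ "$vers" = "4.1" ] || { echo "FAIL vers=${vers:-unset}"; return 1; }
  case "$sec" in
    krb5)  echo "OK"; return 0 ;;
    krb5i) echo "FAIL sec=krb5i unsupported"; return 1 ;;
    *)     echo "FAIL sec=${sec:-unset}"; return 1 ;;
  esac
}

# Build the mount command from the overview steps (vers=4.1 is an assumption).
mount_cmd() {  # $1 = server, $2 = export, $3 = mount point
  printf 'mount -t nfs -o vers=4.1,sec=krb5 %s:%s %s\n' "$1" "$2" "$3"
}

# Audit every NFS entry in a mounts file; non-zero if any entry fails.
audit_mounts() {  # $1 = file, default /proc/mounts
  rc=0
  while IFS= read -r line; do
    verdict=$(check_mount "$line") && st=0 || st=$?
    [ "$st" -eq 2 ] && continue
    printf '%s\t%s\n' "$(printf '%s\n' "$line" | awk '{ print $2 }')" "$verdict"
    [ "$st" -eq 0 ] || rc=1
  done < "${1:-/proc/mounts}"
  return "$rc"
}

# Constructed sample in /proc/mounts format.
SAMPLE='qumulo.example.com:/ /mnt/qumulo nfs4 rw,relatime,vers=4.1,sec=krb5 0 0'
check_mount "$SAMPLE"
```

Running audit_mounts with no argument on a Linux client reads /proc/mounts and prints one verdict per NFS mount point.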