This section provides an overview of how NFSv4.1 works with Kerberos in Qumulo Core.
Kerberos is a network authentication protocol that works by using a three-way trust between a key distribution center (KDC), a service server (for example, NFSv4.1 on Qumulo Core), and a client system (for example, a Linux system). This section explains how to configure and use the three entities involved in the trust and provides troubleshooting directions. For more information, see Kerberos on Wikipedia and the MIT Kerberos documentation.
Active Directory (AD) simplifies Kerberos requirements by providing a globally unique security identifier (SID) for every user and group, and a KDC implementation with a ticket-granting service (TGS) and an authentication service (AS).
Configuring Kerberos for Qumulo Core
Qumulo Core 5.1.5 (and higher) supports Kerberos for authenticating AD users over NFSv4.1. After you configure your AD domain, the Kerberos configuration process consists of the following steps.
- Join your Qumulo cluster to your AD domain.
- Join Linux systems to your AD domain.
- Log in to a Linux system and mount the Qumulo cluster by using the -o sec=krb5 mount option.
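To confirm that a client mounted the cluster as the last step describes, rather than with a non-Kerberos security flavor, the following added example (not Qumulo's own code) audits mount entries in /proc/mounts format for NFSv4.1 with sec=krb5. The function names, the host qumulo.example.com, the mount points, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit NFS mounts against the options used in the mount step.
# Reads /proc/mounts-format text on stdin and prints one line per NFS mount:
#   OK|FAIL <source> <mountpoint> vers=<v> sec=<s>
# Returns non-zero if any NFS mount is not NFSv4.1 with the expected sec flavor.
audit_nfs_mounts() {
    want_sec="${1:-krb5}"   # flavor named in the page's mount step
    awk -v want_sec="$want_sec" '
        $3 == "nfs" || $3 == "nfs4" {
            vers = "unset"; sec = "unset"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^vers=/) vers = substr(opts[i], 6)
                if (opts[i] ~ /^sec=/)  sec  = substr(opts[i], 5)
            }
            ok = (vers == "4.1" && sec == want_sec)
            printf "%s %s %s vers=%s sec=%s\n", (ok ? "OK" : "FAIL"), $1, $2, vers, sec
            if (!ok) bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample input (hypothetical host, paths, and addresses).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
qumulo.example.com:/ /mnt/secure nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5,clientaddr=192.0.2.10,addr=192.0.2.20 0 0
qumulo.example.com:/ /mnt/legacy nfs4 rw,relatime,vers=4.1,proto=tcp,sec=sys,clientaddr=192.0.2.10,addr=192.0.2.20 0 0
qumulo.example.com:/ /mnt/old nfs rw,relatime,vers=3,proto=tcp,sec=sys,addr=192.0.2.20 0 0
EOF
}

# Demo run on the constructed sample; on a real client use:
#   audit_nfs_mounts < /proc/mounts
sample_mounts | audit_nfs_mounts || echo "non-compliant NFS mounts found"
```
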
Known Kerberos Limitations for Qumulo Core
Qumulo Core supports only the following features:
- AES-128 and AES-256 encryption algorithms. For more information, see Network security: Configure encryption types allowed for Kerberos in the Microsoft documentation.
- Microsoft Windows Active Directory (Windows Server 2008 and higher)