This section describes additional Qumulo cluster configuration that can affect the behavior of NFSv4.1 with Kerberos.
When your Qumulo cluster is joined to AD, you must configure the NFSv4.1 server and NFSv4.1 security settings.
To Configure Security Settings by Using the qq CLI
Qumulo provides configuration for the permitted NFSv4.1 authentication flavors in the qq CLI or directly through the Qumulo REST API.
- Run the qq nfs_get_settings command to get the current settings. The following is example output.

      $ qq nfs_get_settings
      {
        "auth_sys_enabled": true,
        "krb5_enabled": true,
        "krb5p_enabled": true,
        "krbi_enabled": true,
        "v4_enabled": false
      }

  This is the default configuration:

  - NFSv4.1 is disabled by default.
  - AUTH_SYS, AUTH_KRB5, AUTH_KRB5P, and AUTH_KRB5I are enabled by default (however, Qumulo Core doesn't support Kerberos configuration on NFSv3).
- To harden security, configure your cluster to use only Kerberos by disabling AUTH_SYS (without changing AUTH_KRB5).

  Important: Because it uses authentication based on a simple UID and GID passed over the wire in plain text, RPC AUTH_SYS is inherently insecure. In a trusted environment, AUTH_SYS might be sufficient for enforcing basic permissions and preventing good-faith actors from making mistakes. In all other cases, you must treat AUTH_SYS as if it provides no security whatsoever.

  For example:

      $ qq nfs_modify_settings --disable-auth-sys
      {
        "v4_enabled": false,
        "auth_sys_enabled": false,
        "auth_krb5_enabled": true,
        "auth_krb5p_enabled": true,
        "auth_krb5i_enabled": true
      }

- (Optional) You can also run the following commands.

  | Command | Description |
  |---|---|
  | qq nfs_modify_settings --enable-auth-sys | Enables AUTH_SYS without changing AUTH_KRB5 |
  | qq nfs_modify_settings --enable-krb5 | Enables AUTH_KRB5 without changing AUTH_SYS |
  | qq nfs_modify_settings --enable-krb5p | Enables AUTH_KRB5P without changing AUTH_SYS |
  | qq nfs_modify_settings --enable-krb5i | Enables AUTH_KRB5I without changing AUTH_SYS |
  | qq nfs_modify_settings --enable-v4 | Enables NFSv4.1 |
  | qq nfs_modify_settings --disable-v4 | Disables NFSv4.1 |
  | qq nfs_modify_settings --disable-krb5 | Disables AUTH_KRB5 without changing AUTH_SYS |
  | qq nfs_modify_settings --disable-krb5p | Disables AUTH_KRB5P without changing AUTH_SYS |
  | qq nfs_modify_settings --disable-krb5i | Disables AUTH_KRB5I without changing AUTH_SYS |
- Security configuration options apply to all versions of NFS (NFSv3 and NFSv4.1). Thus, disabling AUTH_SYS also disables NFSv3, because AUTH_SYS is the only security flavor that NFSv3 supports by design.
- In a secure environment, where Kerberos is required, AUTH_SYS NFSv3 connections aren't allowed.
- These configuration options apply cluster-wide to all NFS exports and files.
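
One way to check the outcome of these settings, as an added example (not Qumulo's code): the Python function below audits the JSON printed by qq nfs_get_settings and reports whether the cluster is Kerberos-only and still reachable over NFS. It accepts both key spellings that appear in the sample outputs above, which is an assumption about what a given release prints; the function name and sample strings are constructed here.

```python
import json

# Key spellings as they appear in the two sample outputs on this page; which one
# a given Qumulo Core release prints is an assumption, so both are accepted.
KRB_KEYS = {
    "AUTH_KRB5": ("auth_krb5_enabled", "krb5_enabled"),
    "AUTH_KRB5P": ("auth_krb5p_enabled", "krb5p_enabled"),
    "AUTH_KRB5I": ("auth_krb5i_enabled", "krb5i_enabled", "krbi_enabled"),
}


def audit_nfs_settings(raw_json):
    """Return (kerberos_only, findings) for qq nfs_get_settings JSON output."""
    s = json.loads(raw_json)
    findings = []
    auth_sys = s.get("auth_sys_enabled")
    v4 = s.get("v4_enabled")
    krb = sorted(name for name, keys in KRB_KEYS.items()
                 if any(s.get(k) is True for k in keys))
    if auth_sys is None or v4 is None:
        findings.append("missing auth_sys_enabled or v4_enabled; cannot assess")
        return False, findings
    if auth_sys:
        findings.append("AUTH_SYS enabled: plain-text UID/GID accepted cluster-wide")
    else:
        findings.append("AUTH_SYS disabled: NFSv3 is disabled as a consequence")
        if not v4:
            findings.append("NFSv4.1 disabled: no NFS client can mount until --enable-v4")
        if not krb:
            findings.append("no Kerberos flavor enabled: nothing can authenticate")
    kerberos_only = (not auth_sys) and bool(v4) and bool(krb)
    return kerberos_only, findings


# Constructed samples mirroring the two outputs shown on this page.
DEFAULT = ('{"auth_sys_enabled": true, "krb5_enabled": true, "krb5p_enabled": true,'
           ' "krbi_enabled": true, "v4_enabled": false}')
HARDENED_NO_V4 = ('{"v4_enabled": false, "auth_sys_enabled": false,'
                  ' "auth_krb5_enabled": true, "auth_krb5p_enabled": true,'
                  ' "auth_krb5i_enabled": true}')

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT), ("hardened", HARDENED_NO_V4)):
        ok, notes = audit_nfs_settings(sample)
        print(label, "kerberos-only:", ok)
        for n in notes:
            print("  -", n)
```

The second sample is flagged because, per the notes above, disabling AUTH_SYS removes NFSv3 while Kerberos flavors require NFSv4.1, which is still off in that output.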
Configuring Export Configuration
You can use NFSv4.1 exports to configure access to the Qumulo file system.
The user-mapping portion of the export configuration has no effect on Kerberos configuration. Specifying root or any user mapping for a particular export applies only to AUTH_SYS mounts that access this export.
Otherwise, exports and IP address restrictions (that you specify in exports) behave identically for all security flavors: AUTH_SYS, AUTH_KRB5, AUTH_KRB5P, and AUTH_KRB5I.