This section describes additional Qumulo cluster configuration that can affect the behavior of NFSv4.1 with Kerberos.
When your Qumulo cluster is joined to AD, you must configure the NFSv4.1 server and NFSv4.1 security settings.
To Configure Security Settings by Using the qq CLI
Qumulo provides configuration for the permitted NFSv4.1 authentication flavors in the qq
CLI or directly through the Qumulo REST API.
-
Run the
qq nfs_get_settings
command to get the current settings.The following is example output.
$ qq nfs_get_settings { "auth_sys_enabled": true, "krb5_enabled": true, "krb5p_enabled": true, "krbi_enabled": true, "v4_enabled": false }
This is the default configuration:
- NFSv4.1 is disabled by default.
AUTH_SYS
,AUTH_KRB5
,AUTH_KRB5P
, andAUTH_KRB5I
are enabled by default (however, Qumulo Core doesn’t support Kerberos configuration on NFSv3).
-
To harden security, configure your cluster to use only Kerberos by disabling
AUTH_SYS
(without changingAUTH_KRB5
). For example:Important
Because it uses authentication based on a simple UID and GID passed over the wire in plain text, RPCAUTH_SYS
is inherently insecure. In a trusted environment,AUTH_SYS
might be sufficient for enforcing basic permissions and preventing good-faith actors from making mistakes. In all other cases, you must treatAUTH_SYS
as if it provides no security whatsoever.$ qq nfs_modify_settings --disable-auth-sys { "v4_enabled": false, "auth_sys_enabled": false, "auth_krb5_enabled": true, "auth_krb5p_enabled": true, "auth_krb5i_enabled": true }
-
(Optional) You can also run the following commands.
Command Description qq nfs_modify_settings
--enable-auth-sys
Enables AUTH_SYS
without changingAUTH_KRB5
qq nfs_modify_settings
--enable-krb5
Enables AUTH_KRB5
without changingAUTH_SYS
qq nfs_modify_settings
--enable-krb5p
Enables AUTH_KRB5P
without changingAUTH_SYS
qq nfs_modify_settings
--enable-krb5i
Enables AUTH_KRB5I
without changingAUTH_SYS
qq nfs_modify_settings
--enable-v4
Enables NFSv4.1 qq nfs_modify_settings
--disable-v4
Disables NFSv4.1 qq nfs_modify_settings
--disable-krb5
Disables AUTH_KRB5
without changingAUTH_SYS
qq nfs_modify_settings
--disable-krb5p
Disables AUTH_KRB5P
without changingAUTH_SYS
qq nfs_modify_settings
--disable-krb5i
Disables AUTH_KRB5I
without changingAUTH_SYS
- Security configuration options apply to all versions of NFS (NFSv3 and NFSv4.1). Thus, disabling
AUTH_SYS
also disables NFSv3, becauseAUTH_SYS
is the only Kerberos security flavor that NFSv3 supports by design. - In a secure environment, where Kerberos is required,
AUTH_SYS
NFSv3 connections aren't allowed. - These configuration options apply cluster-wide to all NFS exports and files.
Configuring Export Configuration
You can use NFSv4.1 exports to configure access to the Qumulo file system.
The user-mapping portion of the export configuration has no effect on Kerberos configuration. Specifying root
or any
user mapping for a particular export applies only to AUTH_SYS
mounts that access this export.
Otherwise, exports and IP address restrictions (that you specify in exports) behave identically for all Kerberos security flavors: AUTH_SYS
, AUTH_KRB5
, AUTH_KRB5P
, and AUTH_KRB5I
.