This section describes additional Qumulo cluster configuration that can affect the behavior of NFSv4.1 with Kerberos.

When your Qumulo cluster is joined to AD, you must configure the NFSv4.1 server and NFSv4.1 security settings.

To Configure Security Settings by Using the qq CLI

You can configure the permitted NFSv4.1 authentication flavors by using the qq CLI or directly through the Qumulo REST API.

  1. Run the qq nfs_get_settings command to get the current settings.

    The following is example output.

    $ qq nfs_get_settings
    {
      "auth_sys_enabled": true,
      "krb5_enabled": true,
      "krb5p_enabled": true,
      "krb5i_enabled": true,
      "v4_enabled": false
    }
    

    This is the default configuration:

    • NFSv4.1 is disabled by default.
    • AUTH_SYS, AUTH_KRB5, AUTH_KRB5P, and AUTH_KRB5I are enabled by default (however, Qumulo Core doesn’t support Kerberos configuration on NFSv3).
  2. To harden security, configure your cluster to use only Kerberos by disabling AUTH_SYS (without changing AUTH_KRB5). For example:

    $ qq nfs_modify_settings --disable-auth-sys  
    {
      "v4_enabled": false,
      "auth_sys_enabled": false,
      "auth_krb5_enabled": true,
      "auth_krb5p_enabled": true,
      "auth_krb5i_enabled": true
    }
    
  3. (Optional) You can also run the following commands.

    Command                                     Description
    qq nfs_modify_settings --enable-auth-sys    Enables AUTH_SYS without changing AUTH_KRB5
    qq nfs_modify_settings --enable-krb5        Enables AUTH_KRB5 without changing AUTH_SYS
    qq nfs_modify_settings --enable-krb5p       Enables AUTH_KRB5P without changing AUTH_SYS
    qq nfs_modify_settings --enable-krb5i       Enables AUTH_KRB5I without changing AUTH_SYS
    qq nfs_modify_settings --enable-v4          Enables NFSv4.1
    qq nfs_modify_settings --disable-v4         Disables NFSv4.1
    qq nfs_modify_settings --disable-krb5       Disables AUTH_KRB5 without changing AUTH_SYS
    qq nfs_modify_settings --disable-krb5p      Disables AUTH_KRB5P without changing AUTH_SYS
    qq nfs_modify_settings --disable-krb5i      Disables AUTH_KRB5I without changing AUTH_SYS
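
The following Python code is an added example, not Qumulo's own: it audits nfs_get_settings-style JSON for the Kerberos-only hardening described in step 2. It accepts both key spellings that appear in the example outputs; the function names and the sample inputs are assumptions constructed for illustration.

```python
import json

# JSON keys accepted for each flavor. Both spellings seen in the example
# outputs are listed ("krb5_enabled" and "auth_krb5_enabled").
KEYS = {
    "AUTH_SYS": ("auth_sys_enabled",),
    "AUTH_KRB5": ("krb5_enabled", "auth_krb5_enabled"),
    "AUTH_KRB5I": ("krb5i_enabled", "auth_krb5i_enabled"),
    "AUTH_KRB5P": ("krb5p_enabled", "auth_krb5p_enabled"),
}


def enabled_flavors(settings):
    """Return the set of flavor names whose key is present and true."""
    return {flavor for flavor, keys in KEYS.items()
            if any(settings.get(k) is True for k in keys)}


def audit(settings):
    """Return findings; an empty list means Kerberos-only NFSv4.1."""
    findings = []
    on = enabled_flavors(settings)
    if "AUTH_SYS" in on:
        findings.append("AUTH_SYS is enabled: mounts are not limited to Kerberos")
    if not on - {"AUTH_SYS"}:
        findings.append("no Kerberos flavor is enabled")
    if settings.get("v4_enabled") is not True:
        findings.append("NFSv4.1 is disabled: Kerberos is not supported on NFSv3")
    return findings


# Constructed sample inputs (not captured from a real cluster).
DEFAULTS = json.loads("""{"auth_sys_enabled": true, "krb5_enabled": true,
    "krb5p_enabled": true, "krb5i_enabled": true, "v4_enabled": false}""")
HARDENED = json.loads("""{"v4_enabled": true, "auth_sys_enabled": false,
    "auth_krb5_enabled": true, "auth_krb5p_enabled": true,
    "auth_krb5i_enabled": true}""")

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK: Kerberos-only NFSv4.1")
```

To check a live cluster, pass the parsed output of qq nfs_get_settings to audit() in place of the constructed samples.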

Configuring Export Configuration

You can use NFSv4.1 exports to configure access to the Qumulo file system.

The user-mapping portion of the export configuration has no effect on Kerberos configuration. Specifying root or any user mapping for a particular export applies only to AUTH_SYS mounts that access this export.

Otherwise, exports and IP address restrictions (that you specify in exports) behave identically for all authentication flavors: AUTH_SYS, AUTH_KRB5, AUTH_KRB5P, and AUTH_KRB5I.