Veritas Access Administrator's Guide
Exporting an NFS share for Kerberos authentication
Kerberos provides three types of security options for exporting an NFS share:
- krb5
- krb5i
- krb5p
Veritas Access also provides a sys (sec=sys) export option, which does not provide Kerberos authentication. Veritas Access supports all three Kerberos security options. All of them use Kerberos V5 to authenticate users to NFS servers.
krb5i computes a hash on every remote procedure call (RPC) request to the server and every response to the client. The hash is computed over the entire message: the RPC header plus the NFS arguments or results. Because the hash travels with the NFS packet, any modification of the packet data by an attacker can be detected. Thus krb5i provides integrity protection.
krb5p uses encryption to provide privacy. With krb5p, NFS arguments and results are encrypted, so an attacker cannot snoop on the NFS packets to see file data or metadata.
Note:
Because krb5i and krb5p perform an additional set of computations on each NFS packet, NFS performance decreases compared with krb5.
Performance decreases in the following order: krb5 > krb5i > krb5p.
krb5 provides the best performance and krb5p the lowest.
Additional export options are available.
See Exporting an NFS share.
To export a directory using only the krb5 mount option
- Export a directory using only the krb5 mount option:
    NFS> share add sec=krb5 /vx/fs1
    Exporting /vx/fs1 with options sec=krb5
    Success.
To export a directory using krb5, krb5i, krb5p, and sys options
- Export a directory using krb5, krb5i, krb5p, and sys options:
    NFS> share add sec=krb5:krb5i:krb5p:sys /vx/fs1
    Exporting /vx/fs1 with options sec=krb5:krb5i:krb5p:sys
    Success.
In this case, different clients can use different levels of security. Client A can mount with krb5, and client B can mount with krb5p. If no security mount option is given on the client side, the security level is negotiated and the highest level offered is chosen. In this case, it is krb5p.
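
Because a client may mount with any flavor that an export lists, a multi-flavor export is only as strong as the weakest entry in its sec= list. The following added example (not part of the Veritas Access guide or product) parses the "Exporting ... with options ..." confirmation lines shown above and reports, per export, the weakest permitted flavor and every flavor below a chosen minimum. The function name audit_exports, the minimum parameter, and the /vx/fs2 path are assumptions made for illustration.

```python
import re

# Weakest to strongest, following the page's descriptions of each flavor.
ORDER = ["sys", "krb5", "krb5i", "krb5p"]
EXPORT_RE = re.compile(r"Exporting (\S+) with options (\S+)")
SEC_RE = re.compile(r"\bsec=([A-Za-z0-9:]+)")


def audit_exports(lines, minimum="krb5i"):
    """Return {path: {"weakest": flavor, "below_minimum": [flavors]}}.

    A client may mount with any flavor the export lists, so an export is
    only as strong as the weakest flavor in its sec= list.
    """
    floor = ORDER.index(minimum)
    report = {}
    for line in lines:
        m = EXPORT_RE.search(line)
        if not m:
            continue  # not an export confirmation line
        path, options = m.groups()
        sec = SEC_RE.search(options)
        if not sec:
            # The page does not say which flavor applies without sec=,
            # so record the export with no verdict for manual review.
            report[path] = {"weakest": None, "below_minimum": []}
            continue
        flavors = sec.group(1).split(":")
        unknown = [f for f in flavors if f not in ORDER]
        if unknown:
            raise ValueError(f"{path}: unrecognized flavor(s) {unknown}")
        ranked = sorted(flavors, key=ORDER.index)
        report[path] = {
            "weakest": ranked[0],
            "below_minimum": [f for f in ranked if ORDER.index(f) < floor],
        }
    return report


# Constructed sample: the two confirmation lines from this page, with the
# second path renamed to /vx/fs2 so both exports appear in one report.
SAMPLE = [
    "Exporting /vx/fs1 with options sec=krb5",
    "Exporting /vx/fs2 with options sec=krb5:krb5i:krb5p:sys",
]

if __name__ == "__main__":
    for path, result in audit_exports(SAMPLE).items():
        print(path, result)
```

With the default minimum of krb5i, both sample exports are flagged: /vx/fs1 because krb5 alone gives no integrity protection, and /vx/fs2 because it also accepts sys and krb5.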