NFS SDK and Kerberos
Introduction
With NFS SDK, both client- and server-side components can be configured to work with Kerberos to provide authentication, integrity protection, or data encryption. This article provides relevant examples of configuring the NFSServer and NFSClient components accordingly given an existing key distribution center (KDC) on Linux and Windows.
The underlying OS in the Linux examples is Ubuntu 24.04, and the OS in the Windows examples is Windows Server 2022. These instructions may not apply verbatim to every KDC, but the examples highlight the points that matter for a successful setup.
In this guide, all parties are located in the common domain example.com. The machine hosting the NFSServer component will be named nfs-server.example.com, and the machine hosting the NFSClient component will be named nfs-client.example.com. After configuration, the NFSClient component should be able to successfully connect to the NFSServer component following the provided sample configurations of each component.
The machine hosting the KDC will be named kdc.example.com. On all systems, the hosts file contains an entry for each of these names pointing to the respective IP address, so that every name resolves the same way on every host (the hosts file stands in for DNS in this guide).
NFSServer
The NFSServer component acts as a Kerberos service principal. For that, a principal for the service must exist in the KDC, and a keytab file holding that principal's key must be generated and delivered to the component. This section explains how to do this with an existing KDC hosted on Linux and on Windows.
Linux
In this example, we will create the principal nfs/nfs-server.example.com for the service and generate the keytab file associated with this principal. We assume the commands are run on the KDC itself: kadmin.local operates on the database directly and needs no Kerberos credentials of its own. Before generating the keytab file, we will add a service principal by first running sudo kadmin.local and then running the following command:
addprinc nfs/nfs-server.example.com
Enter a new password for the service principal when prompted. Since the service will only ever authenticate with its keytab, the password is never used again; addprinc -randkey nfs/nfs-server.example.com creates the principal with a random key and skips the prompt. Assuming this is successful, the keytab file can be created with the ktadd command, which also replaces the principal's key with a fresh random one. For example:
ktadd -k /tmp/server.keytab nfs/nfs-server.example.com@EXAMPLE.COM
After generating the keytab file, transfer it to the machine running the NFSServer component (nfs-server.example.com) over an authenticated, encrypted channel such as scp. The keytab is equivalent to the service's password: on the destination, restrict it so that only the account running the component can read it (for example, chmod 600), and remove the copy left in /tmp on the KDC. Please see the Component Configuration section for details.
Windows
Before generating a keytab file, a new account should be created in the Microsoft Active Directory for the service.
To create a new account, navigate to the Server Manager and open the Active Directory Users and Computers menu item. In this example, we will create a new user account with the first name and login name nfs-server. Set a strong password, clear the "User must change password at next logon" option, and select "Password never expires" so that the keytab does not silently stop working when the password would have expired. Next, you will need to set the SPN (Service Principal Name) for the service. In this example, we are using the setspn command:
setspn -S nfs/nfs-server.example.com nfs-server
Note that in the above example, nfs-server is the account to which the SPN is attached. According to the setspn documentation this may be a computer account (the target computer) or a user account; the -C option states explicitly that the name is a computer account, and the -U option that it is a user account. The -S option adds the SPN only after verifying that it is not already registered elsewhere in the forest; a duplicate SPN makes Kerberos authentication to the service fail, so prefer -S over the older -A.
After creating the account and calling setspn, you can generate a new keytab file using ktpass. In the next example, we create a keytab file for the principal nfs/nfs-server.example.com@EXAMPLE.COM and map this principal to the user we previously created.
ktpass -princ nfs/nfs-server.example.com@EXAMPLE.COM -mapuser nfs-server@EXAMPLE.COM -pass StrongPassword123! -out server.keytab -ptype KRB5_NT_PRINCIPAL
Note that when specifying the -princ option, the realm part (svc/hostname@REALM) must be written entirely in upper case. Be aware that ktpass sets the mapped account's password to the value given with -pass, so the command above resets the password chosen when the account was created; use -pass * to be prompted rather than placing the password on the command line, where it ends up in the command history. Pass -crypto AES256-SHA1 explicitly so that the keytab holds an AES key rather than the legacy RC4-HMAC-NT key type, and enable "This account supports Kerberos AES 256 bit encryption" in the account options so the domain controller issues AES tickets for it.
The previous command should successfully generate a keytab file on disk. Once this is done, transfer the keytab file to the machine running the NFSServer component (nfs-server.example.com) over an authenticated, encrypted channel, and restrict its ACL on the destination so that only the account running the component can read it; the file is equivalent to the service account's password. Please see the Component Configuration section for details.
Component Configuration
To ensure the component can accept incoming connections utilizing Kerberos, the SecurityMechanism property should include one or more of krb5 (authentication only), krb5i (authentication plus integrity protection of every RPC), and krb5p (authentication, integrity, and encryption of the data). Listing all three lets each client pick its level; list only krb5p if file contents must never cross the network in the clear. Additionally, the KeytabFile property should be set to the keytab generated for the service principal; the account running the component must be able to read this file, and ideally no other account should. For example:
component.SecurityMechanism = "krb5,krb5i,krb5p";
component.KeytabFile = "C:\\keytabs\\server.keytab"; // backslashes are escaped in the string literal
component.StartListening();
For more information on establishing a connection to this server with an external NFS client (e.g., on Linux or macOS), please refer to the guide here.
NFSClient
The NFSClient component will act as a Kerberos client, and the following properties should be set accordingly:
Property | Description
---|---
KDCHost | The host name or IP address of the KDC (kdc.example.com in this guide).
KDCPort | The port on which the KDC listens. The default is 88.
SPN | The SPN (Service Principal Name) of the service the user is attempting to access (nfs/nfs-server.example.com in this guide).
User | The principal attempting to access the service, including its realm, as in the configuration example below.
Password | The password of that principal.
KeytabFile | An alternative to Password: the path to a keytab file containing the key of the specified User. Restrict the file so that only the account running the component can read it.
This section explains how to set up the NFSClient with an existing KDC and NFS service hosted on Linux and Windows. We assume that the SPN nfs/nfs-server.example.com has been created as described in the previous section.
Linux
For this example, we will first create a new user principal nfs/nfs-client.example.com, which is used to connect to the service created in the previous section. We will create the user principal first by running sudo kadmin.local, and then by running the following command:
addprinc nfs/nfs-client.example.com
Enter a new password for the principal. This password can be used to set the Password property as previously mentioned. Alternatively, the KeytabFile property can be specified instead. To generate a keytab file, run the ktadd command. Note that ktadd replaces the principal's key with a random one, so after running it the password entered above no longer works; to keep both options usable, add -norandkey to the ktadd command (this flag is available in kadmin.local only). For example:
ktadd -k /tmp/client.keytab nfs/nfs-client.example.com@EXAMPLE.COM
After generating the keytab file, transfer it to the machine running the NFSClient component (nfs-client.example.com) over an authenticated, encrypted channel such as scp, restrict it so that only the account running the component can read it (for example, chmod 600), and remove the copy left in /tmp on the KDC. Please see the Component Configuration section for details.
Windows
For this example, we will first create a new user account, which is used to connect to the service created in the previous section.
To create a new user account, navigate to the Server Manager and open the Active Directory Users and Computers menu item. In this example, we will create a new user account with the first name and login name nfs-client. Set a strong password and clear the "User must change password at next logon" option. This password can be used to set the Password property as previously mentioned.
Alternatively, rather than specifying a password, the KeytabFile property can be specified instead. To generate a keytab file, run the ktpass command. In the next example, we create a keytab file for the principal nfs/nfs-client.example.com@EXAMPLE.COM and map this principal to the user we previously created (ktpass also sets that principal as the account's user principal name, which is the value used for the User property later).
ktpass -princ nfs/nfs-client.example.com@EXAMPLE.COM -mapuser nfs-client@EXAMPLE.COM -pass StrongPassword123! -out client.keytab -ptype KRB5_NT_PRINCIPAL
Note that when specifying the -princ option, the realm part (svc/user@REALM) must be written entirely in upper case. ktpass resets the mapped account's password to the value given with -pass (use -pass * to be prompted instead of putting the password on the command line), and -crypto AES256-SHA1 ensures that the keytab holds an AES key rather than the legacy RC4-HMAC-NT type.
The previous command should successfully generate a keytab file on disk. Transfer it to the machine running the NFSClient component (nfs-client.example.com) over an authenticated, encrypted channel, and restrict its ACL on the destination so that only the account running the component can read it. Please see the Component Configuration section for details.
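A keytab produced by ktadd or ktpass is the principal's long-term key, so before copying it to the component host it is worth confirming what it actually contains: that the expected principal is present, that it carries AES keys rather than only RC4 or DES, and that no other account can read the file. On a Linux host with the MIT tools installed, klist -kte answers the first two questions. The following Python script, added here as an example and not part of the SDK or of this article's original text, does the same offline by parsing the keytab format directly (version 0x0502, which both ktadd and ktpass write), and applies equally to the server keytab from the NFSServer section and the client keytab above. The keytab it inspects is constructed inside the script with all-zero key material; the set of enctypes treated as weak and the fixed timestamp are assumptions of the example.

```python
"""Offline inspection of a Kerberos keytab (MIT format 0x0502, as written by ktadd and ktpass)."""
from __future__ import annotations

import os
import stat
import struct
from dataclasses import dataclass

# Encryption type numbers from RFC 3961/3962. Assumption of this example: anything
# outside the AES family is reported as weak.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
AES_ENCTYPES = {17, 18, 19, 20}


@dataclass
class KeytabEntry:
    principal: str   # "svc/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int


def _cos(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cos(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse every live entry; a negative size marks a deleted slot and is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # hole left behind by ktremove
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_cos(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        _key, p = _read_cos(data, p + 2)  # key bytes are read past, never printed
        kvno = vno8
        if end - p >= 4:                  # trailing 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype))
        off = end
    return entries


def check_keytab(data: bytes, expected_principal: str) -> list[str]:
    """Return the problems worth flagging before deploying the keytab for expected_principal."""
    mine = [e for e in parse_keytab(data) if e.principal == expected_principal]
    if not mine:
        return [f"{expected_principal} not present in keytab"]
    problems = []
    if not any(e.enctype in AES_ENCTYPES for e in mine):
        problems.append(f"{expected_principal} has no AES key")
    for e in mine:
        if e.enctype not in AES_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            problems.append(f"{expected_principal} kvno {e.kvno} uses weak enctype {name}")
    return problems


def check_permissions(path: str) -> list[str]:
    """Flag a keytab readable by group or other (POSIX only; on Windows inspect the ACL instead)."""
    if os.name != "posix":
        return []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible to other accounts (mode {stat.S_IMODE(mode):o})"]
    return []


def build_keytab(specs: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples; used here only to construct sample input."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, fixed timestamp
        body += struct.pack(">H", enctype) + _cos(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: the server principal with AES-256, AES-128 and a legacy RC4 key,
# all with zero key material (a real keytab never contains that).
SERVER_PRINCIPAL = "nfs/nfs-server.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SERVER_PRINCIPAL, 2, 18, bytes(32)),
    (SERVER_PRINCIPAL, 2, 17, bytes(16)),
    (SERVER_PRINCIPAL, 2, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    for problem in check_keytab(SAMPLE_KEYTAB, SERVER_PRINCIPAL):
        print("WARNING:", problem)
```

To inspect a real file, pass open(path, "rb").read() to check_keytab together with the principal you expect the component to use, and run check_permissions(path) on the same file after it has been copied to the component host. A weak-enctype warning for a keytab written by ktpass is the cue to regenerate it with -crypto AES256-SHA1; for one written by ktadd it points at the KDC's supported_enctypes setting.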
Component Configuration
The SecurityMechanism property should be set to exactly one of krb5, krb5i, or krb5p, and the mechanism chosen must be among those listed in the server's SecurityMechanism property; krb5p is the right choice wherever file contents must not be readable on the wire. For example, to connect to the NFSServer configuration in the previous section, the component should be configured like so:
// Enable Kerberos (krb5p: authentication, integrity, and encryption)
component.SecurityMechanism = "krb5p";
// Set Kerberos properties
component.KDCHost = "kdc.example.com";
component.KDCPort = 88;
component.SPN = "nfs/nfs-server.example.com";
component.User = "nfs/nfs-client.example.com@EXAMPLE.COM";
//component.Password = "StrongPassword123!";
component.KeytabFile = "C:\\keytabs\\client.keytab"; // alternative to 'Password'; backslashes are escaped in the string literal
// Set remote host properties
component.RemoteHost = "nfs-server.example.com";
component.RemotePort = 2049;
component.Connect();
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.