This post describes the steps required to configure an Isilon cluster for kerberized NFSv4. Two Kerberos servers are supported: Microsoft Active Directory and MIT KDC.
We will use a Microsoft Windows Active Directory 2012 R2 Kerberos server and RFC2307 for user/ID mapping.
- Windows Active Directory with RFC2307 support
- Active Directory users configured with unix attributes (uid, gid, …)
The steps to configure and prepare a Microsoft Windows Server 2012 R2 for kerberized Linux and NFSv4 can be found in earlier posts here and here. In this post we will use the example domain “EMC.LAB” and the users and group configured in those previous posts.
- Isilon Cluster 7.0+ (this post was tested with Isilon 7.1.0)
- working DNS delegation to your Isilon System Zone (in our example: isilonc1.emc.lab)
- date and time close to those of your Active Directory server (after joining the domain, the time is synced automatically)
Configuring Isilon NFSv4:
The first thing to do is to join our Active Directory domain “EMC.LAB” with user “administrator” using the computer account “isilonc1”:
isi auth ads create --kerberos-nfs-spn=true --name=EMC.LAB --sfu-support=rfc2307 --user=administrator --account=isilonc1
The parameters “--sfu-support=rfc2307” and “--kerberos-nfs-spn=true” are required for UID mapping and kerberized NFS. If this command was successful, you should now be able to access your Isilon with SMB by opening “\\isilonc1.emc.lab” in Windows Explorer.
Next we have to enable and configure NFSv4.
By default, the NFS service uses the Isilon cluster name as its principal. If your cluster name differs from your Active Directory computer account (“isilonc1” in our case), or to make the setup robust against a later cluster rename, we tell the NFS service which principal it should use:
Finally enable NFSv4 and configure NFSv4 for our domain “EMC.LAB”:
isi nfs settings global modify --nfsv4-enabled=yes --nfsv4-domain=EMC.LAB
isi auth krb5 modify default --default-realm=EMC.LAB
isi auth krb5 write
Create NFSv4 Export:
To test NFSv4 we create a kerberized NFSv4 export:
mkdir /ifs/data/test
chown root:'EMC\linux_user' /ifs/data/test
chmod 0775 /ifs/data/test
isi nfs exports create --all-dirs=yes --map-root=nobody --paths=/ifs/data/test --security-flavors=krb5,krb5i,krb5p
First, we test on the Isilon whether we can resolve the UID for a specific user:
> id user1@EMC.LAB
uid=10001(EMC\user1) gid=20000(EMC\linux_user) groups=20000(EMC\linux_user),1000000(EMC\domain users),1545(Users)
Next, you should be able to mount our test export from a Linux client that is also joined to the domain “EMC.LAB” and has the NFSv4 client configured.
> mount -o vers=4,sec=krb5p isilonc1.emc.lab:/ifs/data/test /mnt
> nfsstat -m
/mnt from isilonc1.emc.lab:/ifs/data/test/
Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.186.6,minorversion=0,local_lock=none,addr=192.168.186.23
If the mount fails, verify that the date and time on the Isilon and on the client are in sync with your Active Directory server. Also check the Isilon NFS log “/var/log/nfs.log” and the client NFS log (e.g. “/var/log/messages”) for errors.
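Because the export above accepts krb5, krb5i and krb5p, a client that mounts with a weaker flavor than intended still succeeds, only without integrity protection or encryption. The following script is an added example, not part of the original post: it reads /proc/mounts-style lines and flags every NFS mount whose sec= value is below a required minimum. The function names, the sample lines and the second mount point /mnt2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the security flavor each NFS mount actually uses.
# Strength order: sys (0) < krb5 auth only (1) < krb5i +integrity (2) < krb5p +encryption (3)
sec_rank() {
    case "$1" in
        krb5p) echo 3 ;;
        krb5i) echo 2 ;;
        krb5)  echo 1 ;;
        *)     echo 0 ;;   # sys, none, or anything unknown
    esac
}

# Print the value of sec= from a comma-separated mount option string.
sec_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1
}

# check_mounts MIN_FLAVOR
# Reads /proc/mounts-style lines on stdin, prints a verdict per NFS mount and
# returns 1 if any NFS mount is weaker than MIN_FLAVOR.
check_mounts() {
    min=$(sec_rank "$1"); rc=0
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        sec=$(sec_of "$opts"); sec=${sec:-sys}   # treat a missing sec= as the weakest flavor
        if [ "$(sec_rank "$sec")" -ge "$min" ]; then
            echo "OK   $mnt ($dev) sec=$sec"
        else
            echo "WEAK $mnt ($dev) sec=$sec, expected at least $1"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: line 2 mirrors the mount shown in this post,
# line 3 is a hypothetical second mount of the same export made with sec=krb5.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
isilonc1.emc.lab:/ifs/data/test /mnt nfs4 rw,relatime,vers=4,proto=tcp,sec=krb5p,addr=192.168.186.23 0 0
isilonc1.emc.lab:/ifs/data/test /mnt2 nfs4 rw,relatime,vers=4,proto=tcp,sec=krb5,addr=192.168.186.23 0 0
EOF
}

# On a real client use: check_mounts krb5p < /proc/mounts
sample_mounts | check_mounts krb5p || echo "at least one NFS mount is below krb5p"
```

If only krb5p mounts should ever succeed, the stricter control is to offer only krb5p in the export's --security-flavors list.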
In the next post I will show how to join a RHEL Linux client to our domain, enable NFSv4 and finally test our complete NFSv4 environment.