configuring Isilon for kerberized NFSv4

This post describes the steps required to configure an Isilon cluster for kerberized NFSv4. Two Kerberos servers are supported: Microsoft Active Directory and an MIT KDC.
We will use a Microsoft Windows Server 2012 R2 Active Directory as the Kerberos server and RFC2307 attributes for user/ID mapping.

Windows Prerequisites:

  • Windows Active Directory with RFC2307 support
  • Active Directory users configured with unix attributes (uid, gid, …)

The steps to configure and prepare a Microsoft Windows Server 2012 R2 for kerberized Linux and NFSv4 can be found in earlier posts here and here. For the example in this post we will use the domain "EMC.LAB" and the users and groups configured in those previous posts.

Isilon Prerequisites:

  • Isilon cluster running OneFS 7.0 or later (this post was tested with OneFS 7.1.0)
  • working DNS delegation to your Isilon System Zone (in our example: isilonc1.emc.lab)
  • date and time close to those of your Active Directory server (after joining the domain the time is synced automatically; Kerberos rejects requests outside its clock-skew window, 5 minutes by default)
Warning: as of OneFS 7.1.0, kerberized NFSv4 only works in the System Zone. Support for other access zones is planned for a future release.

Configuring Isilon NFSv4:

Enabling and configuring NFSv4 is easy but has to be done from the CLI.
The first step is to join our Active Directory domain "EMC.LAB" as user "administrator", using the computer account "isilonc1":

isi auth ads create --kerberos-nfs-spn=true --name=EMC.LAB --sfu-support=rfc2307 --user=administrator --account=isilonc1

The parameters "--sfu-support=rfc2307" and "--kerberos-nfs-spn=true" are required for UID mapping and for kerberized NFS respectively (the latter registers the NFS service principal for the cluster in Active Directory). If the command succeeds, you should be able to access the Isilon over SMB by opening "\\isilonc1.emc.lab" in Windows Explorer.

Next we have to enable and configure NFSv4.
By default, the NFS service uses the Isilon cluster name as its principal. If your cluster name differs from your Active Directory computer account ("isilonc1" in our case), or to make the setup robust against a later cluster rename, tell the NFS service which principal instance it should use:

isi_sysctl_cluster vfs.nfsrv.principal_instance=isilonc1

Finally, enable NFSv4 and configure it for our domain "EMC.LAB":

isi nfs settings global modify --nfsv4-enabled=yes --nfsv4-domain=EMC.LAB
isi auth krb5 modify default --default-realm=EMC.LAB
isi auth krb5 write

Create NFSv4 Export:

To test NFSv4 we create a kerberized NFSv4 export:

mkdir /ifs/data/test
chown root:'EMClinux_user' /ifs/data/test
chmod 0775 /ifs/data/test
isi nfs exports create --all-dirs=yes --map-root=nobody --paths=/ifs/data/test --security-flavors=krb5,krb5i,krb5p

"--security-flavors" lists every flavor a client is allowed to negotiate: krb5 only authenticates, krb5i adds integrity protection, krb5p additionally encrypts the traffic. Listing all three lets a client mount with plain krb5 and send data in the clear; if encryption is mandatory, list only krb5p. "--map-root=nobody" squashes the client's root user to nobody on this export.

First, test on the Isilon that the UID of a domain user resolves (the uid and gid come from the RFC2307 attributes of the Active Directory user):

> id user1@EMC.LAB
uid=10001(EMCuser1) gid=20000(EMClinux_user) groups=20000(EMClinux_user),1000000(EMCdomain users),1545(Users)

Next, mount the test export from a Linux client that is also joined to the domain "EMC.LAB" and has the NFSv4 client configured:

> mount -o vers=4,sec=krb5p isilonc1.emc.lab:/ifs/data/test /mnt
> nfsstat -m
/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=,minorversion=0,local_lock=none,addr=

If the mount fails, verify that date and time are in sync between the Isilon, the Active Directory server and the client. Also check the Isilon NFS log "/var/log/nfs.log" and the client's log (e.g. "/var/log/messages") for errors.
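As an added example (not code from the original post), the following POSIX shell script wraps the two checks above so a client administrator can run them before and after the mount: it parses "nfsstat -m" output for the security flavor the mount actually negotiated and compares it with a required minimum (a client offered krb5, krb5i and krb5p may silently come up with krb5 instead of krb5p), and it checks the client's clock against the Kerberos skew window. The mount point /mnt, the krb5p requirement, the 300 second window and the embedded nfsstat samples are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for a kerberized
# NFSv4 client mount. Runs offline on constructed sample data; on a real client pass
# "$(nfsstat -m)" and "$(date +%s)" instead (see the usage at the bottom).
# Hypothetical assumptions: mount point /mnt, required flavor krb5p, and a 300 s
# maximum clock skew (the Kerberos default).

# Rank the RPCSEC_GSS flavors: krb5 authenticates only, krb5i adds integrity
# protection, krb5p adds privacy (encryption). sys, none or anything unknown ranks 0.
flavor_rank() {
    case "$1" in
        krb5)  echo 1 ;;
        krb5i) echo 2 ;;
        krb5p) echo 3 ;;
        *)     echo 0 ;;
    esac
}

# Print the sec= flavor of mount point $2 from "nfsstat -m" output passed as $1,
# or "none" if the mount is absent or carries no sec= option.
mount_sec_flavor() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 == mp && $2 == "from" { inmount = 1; next }
        inmount && $1 == "Flags:" {
            n = split($2, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) { sub(/^sec=/, "", opts[i]); found = opts[i] }
            exit
        }
        END { print (found == "" ? "none" : found) }'
}

# Succeed (exit 0) if mount point $2 in nfsstat output $1 uses at least flavor $3.
# A mount that negotiated krb5 when krb5p was expected is sending data unencrypted.
mount_meets_policy() {
    have=$(mount_sec_flavor "$1" "$2")
    [ "$(flavor_rank "$have")" -ge "$(flavor_rank "$3")" ]
}

# Succeed if |client_epoch ($1) - kdc_epoch ($2)| <= max_skew ($3). Outside the
# window the KDC rejects the request and the mount fails with an unhelpful error.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$3" ]
}

# Constructed samples in the shape of the "nfsstat -m" output shown in the post.
SAMPLE_GOOD='/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=,minorversion=0,local_lock=none,addr='
SAMPLE_WEAK='/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=,minorversion=0,local_lock=none,addr='

# Stand-alone run: report on the samples. On a real client use
#   mount_meets_policy "$(nfsstat -m)" /mnt krb5p
#   clock_skew_ok "$(date +%s)" "$kdc_epoch" 300   # kdc_epoch: AD server time as Unix epoch
if mount_meets_policy "$SAMPLE_GOOD" /mnt krb5p; then
    echo "SAMPLE_GOOD: /mnt uses $(mount_sec_flavor "$SAMPLE_GOOD" /mnt), krb5p policy met"
fi
if ! mount_meets_policy "$SAMPLE_WEAK" /mnt krb5p; then
    echo "SAMPLE_WEAK: /mnt uses $(mount_sec_flavor "$SAMPLE_WEAK" /mnt), below krb5p: traffic not encrypted"
fi
if ! clock_skew_ok 1700000000 1700000400 300; then
    echo "clock check: 400 s skew exceeds the 300 s window, Kerberos will reject the mount"
fi
```

The flavor ranking encodes that krb5p implies integrity and authentication, so requiring krb5p fails both a krb5 and a krb5i mount; requiring only krb5 accepts any of the three. The clock check is deliberately symmetric, because a client that is ahead of the KDC fails just as a client that is behind.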

In the next post I will show how to join a RHEL Linux client to our domain, enable NFSv4 and finally test our complete NFSv4 environment.
