Configure a UNIX-based NFS client to connect to Windows Server for NFS using Kerberos security


This post discusses how to configure a UNIX based NFS client to connect to Windows Server for NFS using Kerberos security with RPCSEC_GSS. “Traditionally NFS clients and servers use AUTH_SYS security. This essentially allows clients to send authentication information by specifying UID/GID of UNIX user to an NFS Server. Each NFS request has UID/GID of the UNIX user specified in incoming request. This method of authentication provides minimal security as client can spoof the request by specifying UID/GID of a different user. This method of authentication is also vulnerable to tampering of NFS request by some 3rd party between client & server on network. RPCSEC_GSS provides a generic mechanism to use multiple security mechanisms with ONCRPC (on which NFS requests are built). Server for NFS currently provides support for two Kerberos "flavors" over NFS using RPCSEC_GSS: krb5 and krb5i. krb5 provides Kerberos authentication at RPC request level, while krb5i (Kerberos v5 with Integrity) also protects NFS payload from tampering,” writes Microsoft.
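To check which flavor a client is actually using, the following added example (not from the original post or from Microsoft) audits NFS mounts by their `sec=` option and grades them according to the distinction drawn above. It assumes a Linux client whose mount table uses the `/proc/mounts` layout; the function names, server name and mount points are constructed for illustration.

```shell
#!/bin/sh
# Added example: grade each NFS mount by its RPC security flavor.
# Input layout (as in /proc/mounts): device mountpoint fstype options dump pass

# Constructed sample mount table; winnfs.example.com is a placeholder server.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
winnfs.example.com:/legacy /mnt/legacy nfs rw,relatime,vers=3,proto=tcp,sec=sys 0 0
winnfs.example.com:/projects /mnt/projects nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5 0 0
winnfs.example.com:/finance /mnt/finance nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5i 0 0
EOF
}

# Reads a mount table on stdin, prints "<verdict> <flavor> <mountpoint>"
# for every NFS mount and ignores all other filesystem types.
audit_nfs_sec() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "unspecified"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/)
                flavor = substr(opts[i], 5)   # text after "sec="

        if (flavor == "sys")
            verdict = "FAIL"    # AUTH_SYS: UID/GID asserted by the client
        else if (flavor == "krb5")
            verdict = "WARN"    # Kerberos authentication, payload not integrity-protected
        else if (flavor == "krb5i" || flavor == "krb5p")
            verdict = "OK"      # krb5i adds integrity; krb5p (not covered in the
                                # quoted text) additionally encrypts the payload
        else
            verdict = "CHECK"   # no sec= recorded or an unrecognised flavor

        print verdict, flavor, $2
    }'
}

# Demonstration on the constructed table; on a live client run:
#   audit_nfs_sec < /proc/mounts
sample_mounts | audit_nfs_sec
```

Any mount reported as `FAIL` is still relying on client-asserted UID/GID and is a candidate for remounting with `sec=krb5i` once the client has a keytab and the share permits it.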

More Info: Using Kerberos security with Server for NFS