TECH::How to set up Kerberos on vSphere 6.0 servers for datastores on NFS

For a more in-depth, updated version:

Kerberize your NFSv4.1 Datastores in ESXi 6.5 using NetApp ONTAP

In case you were living under a rock somewhere, VMware released vSphere 6.0 in March. I covered some of my thoughts from an NFS perspective in vSphere 6.0 – NFS Thoughts.

In that blog, I covered some of the new features, including support for Kerberized NFS on vSphere 6.0. However, in my experience setting up Kerberos for NFS clients, I learned that doing it can be a colossal pain in the ass. Luckily, vSphere 6.0 actually makes the process pretty easy.

TR-4073: Secure Unified Authentication will eventually contain information on how to do it, but I wanted to get the information out now and strike while the iron is hot!

What is Kerberos?


I cover some scenarios regarding securing your NFS environment in “Feeling insecure about NFS?” One of those I mention is Kerberos, but I never really go into detail about what Kerberos actually is.

Kerberos is a ticket-based authentication protocol that eliminates the need to send passwords over the wire. Instead, a centralized server known as a Key Distribution Center (KDC) holds a long-term key for every principal (derived from the principal's password). A client proves knowledge of its key once to obtain a Ticket Granting Ticket (TGT), then presents the TGT to get service tickets for individual services such as NFS. Tickets are protected with symmetric encryption, and the encryption types that get used are negotiated between the client, the server's keytab and the KDC. Right now, the best you can do is AES, which is the NIST standard. Clustered Data ONTAP 8.3 supports both AES-128 and AES-256, by the way. 🙂

However, vSphere 6.0 supports only DES (DES-CBC-MD5) for NFS Kerberos, so… Keep in mind that Active Directory has had DES disabled by default since Windows Server 2008 R2, so the KDC and the account ESXi uses must explicitly allow DES for this to work at all, and what you get is authentication with a legacy cipher rather than AES-grade protection. (ESXi 6.5 adds the AES enctypes; see the updated post linked above.)

Again, TR-4073: Secure Unified Authentication covers this all in more detail than you'd probably want…

Kerberize… like a rockstar!


In one of my Insight sessions, I break down the Kerberos authentication process as a real-world scenario, such as buying a ticket to see your favorite band.

  • A person joins a fan club for first access to concert tickets
    • Ticket Granting Ticket (TGT) issued from Key Distribution Center (KDC)
  • A person buys the concert ticket to see their favorite band
    • TGT used to request Service Ticket (ST) from the KDC
  • They pick the ticket up at the box office
    • ST issued by KDC
  • They use the ticket to get into the concert arena
    • Authentication
  • The ticket specifies which seat they are allowed to sit in
    • Authorization; backstage pass specifies what special permissions they have

Why Kerberos?

One of the questions you may be asking, or have heard asked is, “why the heck do I want to Kerberize my NFS datastore mount? Doesn’t my export policy rule secure it enough?”

Well, how easy is it to change the IP address of an ESXi server? How easy is it to create a user with a UID of your choosing? With NFSv3 and AUTH_SYS, that is really all you need: the export policy rule checks the client's IP address, and the client simply asserts its own UID and GID in every RPC, so the server takes its word for it. Kerberos, on the other hand, requires a principal with a password or keytab, an exchange with the KDC, and a service ticket that the NFS server verifies with its own key. Neither a spoofed address nor a self-declared UID gets you in.

So, it’s much more secure.

Awesome… how do I do it?

Glad you asked!

After you've set up your KDC and preferred NFS server to do Kerberos, you need to set up the client. In this case, the client is the ESXi 6.0 host.

Step 1: Configure DNS

Kerberos needs DNS to work properly. The service principal name (SPN) the client asks the KDC for, nfs/<FQDN of the NFS server>, is formed from DNS names, and the KDC and NFS server resolve the client as well. Forward and reverse records that disagree typically surface as the KDC reporting that the server principal is not found in its database. So, you need the following:

  • Forward and reverse lookup records on the DNS server for the ESXi server
  • Proper DNS configuration on the ESXi server

Example:

[Screenshot: DNS configuration on the ESXi host]

Step 2: Configure NTP

Kerberos is very sensitive to time skew. By default, 5 minutes of skew is allowed between client, server and KDC; if the difference is larger than that, the Kerberos request fails. This is for your security: the timestamps inside authenticators are what stop a captured ticket exchange from being replayed later. 🙂

[Screenshot: NTP configuration on the ESXi host]

Step 3: Join ESXi to the Active Directory Domain

Joining the domain has the host's computer account, SPNs and keytab created for you, which saves you the effort of manual configuration. Save yourself time and headaches.

[Screenshot: Join Domain dialog]

Step 4: Specify a user principal name (UPN)

This user will be used by ESXi to kinit and obtain a ticket granting ticket (TGT), which it then uses to request a service ticket for the NFS server's nfs/ SPN. Because vSphere 6.0 only speaks DES, this account must have DES encryption types enabled in Active Directory, or the ticket request will fail. Again, it's entirely possible to do this manually and likely possible to leverage keytab authentication. But, again, save yourself the headache.

[Screenshot: NFS Kerberos Credentials]

Step 5: Create the NFS datastore for use with NFSv4.1 and Kerberos authentication

You *could* Kerberize NFSv3. But why? With NFSv3, only the NFS RPC program itself is protected; the side protocols it depends on (NLM for locking, NSM for status, portmap and mount) don't get Kerberized. NFSv4.1 folds mounting, locking and state into the one protocol, so a single security flavor covers all of it. One caveat on wording: the sec=krb5 flavor, which is the only one ESXi 6.0 supports, authenticates every RPC but does not encrypt the data on the wire; integrity (krb5i) and privacy (krb5p) are separate flavors.

[Screenshot: New Datastore wizard]
Enter the server/datastore information:

[Screenshot: NFS 4.1 server and datastore details]

Be sure you don’t forget to enable Kerberos:

[Screenshot: Enable Kerberos-based authentication]

After you're done, test it out! If the mount fails, a packet capture on the ESXi host is the fastest way to tell whether the failure is at the KDC (the ticket request) or at the NFS server (the RPCSEC_GSS exchange).
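The five steps above as a repeatable ESXi shell (busybox ash) script built on esxcli. This is an added example, not code from the original post or from VMware; every domain, host name, address, export path and account in it is a placeholder assumption to be replaced with your own. Step 4 has no esxcli equivalent in 6.0, so the script stops there and tells you to set the credentials in the Web Client before running the mount phase. DRY_RUN=1 prints each command instead of running it, which doubles as a way to review what will change.

```shell
#!/bin/sh
# Added example (not from the original post): Kerberized NFSv4.1 datastore
# setup on an ESXi 6.0 host, scripted with esxcli. All values below are
# placeholder assumptions; override them in the environment.

DOMAIN="${DOMAIN:-lab.example.com}"                  # AD domain (assumed)
REALM=$(printf '%s' "$DOMAIN" | tr 'a-z' 'A-Z')      # Kerberos realm = upper-cased AD domain
ESX_HOST="${ESX_HOST:-esx01}"                        # short name of this host (assumed)
DNS_SERVER="${DNS_SERVER:-192.0.2.10}"               # AD-integrated DNS server (assumed)
NTP_SERVER="${NTP_SERVER:-192.0.2.10}"               # time source, here the DC (assumed)
NFS_SERVER="${NFS_SERVER:-nfs01.lab.example.com}"    # NFS server FQDN (assumed)
NFS_EXPORT="${NFS_EXPORT:-/vol/vmware_krb}"          # export path on the server (assumed)
DATASTORE="${DATASTORE:-nfs41_krb}"                  # datastore name (assumed)
JOIN_USER="${JOIN_USER:-svc-esxjoin}"                # AD account allowed to join hosts (assumed)

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# require_fqdn: refuse a bare host name or an IP address. The client asks the
# KDC for nfs/<name>, so the name you mount by must match the SPN on the KDC.
require_fqdn() {
    case "$1" in
        *[!0-9.]*.*) return 0 ;;
        *) echo "NFS server must be an FQDN, not '$1'" >&2; return 1 ;;
    esac
}

# expected_spn: the service principal the KDC must hold for the NFS server.
# Compare with 'setspn -L <nfs server computer account>' on a domain controller.
expected_spn() {
    echo "nfs/$NFS_SERVER@$REALM"
}

# Step 1: DNS. The host needs an FQDN and forward/reverse records that agree.
configure_dns() {
    run esxcli system hostname set --host="$ESX_HOST" --domain="$DOMAIN"
    run esxcli network ip dns server add --server="$DNS_SERVER"
    run esxcli network ip dns search add --domain="$DOMAIN"
}

# Step 2: NTP. Kerberos rejects anything outside the 5-minute skew window.
configure_ntp() {
    run esxcli system ntp set --server="$NTP_SERVER"
    run esxcli system ntp set --enabled=true
    run /etc/init.d/ntpd restart
}

# Step 3: join AD, which creates the host's computer account, SPNs and keytab.
# domainjoin-cli prompts for JOIN_USER's password.
join_domain() {
    run /usr/lib/vmware/likewise/bin/domainjoin-cli join "$DOMAIN" "$JOIN_USER"
}

# Step 4 (manual in 6.0): set the NFS Kerberos credentials (the UPN) in the
# vSphere Web Client under the host's Authentication Services, or through the
# HostStorageSystem.SetNFSUser API method. The account must allow DES enctypes.

# Step 5: mount the NFSv4.1 datastore with the Kerberos security flavor.
mount_krb5_datastore() {
    require_fqdn "$NFS_SERVER" || return 1
    run esxcli storage nfs41 add --hosts="$NFS_SERVER" --share="$NFS_EXPORT" \
        --volume-name="$DATASTORE" --sec=SEC_KRB5
}

# verify_mount: the Security column should read SEC_KRB5 for the new datastore.
verify_mount() {
    run esxcli storage nfs41 list
}

case "${1:-}" in
    prepare) configure_dns; configure_ntp; join_domain
             echo "Now set the NFS Kerberos credentials (step 4), then run: $0 mount" ;;
    mount)   mount_krb5_datastore && verify_mount ;;
    spn)     expected_spn ;;
esac
```

Usage: `sh kerberos-nfs41.sh prepare`, complete step 4 in the Web Client, then `sh kerberos-nfs41.sh mount`. `sh kerberos-nfs41.sh spn` prints the principal the KDC must hold for the NFS server, which is the first thing to compare against the domain controller when the mount fails with a "server not found in Kerberos database" style error. Prefix any phase with `DRY_RUN=1` to see the esxcli commands without executing them.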

6 thoughts on “TECH::How to set up Kerberos on vSphere 6.0 servers for datastores on NFS”

  1. Pingback: VMware Fling brings NFS cmdlets to PowerCLI - Datacenter Dude

  2. Pingback: vSphere 6.5: The NFS edition | Why Is The Internet Broken?

  3. Pingback: Kerberize your NFSv4.1 Datastores in ESXi 6.5 using NetApp ONTAP | Why Is The Internet Broken?

  4. If it’s not too much trouble, would you mind elaborating on Step 4 (NFS Kerberos Credentials). Specifically, I am using a Windows Server for NFS (Windows Server 2019, NFS 4.1) and vSphere 6.7 (vCenter and hosts are all running the latest stable version).

    I can’t seem to get Kerberos authentication working with ESXi, I have verified it works with Windows NFS clients and also that ESXi can mount the datastore successfully using AUTH_SYS.

    I came across your other articles:

    https://whyistheinternetbroken.wordpress.com/2019/02/05/windows-nfs-who-does-that/
    https://whyistheinternetbroken.wordpress.com/2017/10/11/nfs41-kerberos-esxi65-ontap9/

    and tried following the instructions, but they didn’t work for my particular setup (using Windows NFS Server instead of NetApp ONTAP).

    I’d really appreciate any help in this manner, especially if you could provide a walkthrough similar to the other ones you’ve already written.

    Reddit post with more details: https://www.reddit.com/r/vmware/comments/faxu20/windows_server_for_nfs_how_to_configure_kerberos/


  5. Would you mind elaborating on “Step 4: Specify a user principal name (UPN)”? I tried my domain admin credentials, but they don’t seem to work for mounting the datastore with Kerberos (I get the standard SysInfo error).

    Running the “kinit” command from ESXCLI with my domain admin credentials works successfully and shows a ticket, so it seems the host is able to authenticate against Kerberos. For reference, I am using a Windows NFS 4.1 server on Windows Server 2019, I have already verified I can mount with AUTH_SYS.

    More details here: https://www.reddit.com/r/vmware/comments/faxu20/windows_server_for_nfs_how_to_configure_kerberos/


    • Replied to the reddit thread. I don’t have the correct resources to do this on ESXi but it was fairly straightforward on CentOS. I posted it, but I’m getting the spinning wheel of death on the comment. If it bombs, I’ll post it again. Basics are:

      – Configure DNS
      – Join ESXi to domain
      – Configure UPN (valid user in domain to get tickets)
      – export NFS properly from the Windows server
      – Ensure time is within 5 minutes on KDC and ESXi server

      A packet capture of the issue should help isolate it, but you may want to get VMware support involved.

