Using Solaris and SPARC Networking and Virtualization

Configuring Secure NFS in Solaris 11


Recently a customer asked for suggestions on how to transfer files securely, meaning the data is encrypted while on the wire. Several options came to mind.
  • scp
  • IPsec
  • Secure NFS

Using scp(1M) seems the most straightforward, since ssh/scp/sftp is installed in almost all Solaris 11.2 Package Groups. The only downside is that scp has to be run from the command line or a script.

The benefit of IPsec is that all traffic can be encrypted. However, it requires either manual keying or an IKE v2 infrastructure.

Secure NFS is an extension of a typical NFS setup, so it should be rather simple to set up, provided remote file access works for the customer.

After meeting with the customer, it turned out that the key application that needs secure file transfer only supports ftp(1M) (and not sftp or even ftps) or NFS. Thus looking more closely at Secure NFS seemed the logical path. Using IPsec only to secure NFS traffic looked to be more work than necessary.

My setup uses Solaris Zones for a number of reasons.

  • I can do this on a single system.
  • They are easy to build, manage, and delete.
  • I can see traffic between Zones easily, even if they are on the same system.
  • And the customer is already using Zones, so this will show that they can do this using Zones as well.

The steps that follow are done on a system running Solaris 11.2. For convenience, I will refer to it as Solaris or Solaris 11. Due to possible packaging differences, Solaris 11 11/11 or Solaris 11.1 might require some changes. I have not tested these steps with either.

Building a Secure NFS configuration consists of the following steps:

  • NTP to ensure all nodes' clocks are in sync
  • DNS (optional if you have a DNS setup you can access and customize, if necessary)
  • KDC to install the Kerberos Key Distribution Center
  • Kerberos client
  • NFS server also as Kerberos client
  • KDC as NFS server to show a single node as both KDC and NFS server (optional)

To make this easier to follow, and to write, I am breaking this into several different steps.

Click on either Step 0 or Step 1 to get started!

When you are done, come back here for the comments below, if you wish.

Wrapping Things Up

This pretty much does it. In summary, we have done the following:

  • Created and configured a DNS server, since I don't have one available. This might be optional for you.
  • Created a Kerberos Key Distribution Center (KDC) for all clients and servers to use.
  • Built an NFS server that is a Kerberos client, and added a share that requires Kerberos privacy through encryption.
  • Added an NFS client and verified that the data passed over the network is encrypted.
  • Combined the KDC and NFS server onto a single "node", showing that a KDC can be a client of itself.

Some things this entry does not cover and readers may try on their own include:
  • Redundant slave KDCs
  • Using an existing Kerberos service not provided by a Solaris KDC
  • Working with Microsoft Active Directory
  • Integrating this with a ZFS Storage Appliance

I hope this will be helpful to others!

References and Notes

Useful Links

Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Working With Oracle® Solaris 11.2 Directory and Naming Services: DNS and NIS


There is currently a problem (I noticed it in Solaris 11.2 SRU 12, and it exists in earlier releases and SRUs) where kadmin restarts too quickly during Solaris startup and goes into maintenance mode. At this time there is no fix. I created a script in /etc/rc3.d to clear the error with svcadm(1M) after about 30 seconds.

I address this with a legacy rc script that SMF starts when the system reaches the multi-user-server milestone. If this were a more permanent requirement, I would create an SMF service.

root@kdc1:/etc/rc3.d# ls
kadmin.sh README S99kadmin
root@kdc1:/etc/rc3.d# cat S99kadmin
/etc/rc3.d/kadmin.sh &
root@kdc1:/etc/rc3.d# cat kadmin.sh
sleep 30
svcadm clear kadmin
logger "cleared kadmin"
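The workaround above sleeps a fixed 30 seconds and then clears kadmin unconditionally, which means it also issues a clear when the service is actually healthy, or gives up too early on a slow boot. The script below is an added example, not part of the original post, of a slightly more careful version: it polls the SMF state of kadmin with svcs(1) and only calls svcadm clear when the service really is in maintenance. The service name kadmin and the svcs/svcadm/logger commands are as used in the post; the polling limits, the kadmin-watch log tag, the sample svcs output line in the comments, and the --watch flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): poll kadmin's SMF state and
# clear it only when it has dropped into maintenance.

SVC="kadmin"        # SMF service name, as in the post
MAX_TRIES=12        # assumption: poll up to 12 * 5 = 60 seconds
INTERVAL=5          # seconds between polls

# state_from_svcs LINE
# Takes one line of 'svcs -H -o state,fmri <svc>' output, e.g. the
# constructed sample "maintenance    svc:/network/security/kadmin:default",
# and prints just the state column. Returns 1 on an empty line.
state_from_svcs() {
    set -- $1
    [ -n "$1" ] || return 1
    printf '%s\n' "$1"
}

# should_clear STATE
# True only for "maintenance". A service that is still "offline" (starting)
# or already "online" must be left alone; clearing it does nothing useful.
should_clear() {
    case "$1" in
        maintenance) return 0 ;;
        *)           return 1 ;;
    esac
}

# watch_kadmin
# The polling loop used on a real Solaris host. Returns 0 once the service
# is online or has been cleared, 1 if it never reached a clearable state.
watch_kadmin() {
    i=0
    state=""
    while [ "$i" -lt "$MAX_TRIES" ]; do
        line=$(svcs -H -o state,fmri "$SVC" 2>/dev/null)
        state=$(state_from_svcs "$line") || state=""
        if should_clear "$state"; then
            svcadm clear "$SVC"
            logger -t kadmin-watch "cleared $SVC from maintenance after $((i * INTERVAL))s"
            return 0
        elif [ "$state" = "online" ]; then
            logger -t kadmin-watch "$SVC is online, nothing to clear"
            return 0
        fi
        i=$((i + 1))
        sleep "$INTERVAL"
    done
    logger -t kadmin-watch "$SVC still '$state' after $((MAX_TRIES * INTERVAL))s, not clearing"
    return 1
}

# Only run the loop when asked to and when svcs(1) actually exists, so the
# helper functions above can be sourced and tested on a non-Solaris box.
if [ "${1:-}" = "--watch" ] && command -v svcs >/dev/null 2>&1; then
    watch_kadmin
fi
```

To use it in place of kadmin.sh, S99kadmin would run the script with the --watch argument in the background, exactly as the original S99kadmin backgrounds kadmin.sh. Logging the elapsed time and the reason for not clearing also leaves a record in syslog that tells you whether the timing of the startup race is changing across SRUs.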
