9.5. Setting up user authentication and authorization

Acronis Cyber Infrastructure allows you to authenticate users for access to specific NFS shares via Kerberos and authorize them to access specific NFS exports inside these shares via LDAP.

9.5.1. Authenticating NFS share users with Kerberos

To enable user authentication in an NFS share, do the following:

  1. Assign a forward and reverse resolvable FQDN (fully qualified domain name) to the share’s IP address.

  2. On the Settings > Security > Kerberos tab, specify the following Kerberos information:

    1. In Realm, your DNS name in uppercase letters.

    2. In KDC service, the DNS name or IP address of the host running the realm’s key distribution center (KDC) service.

    3. In KDC administration service, the DNS name or IP address of the host running the realm’s KDC administration service.

      Usually, the KDC and its administration service run on the same host.

  3. On the Kerberos server, do the following:

    1. Log in as administrator to the Kerberos database administration program.

    2. Add a principal for the share by using the command addprinc -randkey nfs/<share_FQDN>@<realm>. For example:

      # addprinc -randkey nfs/share1.example.com@EXAMPLE.COM

    3. Generate a keytab (key table) for the principal and save it to a directory you can upload from. For example:

      # ktadd -k /tmp/krb5.keytab nfs/share1.example.com@EXAMPLE.COM

  4. On the Storage services > NFS > Share tab, select a share, and then click Authentication.

  5. Upload the keytab file, and then click Save.

Important

Each share and each client (the user that mounts the export) must have its own principal and keytab.
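The Kerberos-server steps of the procedure above as a script, added here as an example and not part of the Acronis Cyber Infrastructure documentation: it builds the share's service principal, checks that the share FQDN resolves forward and reverse (step 1), runs the addprinc and ktadd commands from step 3 through kadmin.local, and verifies that the resulting keytab actually lists the principal before it is uploaded. The function names, the kadmin.local invocation, the NFS_KRB_RUN switch and the reverse-lookup check are this example's own assumptions; share1.example.com, EXAMPLE.COM and /tmp/krb5.keytab are the page's sample values.

```shell
#!/bin/sh
# Added example, not from the Acronis Cyber Infrastructure documentation.
# Prepares and verifies the Kerberos principal and keytab for one NFS share
# (section 9.5.1, steps 1 and 3). Assumes it runs on the KDC host with
# kadmin.local and klist available; the function names are this example's own.

# Service principal for the share. Kerberos realms are case-sensitive and the
# Realm field expects the DNS name in uppercase, so refuse a lowercase realm
# rather than create a principal that will never match the configured realm.
nfs_principal() {
    fqdn=$1
    realm=$2
    case $realm in
        *[[:lower:]]*) echo "realm must be uppercase: $realm" >&2; return 1 ;;
    esac
    case $fqdn in
        *.*) ;;
        *) echo "share name must be an FQDN: $fqdn" >&2; return 1 ;;
    esac
    printf 'nfs/%s@%s\n' "$fqdn" "$realm"
}

# Step 1: forward and reverse lookup of the share FQDN must agree.
check_fqdn() {
    fqdn=$1
    ip=$(getent ahosts "$fqdn" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no address for $fqdn" >&2; return 1; }
    rev=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$rev" = "$fqdn" ] || { echo "$ip resolves back to '$rev', not $fqdn" >&2; return 1; }
}

# Step 3: add the principal with a random key and export it to a keytab that
# only the current user can read (the keytab is the share's long-term secret).
create_keytab() {
    princ=$1
    keytab=$2
    umask 077
    kadmin.local -q "addprinc -randkey $princ" &&
    kadmin.local -q "ktadd -k $keytab $princ"
}

# Reads the output of `klist -k <keytab>` on stdin and succeeds only if the
# expected principal is listed; klist prints "KVNO Principal" rows, with the
# principal in the second column.
keytab_lists_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Usage: NFS_KRB_RUN=1 sh nfs_krb_setup.sh share1.example.com EXAMPLE.COM /tmp/krb5.keytab
main() {
    princ=$(nfs_principal "$1" "$2") || exit 1
    check_fqdn "$1" || exit 1
    create_keytab "$princ" "$3" || exit 1
    klist -k "$3" | keytab_lists_principal "$princ" || { echo "keytab lacks $princ" >&2; exit 1; }
    echo "keytab $3 ready to upload for $princ"
}

if [ "${NFS_KRB_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

The keytab check is the part worth keeping even if you type the kadmin commands by hand: a keytab that was generated for the wrong realm or a short hostname uploads without complaint and only fails later when a client tries to mount, so confirming the principal in klist -k output before the upload saves a round of debugging.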

9.5.2. Authorizing NFS export users with LDAP

By configuring access to a user directory via LDAP, you can control which users can access which NFS exports. You will need a directory of user accounts with desired NFS access parameters.

To configure access to an LDAP server, do the following:

  1. On the Settings > Security > LDAP tab, specify the following information:

    • In Address, the IP address of the LDAP server.

    • In Base DN, the distinguished name of the search starting point.

  2. Click Save.