NETAPP UNIVERSITY
Exercise Guide
Course ID: STRSW-ILT-NFSAD-REV06
Catalog Number: STRSW-ILT-NFSAD-REV06-EG
Content Version: 1.1
COPYRIGHT
© 2015 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.
No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or
mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written
permission of NetApp, Inc.
TRADEMARK INFORMATION
NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap,
Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone,
FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore,
OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator,
SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore,
Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of
NetApp, Inc. in the United States and/or other countries.
Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks
is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.
© 2015 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.
OBJECTIVES
By the end of this exercise, you should be able to:
Identify the exercise environment
Log in to the exercise environment
Log in to a cluster by using System Manager
1. With the assistance of your instructor, identify your main Windows server.
NOTE: This machine might be a virtual machine (VM).
Windows Server
IP address: _______________________________________________
Domain: _________________________________________________
Domain administrator password: Netapp123
2. With the assistance of your instructor, identify your clustered Data ONTAP operating system
nodes.
IP address: 192.168.0.21
Root password: Netapp123
1. On your local Windows machine desktop, click the Remote Desktop Connection link to log in
to the remote Windows server through the RDC tool.
NOTE: If this link is unavailable, ask your instructor where to find the tool.
2. Enter the IP address of your remote Windows server, and then click Connect.
4. If you are asked for authentication, enter the username and password that your instructor gave
you.
1. Verify that you see the Modern view of your assigned Windows server.
5. Type the IP address of the cluster1 cluster-management LIF, and then press Enter.
7. Type the username admin and the appropriate password, and then click Sign In to log in.
END OF EXERCISE
OBJECTIVES
By the end of this exercise, you should be able to:
Create a data aggregate
Verify that NFS is licensed
Create an SVM for NFS
Create a UNIX group and user
Define a new export policy and rule
Allocate an aggregate as a resource for an SVM
Create the SVM namespace
Mount the SVM namespace
Describe the effects of file permissions
1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1,
and select Storage.
5. Click Create.
6. In the left pane, select the Cluster category, expand cluster1 > Storage, and select Aggregates.
8. In the right pane, select the new aggregate aggr_NFS1, and review the aggregate details.
1. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Licenses.
1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.
2. In the right pane, click Create to display the Storage Virtual Machine (SVM) Setup dialog box.
3. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 1, specify the following
information:
SVM Name: svmNFS
IPspace: Default
Volume Type: FlexVol volumes
Data Protocols: NFS checkbox selected
Default Language: C.UTF-8
Security Style: UNIX
Root Aggregate: aggr_NFS1
Search Domains: learn.netapp.local
Name Servers: 192.168.0.11
5. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 2, specify the following
information:
Subnet: sub60
Port: cluster1-01:e0d
NOTE: This exercise configures a simple NFS server authenticating users via local users and
groups. Be sure to clear the default NIS configuration so that NIS doesn’t get in the way. Do not
skip this step.
7. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 3, specify the following
information:
Password: Netapp123
Confirm Password: Netapp123
Create a new LIF for SVM management checkbox: selected
Subnet: sub60
Port: cluster1-02:e0d
12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Protocols, and select NFS.
13. In the right pane, if Server Status is Not Configured, click Enable to activate NFS.
14. Verify that Server Status and Version 3 Support are Enabled.
15. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.
17. Locate the new data LIF that is authorized for the NFS protocol and record the IP address to use
later.
4. Click Load.
13. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Users and Groups, and select UNIX.
14. In the right pane, on the Groups tab, click Add Group.
15. In the Add Group dialog box, enter the following information:
Group Name: NFSUserList
Group ID: Use the student ID.
20. In the Add User dialog box, enter the following information:
User Name: student
User ID: Use the student ID.
Group Name: NFSUserList
Full Name: Student NFS User
22. Verify that the new user was created and added to the group.
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Policies, and select Export Policies.
3. Click Add.
4. In the Create Export Rule dialog box, specify the following information:
Client Specification: 0.0.0.0/0
Rule Index: 1
Access Protocols: NFS checkbox selected
Read-Only checkbox: selected
Read/Write checkbox: selected
Allow Superuser Access checkbox: selected
5. Click OK.
6. Verify that when you select default in the Policy area, the new rule appears in the Rule Index
area.
8. In the Create Export Policy dialog box, in the Policy Name box, type readOnly.
10. In the Create Export Rule dialog box, specify the following information:
Client Specification: 0.0.0.0/0
Access Protocols: NFSv3 checkbox selected
Read-Only checkbox: selected
Read/Write checkbox: cleared
Allow Superuser Access checkbox: cleared
12. Verify the new policy and rule, and then click Create.
13. Note that the new rule is in the first index of the new policy.
Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
2 entries were displayed.
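Added example (not part of the NetApp exercise guide): a Python sketch that parses rule listings in the format shown above and flags rules that open a volume to every client address. The default-policy record in the sample is an assumed rendering of the rule created in System Manager earlier in this task, and the finding names are hypothetical.

```python
import ipaddress

CLIENT = "Client Match Hostname, IP Address, Netgroup, or Domain"

# Constructed sample. The second record repeats the readOnly rule listed above;
# the first is an ASSUMED rendering of the "default" policy rule created in
# System Manager with Read/Write and Allow Superuser Access selected.
SAMPLE = """\
Vserver: svmNFS
Policy Name: default
Rule Index: 1
Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
"""


def parse_rules(text):
    """Return one dict per rule; a new 'Vserver' key starts the next rule."""
    rules, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # blank lines and trailers such as "2 entries were displayed."
        if key == "Vserver" and current:
            rules.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        rules.append(current)
    return rules


def matches_every_client(clientmatch):
    """True when the client match is an IP network with prefix length 0."""
    try:
        return ipaddress.ip_network(clientmatch, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, netgroup or domain: not judged here


def flavors(rule, key):
    """Security flavors that a rule field grants ('none' and 'never' grant nothing)."""
    listed = {f.strip() for f in rule.get(key, "none").split(",")}
    return listed - {"none", "never"}


def audit(rule):
    """Findings for one rule; only rules that match every address are flagged."""
    findings = []
    if not matches_every_client(rule.get(CLIENT, "")):
        return findings
    rw = flavors(rule, "RW Access Rule")
    if rw:
        findings.append("any-client-rw")      # every address may write
    elif flavors(rule, "RO Access Rule"):
        findings.append("any-client-ro")      # every address may read
    if flavors(rule, "Superuser Security Types"):
        findings.append("any-client-root")    # client root is not squashed
    risky = (rule.get("Honor SetUID Bits in SETATTR"),
             rule.get("Allow Creation of Devices"))
    if rw and "true" in risky:
        findings.append("suid-dev-allowed")   # writers may set setuid bits or create devices
    return findings


def audit_all(text):
    """Map (policy name, rule index) to the list of findings for that rule."""
    return {(r.get("Policy Name"), r.get("Rule Index")): audit(r)
            for r in parse_rules(text)}


if __name__ == "__main__":
    for rule_id, findings in audit_all(SAMPLE).items():
        print(rule_id, findings)
```

Narrowing Client Specification to the lab subnet makes every finding disappear, because the rule no longer matches every address.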
1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.
3. Click Edit.
4. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.
4. Click Create.
10. Note that both new volumes are automatically mounted under the root node, with the default
export policy.
11. In the right pane, select the vol_NFS2 node, and then click Change Export Policy.
12. In the Change Export Policy dialog box, select the readOnly policy for vol_NFS2.
13. Attempt to create a file in the root directory of the SVM namespace:
# touch foo
NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.
In this exercise, files are created in the namespace root for demonstration purposes only.
23. Review the readOnly policy (the policy for vol_NFS2) rule permissions.
13. Attempt to create a file in the root directory of the SVM namespace:
$ touch foo1
END OF EXERCISE
OBJECTIVES
By the end of this exercise, you should be able to:
Configure an SVM with a new storage volume and logical interface (LIF)
Enable NFSv4 features on an SVM and client
Describe an NFSv4 export on a client
Create NFSv4 ACLs
1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1
> Storage, and select Aggregates.
5. Click Create.
7. In the left pane, select the Storage Virtual Machines category and select cluster1.
9. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.
12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Volumes.
14. In the Create Volume dialog box, specify the following information:
Name: vol_NFS3
Aggregate: aggr_NFS2
Total Size: 1 GB
Snapshot Reserve (%): 5
Thin Provisioned checkbox: cleared
NOTE: Use the Choose button to select the correct Aggregate value.
17. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace.
18. Verify the export policy and namespace mounted location of the new volume.
19. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.
20. In the right pane, click the Network Interfaces tab to begin creating a data LIF.
22. Verify that the Create Network Interface wizard has opened.
23. On the network interface properties page, specify the following information:
Name: svmNFS_nfs_lif2
Interface Role: Serves Data
SVM: svmNFS
Protocol Access NFS checkbox: selected
Subnet: sub60
Port: cluster1-02:e0d
25. Verify the new LIF, and record the IP address to use later.
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Protocols, and select NFS.
3. In the Edit NFS Settings dialog box, specify the following information:
Support version 3 checkbox: selected
Support version 4.0 checkbox: selected
ACLs checkbox: selected
Read delegation checkbox: selected
Write delegation checkbox: selected
5. Verify that Version 3 Support and Version 4 Support are Enabled on this SVM.
6. Use PuTTY to launch a Secure Shell (SSH) session to the cluster management interface of your
assigned cluster.
16. Remove the hashtag symbol (#) that appears before Domain in the output.
21. Type :wq to save the file and exit the vi editor.
22. Display the contents of the file and verify that the changes were saved:
# cat /etc/idmapd.conf
The output should resemble this sample:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com
…
1. After the rpcidmapd restart completes, leave this Linux session open.
NOTE: For the remainder of this exercise, this session is called SESSION 1.
4. Open a second PuTTY session to the Linux machine and log in as the root user.
NOTE: For the remainder of this exercise, this session will be called SESSION 2.
7. With the SESSION 2 window visible, on SESSION 1, use the IP address of the first LIF
(svmNFS_nfs_lif1) on the svmNFS SVM to create an NFSv4 mount of the SVM namespace:
# mount -t nfs4 -o acl 192.168.0.60:/ /mnt/svmNFS-v4
NOTE: These names are resolved by default because System Manager 2.2 and later create the
root user (id=0) and the daemon group (id=1). Without these users and group, the output would
resemble the following:
total 12
-rw-r--r--. 1 nobody nobody 0 Nov 6 12:44 foo
-rw-rw-r--. 1 nobody nobody 0 Nov 6 12:50 foo1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:45 vol_NFS1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:22 vol_NFS2
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 13:00 vol_NFS3
8. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3
17. Deny the student (user ID 500) user account access to the foo file:
# nfs4_setfacl -a D::500:rwxtncy foo
21. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3
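Added example (not part of the NetApp exercise guide): the deny entry from step 17 takes effect because nfs4_setfacl -a inserts the new ACE at position 1 by default and NFSv4 ACEs are evaluated in order (RFC 7530). The Python model below parses the type:flags:principal:permissions string used in that step and shows that the same entry placed at the end of the list would not block a read. The starting ACL for foo and the file's owner and group IDs are constructed; name@domain principals are not resolved in this model.

```python
from dataclasses import dataclass

PERM_CHARS = "rwaxdDtTnNcCoy"  # individual NFSv4 permission letters


@dataclass(frozen=True)
class Ace:
    kind: str         # A = allow, D = deny, U = audit, L = alarm
    flags: str        # g = principal is a group, i = inherit-only, ...
    principal: str    # numeric ID, OWNER@, GROUP@ or EVERYONE@
    perms: frozenset


@dataclass(frozen=True)
class Requester:
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class FileOwner:
    uid: int
    gid: int


def parse_ace(spec):
    """Parse 'type:flags:principal:permissions' as given to nfs4_setfacl -a."""
    fields = spec.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {spec!r}")
    kind, flags, principal, perms = fields
    if kind not in ("A", "D", "U", "L"):
        raise ValueError(f"unknown ACE type {kind!r}")
    if not principal:
        raise ValueError("empty principal")
    unknown = set(perms) - set(PERM_CHARS)
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    return Ace(kind, flags, principal, frozenset(perms))


def applies(ace, who, owner):
    """Does this ACE's principal match the requester for this file?"""
    if "i" in ace.flags:
        return False  # inherit-only entries do not apply to the object itself
    if ace.principal == "EVERYONE@":
        return True
    if ace.principal == "OWNER@":
        return who.uid == owner.uid
    if ace.principal == "GROUP@":
        return owner.gid in who.gids
    if "g" in ace.flags:
        return ace.principal in {str(g) for g in who.gids}
    return ace.principal == str(who.uid)


def access_allowed(acl, who, owner, wanted):
    """Ordered evaluation: the first matching ACE decides each requested bit."""
    undecided = set(wanted)
    for ace in acl:
        if ace.kind not in ("A", "D") or not applies(ace, who, owner):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if ace.kind == "D":
            return False
        undecided -= hit
        if not undecided:
            return True
    return False  # bits left undecided at the end are treated as denied


def add_ace(acl, spec, index=1):
    """Model nfs4_setfacl -a: insert at a 1-based index, default 1 (top)."""
    updated = list(acl)
    updated.insert(index - 1, parse_ace(spec))
    return updated


# Constructed starting ACL for foo (mode 644), owner root (0), group daemon (1).
BASE_ACL = [parse_ace(s) for s in
            ("A::OWNER@:rwatTnNcCy", "A::GROUP@:rtncy", "A::EVERYONE@:rtncy")]
FOO_OWNER = FileOwner(uid=0, gid=1)
STUDENT = Requester(uid=500, gids=frozenset({500}))
ROOT = Requester(uid=0, gids=frozenset({0, 1}))
DENY_STUDENT = "D::500:rwxtncy"  # the ACE from step 17

if __name__ == "__main__":
    top = add_ace(BASE_ACL, DENY_STUDENT)           # as nfs4_setfacl -a does
    end = add_ace(BASE_ACL, DENY_STUDENT, index=4)  # same ACE, last position
    for label, acl in (("base", BASE_ACL), ("deny first", top), ("deny last", end)):
        print(label, access_allowed(acl, STUDENT, FOO_OWNER, "r"))
```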
END OF EXERCISE
OBJECTIVES
By the end of this exercise, you should be able to:
Configure an SVM for NFSv4.1
Describe an NFSv4.1 export on a client
Analyze the effects of a volume move operation on parallel NFS (pNFS)
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
svmNFS > Configuration > Protocols, and select NFS.
3. Verify that the Support version 3, Support version 4.0, and Support version 4.1 checkboxes are
selected.
5. Verify that NFS Version 3 Support, Version 4 Support, and Version 4.1 Support are Enabled on
this SVM.
6. Launch a PuTTY session to the CLI of your assigned Data ONTAP cluster.
10. Review the output and note that NFSv4.1 pNFS support is enabled by default.
11. Turn on NFSv4.1 access control lists (ACLs) and set the implementation domain and name:
cluster1::*> vserver nfs mod -vserver svmNFS -v4.1-acl enabled -v4.1-implementation-domain example.com -v4.1-implementation-name example
13. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration, and select Network.
14. In the right pane, on the Network Interfaces tab, verify that the current port is the same as the
home port (not failed over) for each network interface.
NOTE: LIF1 should be on node 1 and LIF2 should be on node 2.
15. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace to display the current namespace for the SVM.
16. In the left pane, select Volumes and verify that vol_NFS1 and vol_NFS2 are on node 1 and that
vol_NFS3 is on node 2.
NOTE: Multiple volumes on multiple nodes are accessible by multiple logical interfaces (LIFs).
9. Review the file to determine whether you correctly edited the dist.conf file:
# tail /etc/modprobe.d/dist.conf
13. Open a second PuTTY session to the Linux machine and log in as root.
NOTE: For the remainder of this exercise, this session is called SESSION 2.
15. With the SESSION 2 window visible, on SESSION 1, use the IP address of svmNFS-lif1 on the
svmNFS SVM to create an NFSv4.1 mount of the SVM namespace:
# mount -t nfs4 -o minorversion=1,acl 192.168.0.60:/ /mnt/svmNFS-v41
35. Use SESSION 2 to further explore pNFS and which interface is used for each file operation.
NOTE: pNFS is complex, and which interface is used is sometimes unclear. The file-system
operations (read and write) on a volume that is mounted on node 1 and node 2 are in your
assigned cluster on SESSION 1.
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.
3. Click Move.
4. In the Move Volume dialog box, in the Destination Aggregate section, select aggr_NFS1.
5. Click Move.
7. After the move volume operation is complete, the Move Volume dialog box displays a Job ID.
10. On SESSION 1, perform some read and write operations to the vol_NFS3 directory while the
move volume operation is running.
For example, run the ls -l, cat, and touch commands.
11. On SESSION 2, verify which interfaces are used during the operations.
12. In the right pane of System Manager, on the Current Jobs tab, click Refresh.
13. On SESSION 1, perform a few read and write operations to the vol_NFS3 directory while the
volume move operation is running.
For example, run the ls -l, cat, and touch commands.
14. On SESSION 2, verify which interfaces are used during the operations.
END OF EXERCISE
EXERCISE A
In this exercise, you configure Active Directory Kerberos authentication for an NFS mount.
OBJECTIVES
By the end of this exercise, you should be able to:
Configure clustered Data ONTAP for NFS Active Directory authentication
Configure Windows for NFS Active Directory authentication
Configure Linux for NFS Active Directory authentication
TASK 1: CONFIGURE CLUSTERED DATA ONTAP FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you configure Kerberos in the cluster. You then configure a storage virtual machine (SVM)
logical interface (LIF) to use the Kerberos configuration and specify a service principal name (SPN) for the
SVM. Finally, you confirm that the SPN is mapped correctly.
STEP ACTION
4. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Date and Time.
6. In the Edit Date and Time dialog box, specify the following information:
Time Zone: US/Pacific (or the time zone of your assigned Active Directory server)
Time Servers: 192.168.0.11
NOTE: Use the Add button to add the entry for Time Servers.
7. Click OK.
8. Verify that the cluster date and time synchronize to within 5 minutes of your kit’s Windows
machine. This process can take several minutes.
9. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select Kerberos Realm.
22. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select DNS.
23. Verify that DNS services are properly configured to the Microsoft DNS server.
NOTE: In your educational environment, the DNS server is usually the same server as your
Active Directory server.
24. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Services, and select Kerberos Interface.
27. In the Edit Kerberos Configuration dialog box, specify the following information:
Interface Name: svmNFS_nfs_lif1
Enable Kerberos checkbox: selected
Kerberos Realm: LEARN.NETAPP.LOCAL
Service Principal Name: nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL
Admin User Name: administrator
Admin Password: Netapp123
29. Verify that svmNFS_nfs_lif1 is configured for Kerberos with a valid SPN.
NOTE: In a production environment, you would configure multiple paths for redundancy.
30. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Users and Groups, and select Name Mapping.
32. In the Add Name Mapping Entry dialog box, specify the following information:
Direction: Kerberos to UNIX
Position: 1
Pattern: nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL
Replacement: pcuser
34. Verify that the SPN that svmNFS_nfs_lif1 uses is properly mapped to pcuser.
NOTE: You can also create an NFS UNIX user to ensure that the NFS name is properly
authenticated.
35. From a Secure Shell (SSH) session, log in as admin and change to diagnostic mode:
cluster1::> set -privilege diag
38. Verify the Kerberos encryption types that are enabled for NFS:
cluster1::*> nfs show -vserver svmNFS -fields permitted-enc-types
vserver permitted-enc-types
------- ------------------------
svmNFS  des,des3,aes-128,aes-256
5. In the left pane, navigate to Group Policy Management > Forest: learn.netapp.local >
Domains > learn.netapp.local > Default Domain.
10. In the left pane, navigate to Default Domain Policy > Computer Configuration > Policies >
Windows Settings > Security Settings > Local Policies > Security Options.
11. In the right pane, double-click the policy Network security: Configure encryption types
allowed for Kerberos.
12. On the Security Policy Setting tab, specify the following information:
Select the Define these policy settings checkbox.
Select all the encryption type checkboxes.
Verify that AES128_HMAC_SHA1 and AES256_HMAC_SHA1 are included.
18. In the left pane, navigate to W2K12 > Reverse Lookup Zones.
19. Right-click Reverse Lookup Zones and select New Zone to open the New Zone Wizard.
23. Select To all DNS servers running on domain controllers in this domain:
learn.netapp.local.
29. Select Allow only secure dynamic updates (recommended for Active Directory).
36. Create a DNS entry for the Kerberos SPN that is associated with the SVM LIF IP address:
PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local kerberos /CreatePTR A 192.168.0.60
39. Modify the computer account for the Linux host identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity centos65 -Replace @{'msDS-SupportedEncryptionTypes'=28}
40. Modify the computer account for the SVM identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity NFS-KERBEROS-LE -Replace @{'msDS-SupportedEncryptionTypes'=28}
44. Use ktpass to create the mappings for the SPN and output the mappings to the keytab files:
PS C:\> ktpass -princ root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL -mapuser LEARN\centos65$ -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL +Answer -out centos65.keytab
The output should resemble this sample:
Targeting domain controller: w2k12.nau.com
Using legacy password setting method
Successfully mapped root/centos65.learn.netapp.local to CENTOS65$.
WARNING: Account CENTOS65$ is not a user account (uacflags=0x1021).
WARNING: Resetting CENTOS65$'s password may cause authentication problems if CENTOS64$ is being used as a server.
Reset CENTOS65$'s password [y/n]? auto: YES
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to centos65.keytab:
Keytab version: 0x502
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2c7689bf257f15dc)
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2c7689bf257f15dc)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x68a60a541ba235cb9d946cca0b6b237d)
keysize 102 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xdc3bd08a9a487a0d1839f81b670f24da44ce93bb5c4988ea96689f1a8f282e06)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16 (0xab2ec0cb98670247d8bab38788d39aa0)
46. Copy the keytab file to the Linux host. When you are prompted, enter the root user’s password.
C:\> pscp centos65.keytab root@192.168.0.21:/root/centos65.keytab
root@192.168.0.21's password: Netapp123
svmNFS_nfs_lif1.keytab | 0 kB | 0.1 kB/s | ETA: 00:00:00 | 100%
9. Using the cursor keys, navigate within the file until you find the following line:
#SECURE_NFS="yes"
11. Type r and then press the space bar to remove the # sign.
[libdefaults]
 default_realm = LEARN.NETAPP.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true
[realms]
 LEARN.NETAPP.LOCAL = {
  kdc = w2k12.learn.netapp.local
  default_domain = learn.netapp.local
 }
[domain_realm]
 .netapp.local = LEARN.NETAPP.LOCAL
 .learn.netapp.local = LEARN.NETAPP.LOCAL
17. Log in with the credentials that are configured in Active Directory:
# kinit administrator
22. Log in again with the credentials that are configured in Active Directory:
# kinit administrator
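Added example (not part of the NetApp exercise guide): this exercise sets Kerberos encryption types in three places, namely permitted-enc-types on the SVM, msDS-SupportedEncryptionTypes=28 on the computer accounts, and the keys written by ktpass -crypto ALL. The Python sketch below decodes each one and reports which types all three share, which deprecated types (DES, 3DES, RC4) remain enabled, and which keytab keys fall outside the account's bit mask. The ktpass lines are an abridged, constructed copy of the sample output with the key bytes omitted, and the mapping of ONTAP names to encryption type numbers is an assumption.

```python
import re

# Kerberos encryption type numbers that appear in this exercise.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DEPRECATED = {1, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4 (RFC 8429)

# msDS-SupportedEncryptionTypes bit -> encryption type number.
AD_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}

# ASSUMED mapping of the ONTAP permitted-enc-types names to type numbers.
ONTAP_NAMES = {"des": {1, 3}, "des3": {16}, "aes-128": {17}, "aes-256": {18}}

# Constructed, abridged copy of the ktpass sample output (key bytes omitted).
KTPASS_SAMPLE = """\
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8 (<key omitted>)
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (<key omitted>)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (<key omitted>)
keysize 102 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (<key omitted>)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16 (<key omitted>)
"""


def ad_etypes(mask):
    """Decode an msDS-SupportedEncryptionTypes value into type numbers."""
    return {etype for bit, etype in AD_BITS.items() if mask & bit}


def keytab_etypes(ktpass_output):
    """Collect the 'etype 0x..' values that ktpass prints for each key."""
    found = re.findall(r"\betype (0x[0-9a-fA-F]+)", ktpass_output)
    return {int(value, 16) for value in found}


def ontap_etypes(value):
    """Decode a permitted-enc-types field such as 'des,des3,aes-128,aes-256'."""
    result = set()
    for name in value.split(","):
        name = name.strip()
        if name not in ONTAP_NAMES:
            raise ValueError(f"unknown permitted-enc-types name: {name!r}")
        result |= ONTAP_NAMES[name]
    return result


def names(etypes):
    """Readable names for a set of type numbers, in numeric order."""
    return [ETYPE_NAMES.get(e, f"etype-{e}") for e in sorted(etypes)]


def compare(ad_mask, ktpass_output, ontap_value):
    """Compare the three settings and summarise where they disagree."""
    ad = ad_etypes(ad_mask)
    keytab = keytab_etypes(ktpass_output)
    svm = ontap_etypes(ontap_value)
    return {
        "in_all_three": names(ad & keytab & svm),
        "deprecated_enabled": names((ad | keytab | svm) & DEPRECATED),
        "keytab_keys_outside_ad_mask": names(keytab - ad),
    }


if __name__ == "__main__":
    report = compare(28, KTPASS_SAMPLE, "des,des3,aes-128,aes-256")
    for heading, values in report.items():
        print(f"{heading}: {', '.join(values) or 'none'}")
```

The value 28 decodes to RC4, AES128 and AES256, so the two DES keys that -crypto ALL writes to the keytab are not covered by the mask set on the computer account.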
END OF EXERCISE