Create a custom realm for Kerberos
You can configure a custom realm to use with Kerberos.
A custom Kerberos realm lets you configure any kind of KDC (MIT/Heimdal or AD). Use this method when you do not have an SMB server domain that is configured on the NAS server or if you want to use a different Kerberos realm than the realm configured for the SMB server.
Create custom realm for pure NFS Server
To use a UNIX-based KDC, follow these steps before configuring Kerberos in PowerMax. The steps assume that you want to use myrealm in the Kerberos realm linux.dellemc.com as the hostname of the NFS server.
- Run the kadmin.local tool.
- Create the principals and their keys:
kadmin.local: addprinc -randkey nfs/myrealm.linux.dellemc.com
and/or
kadmin.local: addprinc -randkey nfs/myrealm
- Put the key of the principal into the keytab file myrealm.linux.dellemc.com.keytab:
kadmin.local: ktadd -k myrealm.linux.dellemc.com.keytab nfs/myrealm.linux.dellemc.com
Create custom realm for multiprotocol (NFS and SMB) NAS server
To use a Windows-based KDC without using the SMB server account on the NAS server, follow these steps before configuring Kerberos in PowerMax. The steps assume that you want to use myrealm.windows.dellemc.com as the FQDN for the NFS server.
- Create an account myrealm for the NAS server in the Active Directory (AD) of the Windows domain windows.dellemc.com.
- Register the service principal name (SPN) on the account that you created:
C:\> setspn -S nfs/myrealm.windows.dellemc.com myrealm
- Verify that the SPN was created:
C:\> setspn myrealm
- Generate a keytab file for the SPN:
C:\> ktpass -princ nfs/myrealm.windows.dellemc.com@WINDOWS.DELLEMC.COM -mapuser WINDOWS\myrealm -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL -out myrealm.windows.dellemc.com.keytab