Enabling Kerberos on a data LIF

You can use the vserver nfs kerberos interface enable command to enable Kerberos on a data LIF. This enables the SVM to use Kerberos security services for NFS.

1. Create the NFS Kerberos configuration: vserver nfs kerberos interface enable -vserver vserver_name -lif logical_interface -spn service_principal_name

   ONTAP requires the secret key for the SPN from the KDC to enable the Kerberos interface.

   For Microsoft KDCs, the KDC is contacted and a user name and password prompt are issued at the CLI to obtain the secret key. If you need to create the SPN in a different OU of the Kerberos realm, you can specify the optional -ou parameter.

   For non-Microsoft KDCs, the secret key can be obtained using one of two methods:

   If you...	You must also include the following parameter with the command...
   Have the KDC administrator credentials to retrieve the key directly from the KDC	-admin-username kdc_admin_username
   Do not have the KDC administrator credentials but have a keytab file from the KDC containing the key	-keytab-uri {ftp|http}://uri

2. Verify that Kerberos was enabled on the LIF: vserver nfs kerberos-config show
3. Repeat steps 1 and 2 to enable Kerberos on multiple LIFs.

vs1::> vserver nfs kerberos interface enable -lif ves03-d1 -vserver vs2 
-spn nfs/ves03-d1.lab.example.com@TEST.LAB.EXAMPLE.COM -ou "ou=lab2ou"

vs1::>vserver nfs kerberos-config show
        Logical
Vserver Interface Address       Kerberos  SPN
------- --------- -------       --------- -------------------------------
vs0     ves01-a1          
                  10.10.10.30   disabled  -
vs2     ves01-d1          
                  10.10.10.40   enabled   nfs/ves03-d1.lab.example.com@TEST.LAB.EXAMPLE.COM
2 entries were displayed.