Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. Configuring and managing universal shares
  4. Prerequisites to configure universal shares
  5. Configuring universal share user authentication
  6. Kerberos-based authentication
  7. Configuring the Kerberos-based authentication on the servers and the clients
NetBackup™ Deduplication Guide

Configuring the Kerberos-based authentication on the servers and the clients

You can configure the Kerberos-based authentication for NetBackup BYO, Flex media server, Flex WORM, and Flex Scale.

You must configure Kerberos-based authentication both on the servers and the clients.

For NetBackup BYO environment, before you configure Kerberos authentication on NetBackup servers and clients, check if the necessary krb5 package is installed on the system. Run the following commands to check if these packages are installed or not:

yum install krb5-workstation

pam_krb5 -f

To configure Kerberos-based authentication on the servers

  • On the NetBackup server, run the vpfs_nfs_krb.sh script to create keytab entries for Kerberos principals.

    /usr/openv/pdde/vpfs/bin/vpfs_nfs_krb.sh

    For NetBackup BYO, run the script in the command window. For Flex media server, you must log in to the media server instance and run the script with sudo.

    • Add the key entries.

      ./vpfs_nfs_krb.sh add --user nfs/storage-server.mydomain.com

    • Delete the key entries.

      ./vpfs_nfs_krb.sh delete --user nfs/storage-server.mydomain.com

    • Verify Kerberos principal login.

      ./vpfs_nfs_krb.sh verify --user nfs/storage-server.mydomain.com

    • Update the password for Kerberos principals.

      ./vpfs_nfs_krb.sh update --user nfs/storage-server.mydomain.com

    • Display the key entries.

      ./vpfs_nfs_krb.sh list

    • Display the configurations related to Kerberos authentication.

      ./vpfs_nfs_krb.sh status

    For Flex WORM and Flex Scale, you must log in to the WORM or MSDP engine Restricted Shell to run these commands.

    • Add the key entries.

      setting SecureNfs add-krb-user krbuser=nfs/storage-server.mydomain.com

    • Delete the key entries.

      setting SecureNfs delete-krb-user krbuser=nfs/storage-server.mydomain.com

    • Verify Kerberos principal login.

      setting SecureNfs verify-krb-user krbuser=nfs/storage-server.mydomain.com

    • Update the password for Kerberos principals.

      setting SecureNfs update-krb-user krbuser=nfs/storage-server.mydomain.com

    • Display the key entries.

      setting SecureNfs list-krb-users

    • Display the configurations related to Kerberos authentication.

      setting SecureNfs nfs-secure-status

    Both nfs/storage-server.mydomain.com and host/storage-server.mydomain.com principals must be added to the /etc/krb5.keytab in the storage servers.

    For Flex Scale, you must create both nfs/storage-server.mydomain.com and host/storage-server.mydomain.com principals for every MSDP engine. Here, the storage-server is the MSDP engine host name configured in Flex Scale web UI. You can find these names in Monitor > NetBackup > Storage servers list on the NetBackup web UI. All these principals must be added to the krb5.keytab file by running the MSDP shell command. In every engine, the /etc/krb5.keytab file contains key entries of all principals that are created for all engines in the cluster.

    For multi-VLAN environments, storage servers may have more than one IPs. If you need to mount the universal shares from the clients that are in the secondary VLAN, ensure that other FQDNs of the storage servers and clients are added in DNS, and corresponding Active Directory users are created and registered as Kerberos principals. The key entries also need to be added to the /etc/krb5.keytab file.

To configure Kerberos-based authentication on the universal share clients

  1. Create /etc/krb5.conf file for the Kerberos authentication.

    You can copy the /etc/krb5.conf file from a storage server where universal share is configured.

    Note:

    If there is kdc section defined in krb5.conf file. Copy kdc.conf file along with /etc/krb5.conf file.

  2. Enable SECURE_NFS in the /etc/sysconfig/nfs file.

    Add the line SECURE_NFS=yes in the /etc/sysconfig/nfs configuration file.

    Then, run the following command to restart the service:

    systemctl restart nfs-secure

    Note:

    This configuration is required only on Red Hat 7 or earlier versions. On Red Hat 8 and 9, this step is not required.

  3. Create keytab entries for Kerberos principals.

    You can configure the keytab file by using one of the following two methods:

    • Copy vpfs_nfs_krb.sh script from a storage server, then run the script to configure the keytab file.

    • After the Active Directory user for a universal share client is created, run ktpass utility to generate the keytab for the Kerberos principal.

      Then, copy the keytab file to the NFS client /etc folder and rename it to /etc/krb5.keytab.

    Note:

    If the universal share client has the existing /etc/krb5.keytab file, use the vpfs_nfs_krb.sh script to add the key entries.

    The script vpfs_nfs_krb.sh can write logs about universal share configuration-related operations. The logs are available only for universal share servers.

    You can find the logs at the following location: /<storage path>/log/vpfs/yymmdd_*_vpfs_nfs_krb.log

Feedback

Was this page helpful?
Previous

Registering the Kerberos principals to the KDC database

Next

Managing universal shares

Feedback

Was this page helpful?