On VMware vSphere 6.7, you can use NFS 4.1 datastores to benefit from Kerberos authentication (krb5 or krb5i).
This was not the case with NFS 3, which was not secure and therefore had to be used on a separate network for security reasons.
However, using NFS 4.1 requires some prerequisites compared to NFS 3.
The main advantages of NFS 4.1 are:
The main disadvantages of NFS 4.1 are that it requires more configuration and that some vSphere features are not supported as with NFS 3.
NFS 3 and NFS 4.1 are compatible with these VMware vSphere features:
However, these features will not be supported if you use NFS 4.1:
Warning: the locking system used by NFS 3 is not the same as under NFS 4.1.
So do not try to create an NFS 3 share on your NFS server to mount it in NFS 4.1 on VMware vSphere (or vice versa), as this could create problems and data corruption.
Source: NFS Protocols and ESXi - VMware Docs.
To use NFS 4.1 securely, you need Kerberos authentication.
For this to be possible, it is first necessary that:
Sources:
To do this, select the desired VMware ESXi host and go to: Configure -> Networking -> TCP/IP configuration.
Next, select the "Default" TCP/IP stack and click: Edit.
In the "Default - Edit TCP/IP Stack Configuration" window that appears, make sure that the preferred DNS server matches the IP address of your Active Directory domain controller (or your local DNS server which knows the DNS zone of your AD domain).
Preferably, also indicate your Active Directory domain name in the "Domain" and "Search domains" fields.
Do the same on other VMware ESXi hosts on which you want to mount NFS 4.1 datastores.
For the Kerberos authentication required for the NFS 4.1 protocol to work correctly, it is essential that the clock of your VMware ESXi host is synchronized with that of your domain controller.
To do this, select your VMware ESXi host and go to "Configure -> System -> Time Configuration".
Then click: Edit.
Important: a difference of more than 5 minutes between the two clocks will cause Kerberos authentication problems and therefore problems when adding or using your NFS 4.1 datastores.
In the "Edit Time Configuration" window that appears, select "Use Network Time Protocol (Enable NTP client)" and fill in the proposed fields:
Your VMware ESXi host is now configured to synchronize its clock with that of your Active Directory domain controller.
Do the same on other hosts where you want to use NFS 4.1 datastores.
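The 5-minute tolerance mentioned above can be checked from a single SNTP exchange with the domain controller. The following added example (not part of the original tutorial) computes the clock offset from a 48-byte NTP reply and compares it with the 300-second limit; the function names and the sample packets are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_KERBEROS_SKEW = 300.0      # the 5-minute limit stated in the tutorial

def _ntp_ts(buf, off):
    """Decode a 64-bit NTP timestamp (32.32 fixed point) into Unix seconds."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t_sent, t_recv):
    """Server clock minus local clock, in seconds, from one SNTP reply.
    t_sent / t_recv: local Unix time when the request left / the reply arrived."""
    if len(reply) < 48:
        raise ValueError("truncated NTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server clock is not synchronized")
    t_rx = _ntp_ts(reply, 32)   # server receive timestamp
    t_tx = _ntp_ts(reply, 40)   # server transmit timestamp
    return ((t_rx - t_sent) + (t_tx - t_recv)) / 2

def kerberos_skew_ok(offset):
    """True when the offset is within the 5-minute tolerance stated above."""
    return abs(offset) <= MAX_KERBEROS_SKEW

def build_reply(server_rx, server_tx, leap=0, stratum=2):
    """Constructed sample reply (NTPv4, mode 4) so the check runs offline."""
    def enc(t):
        sec = int(t)
        return struct.pack("!II", sec + NTP_EPOCH_DELTA, int((t - sec) * 2**32))
    first = (leap << 6) | (4 << 3) | 4
    # 4-byte header, then 28 zero bytes for the fields this check ignores
    header = struct.pack("!BBbb", first, stratum, 6, -20)
    return header + bytes(28) + enc(server_rx) + enc(server_tx)

if __name__ == "__main__":
    sent, recv = 1700000000.000, 1700000000.040   # constructed local timestamps
    for label, skew in (("in sync", 2.0), ("drifted", 400.0)):
        pkt = build_reply(sent + skew + 0.020, sent + skew + 0.021)
        off = clock_offset(pkt, sent, recv)
        print(f"{label}: offset {off:+.3f}s -> Kerberos OK: {kerberos_skew_ok(off)}")
```

A reply that reports an unsynchronized clock is rejected rather than measured, because an offset taken from such a server says nothing about whether Kerberos tickets will validate.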
Now that the previous prerequisites have been configured, you can join your VMware ESXi host to your Active Directory domain.
To do this, select your VMware ESXi host and go to "Configure -> System -> Authentication Services" and click: Join domain.
Specify the domain name you want to join, then select the "Using credentials" option and provide the credentials that have the necessary rights to join a computer or server to your Active Directory domain.
In our case, we will use the administrator of our Active Directory domain.
Once your host is joined to your Active Directory domain, you will see that the directory service type is "Active Directory" and you will see your domain name appear in the "Domain Settings" section.
Do the same thing on your other VMware ESXi hosts if necessary.
For Kerberos authentication used by the NFS 4.1 protocol, you can use an existing account or create a single user on your Active Directory domain controller.
In our case, we created a simple user named: ESXi_NFS_User.
Next, in the VMware vSphere Client, select your VMware ESXi host and go to "Configure -> System -> Authentication Services".
At the bottom of the page, you'll find a "NFS Kerberos Credentials" section.
Click the "Edit" button on the right.
In the "Edit NFS Kerberos Credentials" window that appears, specify:
Warning: as noted here, credentials specified here will not be tested.
This information will only be used when you attempt to add an NFS 4.1 datastore to your VMware ESXi host by enabling Kerberos authentication.
As you can see, the NFS Kerberos authentication status is now enabled and the desired username appears.
Again, do this same configuration on other hosts where you want to use NFS 4.1 datastores, if applicable.
In a production environment, you will use a NAS that supports the NFS 4.1 protocol.
However, in a test environment, you can install an NFS server on Linux or preferably on Windows Server (as is the case here).
In our case, we installed an NFS server under Windows Server 2016.
To do this, open Server Manager, then launch the Add Roles and Features Wizard.
In the "Server Roles" step, expand the "File and Storage Services -> File and iSCSI Services" node and check the "Server for NFS" box.
Once the NFS server is installed, go to the "File and Storage Services" section of the Server Manager.
Next, in the "Servers" section, right-click the name of your NFS server and click "NFS Settings".
As you can see in the "Protocol Versions" section, Windows Server 2016 supports NFS versions 2, 3 and 4.1.