Remote Name Mapping for Linux NFSv 4 Andy
- Slides: 22
Remote Name Mapping for Linux NFSv 4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005
NFSv 4 Administrative Domain NFSv 4: names not numbers on the wire NFSv 4 domain = unique UID/GID space Multiple Security Realms Kerberos, PKI Certificate Authorities (SPKM 3) Multiple DNS - NIS domains Pick one DNS domain to be the NFSv 4 Domain Name <user@nfsv 4 domain> nfsv 4 domain is used for ACL 'who' and GETTATTR owner and owner_group
NFSv 4 Domain n n l Kerberos V 5 DNS Domain Kerberos V 5 X 509/SPKM
Local NFSv 4 Domain: Name to ID One to one correspondence between UID and NFSv 4 domain name joe@arbitrary. domain. org GSS Principal name will differ from NFSv 4 domain name Kerberos V: joe@ARBITRARY. DOMAIN. ORG PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User Email= joe@arbitrary. domain. org
New LDAP Attributes We created a new LDAP object to hold two new LDAP attributes for NFSv 4 id mapping GSSAuth. Name NFSv 4 Name We associate one NFSv 4 Name attribute with a RFC 2307 NSS-LDAP posix. Account to hold the users v 4 domain name We associate multiple GSSAuth. Names with a Posix. Account to hold the users multiple GSS principal names Attributes are configurable via /etc/idmap. conf
Local Mount: Kerberos V LDAP
Local Mount: Kerberos V Issues Distribution of client keytabs? Linux: yes With no keytab: Allow AUTH_SYS for SETCLIENTID and mount of Kerberos export User Kerberos credentials Server: maps machine credentials to nobody (mount) Client root user: UID 0? Map to machine principal (no password) Map to per server root principal (with password)
Local Principal: Kerberos V New Linux kernel keyring service enables kernel Kerberos credential storage, and PAG-like behaviour NSSwitch ID mapping (LDAP Posix. Account) getpwid on principal portion assumes UNIX name (posix. Account uid) == K 5 principal UMICH LDAP ID mapping GSSAuth. Name attribute added to LDAP posix. Account to associate with uid. Number Server GSSD principal mapping failure = context creation failure
Local Principal: Kerberos V LDAP
Local User: Set ACL issues Client setfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) Two name mapping calls NSS posix. Account name (no @nfsv 4 domain) NFSv 4 Name attribute added to LDAP posix. Account to associate full nfsv 4 name with uid. Number New linux nfs 4_setfacl interface passes string names across kernel boundary No local name to ID mapping needed
Local User: Set ACL LDAP 1 0
Local User: Get ACL issues Client getfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) NS Switch posix. Account: uid is displayed Two name mapping calls New Linux nfs 4_getfacl interface passes string names across kernel boundary
Local User: Get ACL LDAP 1 0
Kerberos V X-Realm and Linux NFSv 4 X-realm GSS context initialization just works GSSAuth. Name and NFSv 4 Name can hold remote user names. Need to add posix account with GSSAuth. Name for UID/GID mapping of remote user Set posix. Account shell to /dev/null for NFSv 4 remote access without local machine access Secure LDAP communication required
Remote Kerberos V Principal LDAP
Remote User: Set ACL LDAP 1 0
Remote User: Set ACL Remote realm: associate NFSv 4 Name with uid. Number, gid. Number, and GSSAuth. Name NFSv 4 Remote. User schema available NFSv 4 domain name always used Secure LDAP communication required
Remote User: Get ACL LDAP 1 0
Remote User: Get ACL LDAP mappings required only for POSIX getfacl NFSv 4 Name and uid. Number for remote user uid (local user name) for remote user nfsv 4_getfacl simply displays the on-the-wire ACL name Secure LDAP not required
Foreign Groups Need design requirements Foreign group names could be assigned a local gid How does the server resolve foreign membership Callback to foreign NFSv 4 domain Only resolve with local uid's (no callback) Pass group list (names) in GSS initialization (a la EPAC) Other?
Cross Platform ID Mapping NS Switch which uses posix. Account is the common denominator Our cross realm mapping extends NS Switch Not supported by other implementations IBM also has a cross realm solution
Any Questions? http: //www. citi. umich. edu/projects
- Suse linux remote desktop
- Nfsv
- Nfsv
- Nfsv
- Nfsv
- Nfsv
- Nfsv
- Linux linux security module m1 support
- Cs423
- Memory parameters
- Forward mapping vs backward mapping
- Transform mapping dan transaction mapping
- Name 3 points
- What tourist places does tamal tell andy about
- Iso 22301 utbildning
- Typiska novell drag
- Tack för att ni lyssnade bild
- Ekologiskt fotavtryck
- Varför kallas perioden 1918-1939 för mellankrigstiden
- En lathund för arbete med kontinuitetshantering
- Kassaregister ideell förening
- Personlig tidbok
- Anatomi organ reproduksi