Remote Name Mapping for Linux NFSv 4 Andy

  • Slides: 22
Download presentation
Remote Name Mapping for Linux NFSv 4 Andy Adamson Center For Information Technology Integration

Remote Name Mapping for Linux NFSv 4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005

NFSv 4 Administrative Domain NFSv 4: names not numbers on the wire NFSv 4

NFSv 4 Administrative Domain NFSv 4: names not numbers on the wire NFSv 4 domain = unique UID/GID space Multiple Security Realms Kerberos, PKI Certificate Authorities (SPKM 3) Multiple DNS - NIS domains Pick one DNS domain to be the NFSv 4 Domain Name <user@nfsv 4 domain> nfsv 4 domain is used for ACL 'who' and GETTATTR owner and owner_group

NFSv 4 Domain n n l Kerberos V 5 DNS Domain Kerberos V 5

NFSv 4 Domain n n l Kerberos V 5 DNS Domain Kerberos V 5 X 509/SPKM

Local NFSv 4 Domain: Name to ID One to one correspondence between UID and

Local NFSv 4 Domain: Name to ID One to one correspondence between UID and NFSv 4 domain name joe@arbitrary. domain. org GSS Principal name will differ from NFSv 4 domain name Kerberos V: joe@ARBITRARY. DOMAIN. ORG PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User Email= joe@arbitrary. domain. org

New LDAP Attributes We created a new LDAP object to hold two new LDAP

New LDAP Attributes We created a new LDAP object to hold two new LDAP attributes for NFSv 4 id mapping GSSAuth. Name NFSv 4 Name We associate one NFSv 4 Name attribute with a RFC 2307 NSS-LDAP posix. Account to hold the users v 4 domain name We associate multiple GSSAuth. Names with a Posix. Account to hold the users multiple GSS principal names Attributes are configurable via /etc/idmap. conf

Local Mount: Kerberos V LDAP

Local Mount: Kerberos V LDAP

Local Mount: Kerberos V Issues Distribution of client keytabs? Linux: yes With no keytab:

Local Mount: Kerberos V Issues Distribution of client keytabs? Linux: yes With no keytab: Allow AUTH_SYS for SETCLIENTID and mount of Kerberos export User Kerberos credentials Server: maps machine credentials to nobody (mount) Client root user: UID 0? Map to machine principal (no password) Map to per server root principal (with password)

Local Principal: Kerberos V New Linux kernel keyring service enables kernel Kerberos credential storage,

Local Principal: Kerberos V New Linux kernel keyring service enables kernel Kerberos credential storage, and PAG-like behaviour NSSwitch ID mapping (LDAP Posix. Account) getpwid on principal portion assumes UNIX name (posix. Account uid) == K 5 principal UMICH LDAP ID mapping GSSAuth. Name attribute added to LDAP posix. Account to associate with uid. Number Server GSSD principal mapping failure = context creation failure

Local Principal: Kerberos V LDAP

Local Principal: Kerberos V LDAP

Local User: Set ACL issues Client setfacl POSIX interface uses UID/GID across kernel boundary

Local User: Set ACL issues Client setfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) Two name mapping calls NSS posix. Account name (no @nfsv 4 domain) NFSv 4 Name attribute added to LDAP posix. Account to associate full nfsv 4 name with uid. Number New linux nfs 4_setfacl interface passes string names across kernel boundary No local name to ID mapping needed

Local User: Set ACL LDAP 1 0

Local User: Set ACL LDAP 1 0

Local User: Get ACL issues Client getfacl POSIX interface uses UID/GID across kernel boundary

Local User: Get ACL issues Client getfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) NS Switch posix. Account: uid is displayed Two name mapping calls New Linux nfs 4_getfacl interface passes string names across kernel boundary

Local User: Get ACL LDAP 1 0

Local User: Get ACL LDAP 1 0

Kerberos V X-Realm and Linux NFSv 4 X-realm GSS context initialization just works GSSAuth.

Kerberos V X-Realm and Linux NFSv 4 X-realm GSS context initialization just works GSSAuth. Name and NFSv 4 Name can hold remote user names. Need to add posix account with GSSAuth. Name for UID/GID mapping of remote user Set posix. Account shell to /dev/null for NFSv 4 remote access without local machine access Secure LDAP communication required

Remote Kerberos V Principal LDAP

Remote Kerberos V Principal LDAP

Remote User: Set ACL LDAP 1 0

Remote User: Set ACL LDAP 1 0

Remote User: Set ACL Remote realm: associate NFSv 4 Name with uid. Number, gid.

Remote User: Set ACL Remote realm: associate NFSv 4 Name with uid. Number, gid. Number, and GSSAuth. Name NFSv 4 Remote. User schema available NFSv 4 domain name always used Secure LDAP communication required

Remote User: Get ACL LDAP 1 0

Remote User: Get ACL LDAP 1 0

Remote User: Get ACL LDAP mappings required only for POSIX getfacl NFSv 4 Name

Remote User: Get ACL LDAP mappings required only for POSIX getfacl NFSv 4 Name and uid. Number for remote user uid (local user name) for remote user nfsv 4_getfacl simply displays the on-the-wire ACL name Secure LDAP not required

Foreign Groups Need design requirements Foreign group names could be assigned a local gid

Foreign Groups Need design requirements Foreign group names could be assigned a local gid How does the server resolve foreign membership Callback to foreign NFSv 4 domain Only resolve with local uid's (no callback) Pass group list (names) in GSS initialization (a la EPAC) Other?

Cross Platform ID Mapping NS Switch which uses posix. Account is the common denominator

Cross Platform ID Mapping NS Switch which uses posix. Account is the common denominator Our cross realm mapping extends NS Switch Not supported by other implementations IBM also has a cross realm solution

Any Questions? http: //www. citi. umich. edu/projects

Any Questions? http: //www. citi. umich. edu/projects

Remote Name Mapping Linux NFSv 4 Andy AdamsonRemote Name Mapping Linux NFSv 4 Andy Adamson
NFSv 4 Internationalization Status David Noveck Nfsv 4NFSv 4 Internationalization Status David Noveck Nfsv 4
nfsv 4 and linux peter honeyman linux scalabilitynfsv 4 and linux peter honeyman linux scalability
Linux 1 Linux http linux vbird orglinuxbasic LinuxLinux 1 Linux http linux vbird orglinuxbasic Linux
Linux 1 Linux http linux vbird orglinuxbasic LinuxLinux 1 Linux http linux vbird orglinuxbasic Linux
Linux Installation LINUX INSTALLATION Linux Installation Download LINUXLinux Installation LINUX INSTALLATION Linux Installation Download LINUX
TRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTETRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTE
TRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTETRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTE
NFSv 4 1 Sessions Design and Linux ServerNFSv 4 1 Sessions Design and Linux Server
NFSv 4 1 Sessions Design and Linux ServerNFSv 4 1 Sessions Design and Linux Server
Andy Warhol Portraits Andy Warhol SelfPortrait 1986 AndyAndy Warhol Portraits Andy Warhol SelfPortrait 1986 Andy
ANDY WARHOL By Aaron Douglas ABOUT ANDY AndyANDY WARHOL By Aaron Douglas ABOUT ANDY Andy
Andy Goldsworthy Who is Andy Goldsworthy Andy GoldsworthyAndy Goldsworthy Who is Andy Goldsworthy Andy Goldsworthy
LINUX Objectives History of Linux Kernel Linux DistroLINUX Objectives History of Linux Kernel Linux Distro
Linux Commands LINUX COMMANDS Linux Commands UNIX CommandsLinux Commands LINUX COMMANDS Linux Commands UNIX Commands
Linux Guide to Linux Certification Chapter Three LinuxLinux Guide to Linux Certification Chapter Three Linux
LINUX Avtor Orli Luka KAJ JE LINUX LinuxLINUX Avtor Orli Luka KAJ JE LINUX Linux
Linux System Administration LINUX SYSTEM ADMINISTRATION Linux SystemLinux System Administration LINUX SYSTEM ADMINISTRATION Linux System
LINUX Sejarah Linux Nama Linux diturunkan dari penciptaLINUX Sejarah Linux Nama Linux diturunkan dari pencipta
Linux Linux 1991 Linus Torvalds 1994 Linux 1Linux Linux 1991 Linus Torvalds 1994 Linux 1
Linux Commands LINUX COMMANDS Linux Commands UNIX CommandsLinux Commands LINUX COMMANDS Linux Commands UNIX Commands