1 / 18

Remote Name Mapping Linux NFSv4

Remote Name Mapping Linux NFSv4. Andy Adamson Center For Information Technology Integration University of Michigan. NFSv4 Administrative Domain. Multiple DNS domains Multiple Security Realms Kerberos, PKI Certificate Authorities (SPKM3) NFSv4 domain = unique UID/GID namespace

tynice
Download Presentation

Remote Name Mapping Linux NFSv4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Remote Name Mapping Linux NFSv4 Andy Adamson Center For Information Technology IntegrationUniversity of Michigan

  2. NFSv4 Administrative Domain • Multiple DNS domains • Multiple Security Realms • Kerberos, PKI Certificate Authorities (SPKM3) • NFSv4 domain = unique UID/GID namespace • Pick one DNS domain to be the NFSv4 Domain Name <user@nfsv4domain> • ACL 'who' and GETTATTR owner and owner_group

  3. Local NFSv4 Domain Name to ID • One to one correspondence between UID and NFSv4 domain name • joe@arbitrary.domain.org • GSS Principal name will differ from NFSv4 domain name • Kerberos V: joe@ARBITRARY.DOMAIN.ORG • PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User Email= joe@arbitrary.domain.org

  4. Local Mount: Kerberos V v4 Domain v4 Domain: arbitrary.domain.org LDAP K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu Secure LDAP Call FAILS nfs/host.citi.umich.edu@TANGENT.REALM GSSD /etc/krb5.keytab GSSD If machine name, map to nobody NFSv4 Server NFSv4 Client gss context call succeeds nfs/host.citi.umich.edu@TANGENT.REALM gss context creation

  5. Local Mount: Kerberos V Issues • Distribution of client keytabs • Client service name • UID/GID mapping for client machine principals? • Related issue: Client root user • Map to machine principal • Map to root principal • Map to nobody • other

  6. Local Principal: Kerberos V v4 Domain v4 Domain v4 Domain: arbitrary.domain.org GSSAuthName:joe@TANGENT.REALM LDAP uidNumber: 10098 K5 Realm: TANGENT.REALM gidNumber: 10 DNS Domain: citi.umich.edu joe@TANGENT.REALM % kinit joe@TANGENT.REALM secure LDAP call GSSD GSSD /tmp/krb5cc_UID NFSv4 Server NFSv4 Client gss context creation succeeds joe@TANGENT.REALM gss context creation

  7. Local Principal: Kerberos V Issues • Where to put kinit credentials for client GSSD • /tmp/krb5cc_UID • getpwid on principal portion assumes UNIX name (posixAccount uid) == K5 principal • Current code, getpwid => LDAP query • GSSAuthName attribute added to posixAccount to associate with uidNumber • Server GSSD principal mapping failure = contest creation failure

  8. Local User: Set ACL v4 Domain: arbitrary.domain.org NFSv4Name: joe@arbitrary.domain.org LDAP K5 Realm: TANGENT.REALM uid: joe uidNumber: 10098 DNS Domain: citi.umich.edu 10098 10098 joe joe@arbitrary.domian.org 10098 10 % setfacl -m u:joe:rw /tmp/x.c IDMAPD joe@arbitrary.domain.org NFSv4 Server IDMAPD /tmp/x.c NFSv4 Client joe@arbitrary.domain.org 10098:rw SETATTR

  9. Local User: Set ACL issues • setfacl POSIX interface uses UID/GID across kernel boundary • LDAP posixAccount: uid is mapped • need a local name • two name mapping calls • LINUX nfs4_setfacl interface passes string names across kernel boundary • no local name needed

  10. Local User: Get ACL v4 Domain: arbitrary.domain.org NFSv4Name: joe@arbitrary.domain.org LDAP K5 Realm: TANGENT.REALM uid: joe uidNumber: 10098 DNS Domain: citi.umich.edu 10098 joe joe@arbitrary.domain.org 10098 10 % getfacl /tmp/x.c 10098 joe@arbitrary.domain.org IDMAPD NFSv4 Server IDMAPD /tmp/x.c NFSv4 Client joe@arbitrary.domain.org 10098:rw GETATTR

  11. Local User: Get ACL issues • getfacl POSIX interface uses UID/GID across kernel boundary • LDAP posixAccount: uid is displayed • two name mapping calls • LINUX nfs4_getfacl interface passes string names across kernel boundary

  12. Kerberos V X-Realm and Linux NFSv4 • X-realm GSS context initialization just works • Need to add GSSAuthName and UID/GID mapping for remote user • NFSv4RemoteUser schema can be used instead of posixAccount • NFSv4 remote access without local machine access • mount from remote machine: mapping library needs to recognize service portion of name • Secure LDAP communication required

  13. Remote Kerberos V Principal v4 Domain v4 Domain v4 Domain: arbitrary.domain.org v4 Domain: citi.umich.edu K5 Realm: TANGENT.REALM K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu DNS Domain: citi.umich.edu GSSAuthName:andros@CITI.UMICH.EDU LDAP % kinit andros@CITI.UMICH.EDU uidNumber: 10075 gidNumber: 10 GSSD /tmp/krb5cc_UID andros@CITI.UMICH.EDU NFSv4 Client secure LDAP call GSSD NFSv4 Server gss context creation succeeds andros@CITI.UMICH.EDU gss context creation

  14. Remote User: Set ACL v4 Domain: citi.umich.edu v4 Domain: arbitrary.domain.org K5 Realm: CITI.UMICH.EDU K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu DNS Domain: citi.umich.edu NFSv4Name:andros@citi.umich.edu LDAP NFSv4Name: andros@citi.umich.edu LDAP uid: andros uidNumber: 23975 uidNumber: 10075 andros@citi.umich.edu 23975 23975 andros 10075 10 % setfacl -m u:andros:rw /tmp/x.c IDMAPD andros@citi.umich.edu IDMAPD NFSv4 Server NFSv4 Client /tmp/x.c andros@citi.umich.edu 10075:rw SETATTR

  15. Remote User: Set ACL • Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName • NFSv4RemoteUser schema available • NFSv4domain name always used • Secure LDAP communication required

  16. Remote User: Get ACL v4 Domain: citi.umich.edu v4 Domain: arbitrary.domain.org K5 Realm: CITI.UMICH.EDU K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu DNS Domain: citi.umich.edu LDAP NFSv4Name: andros@citi.umich.edu LDAP NFSv4Name: andros@citi.umich.edu uidNumber: 10075 uidNumber: 23975 uid: joe 23975 andros andros@citi.umich.edu 10075 10 % getfacl /tmp/x.c 23975 andros@citi.umich.edu IDMAPD NFSv4 Server IDMAPD /tmp/x.c NFSv4 Client andros@citi.umich.edu 10075:rw GETATTR

  17. Remote User: Get ACL • LDAP mappings required only for POSIX getfacl • NFSv4Name and uidNumber for remote user • uid (local user name) for remote user • nfsv4_getfacl simply displays the on-the-wire ACL name • Secure LDAP not required

  18. Any Questions? http://www.citi.umich.edu/projects

More Related