Post on 21-Dec-2015
Remote Name Mapping Linux NFSv4
Andy Adamson
Center for Information Technology Integration
University of Michigan
NFSv4 Administrative Domain
Multiple DNS domains
Multiple Security Realms: Kerberos, PKI Certificate Authorities (SPKM3)
NFSv4 domain = unique UID/GID namespace
Pick one DNS domain to be the NFSv4 Domain Name <user@nfsv4domain>
ACL 'who' and GETATTR owner and owner_group
Local NFSv4 Domain Name to ID
One to one correspondence between UID and NFSv4 domain name
GSS Principal name will differ from NFSv4 domain name
Kerberos V: [email protected]
PKI: OU=US, OU=State, OU=Arbitrary Inc, CN=Joe User, Email=[email protected]
Local Mount: Kerberos V
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
Diagram: the NFSv4 client GSSD uses /etc/krb5.keytab for gss context creation; the NFSv4 server GSSD's secure LDAP call FAILS; if machine name, map to nobody; gss context creation succeeds.
Local Mount: Kerberos V Issues
Distribution of client keytabs
Client service name
UID/GID mapping for client machine principals?
Related issue: Client root user
Map to machine principal
Map to root principal
Map to nobody
other
Local Principal: Kerberos V
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % kinit [email protected] puts credentials in /tmp/krb5cc_UID and GSSD starts gss context creation; the NFSv4 server GSSD makes a secure LDAP call that returns GSSAuthName: [email protected], uidNumber: 10098, gidNumber: 10; gss context creation succeeds.
Local Principal: Kerberos V Issues
Where to put kinit credentials for client GSSD
/tmp/krb5cc_UID
getpwid on principal portion assumes UNIX name (posixAccount uid) == K5 principal
Current code, getpwid => LDAP query
GSSAuthName attribute added to posixAccount to associate with uidNumber
Server GSSD principal mapping failure = context creation failure
Local User: Set ACL
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % setfacl -m u:joe:rw /tmp/x.c maps uid: joe to 10098, and the client IDMAPD maps 10098 to NFSv4Name: [email protected]; SETATTR; the server IDMAPD looks up LDAP NFSv4Name: [email protected], uidNumber: 10098, gidNumber: 10; the server stores the ACL on /tmp/x.c as 10098:rw.
Local User: Set ACL issues
setfacl POSIX interface uses UID/GID across kernel boundary
LDAP posixAccount: uid is mapped
need a local name
two name mapping calls
LINUX nfs4_setfacl interface passes string names across kernel boundary
no local name needed
Local User: Get ACL
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % getfacl /tmp/x.c sends GETATTR; the server reads the ACL on /tmp/x.c as 10098:rw and its IDMAPD maps 10098 via LDAP (NFSv4Name: [email protected], uidNumber: 10098, gidNumber: 10) to the NFSv4Name; the client IDMAPD maps the NFSv4Name back to 10098 and uid: joe, so getfacl displays joe.
Local User: Get ACL issues
getfacl POSIX interface uses UID/GID across kernel boundary
LDAP posixAccount: uid is displayed
two name mapping calls
LINUX nfs4_getfacl interface passes string names across kernel boundary
Kerberos V X-Realm and Linux NFSv4
X-realm GSS context initialization just works
Need to add GSSAuthName and UID/GID mapping for remote user
NFSv4RemoteUser schema can be used instead of posixAccount
NFSv4 remote access without local machine access
mount from remote machine: mapping library needs to recognize service portion of name
Secure LDAP communication required
Remote Kerberos V Principal
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
v4 Domain: citi.umich.edu; K5 Realm: CITI.UMICH.EDU; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % kinit [email protected] puts credentials in /tmp/krb5cc_UID and GSSD starts gss context creation; the NFSv4 server GSSD makes a secure LDAP call that returns GSSAuthName: [email protected], uidNumber: 10075, gidNumber: 10; gss context creation succeeds.
Remote User: Set ACL
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
v4 Domain: citi.umich.edu; K5 Realm: CITI.UMICH.EDU; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % setfacl -m u:andros:rw /tmp/x.c maps andros to 23975; the client IDMAPD looks up LDAP NFSv4Name: [email protected], uidNumber: 23975, uid: andros; SETATTR; the server IDMAPD looks up LDAP NFSv4Name: [email protected], uidNumber: 10075, gidNumber: 10; the server stores the ACL on /tmp/x.c as 10075:rw.
Remote User: Set ACL
Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName
NFSv4RemoteUser schema available
NFSv4domain name always used
Secure LDAP communication required
Remote User: Get ACL
v4 Domain: citi.umich.edu; K5 Realm: CITI.UMICH.EDU; DNS Domain: citi.umich.edu
v4 Domain: arbitrary.domain.org; K5 Realm: TANGENT.REALM; DNS Domain: citi.umich.edu
Diagram: on the NFSv4 client, % getfacl /tmp/x.c sends GETATTR; the server reads the ACL on /tmp/x.c as 10075:rw and its IDMAPD maps 10075 via LDAP (NFSv4Name: [email protected], uidNumber: 10075, gidNumber: 10) to the NFSv4Name; the client IDMAPD maps the NFSv4Name to 23975, so getfacl displays andros.
LDAP entry shown on the arbitrary.domain.org side: NFSv4Name: [email protected], uidNumber: 23975, uid: joe
Remote User: Get ACL
LDAP mappings required only for POSIX getfacl
NFSv4Name and uidNumber for remote user
uid (local user name) for remote user
nfsv4_getfacl simply displays the on-the-wire ACL name
Secure LDAP not required
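The mapping paths the deck walks through (server GSSD mapping a GSS principal to UID/GID via GSSAuthName, IDMAPD mapping between a uid and user@nfsv4domain for SETATTR/GETATTR, and the two-call POSIX setfacl path versus nfs4_setfacl), modelled in Python as an added example that is not code from the slides or from the Linux or CITI gssd/idmapd. The in-memory DIRECTORY, the 'nobody' ids and principal strings such as joe@TANGENT.REALM are constructed assumptions standing in for the LDAP server.

```python
"""NFSv4 name/ID mapping model from the slides (added example; not the gssd, idmapd or
LDAP code of CITI or Linux). DIRECTORY is a constructed stand-in for the server's LDAP;
its principals, names and numbers are sample values modelled on the deck."""
NFSV4_DOMAIN = "arbitrary.domain.org"  # the one DNS domain picked as the NFSv4 domain name
NOBODY_UID, NOBODY_GID = 65534, 65534  # assumption: this server's 'nobody' ids

# Local user: posixAccount extended with GSSAuthName (K5 principal) and NFSv4Name.
# Remote-realm user: NFSv4RemoteUser entry, which carries no local login name (uid).
DIRECTORY = [
    {"objectClass": "posixAccount", "uid": "joe", "uidNumber": 10098, "gidNumber": 10,
     "GSSAuthName": "joe@TANGENT.REALM", "NFSv4Name": "joe@" + NFSV4_DOMAIN},
    {"objectClass": "NFSv4RemoteUser", "uidNumber": 10075, "gidNumber": 10,
     "GSSAuthName": "andros@CITI.UMICH.EDU", "NFSv4Name": "andros@citi.umich.edu"},
]

def _lookup(attr, value):
    """One secure LDAP query: the entry whose attribute equals value, or None."""
    return next((e for e in DIRECTORY if e.get(attr) == value), None)

def gss_principal_to_ids(principal):
    """Server GSSD at context creation: GSS principal -> (uid, gid). Machine/service principals
    (nfs/host@REALM) map to nobody; a user principal without GSSAuthName fails context creation."""
    if "/" in principal.split("@", 1)[0]:
        return NOBODY_UID, NOBODY_GID
    entry = _lookup("GSSAuthName", principal)
    if entry is None:
        raise PermissionError("no GSSAuthName for %s: gss context creation fails" % principal)
    return entry["uidNumber"], entry["gidNumber"]

def nfsv4_name_to_uid(name):
    """Server IDMAPD on SETATTR: ACL 'who' / owner string -> uid. The NFSv4 domain name
    is always on the wire; a name nobody in the directory claims becomes nobody."""
    if "@" not in name:
        raise ValueError("NFSv4 names are user@nfsv4domain, got %r" % name)
    entry = _lookup("NFSv4Name", name)
    return entry["uidNumber"] if entry else NOBODY_UID

def uid_to_nfsv4_name(uid):
    """IDMAPD on GETATTR: uid -> on-the-wire name, always qualified with the NFSv4 domain."""
    entry = _lookup("uidNumber", uid)
    return entry["NFSv4Name"] if entry else "nobody@" + NFSV4_DOMAIN

def posix_setfacl_who(local_name):
    """Client side of 'setfacl -m u:<name>:rw': the POSIX interface crosses the kernel
    boundary as a uid, so two mapping calls are needed (local name -> uid -> NFSv4 name).
    A user with no local name cannot be named this way; nfs4_setfacl passes the string."""
    entry = _lookup("uid", local_name)  # getpwnam equivalent
    if entry is None:
        raise KeyError("%s has no local account; use nfs4_setfacl with user@domain" % local_name)
    return uid_to_nfsv4_name(entry["uidNumber"])
```

The remote user andros is reachable through nfsv4_name_to_uid and gss_principal_to_ids but not through posix_setfacl_who, which is the point of the "need a local name" issue slides.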