Title: Remote Name Mapping Linux NFSv4
1. Remote Name Mapping Linux NFSv4
Andy Adamson
Center for Information Technology Integration
University of Michigan
2. NFSv4 Administrative Domain
- Multiple DNS domains
- Multiple Security Realms
  - Kerberos, PKI Certificate Authorities (SPKM3)
- NFSv4 domain: unique UID/GID namespace
- Pick one DNS domain to be the NFSv4 Domain Name
  - <user@nfsv4domain>
  - ACL 'who' and GETATTR owner and owner_group
3. Local NFSv4 Domain Name to ID
- One to one correspondence between UID and NFSv4 domain name
  - joe@arbitrary.domain.org
- GSS Principal name will differ from NFSv4 domain name
  - Kerberos V: joe@ARBITRARY.DOMAIN.ORG
  - PKI: OU=US, OU=State, OU=Arbitrary Inc, CN=Joe User, Email=joe@arbitrary.domain.org
4. Local Mount Kerberos V
[Diagram: NFSv4 client and server in DNS domain citi.umich.edu, K5 realm TANGENT.REALM, NFSv4 domain arbitrary.domain.org. The client GSSD uses /etc/krb5.keytab for the machine principal nfs/host.citi.umich.edu@TANGENT.REALM and initiates gss context creation; the gss context call succeeds. The server GSSD's secure LDAP call for nfs/host.citi.umich.edu@TANGENT.REALM FAILS: if machine name, map to nobody.]
5. Local Mount Kerberos V Issues
- Distribution of client keytabs
- Client service name
- UID/GID mapping for client machine principals?
- Related issue: Client root user
  - Map to machine principal
  - Map to root principal
  - Map to nobody
  - other
6. Local Principal Kerberos V
[Diagram: same DNS domain citi.umich.edu, K5 realm TANGENT.REALM, NFSv4 domain arbitrary.domain.org. The user runs kinit joe@TANGENT.REALM; the client GSSD uses the credential cache /tmp/krb5cc_UID for gss context creation as joe@TANGENT.REALM. The server GSSD makes a secure LDAP call for joe@TANGENT.REALM and finds the entry GSSAuthName: joe@TANGENT.REALM, uidNumber 10098, gidNumber 10; gss context creation succeeds.]
7. Local Principal Kerberos V Issues
- Where to put kinit credentials for client GSSD
  - /tmp/krb5cc_UID
- getpwid on principal portion assumes UNIX name (posixAccount uid) = K5 principal
  - Current code: getpwid -> LDAP query
- GSSAuthName attribute added to posixAccount to associate with uidNumber
- Server GSSD principal mapping failure -> context creation failure
8. Local User Set ACL
[Diagram: NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu. LDAP entry: uid joe, uidNumber 10098, NFSv4Name joe@arbitrary.domain.org. On the client, setfacl -m u:joe:rw /tmp/x.c resolves joe to 10098; the client IDMAPD maps 10098 to joe@arbitrary.domain.org, which goes on the wire in the SETATTR. The server IDMAPD maps joe@arbitrary.domain.org back to 10098 (gidNumber 10) and the ACE 10098:rw is stored on /tmp/x.c.]
9. Local User Set ACL issues
- setfacl POSIX interface uses UID/GID across kernel boundary
  - LDAP posixAccount uid is mapped
  - need a local name
  - two name mapping calls
- LINUX nfs4_setfacl interface passes string names across kernel boundary
  - no local name needed
10. Local User Get ACL
[Diagram: same domains and LDAP entry (uid joe, uidNumber 10098, NFSv4Name joe@arbitrary.domain.org). getfacl /tmp/x.c on the client sends a GETATTR; the server IDMAPD maps the stored ACE 10098:rw (gidNumber 10) to joe@arbitrary.domain.org on the wire; the client IDMAPD maps joe@arbitrary.domain.org back to 10098, which is displayed as joe.]
11. Local User Get ACL issues
- getfacl POSIX interface uses UID/GID across kernel boundary
  - LDAP posixAccount uid is displayed
  - two name mapping calls
- LINUX nfs4_getfacl interface passes string names across kernel boundary
12. Kerberos V X-Realm and Linux NFSv4
- X-realm GSS context initialization just works
- Need to add GSSAuthName and UID/GID mapping for remote user
  - NFSv4RemoteUser schema can be used instead of posixAccount
- NFSv4 remote access without local machine access
  - mount from remote machine: mapping library needs to recognize service portion of name
- Secure LDAP communication required
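Added example, not from the slides or the CITI implementation: a Python model contrasting the two server-side principal-to-UID strategies named in slides 5, 7 and 12. The first looks up the principal's primary portion as a UNIX name (the assumption slide 7 flags); the second keys on the whole principal, realm included, through the GSSAuthName attribute, which is what lets a remote-realm user get an entry of their own. The directory and passwd contents are constructed from the slide values (joe/10098 in TANGENT.REALM, andros/10075 from CITI.UMICH.EDU); the function names and the map-to-nobody or refuse-the-context behaviour for the corner cases are my assumptions, not the code CITI shipped.

```python
# Added example (not from the slides): toy model of the two principal-to-UID
# mapping strategies for the server-side GSSD. All data is constructed from the
# slide values; no Kerberos KDC or LDAP server is contacted.
import re
from typing import Dict, Optional, Tuple

NOBODY = (65534, 65534)  # assumed uid/gid pair for "map to nobody"

# Constructed stand-in for the server's LDAP, keyed by the GSSAuthName attribute.
# joe is a local posixAccount (slide 6); andros is an NFSv4RemoteUser entry for a
# principal from the CITI.UMICH.EDU realm (slides 12 and 13).
LDAP_BY_GSSAUTHNAME: Dict[str, dict] = {
    "joe@TANGENT.REALM": {"objectClass": "posixAccount", "uid": "joe",
                          "uidNumber": 10098, "gidNumber": 10},
    "andros@CITI.UMICH.EDU": {"objectClass": "NFSv4RemoteUser",
                              "NFSv4Name": "andros@citi.umich.edu",
                              "uidNumber": 10075, "gidNumber": 10},
}

# Constructed local passwd table as the legacy name-based path would see it.
LOCAL_PASSWD: Dict[str, Tuple[int, int]] = {"joe": (10098, 10)}

# Kerberos V principal syntax: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def parse_principal(principal: str) -> Tuple[str, Optional[str], str]:
    """Split a Kerberos V principal into (primary, instance, realm)."""
    m = PRINCIPAL_RE.match(principal)
    if m is None:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def is_service_principal(principal: str) -> bool:
    """True for service/host@REALM names such as
    nfs/host.citi.umich.edu@TANGENT.REALM (the 'service portion' of slide 12)."""
    return parse_principal(principal)[1] is not None


def map_by_unix_name(principal: str,
                     passwd: Dict[str, Tuple[int, int]] = LOCAL_PASSWD) -> Tuple[int, int]:
    """Legacy path from slide 7: treat the primary portion of the principal as the
    UNIX name. The realm is never consulted, so joe@ANY.REALM maps to local joe."""
    if is_service_principal(principal):
        return NOBODY                       # slide 4: machine name -> nobody
    primary, _, _ = parse_principal(principal)
    return passwd.get(primary, NOBODY)


def map_by_gssauthname(principal: str,
                       ldap: Dict[str, dict] = LDAP_BY_GSSAUTHNAME) -> Tuple[int, int]:
    """GSSAuthName path from slides 7 and 12: the full principal, realm included,
    is the lookup key, so a remote-realm user gets its own uidNumber/gidNumber
    and an unknown principal is a mapping failure."""
    if is_service_principal(principal):
        return NOBODY
    entry = ldap.get(principal)
    if entry is None:
        raise LookupError(f"no GSSAuthName entry for {principal}")
    return entry["uidNumber"], entry["gidNumber"]


def resolve_for_context(principal: str) -> Optional[Tuple[int, int]]:
    """What the server GSSD decides at gss context creation under the GSSAuthName
    path: the uid/gid pair, or None when the mapping fails (slide 7: context
    creation failure)."""
    try:
        return map_by_gssauthname(principal)
    except LookupError:
        return None


if __name__ == "__main__":
    for p in ("joe@TANGENT.REALM", "joe@CITI.UMICH.EDU", "andros@CITI.UMICH.EDU",
              "nfs/host.citi.umich.edu@TANGENT.REALM"):
        print(p, "unix-name:", map_by_unix_name(p), "gssauthname:", resolve_for_context(p))
```

The contrast the model makes visible: under the name-only path, joe@CITI.UMICH.EDU and joe@TANGENT.REALM both become uid 10098, while andros@CITI.UMICH.EDU becomes nobody because no local passwd entry exists; under the GSSAuthName path, andros gets the 10075 the server's NFSv4RemoteUser entry assigns and the unknown joe@CITI.UMICH.EDU is refused rather than silently merged with a local account.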
13. Remote Kerberos V Principal
[Diagram: client in NFSv4 domain citi.umich.edu, K5 realm CITI.UMICH.EDU; server in NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM; both in DNS domain citi.umich.edu. The user runs kinit andros@CITI.UMICH.EDU; the client GSSD uses /tmp/krb5cc_UID for gss context creation as andros@CITI.UMICH.EDU. The server GSSD makes a secure LDAP call and finds GSSAuthName: andros@CITI.UMICH.EDU, uidNumber 10075, gidNumber 10; gss context creation succeeds.]
14. Remote User Set ACL
[Diagram: client NFSv4 domain citi.umich.edu (K5 realm CITI.UMICH.EDU), server NFSv4 domain arbitrary.domain.org (K5 realm TANGENT.REALM), both in DNS domain citi.umich.edu. Client LDAP: uid andros, uidNumber 23975, NFSv4Name andros@citi.umich.edu. Server LDAP: NFSv4Name andros@citi.umich.edu, uidNumber 10075. setfacl -m u:andros:rw /tmp/x.c on the client resolves andros to 23975; the client IDMAPD maps 23975 to andros@citi.umich.edu for the SETATTR; the server IDMAPD maps andros@citi.umich.edu to 10075 (gidNumber 10) and the ACE 10075:rw is stored on /tmp/x.c.]
15. Remote User Set ACL
- Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName
  - NFSv4RemoteUser schema available
- NFSv4 domain name always used
- Secure LDAP communication required
16. Remote User Get ACL
[Diagram: same two domains and LDAP entries (client: uid andros, uidNumber 23975, NFSv4Name andros@citi.umich.edu; server: NFSv4Name andros@citi.umich.edu, uidNumber 10075). getfacl /tmp/x.c on the client sends a GETATTR; the server IDMAPD maps the stored ACE 10075:rw (gidNumber 10) to andros@citi.umich.edu on the wire; the client IDMAPD maps andros@citi.umich.edu to 23975, which is displayed as andros.]
17. Remote User Get ACL
- LDAP mappings required only for POSIX getfacl
  - NFSv4Name and uidNumber for remote user
  - uid (local user name) for remote user
- nfsv4_getfacl simply displays the on-the-wire ACL name
  - Secure LDAP not required
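Added example, not from the slides or CITI's idmapd: a Python model of the mapping calls behind the set and get ACL paths of slides 8 through 17, for both the local user (joe) and the remote user (andros). It shows the two calls the POSIX setfacl/getfacl interface needs on the client (local name to uidNumber, then uidNumber to user@nfsv4domain), the single string name that nfs4_setfacl/nfs4_getfacl pass through, and that the client's 23975 and the server's 10075 never meet on the wire because the NFSv4 domain name is always what travels. The two directories are constructed from the slide values; the Directory class, the function names and the nobody fallback are my own assumptions, not idmapd's interface.

```python
# Added example (not from the slides): toy model of the idmapd name<->UID mapping
# steps behind setfacl/getfacl and nfs4_setfacl/nfs4_getfacl. The two directories
# stand in for the client's and server's LDAP; nothing is sent to a real server.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOBODY_UID = 65534             # assumed fallback for an unmappable wire name
ACE = Tuple[str, str]          # on-the-wire ACE: (user@nfsv4domain, perms)
StoredACE = Tuple[int, str]    # what the server keeps: (uidNumber, perms)


@dataclass
class Directory:
    """One NFSv4 domain's LDAP: posixAccount and NFSv4RemoteUser entries carrying
    the attributes the slides use (uid, uidNumber, NFSv4Name)."""
    nfsv4_domain: str
    entries: List[dict]

    def _find(self, key: str, value) -> Optional[dict]:
        return next((e for e in self.entries if e.get(key) == value), None)

    def by_uid(self, name: str) -> Optional[dict]:
        return self._find("uid", name)

    def by_uidnumber(self, n: int) -> Optional[dict]:
        return self._find("uidNumber", n)

    def by_nfsv4name(self, name: str) -> Optional[dict]:
        return self._find("NFSv4Name", name)


# Constructed from slides 14 and 16: on the client (NFSv4 domain citi.umich.edu)
# andros is 23975; on the server (arbitrary.domain.org) joe is a local account and
# andros is an NFSv4RemoteUser entry with its own uidNumber 10075.
CLIENT_DIR = Directory("citi.umich.edu", [
    {"uid": "andros", "uidNumber": 23975, "NFSv4Name": "andros@citi.umich.edu"},
])
SERVER_DIR = Directory("arbitrary.domain.org", [
    {"uid": "joe", "uidNumber": 10098, "NFSv4Name": "joe@arbitrary.domain.org"},
    {"uid": "andros", "uidNumber": 10075, "NFSv4Name": "andros@citi.umich.edu"},
])


def idmapd_uid_to_name(d: Directory, uidnumber: int) -> str:
    """Kernel upcall: uidNumber -> user@nfsv4domain for the wire."""
    e = d.by_uidnumber(uidnumber)
    return e["NFSv4Name"] if e else f"nobody@{d.nfsv4_domain}"


def idmapd_name_to_uid(d: Directory, wire_name: str) -> int:
    """Kernel upcall: user@nfsv4domain -> uidNumber in this domain's namespace."""
    e = d.by_nfsv4name(wire_name)
    return e["uidNumber"] if e else NOBODY_UID


def posix_setfacl(d: Directory, local_name: str, perms: str) -> ACE:
    """setfacl -m u:<name>:<perms>: two name-mapping calls (slide 9)."""
    e = d.by_uid(local_name)                     # call 1: local name -> uidNumber
    if e is None:
        raise KeyError(f"no local user {local_name}")
    return idmapd_uid_to_name(d, e["uidNumber"]), perms   # call 2: uid -> wire name


def nfs4_setfacl(wire_name: str, perms: str) -> ACE:
    """nfs4_setfacl: the string name crosses the kernel boundary as-is (slide 9)."""
    return wire_name, perms


def server_setattr(d: Directory, ace: ACE) -> StoredACE:
    """SETATTR on the server: wire name -> uidNumber in the server's namespace."""
    name, perms = ace
    return idmapd_name_to_uid(d, name), perms


def server_getattr(d: Directory, stored: StoredACE) -> ACE:
    """GETATTR on the server: stored uidNumber -> wire name."""
    uid, perms = stored
    return idmapd_uid_to_name(d, uid), perms


def posix_getfacl(d: Directory, ace: ACE) -> Tuple[str, str]:
    """getfacl: wire name -> uidNumber -> local uid for display (slides 11, 17)."""
    name, perms = ace
    e = d.by_uidnumber(idmapd_name_to_uid(d, name))
    return (e["uid"] if e else "nobody"), perms


def nfs4_getfacl(ace: ACE) -> ACE:
    """nfs4_getfacl simply displays the on-the-wire ACE (slide 17)."""
    return ace


def round_trip(local_name: str, perms: str):
    """Client setfacl -> server SETATTR -> server GETATTR -> client getfacl."""
    wire = posix_setfacl(CLIENT_DIR, local_name, perms)
    stored = server_setattr(SERVER_DIR, wire)
    back = server_getattr(SERVER_DIR, stored)
    return wire, stored, back, posix_getfacl(CLIENT_DIR, back)


if __name__ == "__main__":
    for step in round_trip("andros", "rw"):
        print(step)
```

Running the round trip for andros prints the wire ACE andros@citi.umich.edu:rw, the server's stored 10075:rw, the same wire name on the way back, and the client's display of andros; an nfs4_setfacl call with a name no server entry matches lands on the nobody uid, which is the case a server operator should expect to see in the ACL when a remote domain's NFSv4RemoteUser entries are missing.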
18. Any Questions?
- http://www.citi.umich.edu/projects