Remote%20Name%20Mapping%20Linux%20NFSv4 - PowerPoint PPT Presentation

Title: Remote%20Name%20Mapping%20Linux%20NFSv4


1
Remote Name Mapping Linux NFSv4
Andy Adamson Center For Information Technology
IntegrationUniversity of Michigan
2
NFSv4 Administrative Domain

• Multiple DNS domains
• Multiple Security Realms
• Kerberos, PKI Certificate Authorities (SPKM3)
• NFSv4 domain unique UID/GID namespace
• Pick one DNS domain to be the NFSv4 Domain Name
  ltuser_at_nfsv4domaingt
• ACL 'who' and GETTATTR owner and owner_group

3
Local NFSv4 Domain Name to ID

• One to one correspondence between UID and NFSv4
  domain name
• joe_at_arbitrary.domain.org
• GSS Principal name will differ from NFSv4 domain
  name
• Kerberos V joe_at_ARBITRARY.DOMAIN.ORG
• PKI OUUS, OUState, OU Arbitrary Inc, CN Joe
  User Email joe_at_arbitrary.domain.org

4
Local Mount Kerberos V
v4 Domain
v4 Domain arbitrary.domain.org
LDAP
K5 Realm TANGENT.REALM
DNS Domain citi.umich.edu
Secure LDAP Call FAILS
nfs/host.citi.umich.edu_at_TANGENT.REALM
GSSD
/etc/krb5.keytab
GSSD
If machine name, map to nobody
NFSv4 Server
NFSv4 Client
gss context call succeeds
nfs/host.citi.umich.edu_at_TANGENT.REALM
gss context creation
5
Local Mount Kerberos V Issues

• Distribution of client keytabs
• Client service name
• UID/GID mapping for client machine principals?
• Related issue Client root user
• Map to machine principal
• Map to root principal
• Map to nobody
• other

6
Local Principal Kerberos V
v4 Domain
v4 Domain
v4 Domain arbitrary.domain.org
GSSAuthNamejoe_at_TANGENT.REALM
LDAP
uidNumber 10098
K5 Realm TANGENT.REALM
gidNumber 10
DNS Domain citi.umich.edu
joe_at_TANGENT.REALM
kinit joe_at_TANGENT.REALM
secure LDAP call
GSSD
GSSD
NFSv4 Server
/tmp/krb5cc_UID
NFSv4 Client
gss context creation succeeds
joe_at_TANGENT.REALM
gss context creation
7
Local Principal Kerberos V Issues

• Where to put kinit credentials for client GSSD
• /tmp/krb5cc_UID
• getpwid on principal portion assumes UNIX name
  (posixAccount uid) K5 principal
• Current code, getpwid gt LDAP query
• GSSAuthName attribute added to posixAccount to
  associate with uidNumber
• Server GSSD principal mapping failure contest
  creation failure

8
Local User Set ACL
v4 Domain arbitrary.domain.org
NFSv4Name joe_at_arbitrary.domain.org
LDAP
K5 Realm TANGENT.REALM
uid joe
uidNumber 10098
DNS Domain citi.umich.edu
10098
10098
joe
joe_at_arbitrary.domian.org
10098
10
setfacl -m ujoerw /tmp/x.c
IDMAPD
joe_at_arbitrary.domain.org
NFSv4 Server
IDMAPD
/tmp/x.c
NFSv4 Client
joe_at_arbitrary.domain.org
10098rw
SETATTR
9
Local User Set ACL issues

• setfacl POSIX interface uses UID/GID across
  kernel boundary
• LDAP posixAccount uid is mapped
• need a local name
• two name mapping calls
• LINUX nfs4_setfacl interface passes string names
  across kernel boundary
• no local name needed

10
Local User Get ACL
v4 Domain arbitrary.domain.org
NFSv4Name joe_at_arbitrary.domain.org
LDAP
K5 Realm TANGENT.REALM
uid joe
uidNumber 10098
DNS Domain citi.umich.edu
10098
joe
joe_at_arbitrary.domain.org
10098
10
getfacl /tmp/x.c
10098
IDMAPD
joe_at_arbitrary.domain.org
NFSv4 Server
IDMAPD
/tmp/x.c
NFSv4 Client
joe_at_arbitrary.domain.org
10098rw
GETATTR
11
Local User Get ACL issues

• getfacl POSIX interface uses UID/GID across
  kernel boundary
• LDAP posixAccount uid is displayed
• two name mapping calls
• LINUX nfs4_getfacl interface passes string names
  across kernel boundary

12
Kerberos V X-Realm and Linux NFSv4

• X-realm GSS context initialization just works
• Need to add GSSAuthName and UID/GID mapping for
  remote user
• NFSv4RemoteUser schema can be used instead of
  posixAccount
• NFSv4 remote access without local machine access
• mount from remote machine mapping library needs
  to recognize service portion of name
• Secure LDAP communication required

13
Remote Kerberos V Principal
v4 Domain
v4 Domain
v4 Domain arbitrary.domain.org
v4 Domain citi.umich.edu
K5 Realm TANGENT.REALM
K5 Realm CITI.UMICH.EDU
DNS Domain citi.umich.edu
DNS Domain citi.umich.edu
GSSAuthNameandros_at_CITI.UMICH.EDU
LDAP
kinit andros_at_CITI.UMICH.EDU
uidNumber 10075
gidNumber 10
GSSD
/tmp/krb5cc_UID
andros_at_CITI.UMICH.EDU
NFSv4 Client
secure LDAP call
GSSD
NFSv4 Server
gss context creation succeeds
andros_at_CITI.UMICH.EDU
gss context creation
14
Remote User Set ACL
v4 Domain citi.umich.edu
v4 Domain arbitrary.domain.org
K5 Realm CITI.UMICH.EDU
K5 Realm TANGENT.REALM
DNS Domain citi.umich.edu
DNS Domain citi.umich.edu
NFSv4Nameandros_at_citi.umich.edu
LDAP
NFSv4Name andros_at_citi.umich.edu
LDAP
uid andros
uidNumber 23975
uidNumber 10075
andros_at_citi.umich.edu
23975
23975
andros
10075
10
setfacl -m uandrosrw /tmp/x.c
IDMAPD
andros_at_citi.umich.edu
IDMAPD
NFSv4 Server
NFSv4 Client
/tmp/x.c
andros_at_citi.umich.edu
10075rw
SETATTR
15
Remote User Set ACL

• Remote realm associate NFSv4Name with uidNumber,
  gidNumber, and GSSAuthName
• NFSv4RemoteUser schema available
• NFSv4domain name always used
• Secure LDAP communication required

16
Remote User Get ACL
v4 Domain citi.umich.edu
v4 Domain arbitrary.domain.org
K5 Realm CITI.UMICH.EDU
K5 Realm TANGENT.REALM
DNS Domain citi.umich.edu
DNS Domain citi.umich.edu
LDAP
NFSv4Name andros_at_citi.umich.edu
LDAP
NFSv4Name andros_at_citi.umich.edu
uidNumber 10075
uidNumber 23975
uid joe
23975
andros
andros_at_citi.umich.edu
10075
10
getfacl /tmp/x.c
23975
andros_at_citi.umich.edu
IDMAPD
NFSv4 Server
IDMAPD
/tmp/x.c
NFSv4 Client
andros_at_citi.umich.edu
10075rw
GETATTR
17
Remote User Get ACL

• LDAP mappings required only for POSIX getfacl
• NFSv4Name and uidNumber for remote user
• uid (local user name) for remote user
• nfsv4_getfacl simply displays the on-the-wire ACL
  name
• Secure LDAP not required

18
Any Questions?

• http//www.citi.umich.edu/projects