Remote Name Mapping Linux NFSv4 - PowerPoint PPT Presentation

About This Presentation

Title: Remote Name Mapping Linux NFSv4

Description: NFSv4 domain = unique UID/GID namespace ... interface uses UID/GID across kernel boundary. LDAP ... Need to add GSSAuthName and UID/GID mapping for remote user ...

Slides: 19
Provided by: citiU

Transcript and Presenter's Notes


1
Remote Name Mapping Linux NFSv4
Andy Adamson, Center for Information Technology Integration, University of Michigan
2
NFSv4 Administrative Domain
  • Multiple DNS domains
  • Multiple Security Realms
  • Kerberos, PKI Certificate Authorities (SPKM3)
  • NFSv4 domain = unique UID/GID namespace
  • Pick one DNS domain to be the NFSv4 Domain Name
    <user@nfsv4domain>
  • ACL 'who' and GETATTR owner and owner_group

3
Local NFSv4 Domain Name to ID
  • One to one correspondence between UID and NFSv4
    domain name
  • joe@arbitrary.domain.org
  • GSS Principal name will differ from NFSv4 domain
    name
  • Kerberos V: joe@ARBITRARY.DOMAIN.ORG
  • PKI: OU=US, OU=State, OU=Arbitrary Inc, CN=Joe
    User, Email=joe@arbitrary.domain.org

4
Local Mount Kerberos V
[Diagram: NFSv4 client in DNS domain citi.umich.edu, NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, with LDAP. The client GSSD uses the machine principal nfs/host.citi.umich.edu@TANGENT.REALM from /etc/krb5.keytab for gss context creation with the NFSv4 server; the gss context call succeeds, but the server GSSD's secure LDAP call for that principal FAILS: if machine name, map to nobody.]
5
Local Mount Kerberos V Issues
  • Distribution of client keytabs
  • Client service name
  • UID/GID mapping for client machine principals?
  • Related issue: client root user
  • Map to machine principal
  • Map to root principal
  • Map to nobody
  • other

6
Local Principal Kerberos V
[Diagram: NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu. The user runs kinit joe@TANGENT.REALM; the client GSSD reads the credential cache /tmp/krb5cc_UID and starts gss context creation as joe@TANGENT.REALM; the server GSSD makes a secure LDAP call that finds GSSAuthName joe@TANGENT.REALM with uidNumber 10098 and gidNumber 10; gss context creation succeeds.]
7
Local Principal Kerberos V Issues
  • Where to put kinit credentials for client GSSD
  • /tmp/krb5cc_UID
  • getpwid on principal portion assumes UNIX name
    (posixAccount uid) = K5 principal
  • Current code: getpwid -> LDAP query
  • GSSAuthName attribute added to posixAccount to
    associate with uidNumber
  • Server GSSD principal mapping failure = context
    creation failure

8
Local User Set ACL
[Diagram: NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu. The user runs setfacl -m u:joe:rw /tmp/x.c on the NFSv4 client; the client IDMAPD maps uid 10098 to the local name joe and then, via LDAP (uid joe, uidNumber 10098), to NFSv4Name joe@arbitrary.domain.org; SETATTR carries joe@arbitrary.domain.org rw; the server IDMAPD maps joe@arbitrary.domain.org back to 10098 rw on /tmp/x.c.]
9
Local User Set ACL issues
  • setfacl POSIX interface uses UID/GID across
    kernel boundary
  • LDAP posixAccount uid is mapped
  • need a local name
  • two name mapping calls
  • Linux nfs4_setfacl interface passes string names
    across kernel boundary
  • no local name needed

10
Local User Get ACL
[Diagram: NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu. The user runs getfacl /tmp/x.c on the NFSv4 client; the server IDMAPD maps 10098 rw to joe@arbitrary.domain.org and GETATTR returns joe@arbitrary.domain.org rw; the client IDMAPD maps that name via LDAP (uid joe, uidNumber 10098) to 10098 and the local name joe for display.]
11
Local User Get ACL issues
  • getfacl POSIX interface uses UID/GID across
    kernel boundary
  • LDAP posixAccount uid is displayed
  • two name mapping calls
  • Linux nfs4_getfacl interface passes string names
    across kernel boundary

12
Kerberos V X-Realm and Linux NFSv4
  • X-realm GSS context initialization just works
  • Need to add GSSAuthName and UID/GID mapping for
    remote user
  • NFSv4RemoteUser schema can be used instead of
    posixAccount
  • NFSv4 remote access without local machine access
  • mount from remote machine: mapping library needs
    to recognize service portion of name
  • Secure LDAP communication required

13
Remote Kerberos V Principal
[Diagram: NFSv4 client in NFSv4 domain citi.umich.edu, K5 realm CITI.UMICH.EDU; NFSv4 server in NFSv4 domain arbitrary.domain.org, K5 realm TANGENT.REALM; both in DNS domain citi.umich.edu. The user runs kinit andros@CITI.UMICH.EDU; the client GSSD reads /tmp/krb5cc_UID and starts cross-realm gss context creation as andros@CITI.UMICH.EDU; the server GSSD makes a secure LDAP call that finds GSSAuthName andros@CITI.UMICH.EDU with uidNumber 10075 and gidNumber 10; gss context creation succeeds.]
14
Remote User Set ACL
[Diagram: client in NFSv4 domain citi.umich.edu (K5 realm CITI.UMICH.EDU), server in NFSv4 domain arbitrary.domain.org (K5 realm TANGENT.REALM), both in DNS domain citi.umich.edu. The user runs setfacl -m u:andros:rw /tmp/x.c on the client; the client IDMAPD maps uid 23975 to andros and, via the client LDAP (uid andros, uidNumber 23975, NFSv4Name andros@citi.umich.edu), to andros@citi.umich.edu; SETATTR carries andros@citi.umich.edu rw; the server IDMAPD looks up NFSv4Name andros@citi.umich.edu in the server LDAP, finds uidNumber 10075, and stores 10075 rw on /tmp/x.c.]
15
Remote User Set ACL
  • Remote realm: associate NFSv4Name with uidNumber,
    gidNumber, and GSSAuthName
  • NFSv4RemoteUser schema available
  • NFSv4 domain name always used
  • Secure LDAP communication required

16
Remote User Get ACL
[Diagram: client in NFSv4 domain citi.umich.edu (K5 realm CITI.UMICH.EDU), server in NFSv4 domain arbitrary.domain.org (K5 realm TANGENT.REALM), both in DNS domain citi.umich.edu. The user runs getfacl /tmp/x.c on the client; the server IDMAPD maps 10075 rw via the server LDAP (NFSv4Name andros@citi.umich.edu, uidNumber 10075) to andros@citi.umich.edu and GETATTR returns andros@citi.umich.edu rw; the client IDMAPD maps that name via the client LDAP (NFSv4Name andros@citi.umich.edu, uidNumber 23975, uid joe) to 23975, displayed as andros.]
17
Remote User Get ACL
  • LDAP mappings required only for POSIX getfacl
  • NFSv4Name and uidNumber for remote user
  • uid (local user name) for remote user
  • nfsv4_getfacl simply displays the on-the-wire ACL
    name
  • Secure LDAP not required
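
The mapping steps drawn on the Set ACL and Get ACL slides (8, 10, 14 and 16) and the GSSD principal mapping of slides 4, 6 and 13, as an added example that is not from the presentation: a toy Python model of IDMAPD and GSSD lookups for one NFSv4 domain, run once for the server's domain and once for the client's. It assumes an in-memory list of dicts in place of LDAP, a constructed nobody UID of 65534, and the uidNumber values shown on the slides.

```python
NOBODY_UID = 65534  # constructed value standing in for the deck's "map to nobody"

class IdMapper:
    """Toy IDMAPD/GSSD mapper for one NFSv4 domain over constructed LDAP-like entries."""
    def __init__(self, nfsv4_domain, entries):
        self.domain, self.entries = nfsv4_domain, entries

    def uid_to_name(self, uid):
        # POSIX setfacl/getfacl path: UID -> directory entry -> user@nfsv4domain. A
        # posixAccount is named by 'uid'; an NFSv4RemoteUser keeps its remote NFSv4Name.
        for e in self.entries:
            if e["uidNumber"] == uid:
                return e.get("NFSv4Name") or f"{e['uid']}@{self.domain}"
        return f"nobody@{self.domain}"

    def name_to_uid(self, name):
        # On-the-wire user@domain (SETATTR/GETATTR 'who') -> uidNumber, else nobody.
        for e in self.entries:
            local = f"{e['uid']}@{self.domain}" if "uid" in e else None
            if name in (e.get("NFSv4Name"), local):
                return e["uidNumber"]
        return NOBODY_UID

    def gss_principal_to_uid(self, principal):
        # Server GSSD: GSS principal -> uidNumber via GSSAuthName. A service
        # (machine) principal such as nfs/host@REALM has no user entry -> nobody.
        if "/" in principal.split("@", 1)[0]:
            return NOBODY_UID
        for e in self.entries:
            if e.get("GSSAuthName") == principal:
                return e["uidNumber"]
        return NOBODY_UID

# Constructed directories using the deck's numbers: the server's domain holds joe
# as a posixAccount and andros as an NFSv4RemoteUser; the client's domain holds
# andros as a local posixAccount under a different uidNumber.
SERVER = IdMapper("arbitrary.domain.org", [
    {"uid": "joe", "uidNumber": 10098, "gidNumber": 10, "GSSAuthName": "joe@TANGENT.REALM"},
    {"NFSv4Name": "andros@citi.umich.edu", "uidNumber": 10075, "gidNumber": 10,
     "GSSAuthName": "andros@CITI.UMICH.EDU"},
])
CLIENT = IdMapper("citi.umich.edu", [
    {"uid": "andros", "uidNumber": 23975, "gidNumber": 10, "GSSAuthName": "andros@CITI.UMICH.EDU"},
])

def remote_acl_roundtrip(client_uid):
    # Slides 14/16: client UID -> wire name (SETATTR) -> server UID -> wire name (GETATTR) -> client UID
    wire = CLIENT.uid_to_name(client_uid)
    server_uid = SERVER.name_to_uid(wire)
    return wire, server_uid, CLIENT.name_to_uid(SERVER.uid_to_name(server_uid))
```

The remote user's name stays andros@citi.umich.edu on the wire in both directions; only the UIDs differ per domain, which is why the remote-user entry on the server must carry the client's NFSv4Name rather than a local uid.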

18
Any Questions?
  • http://www.citi.umich.edu/projects