Remote Name Mapping for Linux NFSv4 - CITI: Center for ...€¦ · Remote Name Mapping for Linux...

Preview:

Click to see full reader

Citation preview

Remote Name Mapping for Linux NFSv4

Andy AdamsonCenter For Information Technology Integration

University of MichiganAugust 2005

NFSv4 Administrative Domain

NFSv4: names not numbers on the wire

NFSv4 domain = unique UID/GID space

Multiple Security RealmsKerberos, PKI Certificate Authorities (SPKM3)

Multiple DNS - NIS domains

Pick one DNS domain to be the NFSv4 Domain Name <user@nfsv4domain>

nfsv4domain is used for ACL 'who' and GETTATTR owner and owner_group

NFSv4 Domain

nnl Kerberos V5

X509/SPKM

Kerberos V5

Kerberos V5

DNS Domain

DNS Domain

Local NFSv4 Domain: Name to ID

One to one correspondence between UID and NFSv4 domain name

joe@arbitrary.domain.org

GSS Principal name will differ from NFSv4 domain name

Kerberos V: joe@ARBITRARY.DOMAIN.ORG

PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User Email= joe@arbitrary.domain.org

New LDAP Attributes

We created a new LDAP object to hold two new LDAP attributes for NFSv4 id mapping

GSSAuthName

NFSv4Name

We associate one NFSv4Name attribute with a RFC 2307 NSS-LDAP posixAccount to hold the users v4 domain name

We associate multiple GSSAuthNames with a PosixAccount to hold the users multiple GSS principal names

Attributes are configurable via /etc/idmap.conf

Local Mount: Kerberos Vv4 Domain

v4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

nfs/host.citi.umich.edu@TANGENT.REALM

/etc/krb5.keytabNFSv4 ServerGSSD

gss context creation

nfs/host.citi.umich.edu@TANGENT.REALM

Secure LDAP Call FAILS

If machine name, map to nobody

gss context call succeeds

GSSD

Local Mount: Kerberos V Issues

Distribution of client keytabs? Linux: yesWith no keytab:

Allow AUTH_SYS for SETCLIENTID and mount of Kerberos export

User Kerberos credentials

Server: maps machine credentials to nobody (mount)

Client root user: UID 0?Map to machine principal (no password)

Map to per server root principal (with password)

Local Principal: Kerberos V New Linux kernel keyring service enables kernel Kerberos credential storage, and PAG-like behaviour

NSSwitch ID mapping (LDAP PosixAccount)getpwid on principal portion assumes UNIX name (posixAccount uid) == K5 principal

UMICH LDAP ID mapping

GSSAuthName attribute added to LDAP posixAccount to associate with uidNumber

Server GSSD principal mapping failure = context creation failure

Local Principal: Kerberos Vv4 Domain

v4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

joe@TANGENT.REALM

% kinit joe@TANGENT.REALM

NFSv4 ServerGSSD

gss context creation

joe@TANGENT.REALM

GSSAuthName:joe@TANGENT.REALMuidNumber: 10098gidNumber: 10

gss context creation succeeds

/tmp/krb5cc_UIDGSSD

secure LDAP call

v4 Domain

Local User: Set ACL issuesClient setfacl POSIX interface uses UID/GID across kernel boundary (NS Switch)

Two name mapping calls

NSS posixAccount name (no @nfsv4domain)

NFSv4Name attribute added to LDAP posixAccount to associate full nfsv4 name with uidNumber

New linux nfs4_setfacl interface passes string names across kernel boundary

No local name to ID mapping needed

Local User: Set ACLv4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

% setfacl ­m u:joe:rw /tmp/x.c

NFSv4 Server

/tmp/x.c10098:rw

NFSv4Name: joe@arbitrary.domain.orguidNumber: 10098

IDMAPD

10

IDMAPD

uid: joe

joe10098 10098

joe@arbitrary.domain.org

joe@arbitrary.domain.org

SETATTR

joe@arbitrary.domian.org10098

Local User: Get ACL issues

Client getfacl POSIX interface uses UID/GID across kernel boundary (NS Switch)

NS Switch posixAccount: uid is displayed

Two name mapping calls

New Linux nfs4_getfacl interface passes string names across kernel boundary

Local User: Get ACLv4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

% getfacl  /tmp/x.c

NFSv4 Server

/tmp/x.c10098:rw

NFSv4Name: joe@arbitrary.domain.orguidNumber: 10098

IDMAPD

10

IDMAPD

uid: joe

GETATTR

10098joe@arbitrary.domain.org

joe@arbitrary.domain.org

joe@arbitrary.domain.org10098

10098joe

Kerberos V X-Realm and Linux NFSv4

X-realm GSS context initialization just worksGSSAuthName and NFSv4Name can hold remote user names.Need to add posix account with GSSAuthName for UID/GID mapping of remote userSet posixAccount shell to /dev/null for NFSv4 remote access without local machine access

Secure LDAP communication required

Remote Kerberos V Principalv4 Domain

v4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

andros@CITI.UMICH.EDU

% kinit andros@CITI.UMICH.EDU

NFSv4 ServerGSSD

gss context creation

andros@CITI.UMICH.EDU

GSSAuthName:andros@CITI.UMICH.EDUuidNumber: 10075gidNumber: 10

gss context creation succeeds

/tmp/krb5cc_UIDGSSD

secure LDAP call

v4 Domainv4 Domain: citi.umich.eduK5 Realm: CITI.UMICH.EDUDNS Domain: citi.umich.edu

Remote User: Set ACLv4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

NFSv4 Client

% setfacl ­m u:andros:rw /tmp/x.c

NFSv4 Server

/tmp/x.c

andros23975

SETATTR

IDMAPD

IDMAPD

LDAP NFSv4Name: andros@citi.umich.eduuidNumber: 10075

10

23975

v4 Domain: citi.umich.eduK5 Realm: CITI.UMICH.EDUDNS Domain: citi.umich.edu

LDAP NFSv4Name:andros@citi.umich.eduuidNumber: 23975 uid: andros

andros@citi.umich.edu

andros@citi.umich.edu

andros@citi.umich.edu10075

10075:rw

Remote User: Set ACLRemote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName

NFSv4RemoteUser schema available

NFSv4domain name always used

Secure LDAP communication required

Remote User: Get ACLv4 Domain: citi.umich.eduK5 Realm: CITI.UMICH.EDUDNS Domain: citi.umich.edu

LDAP

NFSv4 Client

% getfacl  /tmp/x.c

NFSv4 Server

/tmp/x.c10075:rw

NFSv4Name: andros@citi.umich.eduuidNumber: 10075

IDMAPD

10

IDMAPD

GETATTR

10075andros@citi.umich.edu

andros@citi.umich.edu

andros@citi.umich.edu

23975

23975andros

v4 Domain: arbitrary.domain.orgK5 Realm: TANGENT.REALMDNS Domain: citi.umich.edu

LDAPNFSv4Name: andros@citi.umich.eduuidNumber: 23975 uid: joe

Remote User: Get ACLLDAP mappings required only for POSIX getfacl

NFSv4Name and uidNumber for remote user

uid (local user name) for remote user

nfsv4_getfacl simply displays the on-the-wire ACL name

Secure LDAP not required

Foreign GroupsNeed design requirements

Foreign group names could be assigned a local gid

How does the server resolve foreign membershipCallback to foreign NFSv4 domain

Only resolve with local uid's (no callback)

Pass group list (names) in GSS initialization (a la EPAC)

Other?

Cross Platform ID MappingNS Switch which uses posixAccount is the common denominator

Our cross realm mapping extends NS Switch

Not supported by other implementations

IBM also has a cross realm solution

Any Questions?

http://www.citi.umich.edu/projects

Recommended

Kerberized NFSV4 Setup Tutorial - Rutgers School of ...coe · Kerberized NFSV4 Setup Tutorial Aime Le Rouzic (aime.le-rouzic@bull.net) History Version 1.0 created on june 26, 2007
Documents
i.MX35 Board Initialization and Memory Mapping Using the ...the flow of the Linux booting process. The last section describes the general aspects of memory mapping on the system and
Documents
NFSv4 Enhancements and Best Practices Guide Data ONTAP Implementation (June 2013 Tr-3580)
Documents
Towards more effective mapping strategies for digital musical instruments Patrick McGlynn Linux Audio Conference 2011 National University of Ireland,
Documents
Memory System Case Studies Oct. 28, 2004 Topics P6 address translation x86-64 extensions Linux memory management Linux page fault handling Memory mapping
Documents
pNFS Update A standard for parallel file systems€¦ · Sun/Oracle (Files over NFSv4) U of Michigan/CITI (Linux maint., EMC and Microsoft contracts) DESY – Java-based implementation
Documents
October 2, 2015 pNFS extension for NFSv4 IETF-62 March 2005 Brent Welch welch@panasas.com
Documents
i.MX51 Board Initialization and Memory Mapping Using the Linux … · 2016-11-23 · i.MX51 Board Initialization and Memory Mapping Using the Linux Target Image Builder (LTIB), Rev
Documents
Parallel NFS (pNFS) - DTC · 2012. 8. 16. · IETF NFSv4.1 draft-ietf-nfsv4-minorversion1-10.txt Includes pNFS, sessions/RDMA, directory delegations U.Mich/CITI implÕg Linux client/server
Documents
Implementing Oracle11g Database over NFSv4 from … Oracle11g Database over. NFSv4 from a Shared Backend Storage. ... RAID Group/ Aggregate Storage. Oracle® Home. ... SnapDrive ®
Documents
NFSv4 Test Project - Linux kernel · NFSv4 Test Project Bryce Harrington OSDL ... around NFSv41 by the Linux NFSv4 com-munity. ... We have patches implementing preliminary
Documents
HP-UX 11iv3 Ignite-UX with NFSV4 and SSH Tunnel
Documents
GNU/LinuxGeneric Mapping Tools (GMT)Pythonoeser/LV/LinuxCourse.pdf · GNU/LinuxGeneric Mapping Tools (GMT)Python a basic principle in GNU/Linux and Unix I " Everything is a le!\ I
Documents
P6/Linux Memory System Topics P6 address translation Linux memory management Linux page fault handling memory mapping vm2.ppt CS 105 “Tour of the Black
Documents
SNIA an Overview of NFSv4-3 0
Documents
NFSv4 Protocol Development - SNIA · Upstream (Linus) Linux NFSv4.1 client support Basic client in Kernel 2.6.32 pNFS support (files layout type) in Kernel 2.6.39 Support for the
Documents
Ethical Hacking Module XVIII Linux Hacking. EC-Council Module Objective Why Linux? Compiling Programs in Linux Scanning Networks Mapping Networks Password
Documents
Directory Delegations in NFSv4 CITI University of Michigan Ann Arbor Brian Wickman
Documents
Migrating NFSv3 to NFSv4-Final - NetApp · 2020. 3. 5. · Migrating from NFSv3 to NFSv4 3 of 10 2011 STORAGE NETWORKING INDUSTRY ASSOCIATION Introduction In April 2003, the Network
Documents
i.MX35 Board Initialization and Memory Mapping Using the Linux
Documents