Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.

NFSv4 Administrative Domain
- NFSv4: names, not numbers, on the wire
- NFSv4 domain = unique UID/GID space
- Multiple security realms: Kerberos, PKI certificate authorities (SPKM3)
- Multiple DNS / NIS domains
- Pick one DNS domain to be the NFSv4 domain name
- nfsv4domain is used for the ACL 'who' and for the GETATTR owner and owner_group

NFSv4 Domain (diagram): one NFSv4 domain spanning several security realms (Kerberos V5, X509/SPKM, Kerberos V5) and a DNS domain.

Local NFSv4 Domain: Name to ID
- One-to-one correspondence between UID and NFSv4 domain name
- GSS principal name will differ from NFSv4 domain name
- Kerberos V:
- PKI: OU=US, OU=State, OU=Arbitrary Inc, CN=Joe User =

New LDAP Attributes
- We created a new LDAP object to hold two new LDAP attributes for NFSv4 ID mapping: GSSAuthName and NFSv4Name
- We associate one NFSv4Name attribute with an RFC 2307 NSS-LDAP posixAccount to hold the user's v4 domain name
- We associate multiple GSSAuthNames with a posixAccount to hold the user's multiple GSS principal names
- Attributes are configurable via /etc/idmap.conf

Local Mount: Kerberos V (diagram): NFSv4 client and server in v4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu. The client GSSD uses /etc/krb5.keytab for GSS context creation; the server GSSD makes a secure LDAP call to map the principal. The lookup fails for a machine name, which is mapped to nobody, and the GSS context call succeeds.

Local Mount: Kerberos V Issues
- Distribution of client keytabs? Linux: yes
- With no keytab: allow AUTH_SYS for SETCLIENTID and mount of a Kerberos export; user Kerberos credentials
- Server: maps machine credentials to nobody (mount)
- Client root user: UID 0? Map to machine principal (no password), or map to a per-server root principal (with password)

Local Principal: Kerberos V
- New Linux kernel keyring service enables kernel Kerberos credential storage and PAG-like behaviour
- NSSwitch ID mapping (LDAP posixAccount): getpwid on the principal portion assumes UNIX name (posixAccount uid) == K5 principal
- UMICH LDAP ID mapping: GSSAuthName attribute added to the LDAP posixAccount to associate it with uidNumber
- Server GSSD principal mapping failure = context creation failure

Local Principal: Kerberos V (diagram): the user runs % kinit on the NFSv4 client (v4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu); the client GSSD reads the credential cache /tmp/krb5cc_UID and starts GSS context creation; the server GSSD makes a secure LDAP call that returns the principal's uidNumber and gidNumber (10), and GSS context creation succeeds.

Local User: Set ACL issues
- Client setfacl POSIX interface uses UID/GID across the kernel boundary (NS Switch)
- Two name mapping calls: NSS posixAccount name; NFSv4Name attribute added to the LDAP posixAccount to associate the full NFSv4 name with uidNumber
- New Linux nfs4_setfacl interface passes string names across the kernel boundary: no local name to ID mapping needed

Local User: Set ACL (diagram): % setfacl -m u:joe:rw /tmp/x.c on the NFSv4 client (v4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu); IDMAPD resolves uid joe to its uidNumber (1010 in the diagram) and its NFSv4Name via LDAP, the name joe goes on the wire in SETATTR, and the server maps it back to the ACL entry 10098:rw on /tmp/x.c.

Local User: Get ACL issues
- Client getfacl POSIX interface uses UID/GID across the kernel boundary (NS Switch)
- NS Switch posixAccount: uid is displayed
- Two name mapping calls
- New Linux nfs4_getfacl interface passes string names across the kernel boundary

Local User: Get ACL (diagram): % getfacl /tmp/x.c on the NFSv4 client (v4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu); the server holds the ACL entry 10098:rw on /tmp/x.c and returns the name joe in GETATTR; client IDMAPD maps the NFSv4Name to uidNumber (1010 in the diagram) via LDAP, and NS Switch displays uid joe.

Kerberos V X-Realm and Linux NFSv4
- X-realm GSS context initialization just works
- GSSAuthName and NFSv4Name can hold remote user names
- Need to add a posixAccount with GSSAuthName for UID/GID mapping of the remote user
- Set the posixAccount shell to /dev/null for NFSv4 remote access without local machine access
- Secure LDAP communication required

Remote Kerberos V Principal (diagram): as in the local principal case, % kinit on the client, GSS context creation from /tmp/krb5cc_UID, a secure LDAP call by the server GSSD returning uidNumber and gidNumber (10), and GSS context creation succeeds; here the two sides are in different domains, one with v4 domain arbitrary.domain.org, K5 realm TANGENT.REALM, DNS domain citi.umich.edu and the other with v4 domain citi.umich.edu, K5 realm CITI.UMICH.EDU, DNS domain citi.umich.edu.

Remote User: Set ACL (diagram): % setfacl -m u:andros:rw /tmp/x.c on the NFSv4 client; client IDMAPD looks up uid andros in LDAP to obtain uidNumber and NFSv4Name, the name andros goes on the wire in SETATTR, and the server's LDAP maps the NFSv4Name to a uidNumber for the :rw ACL entry on /tmp/x.c. The two sides are in v4 domain arbitrary.domain.org (K5 realm TANGENT.REALM, DNS domain citi.umich.edu) and v4 domain citi.umich.edu (K5 realm CITI.UMICH.EDU, DNS domain citi.umich.edu).

Remote User: Set ACL
- Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName
- NFSv4RemoteUser schema available
- NFSv4domain name always used
- Secure LDAP communication required

Remote User: Get ACL (diagram): % getfacl /tmp/x.c on the NFSv4 client in v4 domain citi.umich.edu (K5 realm CITI.UMICH.EDU, DNS domain citi.umich.edu); the server in v4 domain arbitrary.domain.org (K5 realm TANGENT.REALM, DNS domain citi.umich.edu) holds the ACL entry 10075:rw and its LDAP maps uidNumber to NFSv4Name, the name andros is returned in GETATTR, and client IDMAPD maps it back to a uidNumber (1010 in the diagram) whose LDAP entry carries uid joe for display.

Remote User: Get ACL
- LDAP mappings required only for POSIX getfacl: NFSv4Name and uidNumber for the remote user; uid (local user name) for the remote user
- nfsv4_getfacl simply displays the on-the-wire ACL name
- Secure LDAP not required
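The following is an added example, not code from the slides or from the CITI implementation. It models the mapping steps described on the "New LDAP Attributes", "Local Principal", "Set ACL", "Get ACL" and "Remote User" slides as a small idmapd-style mapper: a posixAccount carries one NFSv4Name and several GSSAuthName values, the server GSSD maps an authenticated principal to uidNumber/gidNumber (machine principals to nobody, unknown user principals to a failure), SETATTR and GETATTR carry user@nfsv4domain names that are mapped to and from uidNumber, and nfs4_getfacl shows the wire name without any client-side lookup. The LDIF content, the objectClass spelling, the config key names and the directory search are all constructed for this example; the real daemon reads its settings from /etc/idmap.conf and talks to an LDAP server.

```python
"""Toy idmapd-style mapper using the GSSAuthName / NFSv4Name attributes
from the slides.  Added example, not CITI code: the LDIF content, the
objectClass spelling and the config key names are constructed."""

NOBODY_UID, NOBODY_GID = 65534, 65534

# Which LDAP attributes carry what.  Key names are hypothetical stand-ins
# for the configurable settings in /etc/idmap.conf that the slide mentions.
IDMAP_CONF = {
    "gss_principal_attr": "GSSAuthName",   # one value per GSS principal
    "nfsv4_name_attr": "NFSv4Name",        # exactly one per posixAccount
    "uid_attr": "uidNumber",
    "gid_attr": "gidNumber",
    "unix_name_attr": "uid",
}

# Constructed LDIF.  joe is a local user with two Kerberos principals;
# andros is a remote-realm user given a posixAccount with loginShell
# /dev/null (X-realm slide) so he gets NFS access but no local login.
SAMPLE_LDIF = """\
dn: uid=joe,ou=People,dc=arbitrary,dc=domain,dc=org
objectClass: posixAccount
objectClass: NFSv4RemoteUser
uid: joe
uidNumber: 10098
gidNumber: 1010
loginShell: /bin/sh
NFSv4Name: joe@arbitrary.domain.org
GSSAuthName: joe@TANGENT.REALM
GSSAuthName: joe/admin@TANGENT.REALM

dn: uid=andros,ou=People,dc=arbitrary,dc=domain,dc=org
objectClass: posixAccount
objectClass: NFSv4RemoteUser
uid: andros
uidNumber: 10075
gidNumber: 1010
loginShell: /dev/null
NFSv4Name: andros@citi.umich.edu
GSSAuthName: andros@CITI.UMICH.EDU
"""

def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines, no base64 values):
    returns a list of entries, each a dict attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

DIRECTORY = parse_ldif(SAMPLE_LDIF)

def ldap_search(attr, value):
    """First entry whose multi-valued attribute `attr` contains `value`."""
    return next((e for e in DIRECTORY if value in e.get(attr, [])), None)

def principal_to_ids(principal):
    """Server GSSD: map an authenticated GSS principal to (uid, gid).
    A lookup miss for a machine principal maps to nobody (the mount case
    on the Local Mount slide); a miss for a user principal returns None,
    which the slides equate with GSS context creation failure."""
    e = ldap_search(IDMAP_CONF["gss_principal_attr"], principal)
    if e is None:
        is_machine = principal.split("@", 1)[0].startswith("host/")
        return (NOBODY_UID, NOBODY_GID) if is_machine else None
    return int(e[IDMAP_CONF["uid_attr"]][0]), int(e[IDMAP_CONF["gid_attr"]][0])

def uid_to_nfsv4_name(uid):
    """Outbound IDMAPD step: uidNumber -> NFSv4Name, so the ACL 'who' or
    owner goes on the wire as user@nfsv4domain, never as a number."""
    e = ldap_search(IDMAP_CONF["uid_attr"], str(uid))
    return None if e is None else e[IDMAP_CONF["nfsv4_name_attr"]][0]

def nfsv4_name_to_uid(name):
    """Inbound IDMAPD step (server SETATTR / client GETATTR):
    NFSv4Name -> uidNumber.  A remote user's name keeps its own
    nfsv4domain, so no domain rewrite is attempted."""
    e = ldap_search(IDMAP_CONF["nfsv4_name_attr"], name)
    return None if e is None else int(e[IDMAP_CONF["uid_attr"]][0])

def posix_getfacl_entry(server_uid, perms):
    """POSIX getfacl round trip: server uid -> wire name -> client
    uidNumber -> NS Switch login name for display (two mapping calls)."""
    uid = nfsv4_name_to_uid(uid_to_nfsv4_name(server_uid))
    e = None if uid is None else ldap_search(IDMAP_CONF["uid_attr"], str(uid))
    return None if e is None else f"user:{e[IDMAP_CONF['unix_name_attr']][0]}:{perms}"

def nfs4_getfacl_entry(server_uid, perms):
    """nfs4_getfacl path: the on-the-wire name is shown as-is, with no
    LDAP mapping on the client."""
    return f"A::{uid_to_nfsv4_name(server_uid)}:{perms}"
```

Because both sides of the toy consult the same in-memory directory, the remote user andros resolves on the server through the NFSv4Name he was given in the local directory, which is exactly the posixAccount-with-GSSAuthName arrangement the X-realm slide calls for; an unknown name or principal yields None rather than a guessed ID, matching the slide's "mapping failure = context creation failure".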

Foreign Groups
- Need design requirements
- Foreign group names could be assigned a local gid
- How does the server resolve foreign membership? Callback to the foreign NFSv4 domain; only resolve with local uids (no callback); pass the group list (names) in GSS initialization (a la EPAC); other?

Cross Platform ID Mapping
- NS Switch, which uses posixAccount, is the common denominator
- Our cross-realm mapping extends NS Switch; not supported by other implementations
- IBM also has a cross-realm solution

Any Questions?