Presentation is loading. Please wait.

Presentation is loading. Please wait.

Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.

Published byMathew Vause Modified over 9 years ago

Similar presentations

Presentation on theme: "Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005."— Presentation transcript:

1 Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005

2 NFSv4 Administrative Domain NFSv4: names not numbers on the wire NFSv4 domain = unique UID/GID space Multiple Security Realms Kerberos, PKI Certificate Authorities (SPKM3) Multiple DNS - NIS domains Pick one DNS domain to be the NFSv4 Domain Name nfsv4domain is used for ACL 'who' and GETTATTR owner and owner_group

3 NFSv4 Domain nnlnnl Kerberos V5 X509/SPKM Kerberos V5 DNS Domain

4 Local NFSv4 Domain: Name to ID One to one correspondence between UID and NFSv4 domain name joe@arbitrary.domain.org GSS Principal name will differ from NFSv4 domain name Kerberos V: joe@ARBITRARY.DOMAIN.ORG PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User Email= joe@arbitrary.domain.org

5 New LDAP Attributes We created a new LDAP object to hold two new LDAP attributes for NFSv4 id mapping GSSAuthName NFSv4Name We associate one NFSv4Name attribute with a RFC 2307 NSS-LDAP posixAccount to hold the users v4 domain name We associate multiple GSSAuthNames with a PosixAccount to hold the users multiple GSS principal names Attributes are configurable via /etc/idmap.conf

6 Local Mount: Kerberos V v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client nfs/host.citi.umich.edu@TANGENT.REALM /etc/krb5.keytab NFSv4 Server GSSD gss context creation nfs/host.citi.umich.edu@TANGENT.REALM Secure LDAP Call FAILS If machine name, map to nobody gss context call succeeds GSSD

7 Local Mount: Kerberos V Issues Distribution of client keytabs? Linux: yes With no keytab: Allow AUTH_SYS for SETCLIENTID and mount of Kerberos export User Kerberos credentials Server: maps machine credentials to nobody (mount) Client root user: UID 0? Map to machine principal (no password) Map to per server root principal (with password)

8 Local Principal: Kerberos V New Linux kernel keyring service enables kernel Kerberos credential storage, and PAG-like behaviour NSSwitch ID mapping (LDAP PosixAccount) getpwid on principal portion assumes UNIX name (posixAccount uid) == K5 principal UMICH LDAP ID mapping GSSAuthName attribute added to LDAP posixAccount to associate with uidNumber Server GSSD principal mapping failure = context creation failure

9 Local Principal: Kerberos V v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client joe@TANGENT.REALM % kinit joe@TANGENT.REALM NFSv4 Server GSSD gss context creation joe@TANGENT.REALM GSSAuthName:joe@TANGENT.REALM uidNumber: 10098 gidNumber: 10 gss context creation succeeds /tmp/krb5cc_UID GSSD secure LDAP call v4 Domain

10 Local User: Set ACL issues Client setfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) Two name mapping calls NSS posixAccount name (no @nfsv4domain) NFSv4Name attribute added to LDAP posixAccount to associate full nfsv4 name with uidNumber New linux nfs4_setfacl interface passes string names across kernel boundary No local name to ID mapping needed

11 Local User: Set ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % setfacl -m u:joe:rw /tmp/x.c NFSv4 Server /tmp/x.c 10098:rw NFSv4Name: joe@arbitrary.domain.org uidNumber: 10098 IDMAPD 1010 uid: joe joe 10098 joe@arbitrary.domain.org SETATTR joe@arbitrary.domian.org 10098

12 Local User: Get ACL issues Client getfacl POSIX interface uses UID/GID across kernel boundary (NS Switch) NS Switch posixAccount: uid is displayed Two name mapping calls New Linux nfs4_getfacl interface passes string names across kernel boundary

13 Local User: Get ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % getfacl /tmp/x.c NFSv4 Server /tmp/x.c 10098:rw NFSv4Name: joe@arbitrary.domain.org uidNumber: 10098 IDMAPD 1010 uid: joe GETATTR 10098 joe@arbitrary.domain.org 10098 joe

14 Kerberos V X-Realm and Linux NFSv4 X-realm GSS context initialization just works GSSAuthName and NFSv4Name can hold remote user names. Need to add posix account with GSSAuthName for UID/GID mapping of remote user Set posixAccount shell to /dev/null for NFSv4 remote access without local machine access Secure LDAP communication required

15 Remote Kerberos V Principal v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client andros@CITI.UMICH.EDU % kinit andros@CITI.UMICH.EDU NFSv4 Server GSSD gss context creation andros@CITI.UMICH.EDU GSSAuthName:andros@CITI.UMICH.EDU uidNumber: 10075 gidNumber: 10 gss context creation succeeds /tmp/krb5cc_UID GSSD secure LDAP call v4 Domain v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu

16 Remote User: Set ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu NFSv4 Client % setfacl -m u:andros:rw /tmp/x.c NFSv4 Server /tmp/x.c andros 23975 SETATTR IDMAPD LDAP NFSv4Name: andros@citi.umich.edu uidNumber: 10075 1010 23975 v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu LDAP NFSv4Name:andros@citi.umich.edu uidNumber: 23975 uid: andros andros@citi.umich.edu 10075 10075:rw

17 Remote User: Set ACL Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName NFSv4RemoteUser schema available NFSv4domain name always used Secure LDAP communication required

18 Remote User: Get ACL v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu LDAP NFSv4 Client % getfacl /tmp/x.c NFSv4 Server /tmp/x.c 10075:rw NFSv4Name: andros@citi.umich.edu uidNumber: 10075 IDMAPD 1010 GETATTR 10075 andros@citi.umich.edu 23975 andros v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4Name: andros@citi.umich.edu uidNumber: 23975 uid: joe

19 Remote User: Get ACL LDAP mappings required only for POSIX getfacl NFSv4Name and uidNumber for remote user uid (local user name) for remote user nfsv4_getfacl simply displays the on-the-wire ACL name Secure LDAP not required

20 Foreign Groups Need design requirements Foreign group names could be assigned a local gid How does the server resolve foreign membership Callback to foreign NFSv4 domain Only resolve with local uid's (no callback) Pass group list (names) in GSS initialization (a la EPAC) Other?

21 Cross Platform ID Mapping NS Switch which uses posixAccount is the common denominator Our cross realm mapping extends NS Switch Not supported by other implementations IBM also has a cross realm solution

22 Any Questions? http://www.citi.umich.edu/projects

Download ppt "Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005."

Similar presentations

The following is intended to outline our general product direction

The following is intended to outline our general product direction
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Secure Network Performance Testing using SeRIF Dr. Charles J. Antonelli Center for Information Technology Integration University of Michigan Winter 2006.

Secure Network Performance Testing using SeRIF Dr. Charles J. Antonelli Center for Information Technology Integration University of Michigan Winter 2006.
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.

Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Nfsv4 and linux peter honeyman linux scalability project center for information technology integration university of michigan ann arbor.

Nfsv4 and linux peter honeyman linux scalability project center for information technology integration university of michigan ann arbor.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.

Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.
Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.

Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.
Implementing and Administering AD FS

Implementing and Administering AD FS
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.

Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
15.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

15.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CS603 Active Directory February 1, 2001.

CS603 Active Directory February 1, 2001.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Remote Name Mapping Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan.

Remote Name Mapping Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan.

Similar presentations

Ads by Google