Monday, August 10, 2009

Kerberized NFSv4 support

Introduction

Assuming we have successfully managed to integrate our Linux Box with Active Directory (see my previous post), we can try other features - like Kerberized NFS.

1. Client/Server common tasks

To support NFSv4 with Kerberos security, we also need to generate service principal for NFS:

[root@dorado_v1 root]# net -U administrator ads keytab add nfs
Also make sure that
# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
.. in your /etc/sysconfig/nfs configuration file (to make sure the GSS subsystem is properly started)

2. Server tasks

  1. Configure NFS share like this (note the second line limiting allowed security types):
    /mnt      192.168.0.0/16(rw,fsid=0,crossmnt)
    /mnt/share1   192.168.0.0/16(sec=none:krb5:krb5i:krb5p,rw,crossmnt)
  2. Make sure rpc.svcgssd daemon is successfully started and running
If you intend to use NetApp NAS as the NFSv4 server, all you need is to follow the wizard to join NetApp to Active Directory and configure some CIFS shares. Once this is done, finish the setup for Kerberized NFS:
  • Setup NFS for Kerberos on the NetApp following this article
  • Setup Kerberos ready NFS share like this: 
    /vol/vol0/home  -sec=sys:krb5:krb5i:krb5p,rw
    Note that if you export /vol/vol0 as well, you must allow Kerberos security for it, too
  • Make sure NFSv4 is enabled on the filer: 
    nfs.v4.enable                on
    • And that's it...

    3. Client tasks

    It is important, that the rpc.gssd service is running on the NFS client. As of nfs-utils <= 1.1 rpc.gssd looks for the nfs/ principal on startup to access AD and to obtain the TGT to use when dealing with the NFS server.

    Now this principal is treated as a user principal (we use it to obtain TGT) so UPN attribute must be set for the machine account in AD in order to make rpc.gssd happy:

  • Start ADSIEDIT
  • Navigate to the Active Directory computer object that was created when NET ADS JOIN was run
  • Right click the computer object
  • Select Properties
  • Select userPrincipalName Attribute
  • Edit the attribute to set the nfs/hostFDQN@KERBEROS.REALM value.For example (in our case) nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM

    • Verify the ticket availability:

    [root@dorado_v1 /]# klist -k | grep nfs
    4 nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM
    4 nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM
    4 nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM
    4 nfs/dorado_v1.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
    4 nfs/dorado_v1.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
    4 nfs/dorado_v1.prague.s3group.com@PRAGUE.AD.S3GROUP.COM

    Note:For Windows server 2008 omit the Kerberos realm in the UPN attribute (use just nfs/hostFDQN), otherwise it will not work

    Setup the OS

    [root@dorado_v1 /]# service rpcgssd start

    Verify the service rpcgssd got the ticket right:

    [root@dorado_v1 /]# tail -300 /var/log/messages
    Feb 13 11:39:12 dorado_v1 rpc.gssd[4723]: Using keytab file '/etc/krb5.keytab'
    Feb 13 11:39:12 dorado_v1 rpc.gssd[4723]: Processing keytab entry for principal 'nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM'
    Feb 13 11:39:12 dorado_v1 rpc.gssd[4723]: We will use this entry (nfs/dorado_v1@PRAGUE.AD.S3GROUP.COM)
    ...
    Feb 13 11:39:12 dorado_v1 rpc.gssd[4723]: Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_PRAGUE.AD.S3GROUP.COM'

    Note: rpc.gssd as of nfs-utils >= 1.1 can be started with the -n parameter which makes rpc.gssd to use Kerberos cache instead of the krb5.keytab file. The advantage of this parameter is, that we can create the necessary TGT for the NFS client using the machine account credentials already present in the keytab file: 

    dorado_v1# kinit -k dorado_v1$
    Where dorado_v1$ is our machine credential. This way is a bit cleaner as no UPN needs to be set in AD (and besides, setting UPN in AD manually might break Samba functionality).

    User access to the mounted share

    Any user wanting to access an already mounted share must have a valid Ticket Granting Ticket with the des-cbc-crc encryption, otherwise the access will fail:

    [ondrejv@dorado_v1 ~]$ klist -c -e
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2527)


    Kerberos 4 ticket cache: /tmp/tkt2527
    klist: You have no tickets cached
    [ondrejv@dorado_v1 ~]$ ls -l /mnt/test
    ls: /mnt/test: Access denied
    [ondrejv@dorado_v1 ~]$ kinit
    Password for ondrejv@PRAGUE.AD.S3GROUP.COM:
    [ondrejv@dorado_v1 ~]$ klist -c -e
    Ticket cache: FILE:/tmp/krb5cc_2527
    Default principal: ondrejv@PRAGUE.AD.S3GROUP.COM

    Valid starting     Expires            Service principal
    02/16/09 14:28:25  02/17/09 00:28:33  krbtgt/PRAGUE.AD.S3GROUP.COM@PRAGUE.AD.S3GROUP.COM
    renew until 02/17/09 14:28:25, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5


    Kerberos 4 ticket cache: /tmp/tkt2527
    klist: You have no tickets cached
    [ondrejv@dorado_v1 ~]$ ls -l /mnt/test
    celkem 4
    -rw-r--r-- 1 ondrejv silicon 0 úno 13 10:54 test.txt
    [ondrejv@dorado_v1 ~]$
    Posted by at

    2 comments:

    1. UnknownSeptember 24, 2009 at 8:36 PM

      Back in January, you discussed an issue on the autofs mailing list with subject: auto.master in ldap + simple bind

      You said you opened a RedHat case about it (case #1887566). What was the outcome of that?

      I am getting the same kinds of errors ( like: The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism DIGEST-MD5 failed, but with GSSAPI (even thought the ticket is obtained successfully)

      any help appreciated!

      ReplyDelete
    2. JeffFebruary 2, 2010 at 1:25 PM

      I'm trying to do this with a pre-2003r2 domain. Do you know if it's possible?

      Also, did you set up anything special on the NetApp? What settings did you use?

      The problem I'm encountering is that any files I create on the netapp get mapped to the guest user.

      Thanks so much!

      ReplyDelete

    Subscribe to: Post Comments (Atom)