Remote Name Mapping Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan.

Slides:



Advertisements
Similar presentations
Security Issues in Mobile Code Systems David M.Chess, High Integrity Computing Lab, IBM T.J. Watson Research Center Hawthorne, NY, USA Mobile code systems.
Advertisements

CN Objectives of the course To build and maintain a UNIX-based Network Systems & Servers Install Linux, fine tune the system, enable required server,
Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.
Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Nfsv4 and linux peter honeyman linux scalability project center for information technology integration university of michigan ann arbor.
Access Control Chapter 3 Part 3 Pages 209 to 227.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
LDAP and Kerberos: An Overview Leveraging services provided by Active Directory for Unix/Linux authentication, authorization and name services Jason Testart.
Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.
3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
CS603 Active Directory February 1, 2001.
Challenges Running an NFSv4- backed OSG Cluster Kevin Coffman Center for Information Technology Integration University of Michigan.
3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Naming Names in computer systems are used to share resources, to uniquely identify entities, to refer to locations and so on. An important issue with naming.
Naming And Directory Services Geetika Sharma 09/22/200 8 CSC8320.
By Karan Oberoi.  A directory service (DS) is a software application- or a set of applications - that stores and organizes information about a computer.
Understanding Active Directory
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.
Active Directory at the University of Michigan Data Population and Kerberos Interoperability MaryBeth Stuenkel LAN/NOS/Groupware Services.
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Introduction to Active Directory December 10th, pm Daniels 407.
BZUPAGES.COM An Introduction to. BZUPAGES.COM Introduction Large corporations today face the following problems Finding a certain file. Seeing everything.
Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation.
Session 6 Windows Platform Dina Alkhoudari. Learning Objectives What is Active Directory Logical components of active directory Physical components of.
Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.
Module 9: Active Directory Domain Services. Overview Describe new features in AD DS List manageability and reliability enhancements in AD DS.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Java Naming and Directory Interfaces. A naming service is an entity that performs the following tasks:  It associates names with objects. Similar to.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.
Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.
Microsoft’s Roles Based Authorization Manager CSG, May 2004.
Practical Distributed Authorization for GARA Andy Adamson and Olga Kornievskaia Center for Information Technology Integration University of Michigan, USA.
By Rashid Khan Lesson 6-Building a Directory Service.
Institutional Data Flows at MIT Paul B. Hill CSG, May 1999.
1 Active Directory Administration Tasks And Tools Active Directory Administration Tasks Active Directory Administrative Tools Using Microsoft Management.
CSCI 530 Lab Authorization. Review Authentication: proving the identity of someone Passwords Smart Cards DNA, fingerprint, retina, etc. Authorization:
GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.
FROM MIT KERBEROS TO MICROSOFT ACTIVE DIRECTORY The Pennsylvania State University’s move from a lower case MIT Kerberos realm to a Standard Microsoft Active.
Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.
Introduction to Active Directory
Active Directory CNS 4650 Fall 2004 Rev. 2. Active Directory Introduced with Windows 2000 Server X.500 based Can emulate NT-style network environments.
Hussain Ali Department of Computer Engineering KFUPM, Dhahran, Saudi Arabia Active Directory.
LDAP Namespace CNS 4650 Fall 2004 Rev. 2. What is a namespace? Different from XML, C++, Java, etc. Names permitted and used in a directory Can include.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA.
CEG 2400 Fall 2012 Directory Services Active Directory Tree Domain.
Windows 2003 Architecture, Active Directory & DNS Lecture # 3 Hassan Shuja 02/14/2006.
Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:
1 Introduction to Active Directory Directory Services Uniquely identify users and resources on a network Provide a single point of network management.
CS Tellabs Group Sherlock! What’s happening in the coding phase...
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Role-based authentication framework for enterprise Vishal Kher Yongdae Kim Friday, November 19, 2004.
Kernel Key Management. Red Hat: Kernel Key Management Kernel Key Management Overview Designed to hold keys ready for fast use by kernel services ● Mainly.
Grid Security.
Filesystem Caching (FS-Cache)
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain.
SSSD for Linux Authentication with Active Directory
UNIX System Protection
Preventing Privilege Escalation
Network File System (NFS)
Presentation transcript:

Remote Name Mapping Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan

NFSv4 Administrative Domain Multiple DNS domains Multiple Security Realms Kerberos, PKI Certificate Authorities (SPKM3) NFSv4 domain = unique UID/GID namespace Pick one DNS domain to be the NFSv4 Domain Name ACL 'who' and GETTATTR owner and owner_group

Local NFSv4 Domain Name to ID One to one correspondence between UID and NFSv4 domain name GSS Principal name will differ from NFSv4 domain name Kerberos V: PKI: OU=US, OU=State, OU= Arbitrary Inc, CN = Joe User =

Local Mount: Kerberos V v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client /etc/krb5.keytab NFSv4 Server GSSD gss context creation Secure LDAP Call FAILS If machine name, map to nobody gss context call succeeds GSSD

Local Mount: Kerberos V Issues Distribution of client keytabs Client service name UID/GID mapping for client machine principals? Related issue: Client root user Map to machine principal Map to root principal Map to nobody other

Local Principal: Kerberos V v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % kinit NFSv4 Server GSSD gss context creation uidNumber: gidNumber: 10 gss context creation succeeds /tmp/krb5cc_UID GSSD secure LDAP call v4 Domain

Local Principal: Kerberos V Issues Where to put kinit credentials for client GSSD /tmp/krb5cc_UID getpwid on principal portion assumes UNIX name (posixAccount uid) == K5 principal Current code, getpwid => LDAP query GSSAuthName attribute added to posixAccount to associate with uidNumber Server GSSD principal mapping failure = contest creation failure

Local User: Set ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % setfacl -m u:joe:rw /tmp/x.c NFSv4 Server /tmp/x.c 10098:rw NFSv4Name: uidNumber: IDMAPD 1010 uid: joe joe SETATTR 10098

Local User: Set ACL issues setfacl POSIX interface uses UID/GID across kernel boundary LDAP posixAccount: uid is mapped need a local name two name mapping calls LINUX nfs4_setfacl interface passes string names across kernel boundary no local name needed

Local User: Get ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % getfacl /tmp/x.c NFSv4 Server /tmp/x.c 10098:rw NFSv4Name: uidNumber: IDMAPD 1010 uid: joe GETATTR joe

Local User: Get ACL issues getfacl POSIX interface uses UID/GID across kernel boundary LDAP posixAccount: uid is displayed two name mapping calls LINUX nfs4_getfacl interface passes string names across kernel boundary

Kerberos V X-Realm and Linux NFSv4 X-realm GSS context initialization just works Need to add GSSAuthName and UID/GID mapping for remote user NFSv4RemoteUser schema can be used instead of posixAccount NFSv4 remote access without local machine access mount from remote machine: mapping library needs to recognize service portion of name Secure LDAP communication required

Remote Kerberos V Principal v4 Domain v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4 Client % kinit NFSv4 Server GSSD gss context creation uidNumber: gidNumber: 10 gss context creation succeeds /tmp/krb5cc_UID GSSD secure LDAP call v4 Domain v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu

Remote User: Set ACL v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu NFSv4 Client % setfacl -m u:andros:rw /tmp/x.c NFSv4 Server /tmp/x.c andros SETATTR IDMAPD LDAP NFSv4Name: uidNumber: v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu LDAP uidNumber: uid: andros :rw

Remote User: Set ACL Remote realm: associate NFSv4Name with uidNumber, gidNumber, and GSSAuthName NFSv4RemoteUser schema available NFSv4domain name always used Secure LDAP communication required

Remote User: Get ACL v4 Domain: citi.umich.edu K5 Realm: CITI.UMICH.EDU DNS Domain: citi.umich.edu LDAP NFSv4 Client % getfacl /tmp/x.c NFSv4 Server /tmp/x.c 10075:rw NFSv4Name: uidNumber: IDMAPD 1010 GETATTR andros v4 Domain: arbitrary.domain.org K5 Realm: TANGENT.REALM DNS Domain: citi.umich.edu LDAP NFSv4Name: uidNumber: uid: joe

Remote User: Get ACL LDAP mappings required only for POSIX getfacl NFSv4Name and uidNumber for remote user uid (local user name) for remote user nfsv4_getfacl simply displays the on-the-wire ACL name Secure LDAP not required

Any Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.