Lab 3 - Kerberized NFS4
The third lab teaches how to get NFS4 working with Kerberos.
Before you start remove the file
/etc/krb5.keytab from the previous lab. The instructions below only work with a user keytab as system keytab.
Configure NFS4 Client
Follow the instructions here to configure your test system. When done run the following command to mount the test share prepared for this lab:# mount -t nfs -o nfsvers=4,minorversion=0,sec=krb5p inf.nas.ethz.ch:/fs1201/infk_isg_test /mnt
klist). Now run the following commands:
$ cd /mnt $ touch $USER $ ls -la $USER
nobody or 4294967294).
The file server used is the ITS NAS which is configured to only know users and groups in the Active Directory.
Questions
- Why does the file apparently belong to
nobody? AnswerNFS4 uses names instead of numeric IDs to convey ownership information. Those names are in a format like{user or group}@D.ETHZ.CH@ETHZ.CHand your test system does not yet know how to map these to local users.
Configure the Identity Mapper
Follow the instructions here to configure the identity mapper. Run the following command to flush the internal name mapping cache:# nfsidmap -c
$ ls -la $USER
nobody or 4294967294 as group. Run the following command to change it to the AD group users:
$ chgrp users $USER $ ls -la $USER
$ ls -la
nobody.
Log in to optimus.inf.ethz.ch with your ETH user name and run the following command:
$ ls -la /infnas/infk_isg_test
Questions
- What group does the file actually belong now? AnswerThe group
Domain Users. In the file/etc/idmapd.confthere is a static mapping for the local groupuserstodomain userson the remote server. - What would be needed that you see the correct ownership of all files on your test system?AnswerYour test system would have to be configured to use the AD or our LDAP tree for name services.
optimus.inf.ethz.chis configured this way, that is why there you see all names.
ACLs
ACLs are used to grant more granular access rights for files and directories. A typical scenario is to have a directory with data and give rights to a groups of users. To ensure consistency the rights should be inherited to new files and directories too. Do all the steps below onoptimus.inf.ethz.ch. Start by removing the file with your login as name and replace it with a directory that only you can access:
$ rm /infnas/infk_isg_test/$USER $ mkdir /infnas/infk_isg_test/$USER $ chmod 700 /infnas/infk_isg_test/$USER
nfs4_getfacl command:
$ nfs4_getfacl /infnas/infk_isg_test/$USER
A:fdO:OWNER@:rwaDdxtTnNcCoy A:fdO:GROUP@:tncy A:fdO:EVERYONE@:tncy
/infnas/infk_isg_test. Run the following command to look at the respective ACLs:
$ nfs4_getfacl /infnas/infk_isg_test
Questions
- What could
OWNER@,GROUP@,EVERYONE@mean? AnswerThese ACLs are for the current user and group that owns a file or directory, and all other users. They are partially redundant to the basic file mode but allow more granular rights. - Why are there two rules per
OWNER@,GROUP@,EVERYONE@? AnswerOne ACL is for the actual access to/infnas/infk_isg_testand one is for the inheritance, i.e., the ACL that a newly created file or directory gets.
Domain Users group to your directory, including inheritance:
$ nfs4_setfacl -a 'A:dg:D\domain users@ETHZ.CH:xrtncy' /infnas/infk_isg_test/$USER $ nfs4_setfacl -a 'A:fg:D\domain users@ETHZ.CH:rtncy' /infnas/infk_isg_test/$USER
Question
- What is the difference between these two rules? AnswerThe
rtncystands for read access alone and is sufficient for files. Thexrtncyalso includes execute right which is needed for directories.
$ echo $USER >/infnas/infk_isg_test/$USER/owner $ nfs4_getfacl /infnas/infk_isg_test/$USER/owner
$ mkdir /infnas/infk_isg_test/$USER/more $ nfs4_getfacl /infnas/infk_isg_test/$USER/more
x.
Wait until other workshop participants have also come this far and check if you can read the file owner in their directory:
$ cat /infnas/infk_isg_test/*/owner