Kerberized NFSv3 incorrect behavior
George Mamalakis
mamalos at eng.auth.gr
Mon Feb 8 17:50:13 UTC 2010
On 08/02/2010 00:34, Rick Macklem wrote:
>
>
> On Sat, 6 Feb 2010, George Mamalakis wrote:
>
>>
>> thank you for all your answers. I am planning on setting up the
>> computer labs of my department using kerberized nfsv3 (since v4 seems
>> to be "more" experimental) with a FreeBSD nfs server and Linux nfs
>> clients. I was wondering "how stable" such an implementation would
>> be; meaning that I wouldn't want to end up with an unstsable setup
>> when receiving requests from 50-60 simultaneous clients, because that
>> would be my everyday scenario.
>>
>
> I believe that the above should be stable, but your mileage may vary, as
> they say. The main issue will be what your TGT lifetime will be, since
> client access to the server will normally stop when the TGT expires. Some
> systems (Mac OS X) will automagically renew the TGT before it expires,
> if your KDC allows that. I don't think most/all Linux systems do this
> by default, but there are some utilities out there (try a search for
> krenew) that will do so.
>
I think that this I can be overcome with a default timeout option in my
shell variables (at least for the 'pilot phase').
> Basically, I think you'll want to avoid TGTs expiring before the user
> logs out. You also need a unique uid<->user principal mapping for all
> users logging in.
I am planning on using LDAP as my backend with kerberos attributes (I
have already setup my ldap like that). To be honest, I have done
something funny. My heimdal's backend is openldap; this LDAP is only for
heimdal access (inside a jail). Then, I have another jail which serves
its openldap instance to all my clients. This ldap (which stores a
totally different DIT then heimdal's LDAP) is kerberized (it uses gssapi
authentication via cyrus-sasl), using the heimdal jail. It's a bit
dramatic, but it seems to work fine-until now-, it seems quite secure,
and allows me to synchronize the heimdal backend easily through openldap
replication. Moreover, keeping the user credentials in ldap helps for
having a generic user/password store for other services I use (like
samba, (for my windows hosts)). So, I use a different ldap attribute for
samba-semantics and another ldap attribute for kerberos. Lastly,
openldap caters for storing uids,gids,home_folder_locations,etc for my
users, where my clients have access to this information via their
respective nsswitch.conf files. I think that this answers your question
regarding uid<->user principal mapping, unless I misunderstood something.
>
> You definitely want to do some testing with whatever Linux system you
> are using for the client.
>
> Good luck with it, rick
> ps: Choosing nfsv3 vs nfsv4 is basically independent of using RPCSEC_GSS
> except for the host based initiator credential needed by some clients
> (Linux and Solaris10 are among those) for NFSv4.
>
To tell you the truth, when I recompiled my kernel with:
options NFSD
options KGSSAPI
device crypto
to setup an nvsv4 server, nfsd refused to start because mountd was
segfaulting. I didn't play much with this setup, because I was in a
hurry, so I commented out NFSD and put back NFSSERVER, to be able to
test my server.
Now a last question: Does gssapi/nfs setup work with the automounter
(bsd/linux nfs-client)?
Thanx again for your answer.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
More information about the freebsd-current
mailing list