Difference between revisions of "Cool Solution - NFS with UCS"

From Univention Wiki

= Create a share =

To create a share use the [http://docs.univention.de/manual-3.2.html#shares::management UCS documentation].
 
 
= Creation of a "virtual root" folder =

NFSv4 needs a ''virtual root'' folder to export all other files and folders. You can create the folder with the command

<pre>
mkdir /exports
</pre>

Afterwards the root has to be entered into the "/etc/exports" configuration file by adding the following line. The option fsid=0 marks this export as the NFSv4 root that clients see as "/":

<pre>
/exports gss/krb5(rw,sync,fsid=0,insecure,crossmnt,no_subtree_check)
</pre>

= Adding a share =

Multiple steps are needed to add a share, especially if you want to manage it using the UMC.

=== Inclusion of the Directory in the Exports Directory ===

In the first step you link the share into your export directory. To do so, first create the target directory within your exports directory:

<pre>
mkdir /exports/&lt;target&gt;
</pre>

Afterwards add a bind definition to "/etc/fstab" which binds the original directory to the target directory in the exports folder:

<pre>
/&lt;original folder&gt; /exports/&lt;target&gt; none bind 0 0
</pre>

With this entry the directory is bound on every reboot. To bind it without a reboot, issue the following command as root:

<pre>
mount /exports/&lt;target&gt;
</pre>

 
=== Creating the share in the UMC ===

First create an NFSv3 share in the respective UMC module; it will later be turned into an NFSv4 share. The share should be added with the original path "/&lt;original&gt;". Additionally, restrict access to the IP address 0.0.0.0/32. This ensures that no client can mount the NFSv3 share.

You only need this step if you want to auto-mount the home folder using NFSv4. Otherwise you can also proceed manually.

 
=== Adding the share in NFSv4 ===

NFSv4 supports four different authentication and encryption types, which are described below. Choose one of them and copy the respective line into "/etc/exports" (without the trailing comment). Afterwards edit the line as follows:

 
==== Host based Authentication ====

Similar to NFSv3, host based authentication is also supported in NFSv4.

To allow all hosts add:

<pre>
/exports/&lt;target&gt; *(rw,nohide,insecure,no_subtree_check,async)
</pre>

For a specific host, here 10.10.10.10 or master.test.local, the export looks like the following. Please note that not all host/client combinations support DNS based restrictions.

<pre>
/exports/&lt;target&gt; 10.10.10.10(rw,nohide,insecure,no_subtree_check,async)
/exports/&lt;target 2&gt; master.test.local(rw,nohide,insecure,no_subtree_check,async)
</pre>

You can also offer access to your shares based on a subnet:

<pre>
/exports/&lt;target&gt; 10.0.0.0/8(rw,nohide,insecure,no_subtree_check,async)
</pre>

IPv6 is possible in the same manner.

 
==== Kerberos Authentication ====

To authenticate users using Kerberos, use gss/krb5 as the security option. The result is the following:

<pre>
/exports/&lt;target&gt; gss/krb5(rw,nohide,insecure,no_subtree_check,async)
</pre>

==== Data integrity ====

If you want to provide data integrity on top of Kerberos user authentication, replace the security option with gss/krb5i, resulting in:

<pre>
/exports/&lt;target&gt; gss/krb5i(rw,nohide,insecure,no_subtree_check,async)
</pre>

==== Encryption ====

The most secure, but also most processor intensive, security mechanism adds encryption on top of authentication and data integrity. If you plan to use the storage for high volume throughput with possibly many users, it might be a good investment to buy a dedicated appliance with hardware encryption support for NFSv4 and Kerberos. To create such a share on a server, change the export line as follows:

<pre>
/exports/&lt;target&gt; gss/krb5p(rw,nohide,insecure,no_subtree_check,async)
</pre>
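As an added example (not part of the original wiki article), the following shell script audits an /etc/exports file for the layout described in the sections above: exactly one fsid=0 virtual root, every share bound below it, and the security level (sys, krb5, krb5i or krb5p) of each client specification, flagging a wildcard host export that does not use Kerberos. The exports content is a constructed sample and the helper name audit_exports is an assumption; on a real server you would pass it the contents of /etc/exports.

```shell
#!/bin/sh
# Added example, not part of the original article: audit /etc/exports for the
# NFSv4 layout described above. Checks performed:
#   1. exactly one export carries fsid=0 (the virtual root, e.g. /exports)
#   2. every other exported path lives below that root
#   3. each client spec is classified by its security level:
#      gss/krb5p (encryption) > gss/krb5i (integrity) > gss/krb5 (auth) > sys (host based)
#   4. a wildcard "*" client spec without Kerberos is flagged
# audit_exports is an assumed helper name; it prints one finding per line and
# returns 1 if an ERROR was found.

# Constructed sample /etc/exports content for the demonstration.
SAMPLE_EXPORTS='
# virtual root and three shares (constructed sample)
/exports gss/krb5(rw,sync,fsid=0,insecure,crossmnt,no_subtree_check)
/exports/home gss/krb5p(rw,nohide,insecure,no_subtree_check,async)
/exports/public *(rw,nohide,insecure,no_subtree_check,async)
/srv/outside 10.0.0.0/8(rw,nohide,insecure,no_subtree_check,async)
'

# usage: audit_exports "$(cat /etc/exports)"
audit_exports() {
    printf '%s\n' "$1" | awk '
    BEGIN { roots = 0; n = 0; bad = 0 }
    /^[ \t]*#/ { next }                # skip comment lines
    NF == 0    { next }                # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {    # one client spec per remaining field
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (opts ~ /(^|,)fsid=0(,|$)/) { roots++; root = path }
            level = "sys"
            if (client == "gss/krb5p") level = "krb5p"
            else if (client == "gss/krb5i") level = "krb5i"
            else if (client == "gss/krb5") level = "krb5"
            if (level == "sys" && client == "*")
                print "WARN " path ": wildcard host export without Kerberos"
            n++; paths[n] = path; levels[n] = level
        }
    }
    END {
        if (roots != 1) {
            print "ERROR: expected exactly one fsid=0 root, found " roots; bad = 1
        }
        for (i = 1; i <= n; i++) {
            if (roots == 1 && paths[i] != root && index(paths[i], root "/") != 1) {
                print "ERROR " paths[i] ": not below virtual root " root; bad = 1
            }
            print "INFO " paths[i] ": security level " levels[i]
        }
        exit bad
    }'
}

audit_exports "$SAMPLE_EXPORTS" || echo "audit reported problems"
```

Run against the constructed sample, the script reports the wildcard export of /exports/public as a warning, the path /srv/outside as an error because it is not bound below /exports, and the security level of every share; the exit status is non-zero whenever an error was found, so the function can be used in a pre-deployment check.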
 
 
 
= Kerberos Keys =

The roll-out of the Kerberos keys differs for Samba 3 and Samba 4 domains. When updating from Samba 3 to Samba 4 you will have to redo the key creation.
 
 
 
== Samba 4 Domain ==

Samba 4 has a different way of managing service principals. Since UCS 3.1 they can be managed using samba-tool on any Samba DC:

<pre>
samba-tool spn add nfs/<nfs-server or client host>.$(hostname -d)/$(hostname -d) <nfs-server or client host>\$
</pre>
 
 
 
On the respective servers you can then extend the keytab with the following commands. The key version number (kvno) is read from the host's LDAP object; the machine password is passed to ldapsearch with "-y" from the file so that it does not show up in the process list. The two DES enctypes are cryptographically weak and are only required by legacy clients.

<pre>
kvno=$(ldapsearch -x -LLL -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -h "$(ucr get ldap/master)" -p 7389 "cn=$(hostname)" krb5KeyVersionNumber | sed -n 's/^krb5KeyVersionNumber: //p')
princ="nfs/$(hostname -f)@$(ucr get kerberos/realm)"
for enctype in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc; do
    ktutil add -w "$(cat /etc/machine.secret)" -V "$kvno" -p "$princ" -e "$enctype"
done
</pre>
 
 
 
To automatically change the keys whenever the server changes its password, create a file "/usr/lib/univention-server/server_password_change.d/nfs_keytab_change" with the following content:

<pre>
#!/bin/bash
# Re-key the nfs/ service principal after the machine password changed:
# remove the keys of the previous kvno and add the keys of the current one.
log=/var/log/univention/server_password_change.log

if [ "$1" = "postchange" ]; then
    princ="nfs/$(hostname -f)@$(ucr get kerberos/realm)"
    kvno=$(ldapsearch -x -LLL -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret \
        -h "$(ucr get ldap/master)" -p 7389 "cn=$(hostname)" krb5KeyVersionNumber \
        | sed -n 's/^krb5KeyVersionNumber: //p')
    if [ -z "$kvno" ]; then
        echo "nfs_keytab_change: could not read krb5KeyVersionNumber from LDAP" >> "$log"
        exit 1
    fi
    lkvno=$((kvno - 1))
    for enctype in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc; do
        ktutil remove -V "$lkvno" -p "$princ" -e "$enctype" >> "$log"
        ktutil add -w "$(cat /etc/machine.secret)" -V "$kvno" -p "$princ" -e "$enctype" >> "$log"
    done
fi
</pre>

and make it executable:

<pre>
chmod +x /usr/lib/univention-server/server_password_change.d/nfs_keytab_change
</pre>
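The commands above add the keys for the current key version number and the password change hook removes the keys of the previous one. As an added example (not from the article), the shell function below parses the output of "ktutil list" for the nfs/ principal and reports enctypes that are missing for the expected kvno as well as stale entries of older versions, so the keytab can be verified after a password change. The listing is a constructed sample in Heimdal's column layout; check_keytab and REQUIRED_ENCTYPES are assumed names.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that the keytab
# holds the nfs/ service keys for the expected key version number (kvno).
# Intended input is the output of "ktutil list"; the listing below is a
# constructed sample in Heimdal's column layout (Vno, Type, Principal).
SAMPLE_KEYTAB='FILE:/etc/krb5.keytab

Vno  Type                     Principal
  5  aes256-cts-hmac-sha1-96  host/nfs.example.com@EXAMPLE.COM
  6  aes256-cts-hmac-sha1-96  nfs/nfs.example.com@EXAMPLE.COM
  6  aes128-cts-hmac-sha1-96  nfs/nfs.example.com@EXAMPLE.COM
  5  aes128-cts-hmac-sha1-96  nfs/nfs.example.com@EXAMPLE.COM
'

# Enctypes the server is expected to hold (the DES types from the article
# can be appended if legacy clients still need them).
REQUIRED_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# usage: check_keytab "$(ktutil list)" PRINCIPAL EXPECTED_KVNO "ENCTYPE ..."
# prints MISSING/STALE/AHEAD findings (or OK) and returns 1 on any finding
check_keytab() {
    printf '%s\n' "$1" | awk -v princ="$2" -v kvno="$3" -v want="$4" '
    BEGIN { n = split(want, need, " "); split("", have); bad = 0 }
    $3 == princ {
        if ($1 == kvno)      have[$2] = 1
        else if ($1 < kvno)  { print "STALE " princ " vno " $1 " " $2; bad = 1 }
        else                 { print "AHEAD " princ " vno " $1 " " $2; bad = 1 }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(need[i] in have)) { print "MISSING " princ " vno " kvno " " need[i]; bad = 1 }
        if (!bad) print "OK " princ " vno " kvno " has all required enctypes"
        exit bad
    }'
}

# On a real server, with kvno read from LDAP as in the commands above:
#   check_keytab "$(ktutil list)" "nfs/$(hostname -f)@$(ucr get kerberos/realm)" "$kvno" "$REQUIRED_ENCTYPES"
check_keytab "$SAMPLE_KEYTAB" nfs/nfs.example.com@EXAMPLE.COM 6 "$REQUIRED_ENCTYPES" || echo "keytab needs attention"
```

With the constructed listing and an expected kvno of 6, the function reports the leftover aes128 key of version 5 as STALE (the hook above would have removed it) and returns 1; a keytab that holds exactly the required enctypes for the current version yields OK and exit status 0. An AHEAD finding means the keytab is newer than the kvno read from LDAP, which points at a stale LDAP query rather than a keytab problem.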
 
 
 
== Samba 3 - Heimdal Domain ==

In a Heimdal Kerberos domain you first need to initialize the password for the Kerberos administrative account kadmin/admin. Later you might want to change it back to a long random password, as the account can modify all other passwords.

To change it use the following commands on your DC Master:

<pre>
kadmin -l
passwd kadmin/admin
exit
</pre>

On the DC Master you then have to create the Kerberos keys for each server and client:

<pre>
kinit kadmin/admin
kadmin add -r nfs/nfs-server.domain
kadmin add -r nfs/nfs-client1.domain
</pre>

On the server you can then load the keys with the following:

<pre>
kinit kadmin/admin
ktutil get nfs/nfs-server.domain
</pre>

and in the same manner on the client:

<pre>
kinit kadmin/admin
ktutil get nfs/nfs-client1.domain
</pre>
 
 
 
= Adapting the Configuration Files =

On the NFS server open the UCR template "/etc/univention/templates/files/etc/default/nfs-kernel-server" in your favorite editor and replace

<pre>
NEED_SVCGSSD=
</pre>

with

<pre>
NEED_SVCGSSD=yes
</pre>

and commit the file:

<pre>
ucr commit /etc/default/nfs-kernel-server
</pre>

Likewise open the UCR template "/etc/univention/templates/files/etc/default/nfs-common" and replace the lines

<pre>
NEED_IDMAPD=
NEED_GSSD=
</pre>

with

<pre>
NEED_IDMAPD=yes
NEED_GSSD=yes
</pre>

If you also want to disable NFSv3, change

<pre>
NEED_STATD=
</pre>

to

<pre>
NEED_STATD=no
</pre>

Afterwards you can commit the changes to the real configuration file with the command

<pre>
ucr commit /etc/default/nfs-common
</pre>

From UCS 3.0 and above the following option needs to be set:

<pre>
ucr set nfs/nfsd/nfs4=true
</pre>

Finally restart the server and common services on the NFS server:

<pre>
/etc/init.d/nfs-common restart
/etc/init.d/nfs-kernel-server restart
</pre>

On the client repeat the changes by directly editing "/etc/default/nfs-common".
 
 
 
= Testing your setup =

With the following command you can mount a directory using Kerberos authentication. Please note that "sec=" must match the security option used in the exports file on the server (krb5, krb5i or krb5p), and that you have to use the fully qualified domain name of the server, not just the hostname.

<pre>
mount -t nfs4 nfs-server.domain:/&lt;nfs target&gt; /&lt;local target&gt; -o sec=krb5
</pre>

'''Note''': If the mount command fails, make sure that "/sbin/mount.nfs4" is available on your client. If ''mount.nfs4'' is missing, you can install it through ''nfs-common'':

<pre>
apt-get install nfs-common
</pre>

After successfully mounting the share, a user with a Kerberos ticket should be able to access the directory. To obtain a Kerberos ticket you can either log in as a domain user or issue

<pre>
kinit <Username>
</pre>

as root. Please note that you will only be able to access directories that the Kerberos user could also access directly on the server.
 
 
 
= Automatic Mount =

After a successful test you can mount the share automatically using "/etc/fstab". It is sufficient to add the following line to /etc/fstab:

<pre>
nfs-server.domain:/&lt;nfs target&gt; /&lt;local target&gt; nfs4 sec=krb5 0 0
</pre>

The above mentioned restrictions apply as well.
 
 
 
= Automount Home Directories =

Ubuntu offers a tutorial on how to set up automount, which can also be used for UCC:

[https://help.ubuntu.com/community/Autofs]

[https://help.ubuntu.com/community/AutofsLDAP]
 

Revision as of 09:58, 20 January 2014

The article needs a review after the release and should focus on client configuration for UCS servers and UCC desktops.

Applies to: UCS version 3.2, UCC version 1.0

This article describes the server/client configuration of the Network File System (NFS). Since UCS 3.2, NFSv4 is activated by default (see the UCS 3.2 Release Notes). To disable NFSv4 support, set the Univention Configuration Registry variable nfs/nfsd/nfs4 to false. To activate NFSv4 support in UCS < 3.2, see the corresponding wiki article.