Difference between revisions of "Labeled NFS/Demo/UserMapping"
CraigGrube (Talk | contribs) (initial version) |
CraigGrube (Talk | contribs) m (→Host Machine Identity Mapping) |
||
(8 intermediate revisions by the same user not shown) | |||
Line 16: | Line 16: | ||
== on the Client == | == on the Client == | ||
− | * | + | * PAM is used to authenticate users, which is configured to use Kerberos. |
− | * | + | * Kerberos credentials are associated with a username, which require the correct password to be accessed. |
− | + | ||
== on the Server == | == on the Server == | ||
Line 30: | Line 29: | ||
* Examine /etc/idmapd.conf to find how where to do user translations | * Examine /etc/idmapd.conf to find how where to do user translations | ||
− | ** indicates nsswitch | + | ** Default configuration indicates nsswitch |
* Examine /etc/nsswitch.conf to find out what to use for translations | * Examine /etc/nsswitch.conf to find out what to use for translations | ||
− | ** indicates LDAP for user info and auto-mounting | + | ** Default configuration indicates LDAP for user info and auto-mounting |
* User enters user-name, look up user-name on LDAP server | * User enters user-name, look up user-name on LDAP server | ||
** returns UID, GID, shell, home directory path | ** returns UID, GID, shell, home directory path | ||
* Mount users NFS home directory using the LDAP values for path, UID, GID, etc... | * Mount users NFS home directory using the LDAP values for path, UID, GID, etc... | ||
− | * | + | * Complete user login |
== on the NFS Server == | == on the NFS Server == | ||
Line 47: | Line 46: | ||
server. The realm structure can be more complicated, but in this | server. The realm structure can be more complicated, but in this | ||
example, the network user-name matches the Kerberos principal of | example, the network user-name matches the Kerberos principal of | ||
− | user-name@REALM (e.g. newuser@ | + | user-name@REALM (e.g. newuser@EXAMPLE.COM). |
== Authentication Service, Server Side == | == Authentication Service, Server Side == | ||
Line 60: | Line 59: | ||
== Authentication Service, Client Side == | == Authentication Service, Client Side == | ||
− | + | Hosts can be configured using | |
− | authentication-tui | + | authentication-tui and checking a box |
− | to turn on Kerberos authentication. | + | to turn on Kerberos authentication. |
+ | |||
+ | Below that, what was | ||
actually happening was changes within the /etc/pam.d/system-auth | actually happening was changes within the /etc/pam.d/system-auth | ||
file. This is part of the authentication system on the machines, | file. This is part of the authentication system on the machines, | ||
− | the | + | the Plug-able Authentication Module (PAM). This file was changed so |
that system authentication would additionally use the pam_krb5.so | that system authentication would additionally use the pam_krb5.so | ||
− | library which authenticates a user-name using the Kerberos | + | library which authenticates a user-name using the Kerberos service. |
= Identity Mapping Services = | = Identity Mapping Services = | ||
Line 112: | Line 113: | ||
The client configuration for this file was shown in one of the NFS | The client configuration for this file was shown in one of the NFS | ||
install instruction sections, | install instruction sections, | ||
− | but since 'nsswitch' is the current default for | + | but since 'nsswitch' is the current default for Fedora Core 9, it probably did |
not need to be changed. | not need to be changed. | ||
Line 119: | Line 120: | ||
This configuration file sets the options available, and their order, | This configuration file sets the options available, and their order, | ||
when using the GNU C library API's (e.g. libc.so.6) to lookup user | when using the GNU C library API's (e.g. libc.so.6) to lookup user | ||
− | information. | + | information. authconfig-tui can be run to update the nsswitch.conf file to |
− | + | ||
− | + | ||
indicate that LDAP is to be used for user information on that host. | indicate that LDAP is to be used for user information on that host. | ||
The pertinent changes to include LDAP were to the following nsswitch | The pertinent changes to include LDAP were to the following nsswitch |
Latest revision as of 18:24, 11 December 2008
The network users are mapped between the Kerberos, NFS, and LDAP server and the network hosts (i.e. Kerberos, NFS and LDAP clients) using several different sub-systems. The key to connecting them all is the user-name, the string of text that uniquely identifies an individual on the network. This string is shared across the hosts and between the three servers. The use of user-name can further be broken down between identity authentication and identity mapping services.
The two 'Basic Steps' sections below show the basic authentication and identity mapping steps taken when a user logs on to a client machine. The sections following offer a more detailed explanation of what is going on how the machines were configured to do it.
Contents
Simplified Authentication Steps for User Login
on the Client
- PAM is used to authenticate users, which is configured to use Kerberos.
- Kerberos credentials are associated with a username, which require the correct password to be accessed.
on the Server
- Kerberos server responds to client requests to check the user's password and return credentials.
Note: The password is not sent across the network. It is checked locally on the client using response from the Kerberos server.
Simplified User Mapping Steps
on the Client
- Examine /etc/idmapd.conf to find how where to do user translations
- Default configuration indicates nsswitch
- Examine /etc/nsswitch.conf to find out what to use for translations
- Default configuration indicates LDAP for user info and auto-mounting
- User enters user-name, look up user-name on LDAP server
- returns UID, GID, shell, home directory path
- Mount users NFS home directory using the LDAP values for path, UID, GID, etc...
- Complete user login
on the NFS Server
- NFS server maps user-name and group names to local UID and GID values (i.e. LDAP values are not used).
Identity Authentication Service
The authentication service is provided mainly by the Kerberos server. The realm structure can be more complicated, but in this example, the network user-name matches the Kerberos principal of user-name@REALM (e.g. newuser@EXAMPLE.COM).
Authentication Service, Server Side
The identity of the user-name is authenticated by the Kerberos server interacting with the host machines and the NFS and LDAP servers. Principals are added and deleted on the Kerberos server and it is responsible for checking that a user-name is in fact that user. It then hands out credentials for that user that can in turn be checked by the host machines and the other servers.
Authentication Service, Client Side
Hosts can be configured using authentication-tui and checking a box to turn on Kerberos authentication.
Below that, what was actually happening was changes within the /etc/pam.d/system-auth file. This is part of the authentication system on the machines, the Plug-able Authentication Module (PAM). This file was changed so that system authentication would additionally use the pam_krb5.so library which authenticates a user-name using the Kerberos service.
Identity Mapping Services
The identity information is provided by the NFS and LDAP servers and is mapped using a user-name. LDAP provides the user information necessary for the client hosts to instantiate a user. NFS provides the users' personal files. It provides the files within their home directories.
LDAP Identity
The user-name is used to look up that user-name within the LDAP directory. The LDAP server maps that user-name to the information needed by the host machines to instantiate that user locally. In this example the main information stored is:
- User ID (a unique number identifying the user)
- Groups to which the user-name is a member.
- User's shell
- Path to the user's home directory
- Group information
- Group-name to Group ID (unique group number)
NFS Server User Mapping
The server in this example uses independent User IDs (UIDs) and Group IDs (GIDs). These are associated with user-names and group names on its local system and do not use LDAP provided numerical values for UID/GID. When a client connects to the NFS server, the user-name and group-name values are mapped to the local file system's UID and GIDs.
Host Machine Identity Mapping
The host machines are configured in several different ways in order to map user Identity. One of the first sources is the /etc/idmapd.conf file's Translation section:
[Translation] Method = nsswitch
The client configuration for this file was shown in one of the NFS install instruction sections, but since 'nsswitch' is the current default for Fedora Core 9, it probably did not need to be changed.
/etc/rc.d/nsswitch.conf is the file that configures nsswitch. Nsswitch is the Name Service Switch configuration for the host. This configuration file sets the options available, and their order, when using the GNU C library API's (e.g. libc.so.6) to lookup user information. authconfig-tui can be run to update the nsswitch.conf file to indicate that LDAP is to be used for user information on that host. The pertinent changes to include LDAP were to the following nsswitch subsystems:
- passwod (user,shell,UID,GIDs)
- shadow
- group (group-name<->GID)
- automount