Network File System (NFS) is one of the most widely used distributed file systems. It allows users on client machines to access remote files as if they were on the local machine. Such a distributed environment normally consists of multiple NFS domains, and an NFS client may belong to a domain that differs from the NFS server's domain. In this case, the local NFS server and client need a method to translate users and groups in a foreign domain to the corresponding users and groups in the local domain. This method is called Identity Mapping and is handled by the nfsrgyd NFS daemon.
The current AIX NFSv4 implementation uses Kerberos to provide enhanced security. In practice, the NFS domains may be configured with different Kerberos realms (administrative domains), so a cross-realm setup among the Kerberos realms is needed. For more information on cross-realm setup in NFSv4, refer to the Securing NFS in AIX: An Introduction to NFS V4 in AIX 5L Version 5.3 Redbook (see Resources).
This article describes the steps to configure Enterprise Identity Mapping (EIM) technology for AIX NFS version 4 over a Kerberos cross-realm setup. IBM NAS (Network Authentication Service) is the IBM version of Kerberos on AIX. This article covers setting up an NFSv4 server with Kerberos authentication, setting up cross-realm configuration among Kerberos realms, and then configuring EIM for foreign identity mapping for NFSv4.
Overview of Enterprise Identity Mapping (EIM)
AIX provides foreign identity mapping using EIM, an LDAP-based technology for managing multiple user registries in an organization. For identity mapping in NFSv4, EIM stores the user and group names of foreign NFS domains and their mapping to local user and group names.
For example, consider a scenario in which the NFS client is in the us.ibm.com NFS domain and the NFS server is in the in.ibm.com domain.
When a UNIX® user, user2, from group group2 on the NFS client accesses a file in an NFS-mounted directory, the ownership information of user2 is passed as user2@us.ibm.com and group2@us.ibm.com.
Now the NFS server detects that the request is from the foreign domain and consults the EIM server for the foreign identity mapping information. To resolve this request correctly, the EIM administrator has to store the following foreign identity mapping information on the EIM server.
| User | Domain |
|---|---|
| user2 | us.ibm.com |
| user1 | in.ibm.com |
where user1 and user2 are two identities of the same user (nfs_user) in different NFS domains.
| Group | Domain |
|---|---|
| group2 | us.ibm.com |
| group1 | in.ibm.com |
where group1 and group2 are two identities of the same group (nfs_group) in different NFS domains.
The NFS server understands that user2 in the us.ibm.com domain is the same as user1 in the in.ibm.com domain and that group2 in us.ibm.com is the same as group1 in in.ibm.com. Thus, the NFS server accesses the file as user1:group1, while on the NFS client the file ownership is shown as user2:group2.
When NFSv4 uses the AUTH_KERB (Kerberos) security flavor, the ownership information is passed from the NFS client to the server as principal@kerberos_realm, which the NFS server then converts to native credentials (uid:gid). In this case, for identity mapping to succeed, the EIM administrator also has to store the Kerberos realm to NFS domain mapping in the EIM server.
The following example setup is used throughout this article to demonstrate the configuration.
Figure 1. Example setup

Listing 1. Machine details of example setup

```
AIX NAS 1.4 (KDC) and AIX NFS V4 server and EIM Client:
    Hostname                 : vayu08.in.ibm.com
    NFS domain name          : in.ibm.com
    Realm name               : REALM_1
    Operating system         : AIX 6.1.0.0
    IBM NAS admin principal  : admin/admin
    NFS V4 Server principal  : nfs/vayu08.in.ibm.com
    IBM NAS user principal   : user1
    Unix users               : user1:group1

AIX NAS 1.4 (KDC) and EIM server:
    Hostname                 : vayu07.in.ibm.com
    NFS domain name          : us.ibm.com
    Realm Name               : REALM_2
    Operating system         : AIX 6.1.0.0
    IBM NAS admin principal  : admin/admin
    IBM NAS user principal   : user2
    IBM Tivoli Directory Server Version 5.2

AIX NAS 1.4 client and AIX NFS V4 client:
    Hostname                 : nfsaix08.in.ibm.com
    NFS domain name          : us.ibm.com
    Realm name               : REALM_2
    Operating system         : AIX 6.1.0.0
    Unix users               : user2:group2
    Configured to REALM_1 and REALM_2 realms.
```
The configuration steps are divided into four sections:
- Setting up the IBM NAS server and AIX NFSv4 server
- Setting up cross-realm authentication between IBM NAS servers
- Setting up the IBM NAS client and AIX NFSv4 client
- Setting up the EIM server and EIM client and adding Identity Mapping information
Setting up the IBM NAS server and the AIX NFSv4 server
- Install the krb5.server (IBM NAS 1.4), clic.rte, and the modcrypt.base filesets on the AIX V6.1 machine. These filesets are shipped with the AIX Version 6.1 Expansion CDs.
- Configure the IBM NAS KDC server as listed below.
For more information on configuring IBM NAS, refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 6.1 Expansion Pack CD.
Listing 2. Configuring the IBM NAS server

```
# hostname
vayu08.in.ibm.com
# export PATH=/usr/krb5/bin/:/usr/krb5/sbin/:$PATH
# config.krb5 -S -r REALM_1 -d in.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'REALM_1'
master key name 'K/M@REALM_1'
You are prompted for the database Master Password.
It is important that you DO NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@REALM_1; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "admin/admin@REALM_1":
Re-enter password for principal "admin/admin@REALM_1":
Principal "admin/admin@REALM_1" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
#
```
You can also use the mkkrb5srv command to configure the NAS server. Refer to the mkkrb5srv man page for its complete usage.
- Configure the NFSv4 server with the Kerberos security flavor.
Listing 3. Configuring the NFSv4 server with krb5 authentication

```
# hostname
vayu08.in.ibm.com
# chnfsdom in.ibm.com
# chnfsdom
Current local domain: in.ibm.com
# kadmin.local
kadmin.local: ank nfs/vayu08.in.ibm.com
WARNING: no policy specified for nfs/vayu08.in.ibm.com@REALM_1; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "nfs/vayu08.in.ibm.com@REALM_1":
Re-enter password for principal "nfs/vayu08.in.ibm.com@REALM_1":
Principal "nfs/vayu08.in.ibm.com@REALM_1" created.
kadmin.local: ktadd nfs/vayu08.in.ibm.com
Entry for principal nfs/vayu08.in.ibm.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/vayu08.in.ibm.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/vayu08.in.ibm.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/vayu08.in.ibm.com with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin.local:
# nfshostkey -p nfs/vayu08.in.ibm.com -f /etc/krb5/krb5.keytab
# nfshostkey -l
nfs/vayu08.in.ibm.com /etc/krb5/krb5.keytab
# exportfs -i -o vers=4,sec=krb5 /home/guest
# exportfs
/home/guest -vers=4,sec=krb5
# chnfs -s
0513-044 The gssd Subsystem was requested to stop.
# chnfs -S
0513-059 The gssd Subsystem has been started. Subsystem PID is 286862.
```
For more details on AIX NFSv4 configuration with Kerberos, please refer to the Securing NFS in AIX. An Introduction to NFS V4 in AIX 5L Version 5.3 Redbook (see Resources).
- Create a UNIX user (user1) with primary group (group1) on this machine.
Also, create a Kerberos principal for user1. This will be required in subsequent sections.
Listing 4. Creating UNIX user/group and adding an equivalent Kerberos user principal

```
# mkgroup group1
# useradd -g group1 user1
# kadmin.local
kadmin.local: ank user1
WARNING: no policy specified for user1@REALM_1; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "user1@REALM_1":
Re-enter password for principal "user1@REALM_1":
Principal "user1@REALM_1" created.
```
- Configure the NAS KDC server on the second machine after installing the krb5.server fileset.
Listing 5. Configuring IBM NAS server on a second machine

```
bash-2.05b# hostname
vayu07.in.ibm.com
bash-2.05b# config.krb5 -S -r REALM_2 -d us.ibm.com
Initializing configuration...
Creating /etc/krb5/krb5_cfg_type...
Creating /etc/krb5/krb5.conf...
Creating /var/krb5/krb5kdc/kdc.conf...
Creating database files...
Initializing database '/var/krb5/krb5kdc/principal' for realm 'REALM_2'
master key name 'K/M@REALM_2'
You are prompted for the database Master Password.
It is important that you DO NOT FORGET this password.
Enter database Master Password:
Re-enter database Master Password to verify:
WARNING: no policy specified for admin/admin@REALM_2; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "admin/admin@REALM_2":
Re-enter password for principal "admin/admin@REALM_2":
Principal "admin/admin@REALM_2" created.
Creating keytable...
Creating /var/krb5/krb5kdc/kadm5.acl...
Starting krb5kdc...
krb5kdc was started successfully.
Starting kadmind...
kadmind was started successfully.
The command completed successfully.
```
Now create a Kerberos principal for another user (user2).
Listing 6. Creating a Kerberos principal for a second UNIX user

```
bash-2.05b# hostname
vayu07.in.ibm.com
# kadmin.local
kadmin.local: ank user2
WARNING: no policy specified for user2@REALM_2; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "user2@REALM_2":
Re-enter password for principal "user2@REALM_2":
Principal "user2@REALM_2" created.
```
Setting up cross-realm authentication between IBM NAS servers
- Add the krbtgt service principal on both the NAS KDC servers.
For a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. Therefore, you need to create krbtgt service principals for cross-realm access. Also, ensure that you have chosen the same password for these principals on both KDC servers.
Listing 7. Adding a krbtgt service principal on both NAS KDC servers

```
# kadmin.local
kadmin.local: ank krbtgt/REALM_2@REALM_1
WARNING: no policy specified for krbtgt/REALM_2@REALM_1; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "krbtgt/REALM_2@REALM_1":
Re-enter password for principal "krbtgt/REALM_2@REALM_1":
Principal "krbtgt/REALM_2@REALM_1" created.
kadmin.local:
kadmin.local: ank krbtgt/REALM_1@REALM_2
WARNING: no policy specified for krbtgt/REALM_1@REALM_2; defaulting to no policy.
Note that policy may be overridden by ACL restrictions.
Enter password for principal "krbtgt/REALM_1@REALM_2":
Re-enter password for principal "krbtgt/REALM_1@REALM_2":
Principal "krbtgt/REALM_1@REALM_2" created.
```
- Edit the /etc/krb5/krb5.conf file on both NAS servers as shown below so that it contains entries for both realms.
Listing 8. Edited /etc/krb5/krb5.conf file of both NAS servers

```
[libdefaults]
        default_realm = REALM_1
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
        REALM_1 = {
                kdc = vayu08.in.ibm.com:88
                admin_server = vayu08.in.ibm.com:749
                default_domain = in.ibm.com
        }
        REALM_2 = {
                kdc = vayu07.in.ibm.com:88
                admin_server = vayu07.in.ibm.com:749
                default_domain = us.ibm.com
        }
[domain_realm]
        .in.ibm.com = REALM_1
        vayu08.in.ibm.com = REALM_1
        .us.ibm.com = REALM_2
        vayu07.in.ibm.com = REALM_2
[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
```
- Stop and restart the krb5 daemons to have these changes take effect.
Listing 9. Restarting krb5 daemons

```
# stop.krb5
# start.krb5
```
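A cross-realm krb5.conf such as the one in Listing 8 is easy to get subtly wrong (a realm without its admin_server line, or a domain suffix mapped to the wrong realm), and the mistake usually surfaces only when a client later fails to obtain a cross-realm ticket. The POSIX shell script below is an added example, not code from the article or from IBM NAS: it parses a krb5.conf and verifies that each realm of the pair has a kdc and admin_server stanza in [realms] and that its domain suffix maps to it in [domain_realm]. The embedded configuration is constructed here to mirror Listing 8, and the function names realm_defined, domain_mapped and check_cross_realm are the example's own. It does not check the krbtgt/REALM_2@REALM_1 and krbtgt/REALM_1@REALM_2 principals, which live in the KDC databases rather than in krb5.conf.

```shell
#!/bin/sh
# Added example (not from the article): consistency check for a two-realm
# krb5.conf such as the one in Listing 8. Function names are this example's own.

# Constructed sample, mirroring Listing 8; written to a temp file so the
# same functions can be pointed at a real /etc/krb5/krb5.conf instead.
KRB5_SAMPLE=$(mktemp)
trap 'rm -f "$KRB5_SAMPLE"' EXIT
cat > "$KRB5_SAMPLE" <<'EOF'
[libdefaults]
        default_realm = REALM_1
[realms]
        REALM_1 = {
                kdc = vayu08.in.ibm.com:88
                admin_server = vayu08.in.ibm.com:749
                default_domain = in.ibm.com
        }
        REALM_2 = {
                kdc = vayu07.in.ibm.com:88
                admin_server = vayu07.in.ibm.com:749
                default_domain = us.ibm.com
        }
[domain_realm]
        .in.ibm.com = REALM_1
        vayu08.in.ibm.com = REALM_1
        .us.ibm.com = REALM_2
        vayu07.in.ibm.com = REALM_2
EOF

# realm_defined CONF REALM
# Succeeds only if REALM has both a kdc and an admin_server line in [realms];
# without them the realm cannot be contacted for tickets at all.
realm_defined() {
    awk -v realm="$2" '
        $1 ~ /^\[/                                        { section = $1 }
        section == "[realms]" && $1 == realm && $2 == "=" { inblk = 1; next }
        inblk && $1 == "}"                                { inblk = 0 }
        inblk && $1 == "kdc"                              { kdc = 1 }
        inblk && $1 == "admin_server"                     { adm = 1 }
        END { if (kdc && adm) exit 0; exit 1 }
    ' "$1"
}

# domain_mapped CONF NAME REALM
# Succeeds if [domain_realm] maps NAME (a host or a ".domain" suffix) to REALM.
domain_mapped() {
    awk -v name="$2" -v realm="$3" '
        $1 ~ /^\[/ { section = $1 }
        section == "[domain_realm]" && $1 == name && $3 == realm { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_cross_realm CONF REALM DOMAIN [REALM DOMAIN ...]
# Reports every realm that is undefined or whose domain suffix is not mapped
# to it; returns 0 only when all pairs pass.
check_cross_realm() {
    conf=$1; rc=0
    shift
    while [ $# -ge 2 ]; do
        realm=$1; dom=$2; shift 2
        realm_defined "$conf" "$realm" ||
            { echo "FAIL: [realms] lacks a kdc/admin_server stanza for $realm"; rc=1; }
        domain_mapped "$conf" ".$dom" "$realm" ||
            { echo "FAIL: [domain_realm] lacks '.$dom = $realm'"; rc=1; }
    done
    return $rc
}

# Demonstration over the constructed file (pass /etc/krb5/krb5.conf instead
# on a real NAS server or client).
check_cross_realm "$KRB5_SAMPLE" REALM_1 in.ibm.com REALM_2 us.ibm.com &&
    echo "OK: both realms defined and both domains mapped"
```

Run the same check on every machine that received the edited file (both KDCs and the NAS client), since each copy is edited by hand and a single host with a stale krb5.conf is enough to break the cross-realm path.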
Setting up the IBM NAS client and AIX NFSv4 client
- Configure the AIX NAS client once you have installed the krb5.client fileset on it.
Listing 10. Configuring AIX NAS client

```
# hostname
nfsaix08.in.ibm.com
# config.krb5 -C -r REALM_2 -d us.ibm.com -c vayu07.in.ibm.com -s vayu07.in.ibm.com
```
- Edit the /etc/krb5/krb5.conf file to add the cross-realm information, as shown in the previous section, and create a UNIX user (user2) with primary group (group2) on this client machine.
Listing 11. Creating a group and adding a UNIX user to it

```
# mkgroup group2
# useradd -g group2 user2
```
- Get the TGT (Ticket Granting Ticket) for user2 in REALM_2 and use it to access the NFS-exported data with krb5 security.
Listing 12. Obtain Kerberos credentials

```
# hostname
nfsaix08.in.ibm.com
# chnfsdom us.ibm.com
# kinit user2
Password for user2@REALM_2:
# mount -o vers=4,sec=krb5 vayu08:/home/guest /mnt
# cd /mnt/
# touch data.txt
# ls -l
total 0
-rw-r--r--   1 nobody   nobody   0 Nov 19 17:37 data.txt
```
As seen here, the ls -l output shows nobody:nobody as the user:group of the file created in the NFS-mounted directory, because the NFS domains of the server and the client differ and no foreign identity mapping is in place yet.
Setting up EIM server/client and adding Identity Mapping information
- Configure the EIM server after installing the ldap.server and bos.eim.rte filesets.
If the host given with -h is the local host, this command automatically configures the LDAP server on that host. For detailed information on LDAP installation and configuration, refer to the IBM Tivoli® Directory Server Version 5.2 documentation.
Listing 13. Configuring the EIM server

```
# hostname
vayu07.in.ibm.com
bash-2.05b# chnfsim -c -a -t P -h vayu07.in.ibm.com -e nfs -f nfseim -w secret
ldapdb2's New password:
Enter the new password again:
You have chosen the following actions:
Administrator DN 'cn=admin' and password will be set.
Setting administrator DN 'cn=admin' and password.
Set administrator DN 'cn=admin' and password.
IBM Tivoli Directory Server Configuration complete.
You have chosen the following actions:
Database 'ldapdb2' will be configured in instance 'ldapdb2'.
:
:
IBM Tivoli Directory Server Configuration complete.
You have chosen the following actions:
Suffix 'cn=aixdata' will be added to the configuration file.
Adding suffix: 'cn=aixdata'.
Added suffix: 'cn=aixdata'.
IBM Tivoli Directory Server Configuration complete.
Server starting in configuration only mode.
:
:
Server starting.
:
:
Non-SSL port initialized to 389.
adding new entry cn=nfseim
adding new entry cn=nfs_map_reader,cn=nfseim
```
- Add the EIM information that the NFSv4 server will use to map foreign identities.
First, add the realm-to-domain mapping to the EIM server, as shown in Listing 14.
Listing 14. Adding realm-to-domain mapping

```
# chnfsim -a -r REALM_1 -d in.ibm.com
# chnfsim -a -r REALM_2 -d us.ibm.com
```
Next, add the user and group identity mapping information to the EIM server. You also need to add the owner of the /usr/sbin/nfsrgyd daemon, that is, root:system, to the EIM server.
Listing 15. Adding user and group identity mapping

```
# chnfsim -a -u -i "nfs_user" -n user1 -d in.ibm.com
# chnfsim -a -u -i "nfs_user" -n user2 -d us.ibm.com
# chnfsim -a -g -i "nfs_group" -n group1 -d in.ibm.com
# chnfsim -a -g -i "nfs_group" -n group2 -d us.ibm.com
# chnfsim -a -u -i root -n root -d in.ibm.com
# chnfsim -a -u -i root -n root -d us.ibm.com
# chnfsim -a -g -i system -n system -d in.ibm.com
# chnfsim -a -g -i system -n system -d us.ibm.com
```
- Configure the EIM client on the NFSv4 server after installing the ldap.client and bos.eim.rte filesets. Also, check that the NFSv4 server is able to read the correct information from the EIM server.
Listing 16. Configuring the EIM client on the AIX NFSv4 server

```
# hostname
vayu08.in.ibm.com
# chnfsim -c
EIM server type: P
EIM server: vayu07.in.ibm.com
EIM domain: nfs
EIM directory suffix: nfseim
# chnfsim -c -a -t P -h vayu07.in.ibm.com -e nfs -f nfseim -w secret
# chnfsim -l -u -i nfs_user
Identity mappings for nfs_user:
Name            Domain
user1           in.ibm.com
user2           us.ibm.com
# chnfsim -l -g -i nfs_group
Identity mappings for nfs_group:
Name            Domain
group1          in.ibm.com
group2          us.ibm.com
# chnfsim -l
Realm to Domain mappings:
realm_1         in.ibm.com
realm_2         us.ibm.com
```

From AIX V53L and AIX V610 and later, you can configure the NFS server with more than one EIM LDAP replica server, so that if one EIM server is down the NFSv4 server can move to another available EIM server and get the required mapping information.
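The mapping data entered in Listings 14 and 15 and read back in Listing 16 is what nfsrgyd consults for every foreign request, and an identity registered for one domain but not the other (easy to do with the root and system entries) is not flagged by chnfsim itself. The POSIX shell script below is an added example, not code from the article or from AIX: it parses listings in the shape of the chnfsim -l output shown in Listing 16 and reports, for each identity, the EIM domains it has no entry in. The listings embedded in it are constructed here (the real column layout of chnfsim output is an assumption), the gap in the root mapping is deliberate, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): cross-check the EIM mapping data that
# nfsrgyd relies on. Every NFS domain with a realm-to-domain mapping must carry
# an entry for each identity, root:system included. Function names are this
# example's own.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed listings in the shape of the 'chnfsim -l' output in Listing 16;
# the real column layout is an assumption here.
REALM_MAP='Realm to Domain mappings:
REALM_1         in.ibm.com
REALM_2         us.ibm.com'

USER_MAP_OK='Identity mappings for nfs_user:
Name            Domain
user1           in.ibm.com
user2           us.ibm.com'

# root registered for in.ibm.com only: the us.ibm.com entry from Listing 15
# is deliberately missing to show what the check reports.
ROOT_MAP_GAP='Identity mappings for root:
Name            Domain
root            in.ibm.com'

# eim_domains LISTING: NFS domains EIM knows a realm for, sorted, one per line
eim_domains() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 2 { print $2 }' | sort -u
}

# mapped_domains LISTING: domains covered by one identity's mapping listing
# (skips the title line and the Name/Domain header)
mapped_domains() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF == 2 { print $2 }' | sort -u
}

# missing_domains REALM_LISTING IDENTITY_LISTING
# Prints each EIM domain that has no entry for the identity; prints nothing
# when the mapping is complete. comm needs sorted input, which sort -u gives.
missing_domains() {
    eim_domains "$1"    > "$TMPD/domains"
    mapped_domains "$2" > "$TMPD/mapped"
    comm -23 "$TMPD/domains" "$TMPD/mapped"
}

# check_identity NAME REALM_LISTING IDENTITY_LISTING -> 0 complete, 1 gaps
check_identity() {
    gaps=$(missing_domains "$2" "$3")
    if [ -n "$gaps" ]; then
        echo "$1: not mapped in domain(s): $(printf '%s ' $gaps)"
        return 1
    fi
    echo "$1: mapped in every EIM domain"
}

# Demonstration over the constructed listings.
check_identity nfs_user "$REALM_MAP" "$USER_MAP_OK"
check_identity root "$REALM_MAP" "$ROOT_MAP_GAP" ||
    echo "  -> add the missing 'chnfsim -a -u -i root -n root -d <domain>' entry before restarting nfsrgyd"
```

On a real NFSv4 server the listings would be captured from chnfsim -l and chnfsim -l -u -i NAME (or -g for groups) and fed to check_identity for each identity you registered; running it before the nfsrgyd restart in the next step saves a round of nobody:nobody surprises on the client.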
- Restart the nfsrgyd daemon on the NFSv4 server.
Listing 17. Restarting nfsrgyd daemon

```
# chnfs -v
# chnfs -V
```
- Now try mounting and creating a file from the NFS client after krb5 authentication.
Listing 18. Creating a file in the NFS-mounted directory

```
# hostname
vayu08.in.ibm.com
# kdestroy
# nfsauthreset
# kinit user2
Password for user2@REALM_2:
# mount -o vers=4,sec=krb5 vayu08:/home/guest /mnt
# cd /mnt
# touch abc.txt
# ls -l
total 0
-rw-r--r--   1 user2    group2   0 Nov 19 18:03 abc.txt
```
Check the user:group information on the NFS server for this file.
Listing 19. Confirming ownership information of the created file

```
# hostname
vayu08.in.ibm.com
# cd /home/guest/
# ls -l
total 0
-rw-r--r--   1 user1    group1   0 Nov 19 18:03 abc.txt
```
As seen here, after configuring the EIM server and adding the foreign identity information to it, the NFSv4 server and client both show the correct ownership information for the file.
In this article you have seen how to set up and configure Enterprise Identity Mapping (EIM) for AIX Network File System (NFS) version 4 over a cross-realm Kerberos (IBM NAS) setup and have correct ownership information visible to the NFS server/client.
Resources

Learn
- The IBM Redbooks publication Securing NFS in AIX: An Introduction to NFS Version 4 in AIX 5L Version 5.3 gives a broad understanding of NFS Version 4 and specific AIX NFS Version 4 implementation details.
- A Kerberos Primer (developerWorks, Nov 2001): This article introduces Kerberos technology and Distributed Computing Environment-based applications.
- AIX NFS Version 4 configuration over Kerberos inter-realm setup: This article describes the configuration steps for a successful inter-realm setup between IBM NAS Version 1.4 and Microsoft Active Directory.
- AIX 5L LDAP user management (developerWorks, April 2006): Read this developerWorks article to learn about LDAP user management on AIX.
- "Network File System (NFS) Version 4 Protocol": For details on NFS Version 4, see IETF Request for Comments (RFC) 3530.
- In the AIX and UNIX area on developerWorks, get the resources you need to advance your skills in UNIX administration.
- Check out additional UNIX tips and tricks from the developerWorks site.
- New to AIX and UNIX: New to IBM® AIX® and UNIX? Visit this page to learn more.
Discuss
- Podcasts: Tune in and catch up with IBM technical experts.
- Check out developerWorks blogs and get involved in the developerWorks community.
- Participate in the AIX and UNIX forums:
  - AIX Forum
  - AIX Forum for developers
  - Cluster Systems Management
  - IBM Support Assistant Forum
  - Performance Tools Forum
  - Virtualization Forum
  - More AIX and UNIX Forums

Sagar Dixit is a System Software Engineer with IBM India - Systems and Technology Labs in Pune, India. He has been working with IBM since July 2006 and currently works with the Network File System development team. He is involved in developing new security and deployment related features for NFSv4. He holds a Bachelor's degree in computer science engineering. You can reach him at sagar.dixit@in.ibm.com.

Prashant Sodhiya is a Senior Staff Software Engineer for IBM India Systems and Technology Labs. He has worked for IBM for the past four years on development features of AIX NFSv4 and on development and support of IBM Network Authentication Service (IBM Kerberos). Before joining IBM, he worked with the Centre for Development of Advanced Computing (CDAC) for three years in the network security domain. You can contact him at psodhiya@in.ibm.com.