Sds-hd nfs: Difference between revisions
mNo edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
<H2>Prequisites</H2> |
<H2>Prequisites</H2> |
||
| ⚫ | |||
NFS access to the SDS@hd service is machine-based. This means that each nfs client has to be enabled individually for the service (and thus access to one or more storage projects). |
|||
A detailed tutorial for installing a working NFS & Kerberos environment is described in the [https://sds-hd.urz.uni-heidelberg.de/management/index.php?mode=access_lx_nfssetup SDS@hd Managementtool]. |
|||
*In order for the Kerberos authentication to work, a properly synchronized time must be set on each nfs client, i.e. by: |
|||
<pre>ntpdate ntp01.urz.uni-heidelberg.de</pre> |
|||
* The local hostname of the client must match the valid DNS hostname, as the credentials for Kerberos are only valid for this |
|||
* Valid access data for the nfs-client (keytab). These can be obtained directly from the [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd support team ] after '''registration of the machine''' |
|||
* (optional) A CA certificate for ''bwservices.uni-heidelberg.de'' to connect to the LDAP. This can be downloaded directly [https://sds-hd.urz.uni-heidelberg.de/management/html/GSchain_bwservices.pem *here* ]. |
|||
<br /> |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
<H2>NFS & Kerberos Configuration:</H2> |
|||
You have to install the following packages on your client machine and update some configuration files, to enable nfs with kerberos authentication. |
|||
''RedHat/CentOS:'' |
|||
<pre> |
<pre> |
||
| ⚫ | |||
> yum install krb5-workstation nfs-utils nfs4-acl-tools |
|||
| ⚫ | |||
edit the file: '/etc/sysconfig/nfs' and change: |
|||
NEED_IDMAPD=yes |
|||
NEED_GSSD=yes |
|||
close and save the file |
|||
</pre> |
</pre> |
||
To enable the mounting after a restart, you have to add the following line to the file "/etc/fstab" |
|||
''Debian/Ubuntu:'' |
|||
<pre> |
|||
> apt-get install krb5-user nfs-common nfs4-acl-tools nfs-server |
|||
edit the file: '/etc/default/nfs-common' and change: |
|||
NEED_IDMAPD=yes |
|||
NEED_GSSD=yes |
|||
close and save the file |
|||
</pre> |
|||
''/etc/krb5.conf:'' |
|||
<pre> |
|||
[libdefaults] |
|||
default_realm = BWSERVICES.UNI-HEIDELBERG.DE |
|||
[realms] |
|||
BWSERVICES.UNI-HEIDELBERG.DE= { |
|||
kdc = bwservices.uni-heidelberg.de |
|||
admin_server = bwservices.uni-heidelberg.de |
|||
} |
|||
[domain_realm] |
|||
.uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE |
|||
uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE |
|||
</pre> |
|||
The keytab belonging to the machine must then be stored as ''/etc/krb5.keytab''. You get this keytab from [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd support team ]. |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
<pre> |
<pre> |
||
lsdf02export.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint> nfs4 sec=krb5 0 0 |
|||
| ⚫ | |||
| ⚫ | |||
</pre> |
</pre> |
||
| Line 85: | Line 42: | ||
<H3>renew a kerberos ticket</H3> |
<H3>renew a kerberos ticket</H3> |
||
Because a kerberos ticket has a limited lifetime (default: 10 hours, maximum 24 hours) for security reasons, you have renew your ticket before it expires to prevent access |
Because a kerberos ticket has a limited lifetime (default: 10 hours, maximum 24 hours) for security reasons, you have to renew your ticket before it expires to prevent access loss. |
||
<pre> |
<pre> |
||
> kinit -R |
> kinit -R |
||
</pre> |
</pre> |
||
<H3>ID Mapping</H3> |
|||
~ to be continued ~ |
|||
<hr> |
|||
<br> |
|||
<br> |
|||
<br> |
|||
<br> |
<br> |
||
[[Category:Sds-hd|NFS|Kerberos]] |
[[Category:Sds-hd|NFS|Kerberos]] |
||
Revision as of 14:22, 23 October 2017
Using NFSv4 for UNIX client
Attention: To access data served by SDS@hd, you need a Service Password. Please set your Service Password under following site: https://bwservices.uni-heidelberg.de
Prequisites
Authentication for data access via NFSv4 is performed using Kerberostickets. This requires a functioning Kerberos environment on the client!
A detailed tutorial for installing a working NFS & Kerberos environment is described in the SDS@hd Managementtool.
The usual restrictions for mounting drives under Linux are valid. Usually this can only be done by the superuser "root". For detailed information, please contact the system administrator of your system.
After successfull configuration (s. Prequisites) you can mount your SDS@hd share with the following commands:
> mkdir <mountpoint> > mount -t nfs4 -o sec=krb5 lsdf02export.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint>
To enable the mounting after a restart, you have to add the following line to the file "/etc/fstab"
lsdf02export.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint> nfs4 sec=krb5 0 0
access your data
Attention! The access can not be done as root user, because root uses the Kerberosticket of the machine, which does not have data access!
To access your data on SDS@hd you need an valid kerberos ticket:
> kinit hd_xy123
Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE:
> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE
Valid starting Expires Service principal
20.09.2017 04:00:01 21.09.2017 04:00:01 krbtgt/BWSERVICES.UNI-HEIDELBERG.DE@BWSERVICES.UNI-HEIDELBERG.DE
renew until 29.09.2017 13:38:49
> ls mountpoint
sd16j007 sd17c010 sd17d005
renew a kerberos ticket
Because a kerberos ticket has a limited lifetime (default: 10 hours, maximum 24 hours) for security reasons, you have to renew your ticket before it expires to prevent access loss.
> kinit -R