Sds-hd nfs: Difference between revisions

From bwHPC Wiki

Revision as of 16:02, 14 May 2019

Using NFSv4 on a UNIX client

Attention: To access data served by SDS@hd, you need a Service Password. Please set your Service Password at the following site: https://bwservices.uni-heidelberg.de

Prerequisites

Authentication for data access via NFSv4 is performed using Kerberos tickets. This requires a functioning Kerberos environment on the client!

A detailed tutorial for installing a working NFS and Kerberos environment is available in the SDS@hd Management tool.

mount an NFS share

The usual restrictions for mounting drives under Linux apply. Usually this can only be done by the superuser "root". For detailed information, please contact the administrator of your system.

After successful configuration (see Prerequisites) you can mount your SDS@hd share with the following commands:

> mkdir <mountpoint>
> mount -t nfs4 -o sec=krb5 lsdf02export.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint>

To have the share mounted again after a reboot, add the following line to the file "/etc/fstab":

   lsdf02export.urz.uni-heidelberg.de:/gpfs/lsdf02/   <mountpoint>   nfs4     sec=krb5     0 0

access your data

Attention! Access cannot be done as the root user, because root uses the Kerberos ticket of the machine, which does not have data access!

To access your data on SDS@hd you need a valid Kerberos ticket:

> kinit hd_xy123
Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE: 
> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE

Valid starting       Expires              Service principal
20.09.2017 04:00:01  21.09.2017 04:00:01  krbtgt/BWSERVICES.UNI-HEIDELBERG.DE@BWSERVICES.UNI-HEIDELBERG.DE
        renew until 29.09.2017 13:38:49

> ls mountpoint
sd16j007  sd17c010  sd17d005

renew a kerberos ticket

Because a Kerberos ticket has a limited lifetime (default: 10 hours, maximum 24 hours) for security reasons, you have to renew your ticket before it expires to avoid losing access.

> kinit -R

Renewal is only possible for a maximum of 10 days.

automated kerberos tickets

Attention! Keep the generated keytab safe and use it only in trusted environments!

If your workflow needs permanent access to SDS@hd for longer than 10 days, you can use ktutil to store a key derived from your Service Password in a keytab file:

ktutil
ktutil: addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e rc4-hmac
    Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE:
ktutil:  addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e aes256-cts
    Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE:
ktutil:  wkt xy123.keytab
ktutil:  quit

With this keytab, you can acquire a Kerberos ticket without entering a password interactively:

kinit -k -t xy123.keytab hd_xy123
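As an added example (not from the bwHPC wiki), a small POSIX shell helper that a cron job can call to keep a ticket alive from the keytab created above, refusing to use a keytab that other users could read; the keytab path, script name and cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the bwHPC wiki. Keytab path and principal below are
# placeholders matching the ktutil session above; adjust for your account.
KEYTAB="${KEYTAB:-$HOME/xy123.keytab}"
PRINCIPAL="${PRINCIPAL:-hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE}"

# A keytab is as sensitive as the Service Password itself: refuse to use one
# that is not owned by the caller or that group/others can read.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 'klist -s' exits 0 while the cache still holds unexpired tickets, so nothing
# is done in that case; otherwise a new ticket is fetched from the keytab.
# This sidesteps the 10-day renewal limit because each kinit obtains a fresh
# ticket instead of renewing the old one.
ensure_ticket() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: run 'chmod 600 $KEYTAB'" >&2
        return 2
    fi
    if klist -s 2>/dev/null; then
        return 0
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Run from cron, e.g. every 6 hours (well inside the 10 hour default lifetime):
#   0 */6 * * * /home/xy123/renew-sds-ticket.sh run
if [ "${1:-}" = "run" ]; then
    ensure_ticket
fi
```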