Sds-hd nfs: Difference between revisions
== configure kerberos environment for SDS@hd ==

The authentication for data access via NFSv4 is performed using Kerberos tickets. This requires a functioning Kerberos environment on the client!

{{:Sds-hd_kerberos}}

The following parameters of Kerberos tickets are set on the server side:

* max. lifetime of a service ticket: 10 hours
* max. lifetime of a user ticket: 24 hours
* max. renewal time for user tickets: 10 days

The properties (e.g. lifetimes, encryption, ...) of the Kerberos tickets can be changed on the client side with different kinit parameters (see the manpages of kinit) or via ''/etc/krb5.conf''.

First you have to install the Kerberos and NFS packages on your system to provide a working Kerberos environment. The exact names of the packages depend on your Linux distribution (see examples below).

''Example RedHat/CentOS''

<pre>yum install krb5-workstation nfs-utils nfs4-acl-tools</pre>

''Example debian/ubuntu''

<pre>apt install krb5-user nfs-common nfs4-acl-tools nfs-server</pre>

On ubuntu server: nfs-kernel-server

After installing the packages you have to use the following Kerberos parameters for connecting to SDS@hd:

* Default Realm = BWSERVICES.UNI-HEIDELBERG.DE
* KDC = bwservices.uni-heidelberg.de

So your Kerberos configuration file (''/etc/krb5.conf'') should contain the following entries:

<pre>
[libdefaults]
    default_realm = BWSERVICES.UNI-HEIDELBERG.DE

[realms]
    BWSERVICES.UNI-HEIDELBERG.DE = {
        kdc = bwservices.uni-heidelberg.de
        admin_server = bwservices.uni-heidelberg.de
    }

[domain_realm]
    .uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE
    uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE
</pre>

The keytab file of the machine, which you get from the [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd Team], has to be stored as ''/etc/krb5.keytab'' on the system.

=== kerberized nfs configuration ===

After configuring Kerberos, you have to install the NFS packages on your system and enable kerberized NFSv4. The exact names of the packages depend on your Linux distribution (see examples below).

To enable kerberized NFSv4, you have to set the parameters

<pre>
NEED_IDMAPD=yes
NEED_GSSD=yes
</pre>

in your NFS configuration. Where that configuration lives depends on your Linux distribution, e.g.:

* RedHat/CentOS: ''/etc/sysconfig/nfs''
* debian/ubuntu: ''/etc/default/nfs-common''

''Example RedHat/CentOS''

<pre>
> yum install nfs-utils nfs4-acl-tools

/etc/sysconfig/nfs:
NEED_IDMAPD=yes
NEED_GSSD=yes
</pre>

''Example debian/ubuntu''

<pre>
> apt install nfs-common nfs4-acl-tools nfs-server

/etc/default/nfs-common:
NEED_IDMAPD=yes
NEED_GSSD=yes
</pre>

On ubuntu server: nfs-kernel-server

{{:Sds-hd_idmapping}}

=== ID Mapping ===

In order to be able to correctly resolve the ownership of files and folders, an ID mapping must be set up (assignment of uid/gid to uidNumbers/gidNumbers).

Therefore change the file ''/etc/idmapd.conf'' with the following lines to enable ID mapping for NFSv4 mounts:

<pre>
in /etc/idmapd.conf:

Local-Realms = BWSERVICES.UNI-HEIDELBERG.DE
</pre>
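As an added example (not part of the SDS@hd wiki and not the service's own tooling), the following POSIX shell script checks the client-side files from this section offline against the values given above: the realm and KDC in krb5.conf, that the keytab exists and is not readable by group or others, the NEED_GSSD/NEED_IDMAPD switches, and Local-Realms in idmapd.conf. The function names (sds_preflight, conf_value, write_good_samples) and the sample file contents are constructed for this example; file paths are passed as arguments so the checks can be run against copies before anything under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the SDS@hd wiki): offline preflight check of the
# client-side files configured above. On a real client you would pass
# /etc/krb5.conf, /etc/krb5.keytab, /etc/idmapd.conf and
# /etc/sysconfig/nfs (RedHat/CentOS) or /etc/default/nfs-common (debian/ubuntu).
# Expected values are the ones this wiki page gives for SDS@hd.

SDS_REALM="BWSERVICES.UNI-HEIDELBERG.DE"
SDS_KDC="bwservices.uni-heidelberg.de"

# Print the value of key $2 in file $1 ("key = value" or "key=value", first match).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Report one failed check and remember that something failed.
fail() { echo "FAIL: $*" >&2; failed=1; }

# Return 0 only if every check passes.
# $1 = krb5.conf, $2 = keytab, $3 = NFS config holding NEED_*, $4 = idmapd.conf
sds_preflight() {
    failed=0

    [ "$(conf_value "$1" default_realm)" = "$SDS_REALM" ] \
        || fail "default_realm in $1 is not $SDS_REALM"
    [ "$(conf_value "$1" kdc)" = "$SDS_KDC" ] \
        || fail "kdc in $1 is not $SDS_KDC"

    # The keytab is a long-term credential: it must exist and must not be
    # readable by group or others (it should belong to root).
    if [ ! -s "$2" ]; then
        fail "keytab $2 is missing or empty"
    else
        perms=$(ls -l "$2" | cut -c5-10)   # group/other permission bits
        [ "$perms" = "------" ] || fail "keytab $2 is readable by group/others"
    fi

    [ "$(conf_value "$3" NEED_GSSD)" = "yes" ]   || fail "NEED_GSSD=yes missing in $3"
    [ "$(conf_value "$3" NEED_IDMAPD)" = "yes" ] || fail "NEED_IDMAPD=yes missing in $3"

    # Local-Realms may be a comma separated list; normalise to spaces first.
    realms=$(conf_value "$4" Local-Realms | tr ',' ' ')
    case " $realms " in
        *" $SDS_REALM "*) ;;
        *) fail "Local-Realms in $4 does not list $SDS_REALM" ;;
    esac

    [ "$failed" -eq 0 ]
}

# Write constructed sample files into directory $1 that pass every check
# (the keytab content is a placeholder, not a real keytab).
write_good_samples() {
    printf '[libdefaults]\n    default_realm = %s\n[realms]\n    %s = {\n        kdc = %s\n    }\n' \
        "$SDS_REALM" "$SDS_REALM" "$SDS_KDC" > "$1/krb5.conf"
    printf 'not-a-real-keytab\n' > "$1/krb5.keytab"
    chmod 600 "$1/krb5.keytab"
    printf 'NEED_IDMAPD=yes\nNEED_GSSD=yes\n' > "$1/nfs"
    printf '[General]\nLocal-Realms = %s\n' "$SDS_REALM" > "$1/idmapd.conf"
}
```

Run it as root on the client with the real paths, e.g. `sds_preflight /etc/krb5.conf /etc/krb5.keytab /etc/default/nfs-common /etc/idmapd.conf`; every failed check is printed on stderr and the exit status is non-zero, so it can be wired into a provisioning script before the first mount attempt.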
The connection to the SDS@hd LDAP server is authenticated with the Kerberos keytab of your NFS client. You can use any tool which supports GSSAPI with Kerberos for authentication, with the following parameters:

* uri: ldap://bwservices.uni-heidelberg.de
* search_base: dc=bwservices,dc=uni-heidelberg,dc=de
* sasl mech: GSSAPI Authentication
* krb5 Realm: BWSERVICES.UNI-HEIDELBERG.DE
|||
==== Example configuration of sssd ====

Because [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_domains sssd] is one of the standard tools and supports more than one LDAP/identity provider on a system, we show here an example configuration for this tool.

First install the packages:

* RedHat/CentOS: <pre>> yum install sssd-client sssd-krb5 sssd-ldap</pre>
* debian/ubuntu: <pre>> apt install sssd sssd-krb5 sssd-ldap sssd-tools libnss-sss libsasl2-modules-gssapi-mit</pre>

Now create an sssd configuration file (''/etc/sssd/sssd.conf'') like this:

<span style="color:red">Attention: </span> '''Don't forget to change "ldap_sasl_authid" to the hostname in your keytab file!'''
|||
<pre>
[sssd]
domains = BWSERVICESAD
config_file_version = 2
services = nss

[domain/BWSERVICESAD]
id_provider = ldap
ldap_uri = ldap://bwservices.uni-heidelberg.de
ldap_search_base = dc=bwservices,dc=uni-heidelberg,dc=de
ldap_referrals = false
ldap_schema = ad
ldap_id_mapping = true
min_id = 100000
ldap_sasl_mech = GSSAPI
krb5_realm = BWSERVICES.UNI-HEIDELBERG.DE
ldap_sasl_authid = <HOSTNAME>$
ldap_krb5_keytab = /etc/krb5.keytab
krb5_server = bwservices.uni-heidelberg.de
ldap_sasl_canonicalize = false
krb5_canonicalize = false
use_fully_qualified_names = true
full_name_format = %3$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$)))
enumerate = false
</pre>
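The "Attention" note above is the step most often missed: sssd authenticates to the LDAP server with the machine principal from ''/etc/krb5.keytab'', so ldap_sasl_authid has to be exactly the principal name in that keytab (HOSTNAME$ for the AD schema used here). As an added example (not from the SDS@hd wiki and not part of sssd), the following POSIX shell functions take the text of `klist -kt /etc/krb5.keytab`, pick out the machine principal and compare it with the ldap_sasl_authid in a given sssd.conf; the klist listing, the hostname MYHOST and the function names (keytab_machine_principal, sssd_sasl_authid, check_sssd_authid, write_sample_sssd_conf) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the SDS@hd wiki): verify that ldap_sasl_authid in
# sssd.conf names the machine principal that is actually in the keytab.
# Assumptions: `klist -kt` output in the format shown below, and a machine
# principal of the form HOSTNAME$@REALM (ldap_schema = ad).

# Constructed sample of `klist -kt /etc/krb5.keytab` output (MYHOST is made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   2 01/01/2020 00:00:00 MYHOST$@BWSERVICES.UNI-HEIDELBERG.DE
   2 01/01/2020 00:00:00 nfs/myhost.example.org@BWSERVICES.UNI-HEIDELBERG.DE'

# Read klist -kt text on stdin and print the machine-account principal
# without its realm (first principal whose name part ends in "$").
keytab_machine_principal() {
    awk 'NF >= 4 && $NF ~ "^[^/]*[$]@" { sub(/@.*/, "", $NF); print $NF; exit }'
}

# Print the ldap_sasl_authid value from sssd.conf $1 (first occurrence).
sssd_sasl_authid() {
    sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when the configured authid matches the keytab, 1 otherwise.
# $1 = sssd.conf path, $2 = text of `klist -kt` output
check_sssd_authid() {
    conf="$1"; listing="$2"
    want=$(printf '%s\n' "$listing" | keytab_machine_principal)
    have=$(sssd_sasl_authid "$conf")
    if [ -z "$want" ]; then
        echo 'no machine principal (HOSTNAME$@REALM) found in keytab listing' >&2
        return 1
    fi
    if [ "$have" = '<HOSTNAME>$' ]; then
        echo 'ldap_sasl_authid still contains the <HOSTNAME>$ placeholder from the example' >&2
        return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "ldap_sasl_authid is '$have' but the keytab holds '$want'" >&2
        return 1
    fi
    echo "ldap_sasl_authid '$have' matches the keytab"
}

# Write a constructed sssd.conf fragment to $1 with authid $2 (demonstration only).
write_sample_sssd_conf() {
    printf '[domain/BWSERVICESAD]\nldap_sasl_mech = GSSAPI\nldap_sasl_authid = %s\n' "$2" > "$1"
}
```

On a real client the listing comes from the keytab itself: `check_sssd_authid /etc/sssd/sssd.conf "$(klist -kt /etc/krb5.keytab)"`. Remember that sssd refuses to start when sssd.conf is readable by other users, so keep the file at mode 0600.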
|||
If another service for authentication or name resolution is already in use on the machine, an additional domain block can be set up for it and must be added to the "domains" line.

To enable sssd for ID mapping on your system, the "passwd" and "group" lines in the file ''/etc/nsswitch.conf'' have to be extended by "sss", e.g.:

<pre>
passwd: compat sss
group: compat sss
</pre>

'''Note''': If you are using sssd you should not use "nscd" in parallel! Otherwise this could lead to undefined behaviour due to double caching of passwd, group and netgroup entries.

Now you should enable and restart the services:

* systemctl enable sssd.service && systemctl restart sssd.service
* systemctl restart nfs-idmapd.service
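Editing nsswitch.conf by hand is easy to get wrong on a fleet of clients (a second "sss" appended on every run, or only one of the two lines changed). As an added example (not from the SDS@hd wiki), the following POSIX shell functions append "sss" to the passwd and group lines of a given nsswitch.conf only when it is not already there, and let you query which sources a database resolves through; the sample file contents and the function names (nss_sources, nss_has_sss, enable_sss) are constructed for this example. The file path is a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the SDS@hd wiki): idempotently add the "sss" source
# to the passwd and group lines of an nsswitch.conf file.
# Assumption: lines look like "passwd: compat" or "group: files sss";
# all other lines are copied through unchanged.

# Constructed sample nsswitch.conf (debian style, before sssd is enabled).
SAMPLE_NSSWITCH='# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns'

# Print the sources configured for database $2 in file $1, e.g. "compat sss".
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if database $2 in file $1 already lists the sss source.
nss_has_sss() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "sss" ] && return 0
    done
    return 1
}

# Append "sss" to the passwd and group lines of file $1 unless already present.
# Safe to run repeatedly; the result is written to a temp file first so a
# failure leaves the original untouched.
enable_sss() {
    tmp="$1.tmp.$$"
    awk '
        ($1 == "passwd:" || $1 == "group:") {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
            if (!found) $0 = $0 " sss"
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

After `enable_sss /etc/nsswitch.conf` on a real client, `nss_sources /etc/nsswitch.conf passwd` should print the original sources followed by "sss"; running it a second time changes nothing. Remember the note above: with sssd in place, nscd should be disabled rather than left caching the same databases.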
|||
== mount a nfs share ==
Revision as of 11:06, 24 April 2020
== Prerequisites ==

* '''Attention:''' To access data served by SDS@hd, you need a Service Password. See details in Sds-hd_user_access.
* Additionally, access to SDS@hd is currently only available inside the belwue network. This means you have to use the VPN service of your home organization if you want to access SDS@hd from outside the bwHPC clusters (e.g. via eduroam or from your personal laptop).
* Access via the NFS protocol is machine-based, which means new NFS clients have to be registered on SDS@hd. During this registration each machine gets a keytab file, which allows mounting SDS@hd.
* Currently you have to send an email for client registration to the SDS@hd Team with the following information:
** hostname of the new NFS client
** IP address
** short description
** location
** acronym of the Speichervorhaben (storage project) which should be available on this machine
* For Kerberos authentication to work, a correctly synchronized system time must be set on each NFS client (e.g. via ntpdate ntp01.urz.uni-heidelberg.de or chrony).
== Using NFSv4 for UNIX client ==

The authentication for data access via NFSv4 is performed using Kerberos tickets. This requires a functioning Kerberos environment on the client!
SDS@hd is a central service for securely storing scientific data (Scientific Data Storage). The service is provided as a state service to researchers of higher education institutions of Baden-Württemberg. It is intended to be used for data that is frequently accessed ('hot data').