FreeIPA and NFSv4

From Linux NFS

(Difference between revisions)

Jump to: navigation, search

Latest revision as of 02:48, 1 March 2012

This has been moved to NFS and FreeIPA.

@@ Line 1: / Line 1: @@
-This is a WIP by dros@netapp.com - please let me finish before changing/commenting).
+This has been moved to [[NFS and FreeIPA]].
-This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA].
-Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm and possibly an [http://en.wikipedia.org/wiki/LDAP LDAP] server.   FreeIPA provides a packaged service of both [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5] and [http://en.wikipedia.org/wiki/LDAP LDAP] with the purpose of making this process much less painful.
-These instructions are for [http://www.fedora.org/ Fedora 15].  Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
-= Disclaimer about the testing environment =
-For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake).
-Setup with routable IP addresses and a real DNS realm should be straightforward.
-For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake).  Of course, these could all be different machines.
-I have not tried setting up freeipa without DNS, or using it's own DNS server.
-I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server!  You probably shouldn't do that!  You'll need to allow traffic on:
-* port 53 for named(1)
-* port 88 for kerberos
-* port 389 for ldap
-* XXX MORE!!
-= Set up DNS realm =
-== Create the DNS realm on the server ==
-=== Install named(1) on the server ===
-<pre>
- [root@server ~]# sudo yum install bind
- </pre>
-=== Configure the DNS zone ===
-Create the file "/var/named/example.fake.zone":
-<pre>
-$TTL 3D
-@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
-                       201107111       ; serial#
-            ; refresh, seconds
-            ; retry, seconds
-            ; expire, seconds
-)          ; minimum, seconds
-                NS      ns1             ; Inet Address of nameserver
-example.fake.   MX      10 mail         ; Primary Mail Exchanger
-ns1             A       192.168.56.20
-server          A       192.168.56.20
-client1         A       192.168.56.40
-ipa             CNAME   build
-mail            CNAME   build
-; DNS auto discovery of services
-_ldap._tcp      SRV 10 10 389 server.example.fake.
-_kerberos._udp  SRV 10 10 88 server.example.fake.
-_kerberos._tcp  SRV 10 10 88 server.example.fake.
-</pre>
-=== Configure the reverse mapping ===
-Create the file "/var/named/192-168-56.zone":
-<pre>
-$TTL 2d  ; 172800 seconds
-$ORIGIN 56.168.192.IN-ADDR.ARPA.
-@       IN        SOA        ns1.example.fake.  hostmaster.example.fake. (
-                            201107111          ; serial number
-H                 ; refresh, seconds
-H                 ; retry, seconds
-W                 ; expire, seconds
-D )               ; minimum, seconds
-                IN      NS      ns1.example.fake.
-              IN      PTR     server.example.fake.
-              IN      PTR     client1.example.fake.
-</pre>
-=== Modify named(1) config to use new zone files ===
-Add the sections to file "/etc/named.conf":
-<pre>
-zone "example.fake" IN {
-	type master;
-	file example.fake.zone;
-};
-zone "56.168.192.in-addr.arpa" IN {
-	type master;
-	file "192-168-56.zone";
-};
-</pre>
-=== Other named(1) config ===
- There are a few other things that I needed to configure in my test setup.  You probably don't want to turn off dnssec in real world setups!
-In the "options" section:
-* change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }"
-* change "allow-query" option to "{ localhost; 192.168.56.0/24 }"
-* change "dnssec-enable" option to "no"
-* change "dnssec-validation" option to "no"
-=== Restart named(1) ===
-<pre>
-[root@server ~]# service named restart
-Restarting named (via systemctl):                          [  OK  ]
-</pre>
-== Configure the client(s) and server to use the local DNS server ==
-The server and all clients should use this name server (with this testing environment).  With a real DNS server, clients shouldn't require this configuration.
-Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:
-<pre>
-DNS1=192.168.56.20
-</pre>
-Restart the network service to pick up the change.
-<pre>
-[root@server ~]# service network restart
-Restarting network (via systemctl):                        [  OK  ]
-</pre>
-And verify that it worked:
-<pre>
-[root@server ~]# cat /etc/resolv.conf
-# Generated by NetworkManager
-search example.fake
-nameserver 192.168.56.20
-</pre>
-<pre>
-[root@server ~]# nslookup server.example.fake
-Server:		192.168.56.20
-Address:	192.168.56.20#53
-Name:	server.example.fake
-Address: 192.168.56.20
-</pre>

FreeIPA and NFSv4

From Linux NFS

Latest revision as of 02:48, 1 March 2012

Views

Personal tools

Navigation

Search

Toolbox