|
|
| (101 intermediate revisions not shown) |
| Line 1: |
Line 1: |
| - | This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA]. | + | This has been moved to [[NFS and FreeIPA]]. |
| - | | + | |
| - | Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm and possibly an [http://en.wikipedia.org/wiki/LDAP LDAP] server. FreeIPA provides a packaged service of both [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5] and [http://en.wikipedia.org/wiki/LDAP LDAP] with the purpose of making this process much less painful.
| + | |
| - | | + | |
| - | These instructions are for [http://www.fedora.org/ Fedora 15]. Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
| + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | = Disclaimer about the testing environment =
| + | |
| - | | + | |
| - | For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake).
| + | |
| - | Setup with routable IP addresses and a real DNS realm should be straightforward.
| + | |
| - | | + | |
| - | For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake). Of course, these could all be different machines.
| + | |
| - | | + | |
| - | I have not tried setting up freeipa without DNS, or using it's own DNS server.
| + | |
| - | | + | |
| - | I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server! You probably shouldn't do that! You'll need to allow traffic on:
| + | |
| - | * port 88 for kerberos
| + | |
| - | * port 389 for ldap
| + | |
| - | * XXX MORE!!
| + | |
| - | | + | |
| - | = Set up DNS Realm on the SERVER =
| + | |
| - | | + | |
| - | == Install bind on the server ==
| + | |
| - | | + | |
| - | <pre>
| + | |
| - | [root@server ~]# sudo yum install bind
| + | |
| - | </pre>
| + | |
| - | | + | |
| - | == Configure the dns zone ==
| + | |
| - | | + | |
| - | Create the file "/var/named/example.fake.zone":
| + | |
| - | | + | |
| - | <pre>
| + | |
| - | $TTL 3D
| + | |
| - | @ IN SOA ns1.example.fake. hostmaster.example.fake. (
| + | |
| - | 201107111 ; serial#
| + | |
| - | 3600 ; refresh, seconds
| + | |
| - | 3600 ; retry, seconds
| + | |
| - | 3600 ; expire, seconds
| + | |
| - | 3600 ) ; minimum, seconds
| + | |
| - | | + | |
| - | NS ns1 ; Inet Address of nameserver
| + | |
| - | example.fake. MX 10 mail ; Primary Mail Exchanger
| + | |
| - | | + | |
| - | ns1 A 192.168.56.20
| + | |
| - | server A 192.168.56.20
| + | |
| - | | + | |
| - | client1 A 192.168.56.40
| + | |
| - | | + | |
| - | ipa CNAME build
| + | |
| - | mail CNAME build
| + | |
| - | | + | |
| - | ; DNS auto discovery of services
| + | |
| - | _ldap._tcp SRV 10 10 389 server.example.fake.
| + | |
| - | _kerberos._udp SRV 10 10 88 server.example.fake.
| + | |
| - | _kerberos._tcp SRV 10 10 88 server.example.fake.
| + | |
| - | </pre>
| + | |
| - | | + | |
| - | == Configure the reverse mapping ==
| + | |
| - | | + | |
| - | Create the file "/var/named/192-168-56.zone":
| + | |
| - | | + | |
| - | <pre>
| + | |
| - | $TTL 2d ; 172800 seconds
| + | |
| - | $ORIGIN 56.168.192.IN-ADDR.ARPA.
| + | |
| - | @ IN SOA ns1.example.fake. hostmaster.example.fake. (
| + | |
| - | 201107111 ; serial number
| + | |
| - | 8H ; refresh, seconds
| + | |
| - | 2H ; retry, seconds
| + | |
| - | 4W ; expire, seconds
| + | |
| - | 1D ) ; minimum, seconds
| + | |
| - | | + | |
| - | IN NS ns1.example.fake.
| + | |
| - | 20 IN PTR server.example.fake.
| + | |
| - | 40 IN PTR client1.example.fake.
| + | |
| - | </pre>
| + | |
| - | | + | |
| - | | + | |
| - | == Modify named(1) config to use new zone files ==
| + | |
| - | | + | |
| - | Add the sections to file "/etc/named.conf":
| + | |
| - | | + | |
| - | <pre>
| + | |
| - | zone "example.fake" IN {
| + | |
| - | type master;
| + | |
| - | file example.fake.zone;
| + | |
| - | };
| + | |
| - | | + | |
| - | zone "56.168.192.in-addr.arpa" IN {
| + | |
| - | type master;
| + | |
| - | file "192-168-56.zone";
| + | |
| - | };
| + | |
| - | </pre>
| + | |
| - | | + | |
| - | == Other named(1) config ==
| + | |
| - | | + | |
| - | There are a few other things that I needed to configure in my test setup. You probably don't want to turn off dnssec in real world setups!
| + | |
| - | | + | |
| - | In the "options" section:
| + | |
| - | | + | |
| - | * change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }"
| + | |
| - | * change "allow-query" option to "{ localhost; 192.168.56.0/24 }"
| + | |
| - | * change "dnssec-enable" option to "no"
| + | |
| - | * change "dnssec-validation" option to "no"
| + | |
| - | | + | |
| - | == restart named ==
| + | |
| - | | + | |
| - | | + | |
| - | - allow service on port 53 with firewall...
| + | |
| - | | + | |
| - | - change /etc/resolv.conf on both client and server to point to server
| + | |
| - | | + | |
| - | | + | |
| - | - now it works!
| + | |
| - | | + | |
| - | {{{
| + | |
| - | [root@client1 ~]# cat /etc/resolv.conf
| + | |
| - | # Generated by NetworkManager
| + | |
| - | search example.fake
| + | |
| - | nameserver 192.168.56.20
| + | |
| - | | + | |
| - | [root@client1 ~]# nslookup client1.example.fake
| + | |
| - | Server: 192.168.56.20
| + | |
| - | Address: 192.168.56.20#53
| + | |
| - | | + | |
| - | Name: client1.example.fake
| + | |
| - | Address: 192.168.56.40
| + | |
| - | }}}
| + | |
| - | | + | |
| - | | + | |
| - | now DNS should be setup
| + | |
