@@ Line 1: / Line 1: @@
-This is a WIP by dros@netapp.com - please let me finish before changing/commenting).
+This has been moved to [[NFS and FreeIPA]].
-This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA].
-Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm and possibly an [http://en.wikipedia.org/wiki/LDAP LDAP] server.   FreeIPA provides a packaged service of both [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5] and [http://en.wikipedia.org/wiki/LDAP LDAP] with the purpose of making this process much less painful.
-These instructions are for [http://www.fedora.org/ Fedora 15].  Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
-= Disclaimer about the testing environment =
-For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake) and
-there is one server (server.example.fake) and one client (client1.example.fake).
-Setup with routable IP addresses and a real DNS realm should be straightforward.
-In this example, the DNS server is running on the same machine as the NFSv4 export and the IPA server (server.example.fake).  Of course, these could all be different machines.
-I have not tried setting up FreeIPA without DNS, or using it's own DNS server.
-= Notes =
-I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server!  You probably shouldn't do that!  You'll need to allow traffic on:
-* port 53 for named
-* port 88 for kerberos
-* port 389 for ldap
-* XXX MORE!! (ipa web interface, etc?)
-For the following example, I'm logged in as root on both the client and server.  Either login as root or prepend "sudo " to each command.
-= Set up DNS realm =
-Again, you might not need to do this.  If you're just setting up a client of FreeIPA, you can skip this section entirely.  If you already have a name server running for your domain, you can just merge the few key items in this section:
-* full DNS names for server(s) and client(s)
-* reverse mapping for said hosts
-* the service entries for FreeIPA auto discovery
-== Create the DNS realm on the server ==
-=== Install named(1) on the server ===
-<pre>
- [root@server ~]# sudo yum install bind
- </pre>
-=== Configure the DNS zone ===
-Create the file "/var/named/example.fake.zone":
-<pre>
-$TTL 3D
-@       IN      SOA     ns1.example.fake. hostmaster.example.fake. (
-                       201107111       ; serial#
-            ; refresh, seconds
-            ; retry, seconds
-            ; expire, seconds
-)          ; minimum, seconds
-                NS      ns1             ; Inet Address of nameserver
-example.fake.   MX      10 mail         ; Primary Mail Exchanger
-ns1             A       192.168.56.20
-server          A       192.168.56.20
-client1         A       192.168.56.40
-ipa             CNAME   build
-mail            CNAME   build
-; DNS auto discovery of services
-_ldap._tcp      SRV 10 10 389 server.example.fake.
-_kerberos._udp  SRV 10 10 88 server.example.fake.
-_kerberos._tcp  SRV 10 10 88 server.example.fake.
-</pre>
-=== Configure the reverse mapping ===
-Create the file "/var/named/192-168-56.zone":
-<pre>
-$TTL 2d  ; 172800 seconds
-$ORIGIN 56.168.192.IN-ADDR.ARPA.
-@       IN        SOA        ns1.example.fake.  hostmaster.example.fake. (
-                            201107111          ; serial number
-H                 ; refresh, seconds
-H                 ; retry, seconds
-W                 ; expire, seconds
-D )               ; minimum, seconds
-                IN      NS      ns1.example.fake.
-              IN      PTR     server.example.fake.
-              IN      PTR     client1.example.fake.
-</pre>
-=== Modify named(1) config ===
-Add these sections to file "/etc/named.conf":
-<pre>
-zone "example.fake" IN {
-	type master;
-	file "example.fake.zone";
-};
-zone "56.168.192.in-addr.arpa" IN {
-	type master;
-	file "192-168-56.zone";
-};
-</pre>
-There are a few other things that I needed to configure in my test setup.  You probably don't want to turn off dnssec in real world setups!
-In the "options" section:
-* change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }"
-* change "allow-query" option to "{ localhost; 192.168.56.0/24 }"
-* change "dnssec-enable" option to "no"
-* change "dnssec-validation" option to "no"
-The resulting /etc/named.conf:
-<pre>
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-options {
-	listen-on port 53 { 127.0.0.1; 192.168.56.20; };
-	listen-on-v6 port 53 { ::1; };
-	directory 	"/var/named";
-	dump-file 	"/var/named/data/cache_dump.db";
-        statistics-file "/var/named/data/named_stats.txt";
-        memstatistics-file "/var/named/data/named_mem_stats.txt";
-	allow-query     { localhost; 192.168.56.0/24; };
-	recursion yes;
-	dnssec-enable yes;
-	dnssec-validation no;
-	dnssec-lookaside auto;
-	/* Path to ISC DLV key */
-	bindkeys-file "/etc/named.iscdlv.key";
-	managed-keys-directory "/var/named/dynamic";
-};
-logging {
-        channel default_debug {
-                file "data/named.run";
-                severity dynamic;
-        };
-};
-zone "." IN {
-	type hint;
-	file "named.ca";
-};
-zone "example.fake" IN {
-        type master;
-        file "example.fake.zone";
-};
-zone "56.168.192.in-addr.arpa" IN {
-        type master;
-        file "192-168-56.zone";
-};
-include "/etc/named.rfc1912.zones";
-include "/etc/named.root.key";
-</pre>
-=== Restart named(1) ===
-<pre>
-[root@server ~]# service named restart
-Restarting named (via systemctl):                          [  OK  ]
-</pre>
-== Configure the client(s) and server to use the local DNS server ==
-The server and all clients should use this name server (with this testing environment).  With a real DNS server, clients shouldn't require this configuration.
-Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:
-<pre>
-DNS1=192.168.56.20
-</pre>
-Restart the network service to pick up the change.
-<pre>
-[root@server ~]# service network restart
-Restarting network (via systemctl):                        [  OK  ]
-</pre>
-And verify that it worked:
-<pre>
-[root@server ~]# cat /etc/resolv.conf
-# Generated by NetworkManager
-search example.fake
-nameserver 192.168.56.20
-</pre>
-<pre>
-[root@server ~]# nslookup server.example.fake
-Server:		192.168.56.20
-Address:	192.168.56.20#53
-Name:	server.example.fake
-Address: 192.168.56.20
-</pre>
-= Install and configure the FreeIPA server =
-Install and configure the FreeIPA software on the server (server.example.fake).
-== Install the FreeIPA server and admintools package ==
-This step fetches and installs FreeIPA and it's dependencies.  It will install around 100 packages, depending on what you already have installed.
-<pre>
-[root@server ~]# yum install freeipa-server freeipa-admintools
-</pre>
-== Configure FreeIPA server ==
-Run the ipa-server-install(1) program.  This takes a while.  All of the default answers should work if DNS hostnames and services are set up correctly and the full domain name is returned by hostname(1).
-<pre>
-[root@server ~]# ipa-server-install
-The log file for this installation can be found in /var/log/ipaserver-install.log
-==============================================================================
-This program will set up the FreeIPA Server.
-This includes:
-  * Configure the Network Time Daemon (ntpd)
-  * Create and configure an instance of Directory Server
-  * Create and configure a Kerberos Key Distribution Center (KDC)
-  * Configure Apache (httpd)
-To accept the default shown in brackets, press the Enter key.
-Enter the fully qualified domain name of the computer
-on which you're setting up server software. Using the form
-<hostname>.<domainname>
-Example: master.example.com.
-Server host name [server.example.fake]:
-The domain name has been calculated based on the host name.
-Please confirm the domain name [example.fake]:
-The IPA Master Server will be configured with
-Hostname:    server.example.fake
-IP address:  192.168.56.20
-Domain name: example.fake
-The kerberos protocol requires a Realm name to be defined.
-This is typically the domain name converted to uppercase.
-Please provide a realm name [EXAMPLE.FAKE]:
-Certain directory server operations require an administrative user.
-This user is referred to as the Directory Manager and has full access
-to the Directory for system management tasks and will be added to the
-instance of directory server created for IPA.
-The password must be at least 8 characters long.
-Directory Manager password:
-Password (confirm):
-The IPA server requires an administrative user, named 'admin'.
-This user is a regular system account used for IPA server administration.
-IPA admin password:
-Password (confirm):
-The following operations may take some minutes to complete.
-Please wait until the prompt is returned.
-Configuring ntpd
-  [1/4]: stopping ntpd
-  [2/4]: writing configuration
-  [3/4]: configuring ntpd to start on boot
-  [4/4]: starting ntpd
-done configuring ntpd.
-Configuring directory server for the CA: Estimated time 30 seconds
-  [1/3]: creating directory server user
-  [2/3]: creating directory server instance
-  [3/3]: restarting directory server
-done configuring pkids.
-Configuring certificate server: Estimated time 6 minutes
-  [1/17]: creating certificate server user
-  [2/17]: creating pki-ca instance
-  [3/17]: restarting certificate server
-  [4/17]: configuring certificate server instance
-  [5/17]: restarting certificate server
-  [6/17]: creating CA agent PKCS#12 file in /root
-  [7/17]: creating RA agent certificate database
-  [8/17]: importing CA chain to RA certificate database
-  [9/17]: restarting certificate server
-  [10/17]: requesting RA certificate from CA
-  [11/17]: issuing RA agent certificate
-  [12/17]: adding RA agent as a trusted user
-  [13/17]: fixing RA database permissions
-  [14/17]: setting up signing cert profile
-  [15/17]: set up CRL publishing
-  [16/17]: configuring certificate server to start on boot
-  [17/17]: restarting certificate server
-done configuring pki-cad.
-Configuring directory server: Estimated time 1 minute
-  [1/32]: creating directory server user
-  [2/32]: creating directory server instance
-  [3/32]: adding default schema
-  [4/32]: enabling memberof plugin
-  [5/32]: enabling referential integrity plugin
-  [6/32]: enabling winsync plugin
-  [7/32]: configuring replication version plugin
-  [8/32]: enabling IPA enrollment plugin
-  [9/32]: enabling ldapi
-  [10/32]: configuring uniqueness plugin
-  [11/32]: configuring uuid plugin
-  [12/32]: configuring modrdn plugin
-  [13/32]: enabling entryUSN plugin
-  [14/32]: configuring lockout plugin
-  [15/32]: creating indices
-  [16/32]: configuring ssl for ds instance
-  [17/32]: configuring certmap.conf
-  [18/32]: configure autobind for root
-  [19/32]: restarting directory server
-  [20/32]: adding default layout
-  [21/32]: adding delegation layout
-  [22/32]: adding replication acis
-  [23/32]: configuring user private groups
-  [24/32]: configuring netgroups from hostgroups
-  [25/32]: creating default Sudo bind user
-  [26/32]: creating default HBAC rule allow_all
-  [27/32]: initializing group membership
-  [28/32]: adding master entry
-  [29/32]: configuring Posix uid/gid generation
-  [30/32]: enabling compatibility plugin
-  [31/32]: tuning directory server
-  [32/32]: configuring directory to start on boot
-done configuring dirsrv.
-Configuring Kerberos KDC: Estimated time 30 seconds
-  [1/14]: setting KDC account password
-  [2/14]: adding sasl mappings to the directory
-  [3/14]: adding kerberos entries to the DS
-  [4/14]: adding default ACIs
-  [5/14]: configuring KDC
-  [6/14]: adding default keytypes
-  [7/14]: adding default password policy
-  [8/14]: creating a keytab for the directory
-  [9/14]: creating a keytab for the machine
-  [10/14]: exporting the kadmin keytab
-  [11/14]: adding the password extension to the directory
-  [12/14]: adding the kerberos master key to the directory
-  [13/14]: starting the KDC
-  [14/14]: configuring KDC to start on boot
-done configuring krb5kdc.
-Configuring ipa_kpasswd
-  [1/2]: starting ipa_kpasswd
-  [2/2]: configuring ipa_kpasswd to start on boot
-done configuring ipa_kpasswd.
-Configuring the web interface: Estimated time 1 minute
-  [1/12]: disabling mod_ssl in httpd
-  [2/12]: setting mod_nss port to 443
-  [3/12]: setting mod_nss password file
-  [4/12]: adding URL rewriting rules
-  [5/12]: configuring httpd
-  [6/12]: setting up ssl
-  [7/12]: setting up browser autoconfig
-  [8/12]: publish CA cert
-  [9/12]: creating a keytab for httpd
-  [10/12]: configuring SELinux for httpd
-  [11/12]: restarting httpd
-  [12/12]: configuring httpd to start on boot
-done configuring httpd.
-Setting the certificate subject base
-restarting certificate server
-Applying LDAP updates
-Restarting the directory server
-Restarting the KDC
-Restarting the web server
-Sample zone file for bind has been created in /tmp/sample.zone.I_fDwT.db
-==============================================================================
-Setup complete
-Next steps:
-. You must make sure these network ports are open:
-		TCP Ports:
-		  * 80, 443: HTTP/HTTPS
-		  * 389, 636: LDAP/LDAPS
-		  * 88, 464: kerberos
-		UDP Ports:
-		  * 88, 464: kerberos
-		  * 123: ntp
-. You can now obtain a kerberos ticket using the command: 'kinit admin'
-	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
-	   and the web user interface.
-Be sure to back up the CA certificate stored in /root/cacert.p12
-This file is required to create replicas. The password for this
-file is the Directory Manager password
-</pre>
-= Install and configure FreeIPA client(s) =
-Install the freeipa-client package on each machine (besides the FreeIPA server) that want to participate in the FreeIPA domain.
-== Install the FreeIPA client package ==
-This step fetches just the client-side software needed to connect to a FreeIPA server.
-<pre>
-[root@client1 ~]# yum install freeipa-client
-...
-</pre>
-== Configure the FreeIPA client package (OOPS!) ==
-Again, if DNS is setup correctly and hostname(1) returns the full DNS name, the default answers should work.
-You want to use "admin" (the administrator user you created when configuring the FreeIPA server) as the enrollment principal.
-Oh no! Currently, Fedora 15 gives me this problem:
-<pre>
-[root@client1 ~]# ipa-client-install
-Discovery was successful!
-Hostname: client1.example.fake
-Realm: EXAMPLE.FAKE
-DNS Domain: example.fake
-IPA Server: server.example.fake
-BaseDN: dc=example,dc=fake
-Continue to configure the system with these values? [no]: yes
-Enrollment principal: admin
-Password for admin@EXAMPLE.FAKE:
-Joining realm failed because of failing XML-RPC request.
-  This error may be caused by incompatible server/client major versions.
-</pre>
-This problem is easily worked around, but you may not need to - I'm sure this will be fixed soon.
-== Configure the FreeIPA client package (The Workaround) ==
-The problem and workaround are described here: https://www.redhat.com/archives/freeipa-users/2011-July/msg00029.html
-=== Get credentials and add the host to FreeIPA ===
-Both of these commands should be run on the *server*.
-First, get admin credentials.  If you are configuring multiple clients, this only needs to be run the first time.
-<pre>
-[root@server ~]# kinit admin
-Password for admin@EXAMPLE.FAKE:
-</pre>
-Now that you have credentials, you can add the (client) host to FreeIPA.
-<pre>
-[root@server ~]# ipa host-add client1.example.fake
----------------------------------
-Added host "client1.example.fake"
----------------------------------
-  Host name: client1.example.fake
-  Principal name: host/client1.example.fake@EXAMPLE.FAKE
-  Managed by: client1.example.fake
-</pre>
-=== (Force) Configure FreeIPA client ===
-Back on the client now.  Run ipa-client-install again, but this time use the --force flag:
-<pre>
-[root@client1 ~]# ipa-client-install --force
-Discovery was successful!
-Hostname: client1.example.fake
-Realm: EXAMPLE.FAKE
-DNS Domain: example.fake
-IPA Server: server.example.fake
-BaseDN: dc=example,dc=fake
-Continue to configure the system with these values? [no]: yes
-Enrollment principal: admin
-Password for admin@EXAMPLE.FAKE:
-Joining realm failed because of failing XML-RPC request.
-  This error may be caused by incompatible server/client major versions.
-  Use ipa-getkeytab to obtain a host principal for this server.
-Created /etc/ipa/default.conf
-Configured /etc/sssd/sssd.conf
-Configured /etc/krb5.conf for IPA realm EXAMPLE.FAKE
-Failed to configure automatic startup of the NSCD daemon
-SSSD enabled
-nss_ldap is not able to use DNS discovery!
-Changing configuration to use hardcoded server name: server.example.fake
-Kerberos 5 enabled
-NTP enabled
-Client configuration complete.
-</pre>
-=== Manually fetch the keytab entry for the client ===
-Still on the client, the last step is to fetch the keytab entry that ipa-client-install(1) wasn't able to get.
-To do this, you'll need to authenticate as admin again (but this time on the client):
-<pre>
-[root@client1 ~]# kinit admin
-Password for admin@EXAMPLE.FAKE:
-</pre>
-Now run ipa-getkeytab:
-<pre>
-[root@client1 ~]# ipa-getkeytab -s server.example.fake -p host/client1.example.fake -k /etc/krb5.keytab
-Keytab successfully retrieved and stored in: /etc/krb5.keytab
-</pre>
-Now, FreeIPA should be setup on the client.
-= Add FreeIPA NFS service for each host =
-The next step is to setup kerberos principals for the NFS service on each host - the server and the client(s).
-== Add FreeIPA NFS service for server ==
-<pre>
-[root@server ~]# ipa service-add nfs/server.example.fake
-----------------------------------------------------
-Added service "nfs/server.example.fake@EXAMPLE.FAKE"
-----------------------------------------------------
-  Principal: nfs/server.example.fake@EXAMPLE.FAKE
-  Managed by: server.example.fake
-</pre>
-== Add FreeIPA NFS service for client(s) ==
-<pre>
-[root@server ~]# ipa service-add nfs/client1.example.fake
------------------------------------------------------
-Added service "nfs/client1.example.fake@EXAMPLE.FAKE"
------------------------------------------------------
-  Principal: nfs/client1.example.fake@EXAMPLE.FAKE
-  Managed by: client1.example.fake
-</pre>
-== Import FreeIPA NFS service tickets on the server ==
-<pre>
-[root@server ~]# ipa-getkeytab -s server.example.fake -p nfs/server.example.fake -k /etc/krb5.keytab
-Keytab successfully retrieved and stored in: /etc/krb5.keytab
-</pre>
-You can check to see what's in the keytab like this:
-<pre>
-[root@server ~]# ktutil
-ktutil:  read_kt /etc/krb5.keytab
-ktutil:  list
-slot KVNO Principal
----- ---- ---------------------------------------------------------------------
-    2    host/server.example.fake@EXAMPLE.FAKE
-    2    host/server.example.fake@EXAMPLE.FAKE
-    2    host/server.example.fake@EXAMPLE.FAKE
-    2    host/server.example.fake@EXAMPLE.FAKE
-    2    host/server.example.fake@EXAMPLE.FAKE
-    2    host/server.example.fake@EXAMPLE.FAKE
-    1     nfs/server.example.fake@EXAMPLE.FAKE
-    1     nfs/server.example.fake@EXAMPLE.FAKE
-    1     nfs/server.example.fake@EXAMPLE.FAKE
-    1     nfs/server.example.fake@EXAMPLE.FAKE
-ktutil:  q
-</pre>
-== Import FreeIPA NFS service tickets on the client(s) ==
-<pre>
-[root@client1 ~]# ipa-getkeytab -s server.example.fake -p nfs/client1.example.fake -k /etc/krb5.keytab
-Keytab successfully retrieved and stored in: /etc/krb5.keytab
-</pre>
-And here's what /etc/krb5.kettab has in it:
-<pre>
-[root@client1 ~]# ktutil
-ktutil:  read_kt /etc/krb5.keytab
-ktutil:  list
-slot KVNO Principal
----- ---- ---------------------------------------------------------------------
-    1   host/client1.example.fake@EXAMPLE.FAKE
-    1   host/client1.example.fake@EXAMPLE.FAKE
-    1   host/client1.example.fake@EXAMPLE.FAKE
-    1   host/client1.example.fake@EXAMPLE.FAKE
-    1    nfs/client1.example.fake@EXAMPLE.FAKE
-    1    nfs/client1.example.fake@EXAMPLE.FAKE
-    1    nfs/client1.example.fake@EXAMPLE.FAKE
-    1    nfs/client1.example.fake@EXAMPLE.FAKE
-ktutil:  q
-</pre>
-= ??? =
-   - host/
-   - nfs/
-   - root/ (is this needed?)
- - configure client/server with right tickets
-   - klist -ea
-       ...
-= Turn on "Secure NFS" =
-This turns on NFS secure mounts and enables rpc.gssd and rpc.svcgssd.
-Edit these lines in file "/etc/sysconfig/nfs":
-<pre>
-# Set to turn on Secure NFS mounts.
-SECURE_NFS="yes"
-# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
-RPCGSSDARGS="-vvv"
-# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
-RPCSVCGSSDARGS="-vvv"
-</pre>
-The -vvv flags are for better debugging output.
-To pick up the changes, you must restart nfs services:
-<pre>
-[root@client1 ~]# service nfs restart
-Restarting nfs (via systemctl):                            [  OK  ]
-[root@client1 ~]# service rpcgssd restart
-Restarting rpcgssd (via systemctl):                        [  OK  ]
-[root@client1 ~]# service rpcsvcgssd restart
-Restarting rpcsvcgssd (via systemctl):                     [  OK  ]
-</pre>
-This must be run on both clients (XXX ?) and servers.
-= Add full entry for the local host in /etc/hosts =
-rpc.gssd(1) (???) requires that the full dns name of the host be in /etc/hosts.  The full DNS name must be the only entry on that line.
-On the server:
-<pre>
-[root@server ~]# cat /etc/hosts
-.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-.168.56.20 server.example.fake
-</pre>
-This must be done on the client(s) as well:
-<pre>
-[root@client1 ~]# cat /etc/hosts
-.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-.168.56.40 client1.example.fake
-</pre>
-= Set up /etc/exports on the server =
-Edit file "/etc/exports":
-<pre>
-[root@server ~]# cat /etc/exports
-/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
-[root@server ~]# exportfs -av
-exportfs: scandir /etc/exports.d: No such file or directory
-exporting gss/krb5:/export
-</pre>
-restart nfs service:
-<pre>
-[root@server ~]# service nfs restart
-Restarting nfs (via systemctl):                            [  OK  ]
-</pre>
- - common debugging problems
-   - named starts *after*
- - clock skew

FreeIPA and NFSv4

From Linux NFS

Latest revision as of 02:48, 1 March 2012

Views

Personal tools

Navigation

Search

Toolbox