This is the last of a few loosely coupled posts on installing and testing a Kerberized NFSv4 environment with EMC Isilon. To test NFSv4 with Isilon I needed an Active Directory domain-joined, NFSv4-enabled Linux client. This post shows the required configuration tasks.
I used a basic Red Hat Enterprise Linux 6.5 installation; for this to work you will have to use at least RHEL 6.4.
The first thing we do after installation is to configure the network by editing “/etc/sysconfig/network-scripts/ifcfg-eth0”. We are going to use the Windows 2012 R2 Active Directory server configured in the previous post.
DEVICE="eth0"
IPADDR=192.168.186.5
NETMASK=255.255.255.0
ONBOOT="yes"
BOOTPROTO=none
DNS1=192.168.186.2
DOMAIN=EMC.LAB
Next we are configuring the hostname and gateway in “/etc/sysconfig/network”:
NETWORKING=yes
HOSTNAME=client1
GATEWAY=192.168.1.254
To change the hostname without a reboot use the following command:
It is crucial NOT to use a FQDN as the hostname!
This is important because the “rpc gssd” service relies on a properly set hostname. At the bottom of the post I added some insights into this service.
Next add the following line to the “/etc/hosts” file:
192.168.186.5 client1 client1.emc.lab
A Kerberos infrastructure will only work if the time difference between client and server is not greater than 5 minutes. The best way to keep them in sync is to use NTP by editing the file “/etc/ntp.conf” and adding:
Afterwards start the ntpdate service and make sure that it starts by default:
$> service ntpdate start
$> chkconfig ntpdate on
To finish the network configuration issue a “service network restart” and validate the content of the file “/etc/resolv.conf”, which should have been updated automatically to this:
; generated by /sbin/dhclient-script
nameserver 192.168.186.2
search EMC.LAB
Starting with RHEL 6.4, Red Hat greatly improved the System Security Services Daemon (sssd).
First we use “authconfig” to configure our client to use sssd and to create home directories if they do not exist:
$> authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
Next we have to edit or create three files: the Kerberos client configuration (“/etc/krb5.conf”), the Samba configuration (“/etc/samba/smb.conf”) and the sssd configuration (“/etc/sssd/sssd.conf”).
“/etc/krb5.conf”:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EMC.LAB
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
[domain_realm]
“/etc/samba/smb.conf”:
[global]
workgroup = EMC
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = EMC.LAB
security = ads
“/etc/sssd/sssd.conf”:
[domain/emc.lab]
id_provider = ad
ldap_id_mapping = False
[sssd]
services = nss, pam
config_file_version = 2
domains = emc.lab
[nss]
[pam]
If you don’t want to maintain UID and GID in Active Directory, as described in the previous post, you can also set “ldap_id_mapping” to “true”. This ignores any manually configured UID and GID in Active Directory and generates them from the object SID. The target NFS server must also support this feature, and EMC Isilon does not. There are more caveats on this topic that I won’t cover; please have a look here for more information.
Make sure that the sssd.conf is only readable by root and that the service starts by default:
$> chmod 0600 /etc/sssd/sssd.conf
$> chkconfig sssd on
Now it is time to join our Active Directory domain as user “administrator”:
$> net ads join -k -U Administrator
Using short domain name -- EMC
Joined 'CLIENT1' to dns domain 'emc.lab'
If the command was successful we are ready to start the “sssd” daemon.
$> service sssd start
Enumerating a user should now be possible:
$> id user1
uid=10001(user1) gid=20000(linux_user) groups=20000(linux_user)
You can also now log in to your client as an Active Directory user!
Now let’s configure NFSv4 on the client.
First we have to enable NFSv4 in the file “/etc/sysconfig/nfs”:
To correctly resolve UIDs and GIDs, the file “/etc/idmapd.conf” has to be edited:
The last part is to configure “rpcgssd” and “rpcidmapd” to start automatically and to actually start them:
$> chkconfig rpcgssd on
$> chkconfig rpcidmapd on
$> service rpcgssd start
$> service rpcidmapd start
Now you should be able to securely mount our Isilon NFSv4 export configured in this post:
$> mount -o vers=4,sec=krb5p isilonc1.emc.lab:/ifs/data/test /mnt
$> nfsstat -m
/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.186.6,minorversion=0,local_lock=none,addr=192.168.186.23
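As an added example (not part of the original post), the following POSIX shell check parses the “nfsstat -m” output format shown above and reports every mount that did not end up as NFSv4 with the krb5p flavor; the sample output is constructed, and its second mount is invented purely for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: parses "nfsstat -m" output and
# reports every NFS mount that is not NFSv4 with sec=krb5p, so a mount that
# negotiated a weaker security flavor does not go unnoticed. The sample output
# is constructed; the first entry mirrors the mount shown in the post, the
# second is an invented AUTH_SYS NFSv3 mount for contrast.
SAMPLE_NFSSTAT='/mnt from isilonc1.emc.lab:/ifs/data/test/
 Flags: rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.186.6,minorversion=0,local_lock=none,addr=192.168.186.23
/data from nas2.emc.lab:/export/data
 Flags: rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,addr=192.168.186.24'

# check_nfs_mounts NFSSTAT_OUTPUT: prints one line per mount,
#   "OK <mountpoint> vers=<v> sec=<flavor>"            for NFSv4 with krb5p
#   "FAIL <mountpoint> vers=<v> sec=<flavor> (<why>)"  otherwise, where <why>
#   lists auth-only (krb5), no-privacy (krb5i), no-kerberos (sys/none), not-v4.
check_nfs_mounts() {
    printf '%s\n' "$1" | awk '
        / from / { mp = $1 }
        /^ *Flags:/ {
            n = split($2, o, ",")
            vers = "?"; sec = "sys"      # assume AUTH_SYS when no sec= is present
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
                if (o[i] ~ /^sec=/)  sec  = substr(o[i], 5)
            }
            why = ""
            if (sec == "krb5")       why = "auth-only"
            else if (sec == "krb5i") why = "no-privacy"
            else if (sec != "krb5p") why = "no-kerberos"
            if (vers !~ /^4/) why = why (why == "" ? "" : ",") "not-v4"
            if (why == "") print "OK", mp, "vers=" vers, "sec=" sec
            else print "FAIL", mp, "vers=" vers, "sec=" sec, "(" why ")"
        }'
}

main() { check_nfs_mounts "$SAMPLE_NFSSTAT"; }
main
```

On a real client, run it against live data with check_nfs_mounts "$(nfsstat -m)".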
I think the hardest part in this series on configuring and testing NFSv4 was getting the Linux client running.
But after many frustrating hours of research and troubleshooting I was quite proud to get this running! 🙂
“rpc gssd” is used to establish a secure connection to our NFS server using Kerberos. The keys used for this communication are stored by default in “/etc/krb5.keytab”. This file is generated when joining the domain with “net ads join”. The rpcgssd service looks in this file for suitable machine credentials, trying the following principal formats in this order:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
Rpcgssd is searching for a UPN and NOT an SPN in our Active Directory database! When you join a computer to a Windows domain, the computer account gets a default UPN in the format <netbiosname>$@<REALM>. For our host it would be “client1$@EMC.LAB”.
And here is the problem: “<HOSTNAME>” is substituted with the name defined in “/etc/sysconfig/network”. Therefore you will either have to use a hostname without the domain extension, or set a custom UPN when joining the domain in one of the formats specified above. This can be done, for example, by adding “createupn='host/CLIENT1.EMC.LAB@EMC.LAB'” to the “net ads join” command.
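As an added example (not code from the original post), the POSIX shell script below models the lookup just described: it walks the keytab search order for a given hostname and then checks whether the principal found is actually a UPN of the computer account. The keytab listing and UPN list are constructed sample data, and the assumption that the “<HOSTNAME>$” form uses the upper-cased short name is mine.

```shell
#!/bin/sh
# Added example, not code from the original post. It models the two steps the
# text describes: rpc.gssd searches /etc/krb5.keytab for a machine principal in
# a fixed order, then needs a TGT for that name, which Active Directory only
# issues when the name is a UPN of the computer account. All data is constructed.

# Principals "klist -k" would show after "net ads join" (constructed sample).
KEYTAB_PRINCIPALS='CLIENT1$@EMC.LAB
host/client1@EMC.LAB
host/client1.emc.lab@EMC.LAB'
# UPNs of the computer account; by default only the <netbiosname>$ form exists.
DEFAULT_UPNS='CLIENT1$@EMC.LAB'
# gssd_keytab_pick HOSTNAME REALM: first keytab principal in the post's search
# order. Assumption: the $ form uses the upper-cased short name, the rest use
# the hostname exactly as configured in /etc/sysconfig/network.
gssd_keytab_pick() {
    up=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    for cand in "${up}\$@$2" "root/$1@$2" "nfs/$1@$2" "host/$1@$2"; do
        printf '%s\n' "$KEYTAB_PRINCIPALS" | grep -qxF "$cand" \
            && { printf '%s\n' "$cand"; return 0; }
    done
    for svc in root nfs host; do   # then root/, nfs/, host/ with any instance
        m=$(printf '%s\n' "$KEYTAB_PRINCIPALS" | grep "^$svc/.*@$2\$" | head -n 1)
        [ -n "$m" ] && { printf '%s\n' "$m"; return 0; }
    done
    return 1
}
# gssd_machine_cred_check HOSTNAME REALM UPNS: "ok <principal>" if the picked
# principal is a UPN, "no-upn <principal>" if it is only an SPN (the TGT
# request would fail), "no-keytab-entry" if nothing in the keytab matches.
gssd_machine_cred_check() {
    p=$(gssd_keytab_pick "$1" "$2") || { echo no-keytab-entry; return 1; }
    if printf '%s\n' "$3" | grep -qxF "$p"; then
        printf 'ok %s\n' "$p"
    else
        printf 'no-upn %s\n' "$p"; return 1
    fi
}
# Short hostname works; the FQDN picks host/client1.emc.lab, which is no UPN,
# until that UPN is added at join time (createupn=, written here in the same
# case as the keytab entry because the comparison is exact).
main() {
    gssd_machine_cred_check client1 EMC.LAB "$DEFAULT_UPNS" || :
    gssd_machine_cred_check client1.emc.lab EMC.LAB "$DEFAULT_UPNS" || :
    gssd_machine_cred_check client1.emc.lab EMC.LAB "$DEFAULT_UPNS
host/client1.emc.lab@EMC.LAB" || :
}
main
```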