(99 intermediate revisions not shown) |
Line 1: |
Line 1: |
- | This is a WIP by dros@netapp.com - please let me finish before changing/commenting). | + | This has been moved to [[NFS and FreeIPA]]. |
- | | + | |
- | This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA].
| + | |
- | | + | |
- | Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos] realm and possibly an [http://en.wikipedia.org/wiki/LDAP LDAP] server. FreeIPA provides a packaged service of both [http://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos 5] and [http://en.wikipedia.org/wiki/LDAP LDAP] with the purpose of making this process much less painful.
| + | |
- | | + | |
- | These instructions are for [http://www.fedora.org/ Fedora 15]. Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
| + | |
- | | + | |
- | | + | |
- | | + | |
- | = Disclaimer about the testing environment =
| + | |
- | | + | |
- | For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake).
| + | |
- | Setup with routable IP addresses and a real DNS realm should be straightforward.
| + | |
- | | + | |
- | For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake). Of course, these could all be different machines.
| + | |
- | | + | |
- | I have not tried setting up freeipa without DNS, or using it's own DNS server.
| + | |
- | | + | |
- | I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server! You probably shouldn't do that! You'll need to allow traffic on:
| + | |
- | * port 53 for named(1)
| + | |
- | * port 88 for kerberos
| + | |
- | * port 389 for ldap
| + | |
- | * XXX MORE!!
| + | |
- | | + | |
- | = Set up DNS realm =
| + | |
- | | + | |
- | == Create the DNS realm on the server ==
| + | |
- | | + | |
- | === Install named(1) on the server ===
| + | |
- | | + | |
- | <pre>
| + | |
- | [root@server ~]# sudo yum install bind
| + | |
- | </pre>
| + | |
- | | + | |
- | === Configure the DNS zone ===
| + | |
- | | + | |
- | Create the file "/var/named/example.fake.zone":
| + | |
- | | + | |
- | <pre>
| + | |
- | $TTL 3D
| + | |
- | @ IN SOA ns1.example.fake. hostmaster.example.fake. (
| + | |
- | 201107111 ; serial#
| + | |
- | 3600 ; refresh, seconds
| + | |
- | 3600 ; retry, seconds
| + | |
- | 3600 ; expire, seconds
| + | |
- | 3600 ) ; minimum, seconds
| + | |
- | | + | |
- | NS ns1 ; Inet Address of nameserver
| + | |
- | example.fake. MX 10 mail ; Primary Mail Exchanger
| + | |
- | | + | |
- | ns1 A 192.168.56.20
| + | |
- | server A 192.168.56.20
| + | |
- | | + | |
- | client1 A 192.168.56.40
| + | |
- | | + | |
- | ipa CNAME build
| + | |
- | mail CNAME build
| + | |
- | | + | |
- | ; DNS auto discovery of services
| + | |
- | _ldap._tcp SRV 10 10 389 server.example.fake.
| + | |
- | _kerberos._udp SRV 10 10 88 server.example.fake.
| + | |
- | _kerberos._tcp SRV 10 10 88 server.example.fake.
| + | |
- | </pre>
| + | |
- | | + | |
- | === Configure the reverse mapping ===
| + | |
- | | + | |
- | Create the file "/var/named/192-168-56.zone":
| + | |
- | | + | |
- | <pre>
| + | |
- | $TTL 2d ; 172800 seconds
| + | |
- | $ORIGIN 56.168.192.IN-ADDR.ARPA.
| + | |
- | @ IN SOA ns1.example.fake. hostmaster.example.fake. (
| + | |
- | 201107111 ; serial number
| + | |
- | 8H ; refresh, seconds
| + | |
- | 2H ; retry, seconds
| + | |
- | 4W ; expire, seconds
| + | |
- | 1D ) ; minimum, seconds
| + | |
- | | + | |
- | IN NS ns1.example.fake.
| + | |
- | 20 IN PTR server.example.fake.
| + | |
- | 40 IN PTR client1.example.fake.
| + | |
- | </pre>
| + | |
- | | + | |
- | | + | |
- | === Modify named(1) config to use new zone files ===
| + | |
- | | + | |
- | Add the sections to file "/etc/named.conf":
| + | |
- | | + | |
- | <pre>
| + | |
- | zone "example.fake" IN {
| + | |
- | type master;
| + | |
- | file example.fake.zone;
| + | |
- | };
| + | |
- | | + | |
- | zone "56.168.192.in-addr.arpa" IN {
| + | |
- | type master;
| + | |
- | file "192-168-56.zone";
| + | |
- | };
| + | |
- | </pre>
| + | |
- | | + | |
- | === Other named(1) config ===
| + | |
- | | + | |
- | There are a few other things that I needed to configure in my test setup. You probably don't want to turn off dnssec in real world setups!
| + | |
- | | + | |
- | In the "options" section:
| + | |
- | | + | |
- | * change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }"
| + | |
- | * change "allow-query" option to "{ localhost; 192.168.56.0/24 }"
| + | |
- | * change "dnssec-enable" option to "no"
| + | |
- | * change "dnssec-validation" option to "no"
| + | |
- | | + | |
- | === Restart named(1) ===
| + | |
- | | + | |
- | <pre>
| + | |
- | [root@server ~]# service named restart
| + | |
- | Restarting named (via systemctl): [ OK ]
| + | |
- | </pre>
| + | |
- | | + | |
- | == Configure the client(s) and server to use the local DNS server ==
| + | |
- | | + | |
- | The server and all clients should use this name server (with this testing environment). With a real DNS server, clients shouldn't require this configuration.
| + | |
- | | + | |
- | Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:
| + | |
- | | + | |
- | <pre>
| + | |
- | DNS1=192.168.56.20
| + | |
- | </pre>
| + | |
- | | + | |
- | Restart the network service to pick up the change.
| + | |
- | | + | |
- | <pre>
| + | |
- | [root@server ~]# service network restart
| + | |
- | Restarting network (via systemctl): [ OK ]
| + | |
- | </pre>
| + | |
- | | + | |
- | And verify that it worked:
| + | |
- | | + | |
- | <pre>
| + | |
- | [root@server ~]# cat /etc/resolv.conf
| + | |
- | # Generated by NetworkManager
| + | |
- | search example.fake
| + | |
- | nameserver 192.168.56.20
| + | |
- | </pre>
| + | |
- | | + | |
- | <pre>
| + | |
- | [root@server ~]# nslookup server.example.fake
| + | |
- | Server: 192.168.56.20
| + | |
- | Address: 192.168.56.20#53
| + | |
- | | + | |
- | Name: server.example.fake
| + | |
- | Address: 192.168.56.20
| + | |
- | </pre>
| + | |
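Review bot: in the "/etc/named.conf" block of the removed text, `file example.fake.zone;` is unquoted while the reverse zone a few lines later uses `file "192-168-56.zone";`; quote it to match before this content is carried over to [[NFS and FreeIPA]]. In "/var/named/example.fake.zone", `ipa CNAME build` and `mail CNAME build` point at a `build` name that has no A record anywhere in the zone, so neither ipa.example.fake nor the MX target mail.example.fake resolves; point them at `server` or add a `build A` record. The firewall list still ends at `* XXX MORE!!` and omits NFSv4 itself (TCP port 2049), and the "turn off the firewall" and `dnssec-enable`/`dnssec-validation` "no" settings are flagged as test-only in the removed text; keep those caveats intact on the destination page.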