FreeIPA and NFSv4
From Linux NFS
(Created page with "This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA]. Historically, setting up a secure NFSv4 export (or even a client) was challenging, requirin...") |
|||
Line 1: | Line 1: | ||
+ | This is a WIP by dros@netapp.com - please let me finish before changing/commenting). | ||
+ | |||
This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA]. | This document describes using NFSv4 with [http://freeipa.org/page/Main_Page FreeIPA]. | ||
Revision as of 21:48, 18 July 2011
This is a WIP by dros@netapp.com - please let me finish before changing/commenting).
This document describes using NFSv4 with FreeIPA.
Historically, setting up a secure NFSv4 export (or even a client) was challenging, requiring the setup of a Kerberos realm and possibly an LDAP server. FreeIPA provides a packaged service of both Kerberos 5 and LDAP with the purpose of making this process much less painful.
These instructions are for Fedora 15. Other distros will require similar setup - the key differences will be a package installation tool other than yum(1), and a different config file layout.
Contents |
Disclaimer about the testing environment
For this example I've used a private network (192.168.56.0/24) with a fake DNS realm (example.fake). Setup with routable IP addresses and a real DNS realm should be straightforward.
For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake). Of course, these could all be different machines.
I have not tried setting up freeipa without DNS, or using it's own DNS server.
I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server! You probably shouldn't do that! You'll need to allow traffic on:
* port 88 for kerberos * port 389 for ldap * XXX MORE!!
Set up DNS Realm on the SERVER
Install bind on the server
[root@server ~]# sudo yum install bind
Configure the dns zone
Create the file "/var/named/example.fake.zone":
$TTL 3D @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial# 3600 ; refresh, seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600 ) ; minimum, seconds NS ns1 ; Inet Address of nameserver example.fake. MX 10 mail ; Primary Mail Exchanger ns1 A 192.168.56.20 server A 192.168.56.20 client1 A 192.168.56.40 ipa CNAME build mail CNAME build ; DNS auto discovery of services _ldap._tcp SRV 10 10 389 server.example.fake. _kerberos._udp SRV 10 10 88 server.example.fake. _kerberos._tcp SRV 10 10 88 server.example.fake.
Configure the reverse mapping
Create the file "/var/named/192-168-56.zone":
$TTL 2d ; 172800 seconds $ORIGIN 56.168.192.IN-ADDR.ARPA. @ IN SOA ns1.example.fake. hostmaster.example.fake. ( 201107111 ; serial number 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds IN NS ns1.example.fake. 20 IN PTR server.example.fake. 40 IN PTR client1.example.fake.
Modify named(1) config to use new zone files
Add the sections to file "/etc/named.conf":
zone "example.fake" IN { type master; file example.fake.zone; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192-168-56.zone"; };
Other named(1) config
There are a few other things that I needed to configure in my test setup. You probably don't want to turn off dnssec in real world setups!
In the "options" section:
* change the "listen-on" option to include the server's external address ""{ localhost; 192.168.56.20; }" * change "allow-query" option to "{ localhost; 192.168.56.0/24 }" * change "dnssec-enable" option to "no" * change "dnssec-validation" option to "no"
restart named
- allow service on port 53 with firewall...
- change /etc/resolv.conf on both client and server to point to server
- now it works!
{{{ [root@client1 ~]# cat /etc/resolv.conf
- Generated by NetworkManager
search example.fake nameserver 192.168.56.20
[root@client1 ~]# nslookup client1.example.fake Server: 192.168.56.20 Address: 192.168.56.20#53
Name: client1.example.fake Address: 192.168.56.40 }}}
now DNS should be setup