FreeIPA and NFSv4
From Linux NFS
Revision as of 22:12, 18 July 2011
This is a WIP by dros@netapp.com (please let me finish before changing/commenting).
This document describes using NFSv4 with FreeIPA.
Historically, setting up a secure NFSv4 export (or even a client) was challenging: it required standing up a Kerberos realm and possibly an LDAP server as well. FreeIPA packages a Kerberos 5 KDC and an LDAP directory together, which makes this process much less painful.
These instructions are for Fedora 15. Other distros will require a similar setup; the key differences will be a package installation tool other than yum(1) and a different config file layout.
Disclaimer about the testing environment
For this example I've used a private network (192.168.56.0/24) with a fake DNS domain (example.fake). Setup with routable IP addresses and a real DNS domain should be straightforward.
For this example I run the DNS server on the same machine as the NFSv4 export and the IPA server (server.example.fake). Of course, these could all be different machines.
I have not tried setting up FreeIPA without DNS, or using its own DNS server.
I'm using VMs on a private NAT'd network, so I just turned off the firewall on the server! You probably shouldn't do that! You'll need to allow traffic from the clients to the server on:
* port 53 (TCP and UDP) for named(1)
* port 88 (TCP and UDP) for Kerberos, matching the two _kerberos SRV records below
* port 389 (TCP) for LDAP
* XXX MORE!!
Set up the DNS domain
Create the DNS zone on the server
Install named(1) on the server
<pre>
[root@server ~]# yum install bind
</pre>
Configure the DNS zone
Create the file "/var/named/example.fake.zone":
<pre>
$TTL 3D
@       IN SOA  ns1.example.fake. hostmaster.example.fake. (
                201107111       ; serial#
                3600            ; refresh, seconds
                3600            ; retry, seconds
                3600            ; expire, seconds
                3600 )          ; minimum, seconds

        NS      ns1             ; Inet Address of nameserver
example.fake.   MX 10 mail      ; Primary Mail Exchanger

ns1     A       192.168.56.20
server  A       192.168.56.20
client1 A       192.168.56.40

ipa     CNAME   build           ; NB: nothing in this zone defines "build"
mail    CNAME   build

; DNS auto discovery of services
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88  server.example.fake.
_kerberos._tcp  SRV 10 10 88  server.example.fake.
</pre>
Configure the reverse mapping
Create the file "/var/named/192-168-56.zone":
<pre>
$TTL 2d         ; 172800 seconds
$ORIGIN 56.168.192.IN-ADDR.ARPA.
@       IN SOA  ns1.example.fake. hostmaster.example.fake. (
                201107111       ; serial number
                8H              ; refresh, seconds
                2H              ; retry, seconds
                4W              ; expire, seconds
                1D )            ; minimum, seconds

        IN NS   ns1.example.fake.

20      IN PTR  server.example.fake.
40      IN PTR  client1.example.fake.
</pre>
Modify named(1) config to use new zone files
Add these sections to the file "/etc/named.conf". File names are relative to the "directory" option (/var/named on Fedora), and both "file" values must be quoted strings, since named(1) rejects an unquoted file name:
<pre>
zone "example.fake" IN {
        type master;
        file "example.fake.zone";
};

zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192-168-56.zone";
};
</pre>
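Before restarting named(1) it is worth checking that the two zone files agree with each other, because Kerberos clients and rpc.gssd canonicalize hostnames through DNS: every host that will carry a host/ or nfs/ principal needs an A record with a matching PTR, the _kerberos and _ldap SRV targets must resolve, and NS/MX/SRV targets must not be CNAMEs. The following script is an added example, not code from the wiki page or from FreeIPA. It embeds the page's own zone records as constructed input so it runs offline; its tiny parser only understands the record shapes the page uses (no TTL fields). Run against the page's data it reports the ns1 alias as a warning and flags the two CNAMEs to "build" (and the MX that points at one of them) as errors.

```python
"""Cross-check the example.fake forward zone against its reverse zone.

Added example; not code from the wiki page or from FreeIPA.  The zone text
below is the page's own data, embedded as constructed input so the script
runs offline.  The parser handles only the record shapes the page uses.
"""
import ipaddress

FORWARD_ORIGIN = "example.fake."
REVERSE_ORIGIN = "56.168.192.IN-ADDR.ARPA."
RTYPES = {"SOA", "NS", "A", "MX", "CNAME", "SRV", "PTR"}

# Forward zone records from the page (SOA omitted); a line without an
# owner name inherits the previous owner, as named(1) does.
FORWARD_ZONE = """\
@               NS      ns1
example.fake.   MX 10   mail
ns1             A       192.168.56.20
server          A       192.168.56.20
client1         A       192.168.56.40
ipa             CNAME   build
mail            CNAME   build
_ldap._tcp      SRV 10 10 389 server.example.fake.
_kerberos._udp  SRV 10 10 88  server.example.fake.
_kerberos._tcp  SRV 10 10 88  server.example.fake.
"""

# Reverse zone records from the page (SOA omitted).
REVERSE_ZONE = """\
@   IN NS   ns1.example.fake.
20  IN PTR  server.example.fake.
40  IN PTR  client1.example.fake.
"""


def fqdn(name, origin):
    """Qualify a zone-file name against $ORIGIN; DNS names are case-insensitive."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def rev_ptr(addr):
    """The in-addr.arpa / ip6.arpa owner name for an address, as an FQDN."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def parse_zone(text, origin):
    """Return (owner_fqdn, rtype, rdata_tokens) for each record line."""
    records, owner = [], fqdn("@", origin)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "IN" and tokens[0] not in RTYPES:
            owner = fqdn(tokens.pop(0), origin)      # explicit owner name
        if tokens[0] == "IN":
            tokens.pop(0)                            # optional class
        records.append((owner, tokens[0], tokens[1:]))
    return records


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (errors, warnings) describing forward/reverse inconsistencies."""
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    a_by_name, cnames = {}, set()
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata[0])
        elif rtype == "CNAME":
            cnames.add(owner)
    ptrs = [(o, fqdn(r[0], fwd_origin)) for o, t, r in rev if t == "PTR"]
    errors, warnings = [], []

    # A -> PTR: every address needs a PTR, ideally naming the same host.
    for name, addrs in a_by_name.items():
        for addr in sorted(addrs):
            rev_name = rev_ptr(addr)
            targets = [t for o, t in ptrs if o == rev_name]
            if not targets:
                errors.append(f"{name} A {addr}: no PTR record at {rev_name}")
            elif name not in targets:
                warnings.append(f"{name} A {addr}: PTR {rev_name} names {', '.join(targets)}")

    # PTR -> A: the named host must actually carry the address it claims.
    for rev_name, target in ptrs:
        if not any(rev_ptr(a) == rev_name for a in a_by_name.get(target, ())):
            errors.append(f"PTR {rev_name} -> {target}: {target} has no matching A record")

    # CNAME targets must exist; NS/MX/SRV targets must be addresses, not CNAMEs.
    target_index = {"NS": 0, "MX": 1, "SRV": 3}
    for owner, rtype, rdata in fwd:
        if rtype == "CNAME":
            target = fqdn(rdata[0], fwd_origin)
            if target not in a_by_name and target not in cnames:
                errors.append(f"{owner} CNAME {target}: dangling, no such record")
        elif rtype in target_index:
            target = fqdn(rdata[target_index[rtype]], fwd_origin)
            if target in cnames:
                errors.append(f"{owner} {rtype} target {target} is a CNAME (not allowed)")
            elif target not in a_by_name:
                errors.append(f"{owner} {rtype} target {target} has no A record")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
    raise SystemExit(1 if errs else 0)
```

The alias warning (ns1 and server share 192.168.56.20 but only server has the PTR) is harmless as long as the Kerberos principals are issued for server.example.fake, which is the name the PTR returns; the dangling CNAMEs are only a problem if something actually looks up ipa.example.fake or mail.example.fake. For production zones, named-checkzone(8) from the bind package performs the syntax checks this script skips.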
Other named(1) config
There are a few other things that I needed to configure in my test setup. You probably don't want to turn off DNSSEC in real-world setups: validation only applies to answers named(1) fetches recursively, not to the zones it serves authoritatively, so leaving it enabled does not interfere with example.fake.
In the "options" section:
* change the "listen-on" option to include the server's address on the test network: "{ localhost; 192.168.56.20; }"
* change the "allow-query" option to "{ localhost; 192.168.56.0/24; }" (every element of an address list, including the last, ends with a semicolon)
* change the "dnssec-enable" option to "no"
* change the "dnssec-validation" option to "no"
Restart named(1)
<pre>
[root@server ~]# service named restart
Restarting named (via systemctl):                          [  OK  ]
</pre>
Configure the client(s) and server to use the local DNS server
In this testing environment the server and every client must point at this name server. With a real DNS server that already carries the SRV records above, clients shouldn't require this configuration.
Edit file "/etc/sysconfig/network-scripts/ifcfg-eth0" (or whatever is appropriate) and change the DNS1 line to:
<pre>
DNS1=192.168.56.20
</pre>
Restart the network service to pick up the change.
<pre>
[root@server ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
</pre>
And verify that it worked:
<pre>
[root@server ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.fake
nameserver 192.168.56.20
</pre>
<pre>
[root@server ~]# nslookup server.example.fake
Server:         192.168.56.20
Address:        192.168.56.20#53

Name:   server.example.fake
Address: 192.168.56.20
</pre>
Also check the reverse mapping ("nslookup 192.168.56.20" should answer server.example.fake), since Kerberos and rpc.gssd canonicalize hostnames through it.