Securing NFS in AIX: An Introduction to NFS v4 in AIX 5L Version 5.3

Book description

NFS Version 4 (NFS V4), specified in RFC 3530, is the latest defined client-to-server protocol for NFS. A significant upgrade from NFS V3, it was defined under the IETF framework by many contributors. NFS V4 introduces major changes to the way NFS has been implemented and used until now, including stronger security (RPCSEC_GSS with Kerberos authentication), sharing across wide area networks, and broader platform adaptability.

This IBM Redbooks publication is intended to provide a broad understanding of NFS V4 and specific AIX NFS V4 implementation details. It discusses considerations for deployment of NFS V4, with a focus on exploiting the stronger security features of the new protocol.

In the initial implementation of NFS V4 in AIX 5.3, the most important functional differences from NFS V3 are related to security. Chapter 3 and parts of the planning and implementation chapters in Part 2 cover this topic in detail.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Acknowledgements
    3. Become a published author
    4. Comments welcome
  3. Part 1: NFS V4 fundamentals
    1. Chapter 1: NFS Version 4 overview
      1. What is NFS?
      2. NFS V2 and NFS V3 History
      3. NFS V4 design motivations
      4. Objectives of NFS V4 (RFC3530)
      5. AIX 5.3 specific implementation of NFS V4
        1. Mandatory features
        2. Optional features
      6. Planning and implementation considerations
        1. Pre-implementation design considerations
      7. Looking ahead to the rest of the book
    2. Chapter 2: What’s new in NFS V4?
      1. How NFS works
      2. Protocols used by NFS
        1. UDP or TCP
        2. Remote Procedure Call (RPC)
        3. eXternal Data Representation (XDR)
      3. NFS daemons
        1. The portmap daemon
        2. The rpc.mountd daemon
        3. The rpc.statd daemon
        4. The rpc.lockd daemon
        5. The nfsd daemon
        6. The block I/O daemon (biod)
      4. NFS V3
      5. The NFS Lock Manager protocol
      6. NFS V4
        1. Attribute classes
        2. Username to UID mapping
        3. Better namespace handling
        4. Built-in security
        5. Client-side caching and delegation
        6. Compound RPC procedures
        7. File locking
        8. Internationalization
        9. Volatile file handles
      7. AIX 5L v5.3 implementation of NFS V4
      8. NFS V4 supported features in AIX 5.3
        1. Mandatory feature support
        2. Other unsupported features
        3. Optional feature support
        4. NFS4 ACL
        5. AIXC ACLs
        6. External name space (exname)
        7. Protocol differences: server exporting and client mounting
        8. NFS files
        9. Restricting NFS port ranges
        10. Use of NFS_NOBODY
      9. NFS daemons, files, and commands: a quick reference
    3. Chapter 3: Enhanced security in NFS V4
      1. General security concepts and terminology
        1. Broad security categories
        2. Information security components
        3. RPC security flavors
        4. RPCSEC_GSS protection levels
        5. RPCSEC_GSS protection mechanisms
        6. Looking ahead to the rest of the chapter
      2. NFS V4 user/group identification
        1. User identity management options
        2. User/group identities and NFS V4
      3. NFS V4 user authentication
        1. AUTH_SYS user authentication
        2. RPCSEC_GSS user authentication using Kerberos
      4. NFS V4 user authorization
        1. Standard UNIX file permissions
        2. AIXC ACLs
        3. NFS V4 ACLs: description
        4. NFS V4 ACLs: ACL evaluation
        5. NFS V4 ACLs: administration
        6. NFS V4 ACLs: permissions scenarios
        7. NFS V4 ACLs: NFS V3 clients
      5. NFS V4 host identification
        1. Basic host identification
        2. Kerberos host identification
      6. NFS V4 host authentication
      7. NFS V4 host authorization
  4. Part 2: Implementing NFS V4
    1. Chapter 4: Planning for NFS V4
      1. Deployment of NFS V4 in general
      2. Mandatory requirements
        1. What is your name resolution type?
        2. Choosing your NFS domain
      3. Identification methods
        1. Selecting the user/group repository
        2. Other identification considerations
      4. NFS Authentication methods
        1. AUTH_SYS method
        2. Deploying Kerberos
        3. Default types of encryption for KDC and security flavors
        4. NFS client considerations when using Kerberos
        5. Deployment of LDAP
      5. Authorization methods
        1. Choosing your user authorization method
        2. Other user authorization considerations
      6. Choosing the appropriate file system types
      7. NFS protocols and namespace considerations
        1. Pseudo-root FS - alias tree versus classic model
      8. Sizing and capacity planning considerations
      9. Migration considerations
    2. Chapter 5: Sample implementation scenarios
      1. Setup of the sample environment
        1. PATH variable for NAS deployment
        2. syslogd settings
      2. Using NFS V4 as you did with NFS V3
      3. How to unmount an exported NFS V4 file system
      4. Setting up the NFS domain name
      5. The pseudo-root FS
        1. Setting up the pseudo-root FS on an NFS V4 server
        2. Advantages of using the NFS V4 pseudo-root
        3. Setting up the alias tree extension on an NFS V4 server
      6. Setting up the NAS with a legacy database
        1. Setup of a KDC server
        2. Installing the IBM NAS file sets
        3. Initial basic KDC functions test
        4. Create user principals on the KDC server
        5. Create the NFS server principals on the KDC server
      7. Setting up an NFS V4 server with NAS on a different KDC server
        1. Create the NFS server keytab file entry
        2. Check the NFS V4 server before client access
        3. Set up the NFS registry daemon
        4. Set up the gssd daemon on the NFS V4 server
      8. Setting up an NFS V4 client with NAS
        1. General steps for all types of clients
        2. Install the NAS client code
        3. Set up the NFS domain
        4. Set up the NFS domain-to-realm map
        5. Full client installation steps
        6. Slim client installation steps
        7. Configuring RPCSEC_GSS on the clients
      9. Preparing the system for Tivoli Directory Server and Kerberos V5
        1. Set up procedure
        2. Configure IBM Tivoli Directory Server
        3. Configure the KDC server with LDAP backend
        4. Configure the NFS V4 client for integrated login services
      10. Integrating NFS V4 with a Linux client
        1. NFS server and client setup
        2. Read-only NFS V4 mount
        3. Read/write NFS V4 mounts on Linux
        4. Pseudo-file system in NFS V4 Linux client
      11. Windows KDC and NFS V4 AIX 5.3
      12. Setting up Kerberos cross-realm access
        1. Add the krbtgt service principal to every KDC server
        2. Kerberos configuration file changes on the KDC server, NFS V4 client and server
        3. Add NFS domain-to-realm map on NFS V4 client and server
        4. Client access verification
        5. Client access mount using cross-realms
    3. Chapter 6: Problem determination
      1. Problem determination tools and techniques
      2. AIX problem determination tools and aids for NFS
        1. Enabling syslogd
        2. Using iptrace and ipreport
        3. Using the fuser command
        4. Using the rpcinfo command
        5. Using the showmount command
        6. Using the nfs4cl command
        7. Using the nfsstat command
        8. Using the errpt command
      3. IBM NAS problem determination tools
      4. Tivoli Directory Server problem determination tools
      5. Third-party problem determination tools
        1. Using the lsof command
        2. Using the Ethereal utility
      6. General NFS V4 problems
        1. Warning: EIM is not configured
        2. Realm is already mapped to domain
      7. Exporting file systems
        1. Exportfs: cannot change the v4 root...
        2. Exportfs: /: Invalid argument
        3. Exportfs: /var/: Too many levels of symbolic links...
      8. Mount problems
        1. General mount problem
        2. Pseudo-root and nfs4cl problems
        3. ‘vers’ mount option error: “...Program not registered”
        4. ‘vers’ mount option error: “...server not responding”
        5. Mount command hangs - no system response
        6. Mount with sec=krb5: “vmount: The file access permissions do not allow the specified action”
        7. Mount with sec=krb5: “RPC: 1832-016 Unknown host...”
        8. File and directory access: cd, ls, etc. return “permission denied”
        9. File and directory access: file ownership is “nobody:nobody”
        10. NAS problem: kadmin: “Unable to initialize kadmin interface”
      9. GSS-API error codes
        1. Major GSS-API error codes
        2. Kerberos v5 status codes
  5. Part 3: Appendixes
    1. Appendix A: Kerberos
      1. Overview
      2. Kerberos keys and initial setup
      3. Authenticating to the Kerberos server
      4. Authenticating to an application server
      5. Kerberos terminology
      6. Where to find more information about Kerberos
      7. IBM Redbooks
      8. Other IBM publications
      9. Non-IBM publications
      10. Other information sources
    2. Appendix B: Sample scripts, files, and output
      1. Sample administrative scripts
      2. Change the pseudo-root FS sample script
      3. Create a KDC server with NFS V4 server
      4. Create a full client with legacy KDC server backend
      5. Create a Full Client with KDC and LDAP backend
      6. Script to copy ACLs to an entire directory structure
      7. Windows command script to run ktpass
      8. Script to gather additional information for local AIX software support
      9. Sample client Kerberos configuration files
      10. Kerberos configuration file /etc/krb5/krb5.conf with legacy backend
      11. Kerberos configuration file /etc/krb5/krb5.conf with LDAP backend
      12. Kerberos configuration file /etc/krb5/krb5.conf with Windows Active Directory backend
      13. LDIF sample file for KDC
      14. Sample iptrace output
      15. Successful authentication during mount request
      16. Unsuccessful authentication during mount request
    3. Appendix C: AIX 5.3 NFS quick reference
      1. NFS configuration files
      2. NFS daemons
      3. NFS commands
      4. Export options
      5. mount command options
      6. nfso command options
  6. Abbreviations and acronyms
  7. Glossary
  8. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  9. Index
  10. Back cover

Product information

  • Title: Securing NFS in AIX: An Introduction to NFS v4 in AIX 5L Version 5.3
  • Author(s): Chris Almond, Lutz Denefleh, Sridhar Murthy, Aniket Patel, John Trindle
  • Release date: November 2004
  • Publisher(s): IBM Redbooks
  • ISBN: None