book

Securing NFS in AIX An Introduction to NFS v4 in AIX 5L Version 5.3

Name: Securing NFS in AIX An Introduction to NFS v4 in AIX 5L Version 5.3
ISBN: 0738490806

by Chris Almond, Lutz Denefleh, Sridhar Murthy, Aniket Patel, John Trindle

November 2004

Intermediate to advanced

328 pages

8h 12m

English

IBM Redbooks

Read now

Unlock full access

Notices
Trademarks
Preface
The team that wrote this redbook
Acknowledgements
Become a published author
Comments welcome
Part 1: NFS V4 fundamentals
Chapter 1: NFS Version 4 overview
What is NFS?
NFS V2 and NFS V3 History
NFS V4 design motivations
Objectives of NFS V4 (RFC3530)

AIX 5.3 specific implementation of NFS V4
Mandatory features
Optional features
Planning and implementation considerationsPre-implementation design considerations
Looking ahead to the rest of the book
Chapter 2: What’s new in NFS V4?
How NFS works
Protocols used by NFSUDP or TCP
Remote Procedure Call (RPC)
eXternal Data Representation (XDR)NFS daemonsThe portmap daemonThe rpc.mountd daemonThe rpc.statd daemonThe rpc.lockd daemonThe nfsd daemon
The block I/O daemon (biod)
NFS V3
The NFS Lock Manager protocol
NFS V4 (1/2)
Attribute classesUsername to UID mapping
NFS V4 (2/2)
Better namespace handlingBuilt-in securityClient-side caching and delegationCompound RPC proceduresFile locking
Internationalization
Volatile file handlesAIX 5L v5.3 implementation of NFS V4
NFS V4 supported features in AIX 5.3 (1/2)
Mandatory feature supportOther unsupported featuresOptional feature supportNFS4 ACLAIXC ACLsExternal name space (exname)Protocol differences: server exporting and client mounting
NFS V4 supported features in AIX 5.3 (2/2)
NFS files
Restricting NFS port ranges
Use of NFS_NOBODYNFS daemons, files, and commands: a quick reference
Chapter 3: Enhanced security in NFS V4
General security concepts and terminology
Broad security categoriesInformation security componentsRPC security flavorsRPCSEC_GSS protection levelsRPCSEC_GSS protection mechanisms
Looking ahead to the rest of the chapter
NFS V4 user/group identification (1/3)User identity management optionsUser/group identities and NFS V4
NFS V4 user/group identification (2/3)
NFS V4 user/group identification (3/3)
NFS V4 user authentication
AUTH_SYS user authenticationRPCSEC_GSS user authentication using Kerberos
NFS V4 user authorization (1/5)
Standard UNIX file permissionsAIXC ACLsNFS V4 ACLs: description
NFS V4 user authorization (2/5)
NFS V4 ACLs: ACL evaluation
NFS V4 user authorization (3/5)
NFS V4 ACLs: administration
NFS V4 user authorization (4/5)
NFS V4 user authorization (5/5)
NFS V4 ACLs: permissions scenarios
NFS V4 ACLs: NFS V3 clients
NFS V4 host identificationBasic host identification
Kerberos host identification
NFS V4 host authenticationNFS V4 host authorization
Part 2: Implementing NFS V4
Chapter 4: Planning for NFS V4
Deployment of NFS V4 in general
Mandatory requirements
What is your name resolution type?Choosing your NFS domain
Identification methods
Selecting the user/group repositoryOther identification considerations
NFS Authentication methods (1/2)
AUTH_SYS methodDeploying Kerberos
NFS Authentication methods (2/2)
Default types of encryption for KDC and security flavorsNFS client considerations when using KerberosDeployment of LDAP
Authorization methods
Choosing your user authorization method
Other user authorization considerations
Choosing the appropriate file system types
NFS protocols and namespace considerations
Pseudo-root FS - alias tree versus classic model
Sizing and capacity planning considerations
Migration considerations
Chapter 5: Sample implementation scenarios
Setup of the sample environment
PATH variable for NAS deploymentsyslogd settings
Using NFS V4 as you did with NFS V3
How to unmount an exported NFS V4 file system
Setting up the NFS domain name
The pseudo-root FSSetting up the pseudo-root FS on an NFS V4 serverAdvantages of using the NFS V4 pseudo-root
Setting up the alias tree extension on an NFS V4 server
Setting up the NAS with a legacy database (1/2)
Setup of a KDC serverInstalling the IBM NAS file setsInitial basic KDC functions test
Setting up the NAS with a legacy database (2/2)
Create user principals on the KDC serverCreate the NFS server principals on the KDC server
Setting up an NFS V4 server with NAS on a different KDC server
Create the NFS server keytab file entryCheck the NFS V4 server before client accessSet up the NFS registry daemonSet up the gssd daemon on the NFS V4 server
Setting up an NFS V4 client with NAS (1/2)
General steps for all types of clientsInstall the NAS client codeSet up the NFS domainSet up the NFS domain-to-realm mapFull client installation steps
Setting up an NFS V4 client with NAS (2/2)
Slim client installation stepsConfiguring RPCSEC_GSS on the clients
Preparing the system for Tivoli Directory Server and Kerberos V5 (1/5)
Set up procedure
Preparing the system for Tivoli Directory Server and Kerberos V5 (2/5)
Configure IBM Tivoli Directory Server
Preparing the system for Tivoli Directory Server and Kerberos V5 (3/5)
Configure the KDC server with LDAP backend
Preparing the system for Tivoli Directory Server and Kerberos V5 (4/5)
Configure the NFS V4 client for integrated login services
Preparing the system for Tivoli Directory Server and Kerberos V5 (5/5)
Integrating NFS V4 with a Linux client (1/3)
NFS server and client setup
Integrating NFS V4 with a Linux client (2/3)
Read-only NFS V4 mountRead/write NFS V4 mounts on Linux
Integrating NFS V4 with a Linux client (3/3)
Pseudo-file system in NFS V4 Linux client
Windows KDC and NFS V4 AIX 5.3 (1/2)
Windows KDC and NFS V4 AIX 5.3 (2/2)
Setting up Kerberos cross-realm access (1/2)
Add the krbtgt service principal to every KDC serverKerberos configuration file changes on the KDC server, NFS V4 client and server
Setting up Kerberos cross-realm access (2/2)
Add NFS domain-to-realm map on NFS V4 client and serverClient access verificationClient access mount using cross-realms
Chapter 6: Problem determination
Problem determination tools and techniques
AIX problem determination tools and aids for NFSEnabling syslogdUsing iptrace and ipreportUsing the fuser commandUsing the rpcinfo command
Using the showmount command
Using the nfs4cl commandUsing the nfsstat commandUsing the errpt commandIBM NAS problem determination tools
Tivoli Directory Server problem determination tools
Third-party problem determination toolsUsing the lsof commandUsing the Ethereal utility
General NFS V4 problems
Warning: EIM is not configuredRealm is already mapped to domain
Exporting file systems
Exportfs: cannot change the v4 root...Exportfs: /: Invalid argumentExportfs: /var/: Too many levels of symbolic links...
Mount problems (1/3)
General mount problemPseudo-root and nfs4cl problems‘vers’ mount option error: “...Program not registered”‘vers’ mount option error: “...server not responding”Mount command hangs - no system responseMount with sec=krb5: “vmount: The file access permissions do not allow the specified action”
Mount problems (2/3)
Mount with sec=krb5: “RPC: 1832-016 Unknown host...”File and directory access: cd, ls, etc. return “permission denied”
Mount problems (3/3)
File and directory access: file ownership is “nobody:nobody”NAS problem: kadmin: “Unable to initialize kadmin interface”
GSS-API error codes (1/2)
Major GSS-API error codesKerberos v5 status codes
GSS-API error codes (2/2)
Part 3: Appendixes
Appendix A: Kerberos
Overview
Kerberos keys and initial setup
Authenticating to the Kerberos server
Authenticating to an application server
Kerberos terminology
Where to find more information about Kerberos
IBM RedbooksOther IBM publications
Non-IBM publications
Other information sources
Appendix B: Sample scripts, files, and output
Sample administrative scripts
Change the pseudo-root FS sample scriptCreate a KDC server with NFS V4 server
Create a full client with legacy KDC server backend
Create a Full Client with KDC and LDAP backend
Script to copy ACLs to an entire directory structure
Windows command script to run ktpass
Script to gather additional information for local AIX software support
Sample client Kerberos configuration files
Kerberos configuration file /etc/krb5/krb5.conf with legacy backend
Kerberos configuration file /etc/krb5/krb5.conf with LDAP backend
Kerberos configuration file /etc/krb5/krb5.conf with Windows Active Directory backend
LDIF sample file for KDC
Sample iptrace output
Successful authentication during mount request
Unsuccessful authentication during mount request (1/2)
Unsuccessful authentication during mount request (2/2)
Appendix C: AIX 5.3 NFS quick reference
NFS configuration files
NFS daemons
NFS commands
Export options
mount command options
nfso command options
Abbreviations and acronyms
Glossary
Related publications
IBM RedbooksOther publications
Online resources
How to get IBM Redbooks
Help from IBM
Index (1/3)
Index (2/3)
Index (3/3)
Back cover

Content preview from Securing NFS in AIX An Introduction to NFS v4 in AIX 5L Version 5.3

72 Securing NFS in AIX

For example, as with UNIX permissions, the w permission bit in a directory’s ACL

has to do with creating, deleting, and renaming files and subdirectories within

that directory, rather than changing the contents of those files and subdirectories.

The difference comes into play when mapping the rwx bits to user (owner),

group, and other. This mapping is unspecified in RFC 3530. Here is an example

of the mapping we observe in AIX.

Consider a file with the following ACL:

* ACL_type NFS4

* Owner: sally

* Group: staff

s:(OWNER@): a cCs

s:(OWNER@): d o

s:(GROUP@): a rRxadcs

s:(GROUP@): d wpWDACo

s:(EVERYONE@): a rwpRxadcs

s:(EVERYONE@): d WDACo

Applying ls -l to the file shows:

-rwxr-xrwx 1 sally staff 0 Jul 30 11:20 testf ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IBM eServer Certification Study Guide - pSeries AIX System Administration

Publisher Resources

ISBN: 0738490806Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Securing NFS in AIX An Introduction to NFS v4 in AIX 5L Version 5.3

by Chris Almond, Lutz Denefleh, Sridhar Murthy, Aniket Patel, John Trindle

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.