Using Kerberos security with Server for NFS (Network File System)


In this article I will discuss how to configure a UNIX NFS client to use Kerberos authentication, through the RPCSEC_GSS protocol, when connecting to a Windows Server running Server for NFS.

Traditional NFS clients and servers use AUTH_SYS authentication. In essence, the client sends credentials that simply assert the UNIX user ID and group ID of the calling user, and every NFS request carries that UID and GID. This provides very little security, because a client can spoof a request by asserting a different user's UID or GID. It is also fragile, because any third party on the network path between the client and the server can intercept the NFS requests.

The RPCSEC_GSS protocol provides a general mechanism for combining different security mechanisms with the ONC RPC protocol. The current Server for NFS supports two Kerberos modes over RPCSEC_GSS: krb5 and krb5i. krb5 provides Kerberos authentication at the level of each RPC request, while krb5i (Kerberos V5 with integrity) additionally protects the integrity of the NFS payload against tampering.

The best way to explain how to set up Kerberos security between a UNIX NFS client and a Windows Server for NFS is with a simple example. For this tutorial, assume the following environment:

1. A Windows domain named nfsdomain.com, with Active Directory running on a domain controller named nfsdomain-dc.nfsdomain.com;

2. A Windows server running Server for NFS: windowsnfsserver.nfsdomain.com;

3. A UNIX client: unixclient.nfsdomain.com;

4. A UNIX user on unixclient.nfsdomain.com: unixuser1, with UID 500;

5. A UNIX group on unixclient.nfsdomain.com: unixgroup1, with GID 500;

6. A Windows user: nfsdomain\unixuser1;

7. A Windows group: nfsdomain\unixgroup1.

For the purposes of this walkthrough, we assume that unixclient.nfsdomain.com runs OpenSolaris.

Prerequisites:

First, verify that DNS resolution works between the domain controller, the Windows NFS server, and the UNIX client.

One point specific to Solaris clients: the host name must be set to the first component of the fully qualified domain name. Running "hostname" on unixclient.nfsdomain.com should print just "unixclient". If it does not, set the host name to "unixclient".

Make sure that all the users and groups listed above have been created, and that nfsdomain\unixuser1 is a member of nfsdomain\unixgroup1. Set a password for unixuser1. If the UID or GID on the UNIX client differs from the values above, substitute your actual values wherever this example uses 500.

Add the Unix client to the Active Directory:

Now we configure the UNIX client to obtain Kerberos credentials from the nfsdomain.com domain. This is done by editing /etc/krb5/krb5.conf, which contains several placeholder values to fill in: the default realm (default_realm), the domain controller (kdc), the administrative server (admin_server), and the DNS domain to realm mapping (domain_realm). We also add two values under [libdefaults], default_tkt_enctypes and default_tgs_enctypes; I will explain why later. Note that the realm name is the DNS domain in upper case, and that the leading dot in the domain_realm entry maps every host under nfsdomain.com onto the realm. The finished file looks like this:

[libdefaults]

default_realm = NFSDOMAIN.COM

default_tkt_enctypes = arcfour-hmac-md5 des3-cbc-sha1-kd des-cbc-md5

default_tgs_enctypes = arcfour-hmac-md5 des3-cbc-sha1-kd des-cbc-md5

[realms]

NFSDOMAIN.COM = {

kdc = nfsdomain-dc.nfsdomain.com

admin_server = nfsdomain-dc.nfsdomain.com

}

[domain_realm]

.nfsdomain.com = NFSDOMAIN.COM

At this point we can test obtaining credentials for nfsdomain\unixuser1 on unixclient: run "kinit unixuser1" on unixclient and enter the user's password.

We can then run "klist" to see the credentials obtained for unixuser1, and "kdestroy" to discard them.
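The checks above (short host name, a complete krb5.conf with an upper-case realm and a dotted domain_realm entry) are easy to get wrong and produce confusing kinit errors, so here is a small script that verifies them before kinit is attempted. It is an added example, not code from the original article or from the OpenSolaris or Windows projects; the function names and both sample files are this example's own, and the "good" sample reproduces the krb5.conf shown above.

```sh
#!/bin/sh
# Added example (not from the original article): verify the client-side Kerberos
# prerequisites before running kinit. Helper names and sample files are this example's own.

# The Solaris host name must be the short name ("unixclient"), not the FQDN.
check_short_hostname() {
    case "$1" in
        ""|*.*) echo "bad: host name '$1' must be the short name (no dots)"; return 1 ;;
        *)      echo "ok: host name '$1'"; return 0 ;;
    esac
}

# krb5_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# Only the enclosing [section] is tracked, so keys inside a realm's { } block are found too.
krb5_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# has_domain_realm_map FILE REALM: succeed if [domain_realm] maps a ".domain" pattern
# (leading dot = every host under that domain) onto REALM.
has_domain_realm_map() {
    awk -v realm="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { insec = ($1 == "[domain_realm]"); next }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v == realm && substr(k, 1, 1) == ".") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_krb5_conf FILE: print every missing or suspicious setting; return 1 if any.
check_krb5_conf() {
    conf=$1
    errors=0
    realm=$(krb5_get "$conf" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "missing: [libdefaults] default_realm"; errors=$((errors + 1))
    else
        # Realm names are case-sensitive and an AD realm is the DNS domain in upper
        # case, so a lower-case default_realm never matches the KDC's realm.
        upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        [ "$realm" = "$upper" ] ||
            { echo "bad: realm '$realm' is not upper case"; errors=$((errors + 1)); }
        has_domain_realm_map "$conf" "$realm" ||
            { echo "missing: [domain_realm] '.domain = $realm' entry"; errors=$((errors + 1)); }
    fi
    # The two enctype lists are the workaround the article adds for the OpenSolaris bug.
    for key in default_tkt_enctypes default_tgs_enctypes; do
        [ -n "$(krb5_get "$conf" libdefaults "$key")" ] ||
            { echo "missing: [libdefaults] $key"; errors=$((errors + 1)); }
    done
    for key in kdc admin_server; do
        [ -n "$(krb5_get "$conf" realms "$key")" ] ||
            { echo "missing: [realms] $key"; errors=$((errors + 1)); }
    done
    [ "$errors" -eq 0 ] && echo "ok: $conf"
    [ "$errors" -eq 0 ]
}

# Constructed sample: the krb5.conf from the article.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
default_realm = NFSDOMAIN.COM
default_tkt_enctypes = arcfour-hmac-md5 des3-cbc-sha1-kd des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des3-cbc-sha1-kd des-cbc-md5

[realms]
NFSDOMAIN.COM = {
    kdc = nfsdomain-dc.nfsdomain.com
    admin_server = nfsdomain-dc.nfsdomain.com
}

[domain_realm]
.nfsdomain.com = NFSDOMAIN.COM
EOF

# Constructed counter-example: lower-case realm, no enctype lists, exact-host mapping only.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
default_realm = nfsdomain.com

[realms]
nfsdomain.com = {
    kdc = nfsdomain-dc.nfsdomain.com
    admin_server = nfsdomain-dc.nfsdomain.com
}

[domain_realm]
nfsdomain.com = nfsdomain.com
EOF

check_short_hostname unixclient        # on the real client: check_short_hostname "$(hostname)"
check_krb5_conf "$GOOD_CONF"           # on the real client: check_krb5_conf /etc/krb5/krb5.conf
check_krb5_conf "$BAD_CONF"
```

Run it as a normal user; it only reads the file you name. The counter-example shows the three mistakes a machine translation of this article would lead you into: a lower-case realm, a domain_realm entry without the leading dot (which then matches only a host literally named nfsdomain.com), and the missing enctype lists.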

How does NFS use the RPCSEC_GSS protocol?

We have now completed the basic Kerberos setup. Next we look at the authentication process from the NFS point of view.

When unixclient needs to authenticate to windowsnfsserver (the Windows NFS server), it needs an identity to authenticate against; in Kerberos terms this is a principal. When an NFS share is mounted, the client looks up the fully qualified domain name of the NFS server and tries to authenticate against the principal "nfs/FQDN@REALM". In our example, unixclient will look for a principal named nfs/windowsnfsserver.nfsdomain.com@NFSDOMAIN.COM. By convention, UNIX machines perform some NFS operations as "root", the administrator account of the local machine; the corresponding principal is root/unixclient.nfsdomain.com@NFSDOMAIN.COM.

How do we set up the principals?

For the principal nfs/windowsnfsserver.nfsdomain.com@NFSDOMAIN.COM, we can use the machine account that already exists in Active Directory; we only need to add a service principal name (SPN) alias to it.

On nfsdomain-dc, run the following commands:

setspn -a nfs/windowsnfsserver windowsnfsserver

setspn -a nfs/windowsnfsserver.nfsdomain.com windowsnfsserver

Then run:

setspn -l windowsnfsserver

This lists all the service principal names registered on the machine account.

How do we set up the unixclient accounts?

To authenticate as the client-side principals, we create some users in Active Directory. Because "/" is not valid in an Active Directory account name, we give the accounts different names and then use setspn to add the service principal names. For completeness, we also create an account for the root administrator. Create the following users on nfsdomain-dc and set their passwords:

1. unixclienthost (representing the unixclient host);

2. unixclientroot (the root administrator account on unixclient);

3. unixclientnfs (the account used by the NFS client on unixclient).

After creating these users, right-click each user and select "Properties". On the "Account" tab, change "User logon name" to host/unixclient.nfsdomain.com, root/unixclient.nfsdomain.com, and nfs/unixclient.nfsdomain.com respectively. Then register the service principal names for these accounts:

setspn -a host/unixclient unixclienthost
setspn -a host/unixclient.nfsdomain.com unixclienthost
setspn -a root/unixclient unixclientroot
setspn -a root/unixclient.nfsdomain.com unixclientroot
setspn -a nfs/unixclient unixclientnfs
setspn -a nfs/unixclient.nfsdomain.com unixclientnfs

unixclient needs to authenticate as root/unixclient.nfsdomain.com@NFSDOMAIN.COM without anyone typing a password. This is done with a keytab. Next we export keytab files for these accounts by running the following commands on nfsdomain-dc (the "*" after -pass makes ktpass prompt for the account password instead of putting it on the command line):

ktpass -princ host/unixclient.nfsdomain.com@NFSDOMAIN.COM -mapuser unixclienthost -pass * -out unixclienthost.keytab

ktpass -princ root/unixclient.nfsdomain.com@NFSDOMAIN.COM -mapuser unixclientroot -pass * -out unixclientroot.keytab

ktpass -princ nfs/unixclient.nfsdomain.com@NFSDOMAIN.COM -mapuser unixclientnfs -pass * -out unixclientnfs.keytab

Then copy these files from nfsdomain-dc to unixclient.

On unixclient, we merge these files into the local keytab. In the directory holding the copied files, start the interactive "ktutil" tool and enter the following commands (rkt reads a keytab into the tool's key list, wkt writes the list out):

rkt /etc/krb5/krb5.keytab

rkt unixclienthost.keytab

rkt unixclientroot.keytab

rkt unixclientnfs.keytab

wkt /etc/krb5/krb5.keytab

q

Now unixclient can obtain credentials for these accounts without entering a password. We can test this with:

kinit -k host/unixclient.nfsdomain.com

kinit -k root/unixclient.nfsdomain.com

kinit -k nfs/unixclient.nfsdomain.com

Each command should obtain credentials successfully. Because the encryption type used to protect the credentials must be supported and accepted by both nfsdomain-dc and unixclient, some of the configuration here is subtle. The default_tkt_enctypes and default_tgs_enctypes settings added to krb5.conf work around an OpenSolaris bug (see the reference list at the end). When running ktpass, we may need to specify the encryption type explicitly: "-crypto DES-CBC-MD5" is the most widely accepted and supported type. Depending on the Active Directory version in use, we may also need to check the option "Use Kerberos DES encryption types for this account" on the "Account" tab of the user properties page. Checking the Security event log on the domain controller also helps when diagnosing failed logon attempts.
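Before trying the three kinit -k commands, it helps to confirm that the merge actually put all three principals into /etc/krb5/krb5.keytab, and to see which encryption types each key carries, since a mismatched or single-DES key is the usual cause of the failures described above. The script below is an added example, not code from the original article; its function names and the sample listing are this example's own, and the listing follows the layout of "klist -k -e" output (KVNO, principal, encryption type in parentheses).

```sh
#!/bin/sh
# Added example (not from the original article): inspect a "klist -k -e" listing of the
# merged keytab. Helper names and the sample listing are this example's own.

# keytab_entries FILE: print "principal<TAB>enctype" for every key line (numeric KVNO).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ {
        enc = ""
        if (match($0, /\(.*\)/)) enc = substr($0, RSTART + 1, RLENGTH - 2)
        print $2 "\t" enc
    }' "$1"
}

# keytab_has FILE PRINCIPAL: succeed if the keytab holds a key for PRINCIPAL (with realm).
keytab_has() {
    keytab_entries "$1" | awk -F '\t' -v want="$2" '$1 == want { f = 1 } END { exit f ? 0 : 1 }'
}

# keytab_weak_count FILE: number of single-DES keys. The article recommends DES-CBC-MD5 as
# the most widely accepted type, but single DES is deprecated (RFC 6649) and disabled by
# default on current KDCs, so keep only the DES keys that the peers actually require.
keytab_weak_count() {
    keytab_entries "$1" | awk -F '\t' '$2 ~ /^DES cbc/ { n++ } END { print n + 0 }'
}

# keytab_report FILE REALM PRINCIPAL...: list present/missing principals and weak keys;
# return 1 if any expected principal is missing.
keytab_report() {
    listing=$1; realm=$2; shift 2
    missing=0
    for p in "$@"; do
        if keytab_has "$listing" "$p@$realm"; then
            echo "present: $p@$realm"
        else
            echo "MISSING: $p@$realm"; missing=$((missing + 1))
        fi
    done
    keytab_entries "$listing" | awk -F '\t' '$2 ~ /^DES cbc/ { print "weak key: " $1 " (" $2 ")" }'
    [ "$missing" -eq 0 ]
}

# Constructed sample listing: the nfs/ keytab was never merged, and root/ has a DES key.
SAMPLE_KEYTAB_LISTING=$(mktemp)
cat > "$SAMPLE_KEYTAB_LISTING" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/unixclient.nfsdomain.com@NFSDOMAIN.COM (ArcFour with HMAC/md5)
   3 root/unixclient.nfsdomain.com@NFSDOMAIN.COM (ArcFour with HMAC/md5)
   3 root/unixclient.nfsdomain.com@NFSDOMAIN.COM (DES cbc mode with RSA-MD5)
EOF

# On the real client: klist -k -e /etc/krb5/krb5.keytab > listing.txt, then the same call.
keytab_report "$SAMPLE_KEYTAB_LISTING" NFSDOMAIN.COM \
    host/unixclient.nfsdomain.com root/unixclient.nfsdomain.com nfs/unixclient.nfsdomain.com
```

The report exits non-zero when a principal is missing, so it can gate the kinit tests in a setup script. A principal that is present but only has a key type absent from default_tkt_enctypes will still fail kinit -k; the enctype column is what to compare against the krb5.conf lists in that case.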

Map UIDs and GIDs to Kerberos principals on unixclient:

This section describes how the NFS client on unixclient maps its local UIDs and GIDs to Kerberos principals.

Run the following commands on unixclient:

gsscred -m kerberos_v5 -a

gsscred -m kerberos_v5 -n host/unixclient.nfsdomain.com -u 0 -a

gsscred -m kerberos_v5 -n root/unixclient.nfsdomain.com -u 0 -a

gsscred -m kerberos_v5 -n nfs/unixclient.nfsdomain.com -u 0 -a

gsscred -m kerberos_v5 -n unixuser1 -u 500 -a

gsscred -m kerberos_v5 -n unixgroup1 -g 500 -a

These commands populate the gsscred table, which maps an authenticated Kerberos principal to a local UNIX identity. Make sure that gssd is enabled on unixclient first.

Enable Kerberos security for NFS:

Kerberos is disabled by default for NFS on OpenSolaris, so we need to enable it. Edit /etc/nfssec.conf and uncomment all the lines containing krb so that they take effect. They should read:

krb5 390003 kerberos_v5 default - # RPCSEC_GSS

krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS

krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS

Note that Server for NFS does not currently support krb5p.

Configure UID and GID mapping on the NFS server:

On the Windows side, we still need to configure the mapping between UNIX UIDs/GIDs and Windows accounts. Server for NFS uses Kerberos to authenticate each incoming NFS request, but the NFS protocol still returns UIDs and GIDs in replies to requests such as GETATTR and READDIR. Without the mapping, even though a newly created file has the correct security descriptor on windowsnfsserver, running "ls -l" on unixclient will not show the correct UID and GID.

To learn how Server for NFS looks up Windows users and groups, refer to:

http://technet.microsoft.com/en-us/library/cc754514.aspx

The following blog posts are helpful for understanding the Active Directory lookup feature:

http://blogs.msdn.com/sfu/archive/tags/active?directory=lookup/default.aspx

Create a share on windowsnfsserver:

Configuring a share is described in the following documentation:

http://technet.microsoft.com/en-us/library/cc770569.aspx

After creating the shared directory, make sure that all users who will access it (including unixuser1) have permission to do so.

Mount the share:

Finally, we are ready to mount the share.

When mounting, remember to use the server's fully qualified domain name. This is how unixclient finds the correct principal when it looks up windowsnfsserver.

Run the following command as root on unixclient:

mount -o sec=krb5,vers=3,proto=tcp windowsnfsserver.nfsdomain.com:/share /mnt/share

Once the share is mounted, log in to unixclient as unixuser1, run "kinit", enter the password, and then access /mnt/share. If everything is configured correctly, the share is accessible. At this point we can finally say we are very happy, because our NFS connection is now secure.
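A mount that silently fell back to AUTH_SYS, or one that names the server by its short name, gives exactly the weak or failing behaviour this article set out to avoid, so it is worth auditing the client's mounts after the fact. The script below is an added example, not code from the original article; the function name and the sample output are this example's own, and the sample follows the layout of Solaris "nfsstat -m" output (a "<mountpoint> from <server>:<path>" line followed by a "Flags:" line of comma-separated mount options).

```sh
#!/bin/sh
# Added example (not from the original article): audit NFS mounts from "nfsstat -m"
# output and flag any that use AUTH_SYS or name the server without its FQDN.
# Function name and sample output are this example's own.

# nfs_mount_audit FILE: print "<mountpoint> <server> sec=<flavor> proto=<proto> <verdict>"
# for each mount; return 1 if any mount is weak or suspicious.
nfs_mount_audit() {
    awk '
        function report(   verdict) {
            verdict = "ok"
            if (sec !~ /^krb5/) {
                verdict = "WEAK: AUTH_SYS (uid/gid asserted by the client, spoofable)"; bad = 1
            } else if (index(server, ".") == 0) {
                verdict = "WARN: server is not an FQDN, nfs/FQDN principal lookup may fail"; bad = 1
            }
            print mp, server, "sec=" sec, "proto=" proto, verdict
        }
        # "/mnt/share from windowsnfsserver.nfsdomain.com:/share" starts a mount record
        $2 == "from" {
            if (mp != "") report()
            mp = $1; server = $3; sub(/:.*/, "", server)
            sec = "sys"; proto = ""        # AUTH_SYS unless a sec= option says otherwise
            next
        }
        # "Flags: vers=3,proto=tcp,sec=krb5,..." carries the negotiated options
        $1 == "Flags:" {
            n = split($2, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^sec=/)   sec = substr(opts[i], 5)
                if (opts[i] ~ /^proto=/) proto = substr(opts[i], 7)
            }
            next
        }
        END { if (mp != "") report(); exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the Kerberos mount from the article plus a legacy AUTH_SYS mount.
SAMPLE_NFSSTAT=$(mktemp)
cat > "$SAMPLE_NFSSTAT" <<'EOF'
/mnt/share from windowsnfsserver.nfsdomain.com:/share
 Flags:         vers=3,proto=tcp,sec=krb5,hard,intr,link,symlink,acl,rsize=32768,wsize=32768,retrans=5,timeo=600
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

/mnt/legacy from oldserver:/export
 Flags:         vers=3,proto=udp,sec=sys,hard,intr,link,symlink,acl,rsize=32768,wsize=32768,retrans=5,timeo=1100
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
EOF

# On the real client: nfsstat -m > mounts.txt; nfs_mount_audit mounts.txt
nfs_mount_audit "$SAMPLE_NFSSTAT"
```

The exit status makes the audit usable from a cron job or a post-boot check: any mount that is not krb5, krb5i or krb5p, or that was mounted by short server name, turns the run red.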

Reference links:

1. Windows Server 2008 R2 Server for NFS step-by-step configuration guide:

http://technet.microsoft.com/en-us/library/dd758767(ws.10).aspx

2. Windows/UNIX authentication configuration (link not preserved in this copy).

3. Hotfix for the Active Directory encryption issue (if the hotfix is installed, you do not need to check the DES option on the account):

http://support.microsoft.com/kb/951191

4. OpenSolaris encryption type bug:

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6548599

Thanks to the original author, Jeff Biseda.

Original article address:

http://blogs.technet.com/b/filecab/archive/2010/05/13/using-kerberos-security-with-server-for-nfs.aspx
