Labeled NFS/Demo/UserMapping

From SELinux Wiki
Jump to: navigation, search

The network users are mapped between the Kerberos, NFS, and LDAP server and the network hosts (i.e. Kerberos, NFS and LDAP clients) using several different sub-systems. The key to connecting them all is the user-name, the string of text that uniquely identifies an individual on the network. This string is shared across the hosts and between the three servers. The use of user-name can further be broken down between identity authentication and identity mapping services.

The two 'Basic Steps' sections below show the basic authentication and identity mapping steps taken when a user logs on to a client machine. The sections following offer a more detailed explanation of what is going on how the machines were configured to do it.

Simplified Authentication Steps for User Login

on the Client

  • PAM is used to authenticate users, which is configured to use Kerberos.
  • Kerberos credentials are associated with a username, which require the correct password to be accessed.

on the Server

  • Kerberos server responds to client requests to check the user's password and return credentials.

Note: The password is not sent across the network. It is checked locally on the client using response from the Kerberos server.

Simplified User Mapping Steps

on the Client

  • Examine /etc/idmapd.conf to find how where to do user translations
    • Default configuration indicates nsswitch
  • Examine /etc/nsswitch.conf to find out what to use for translations
    • Default configuration indicates LDAP for user info and auto-mounting
  • User enters user-name, look up user-name on LDAP server
    • returns UID, GID, shell, home directory path
  • Mount users NFS home directory using the LDAP values for path, UID, GID, etc...
  • Complete user login

on the NFS Server

  • NFS server maps user-name and group names to local UID and GID values (i.e. LDAP values are not used).

Identity Authentication Service

The authentication service is provided mainly by the Kerberos server. The realm structure can be more complicated, but in this example, the network user-name matches the Kerberos principal of user-name@REALM (e.g. newuser@EXAMPLE.COM).

Authentication Service, Server Side

The identity of the user-name is authenticated by the Kerberos server interacting with the host machines and the NFS and LDAP servers. Principals are added and deleted on the Kerberos server and it is responsible for checking that a user-name is in fact that user. It then hands out credentials for that user that can in turn be checked by the host machines and the other servers.

Authentication Service, Client Side

Hosts can be configured using authentication-tui and checking a box to turn on Kerberos authentication.

Below that, what was actually happening was changes within the /etc/pam.d/system-auth file. This is part of the authentication system on the machines, the Plug-able Authentication Module (PAM). This file was changed so that system authentication would additionally use the library which authenticates a user-name using the Kerberos service.

Identity Mapping Services

The identity information is provided by the NFS and LDAP servers and is mapped using a user-name. LDAP provides the user information necessary for the client hosts to instantiate a user. NFS provides the users' personal files. It provides the files within their home directories.

LDAP Identity

The user-name is used to look up that user-name within the LDAP directory. The LDAP server maps that user-name to the information needed by the host machines to instantiate that user locally. In this example the main information stored is:

  • User ID (a unique number identifying the user)
  • Groups to which the user-name is a member.
  • User's shell
  • Path to the user's home directory
  • Group information
    • Group-name to Group ID (unique group number)

NFS Server User Mapping

The server in this example uses independent User IDs (UIDs) and Group IDs (GIDs). These are associated with user-names and group names on its local system and do not use LDAP provided numerical values for UID/GID. When a client connects to the NFS server, the user-name and group-name values are mapped to the local file system's UID and GIDs.

Host Machine Identity Mapping

The host machines are configured in several different ways in order to map user Identity. One of the first sources is the /etc/idmapd.conf file's Translation section:

Method = nsswitch

The client configuration for this file was shown in one of the NFS install instruction sections, but since 'nsswitch' is the current default for Fedora Core 9, it probably did not need to be changed.

/etc/rc.d/nsswitch.conf is the file that configures nsswitch. Nsswitch is the Name Service Switch configuration for the host. This configuration file sets the options available, and their order, when using the GNU C library API's (e.g. to lookup user information. authconfig-tui can be run to update the nsswitch.conf file to indicate that LDAP is to be used for user information on that host. The pertinent changes to include LDAP were to the following nsswitch subsystems:

  • passwod (user,shell,UID,GIDs)
  • shadow
  • group (group-name<->GID)
  • automount