Labeled NFS/Demo

From SELinux Wiki
Revision as of 18:43, 10 December 2008 by CraigGrube (Talk | contribs)


Introduction

The goal of the demonstration is to show functional passing of security labels over NFS in a configuration similar to what might be found in a typical enterprise environment. Modern enterprise environments provide a number of centralized services for authentication and authorization, directory services, and user data storage. The demonstration server provides the following services:

  • Authentication Services - Kerberos
  • Directory Services / Authorization Services - Open LDAP
  • Centralized User Data Storage - NFSv4

The client systems in the demonstration can be considered identical from the user's perspective. No user-specific information resides on the clients; instead it is retrieved dynamically by whichever client is in use. This allows users to move seamlessly between systems as needed.

Under the covers

Once the demo is setup, what happens when a user logs in?

If the demo was set up properly and the right username and password are used, the user should be able to log in through GDM, have their home directory mounted, and get a normal, functional GNOME session. Under the covers, a complex series of steps involving Kerberos, RPC services, LDAP, automount and NFS ensures authentication of the user as well as of the client and server systems and services. In a nutshell, here are the important steps that occur during a 'normal' user login:

  1. User account information is pulled from the LDAP server.
    1. Based on the supplied username, the UID, GID, home directory path and login shell, amongst other information, are returned to the client system.
  2. User authentication is provided through PAM, which is configured to use Kerberos.
    1. Prior to acquiring the user's Kerberos ticket, the client and server systems mutually authenticate to ensure the correct systems are involved in the authentication steps.
    2. Assuming the correct password is supplied, the client system is able to authenticate the user and caches the user's Kerberos credentials for later use.
  3. automount mounts the user's home directory using NFSv4.
    1. Automount attempts to mount the user's home directory (the path is provided by the LDAP server), and RPC GSSD presents the user's cached Kerberos credentials to the NFS server, since only authenticated users are allowed to mount exported shares.
    2. UID/GID -> user name/group name mapping information (provided by the LDAP server) is used to associate user names with the UIDs and GIDs denoting ownership of the mounted files and directories.
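The login steps above can be verified from the client side. The script below is an added example, not part of the wiki page or the demo setup; it assumes the user name is passed as an argument, that the home path comes from `getent passwd`, and that an NFS mount without passed labels shows the generic `nfs_t` SELinux type.

```shell
#!/bin/sh
# Added example, not from the wiki page: client-side checks for the login
# flow above. Assumptions: the user name is passed as $1; /proc/mounts has the
# standard "src mountpoint fstype options dump pass" layout; sec=krb5, krb5i
# and krb5p are the Kerberos RPCSEC_GSS flavours; nfs_t is the generic SELinux
# type an unlabeled NFS mount receives.

# Return 0 when one /proc/mounts line describes an NFSv4 mount protected by
# Kerberos, 1 otherwise.
check_nfs_mount_line() {
    set -- $1                      # split the line into its fields
    fstype=$3
    opts=$4
    [ "$fstype" = "nfs4" ] || return 1
    case ",$opts," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the steps of the login flow for user $1 on a live client.
check_login_flow() {
    user=$1
    # Step 1: account data (including the home path) resolved via NSS/LDAP.
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no passwd entry for $user via NSS/LDAP"; return 1; }
    # Step 2: a valid Kerberos credential cache exists for the login session.
    klist -s || { echo "no valid Kerberos credentials cached"; return 1; }
    # Step 3: automount has mounted the home directory over NFSv4 with krb5.
    line=$(grep " $home nfs" /proc/mounts | head -n 1)
    [ -n "$line" ] || { echo "$home is not mounted"; return 1; }
    check_nfs_mount_line "$line" || { echo "$home is not NFSv4 with sec=krb5*"; return 1; }
    # Labeled NFS: a home still carrying the generic nfs_t type means per-file
    # labels are not being passed from the server.
    if ls -Zd "$home" | grep -q ':nfs_t:'; then
        echo "warning: $home is labeled nfs_t; security labels are not passed"
    fi
    echo "ok: $user home $home is a Kerberos-protected NFSv4 mount"
}

# usage on a logged-in client: check_login_flow <username>
```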


More specific information describing how the services on the clients and servers interact, and mapping between different service namespaces can be found here: Service Interaction and User Name Mapping


Instructions