Labeled NFS/Demo

From SELinux Wiki
Revision as of 12:19, 11 December 2008 by CraigGrube (Talk | contribs)


Introduction

The goal of the demonstration is to show the passing of security labels over NFSv4 in a configuration similar to what might be found in a typical enterprise environment. Modern enterprise environments provide a number of centralized services for authentication and authorization, directory services, and network storage for user data. The server component of the demonstration provides these services using the following packages:

  • Authentication Services - Kerberos
  • Directory Services / Authorization Services - OpenLDAP
  • Centralized User Data Storage - NFSv4

The client component of the demonstration uses these services to provide users with login access. Using the automated client installation steps, clients can be rapidly installed and configured, differing only by the client Kerberos credentials. The demonstration user will be able to access each client, with their user data available on each system.

Under the covers

Once the demo is setup, what happens when a user logs in?

If the demo was set up properly, and the right username and password are used, the user should be able to log in through GDM and have their home directory mounted, with a normal and functional GNOME session initiated. Under the covers, a complex series of steps involving Kerberos, RPC services, LDAP, automount and NFS ensures authentication of the user as well as of the client and server systems and services. In a nutshell, here are the important steps that occur during a 'normal' user login:

  1. User account information is pulled from the LDAP server.
    1. Based on the supplied username, the UID, GID, home directory path and login shell, amongst other information, are returned to the client system.
  2. User authentication is provided through PAM, which is configured to use Kerberos.
    1. Prior to acquiring the user's Kerberos ticket, the client and server systems mutually authenticate to ensure the correct systems are involved in the authentication steps.
    2. Assuming the correct password is supplied, the client system authenticates the user and caches the user's Kerberos credentials for later use.
  3. User home directories are mounted via NFSv4 by automount.
    1. Automount attempts to mount the user's home directory (the path provided by the LDAP server), and RPC GSSD presents the user's cached Kerberos credentials to the NFS server, since only authenticated users are allowed to mount exported shares.
    2. UID/GID -> user name/group name mapping information (provided by the LDAP server) is used to associate user names with the UIDs and GIDs denoting ownership of the mounted files and directories.
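
As an added verification step (not part of the wiki demo), the following POSIX shell helper checks that the home directory automount mounted on a client is the one the LDAP passwd lookup returned, and that the mount is NFSv4 with a Kerberos security flavour rather than sec=sys; the passwd line, mount lines, server name and client address are constructed sample data.

```shell
#!/bin/sh
# Added helper (not part of the wiki demo): confirm that the home directory
# returned by the LDAP-backed passwd lookup is the one automount mounted,
# and that the mount is NFSv4 with a Kerberos flavour, not sec=sys.

# Field 6 of a passwd(5) line is the home directory.
home_from_passwd() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Value of mount option $2 (e.g. sec, vers) in a /proc/mounts line $1,
# or empty if the option is absent.
mount_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            split(opts[i], kv, "=")
            if (kv[1] == key) { print kv[2]; exit }
        }
    }'
}

# check_home_mount PASSWD_LINE MOUNTS_LINE: prints "ok" and returns 0 when
# the mount point equals the LDAP home, the filesystem is NFSv4, and sec is
# krb5, krb5i or krb5p; otherwise prints the reason and returns 1.
check_home_mount() {
    home=$(home_from_passwd "$1")
    mnt=$(printf '%s\n' "$2" | awk '{print $2}')
    fstype=$(printf '%s\n' "$2" | awk '{print $3}')
    sec=$(mount_opt "$2" sec)
    vers=$(mount_opt "$2" vers)
    if [ "$mnt" != "$home" ]; then
        echo "mount point $mnt does not match LDAP home $home"; return 1
    fi
    case "$fstype:$vers" in
        nfs4:*|nfs:4*) ;;
        *) echo "not an NFSv4 mount (type=$fstype vers=$vers)"; return 1 ;;
    esac
    case "$sec" in
        krb5|krb5i|krb5p) echo ok; return 0 ;;
        *) echo "Kerberos flavour missing: sec=${sec:-none}"; return 1 ;;
    esac
}

# Constructed sample data, not captured from a real client.
SAMPLE_PASSWD='demo:x:10001:10001:Demo User:/home/demo:/bin/bash'
SAMPLE_MOUNT_OK='nfs.example.com:/home/demo /home/demo nfs4 rw,relatime,vers=4,sec=krb5p,clientaddr=192.0.2.10 0 0'
SAMPLE_MOUNT_SYS='nfs.example.com:/home/demo /home/demo nfs4 rw,relatime,vers=4,sec=sys 0 0'

check_home_mount "$SAMPLE_PASSWD" "$SAMPLE_MOUNT_OK"   # ok
```

On a live client the same check runs against `getent passwd "$USER"` and the matching line of /proc/mounts, and a sec=sys result means the Kerberos path described above was not actually used.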


More specific information describing how the services on the clients and servers interact, and the mapping between different service namespaces, can be found here: Service Interaction and User Name Mapping

Instructions