Posts Tagged ‘Ubuntu’

Using IPA to provide automount maps for NFSv4 home directories

Saturday, March 14th, 2015

Since the invention of NFSv4, automounting NFS home directories can be done securely. Since the invention of IPA, it's easier to set up and maintain. This article guides you through the steps needed to set it up. The procedures have been tested on RHEL 7.1 for the IPA servers and RHEL 6.6 and 7.1 as clients, but should work on Fedora and CentOS. Unfortunately it seems not to work (yet) for Debian Sid and Ubuntu. [Update] Works in Ubuntu 14.04[/Update]

Assumptions

  • Your Domain is example.com
  • Your Kerberos Realm is EXAMPLE.COM
  • The NFS server is nfs.example.com
  • The exported home directories are on /exports/home
  • The client is ipaclient1.example.com

A few words about security and Kerberized NFS

There are basically three different modes: krb5, krb5i and krb5p.

  • krb5 means that the server and client authenticate each other; traffic is neither integrity-protected nor encrypted, so it can be intercepted.
  • krb5i is the same as krb5 but provides integrity. It verifies that the data has not been tampered with, but traffic can still be intercepted and read.
  • krb5p is like the two above, plus privacy protection: all traffic is encrypted.

Depending on the sensitivity of the data to be transferred, krb5i or krb5p should be used. Also keep in mind that the higher the security level, the lower the throughput.

Work to do on one of the IPA replicas

Add the NFS service principals for the server and the client to Kerberos.

    [root@ipa1 ~]# ipa service-add nfs/nfs.example.com
    [root@ipa1 ~]# ipa service-add nfs/ipaclient1.example.com

Assuming you use only one location, the default one will do.

Add the auto.home map

    [root@ipa1 ~]# ipa automountmap-add default auto.home
    -------------------------------
    Added automount map "auto.home"
    -------------------------------
      Map: auto.home
    [root@ipa1 ~]# 

And add the auto.home map to auto.master

    [root@ipa1 ~]# ipa automountkey-add default --key "/home" --info auto.home auto.master
    ---------------------------
    Added automount key "/home"
    ---------------------------
      Key: /home
      Mount information: auto.home
    [root@ipa1 ~]# 

Finally add the wildcard key to the auto.home map. The example uses sec=krb5i, matching the recommendation above; use krb5p if the data must be encrypted in transit.

    [root@ipa1 ~]# ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5i,soft,rsize=8192,wsize=8192 nfs.example.com:/exports/home/&" auto.home
    -----------------------
    Added automount key "*"
    -----------------------
      Key: *
      Mount information: -fstype=nfs4,rw,sec=krb5i,soft,rsize=8192,wsize=8192 nfs.example.com:/exports/home/&
    [root@ipa1 ~]# 

Configure the NFS server

Create a Kerberos keytab for your NFS server

    [root@nfs ~]# kinit admin
    [root@nfs ~]# ipa-getkeytab -s ipa1.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab

Enable secure (Kerberos) NFS, which starts the GSS daemons the krb5 flavours need, by setting SECURE_NFS="yes" in /etc/sysconfig/nfs

    [root@nfs ~]# perl -npe 's/#SECURE_NFS="yes"/SECURE_NFS="yes"/g' -i /etc/sysconfig/nfs

Create your NFS share and start the NFS server

    [root@nfs ~]# mkdir -p /exports/home
    [root@nfs ~]# echo "/exports/home  *(rw,sec=sys:krb5:krb5i:krb5p)" >> /etc/exports
    [root@nfs ~]# service nfs start
    [root@nfs ~]# chkconfig nfs on

Keeping sys in the sec= list still accepts unauthenticated AUTH_SYS mounts from any host matching the "*" client pattern, so drop it (and narrow the client pattern) once all clients are Kerberized.

Configure your clients

Get the Kerberos keytab

    [root@ipaclient1 ~]# ipa-getkeytab -s ipa1.example.com -p nfs/ipaclient1.example.com -k /etc/krb5.keytab

Finally you need to configure your client systems to use the automount maps provided by IPA

    [root@login ~]# ipa-client-automount --location=default
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/nsswitch.conf
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
    [root@login ~]# 

Strange problems you can run into

If you run into trouble, enable debugging in the related daemons: in /etc/sysconfig/autofs add the line LOGGING=debug, and add debug_level = 9 to the [autofs] stanza of /etc/sssd/sssd.conf.

If you have something like this in /var/log/messages

    lookup(file): failed to read included master map auto.master

then probably your nsswitch.conf does not point to sss. Ensure you have

    automount:  files sss

in your nsswitch.conf. This should actually be configured by ipa-client-automount, but it seems that this is not 100% reliable.

If you have something like this in /var/log/messages:

    Mar 14 20:02:37 ipaclient nfsidmap[3039]: nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain'

then check that your /etc/hosts file is correct, and ensure that the short hostname does not come before the fully qualified hostname. Another mistake can trigger the same error: DNS. Ensure you have a working DNS setup for both A (and/or AAAA) and PTR records.
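As an added example that is not part of the original post, the following POSIX shell functions check the three settings this how-to configures and the nsswitch line the troubleshooting section points at: the sec= flavour of an automount info string, exports that still accept AUTH_SYS, and whether nsswitch.conf lists sss for automount. The sample inputs are constructed from the values shown above, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Functions read text you pipe in
# or pass as an argument, so they can be run against copies of the real files.

# Extract the sec= flavour (sys, krb5, krb5i or krb5p) from an automount
# "info" string such as the auto.home value added with automountkey-add.
sec_flavour() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1
}

# True only for flavours that protect the data: krb5i (integrity) or
# krb5p (privacy). Plain krb5 authenticates but leaves traffic open.
sec_is_strong() {
    case "$(sec_flavour "$1")" in
        krb5i|krb5p) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read /etc/exports on stdin and print every export whose sec= list still
# contains "sys", i.e. one that accepts unauthenticated AUTH_SYS clients.
exports_allowing_sys() {
    grep -E 'sec=([^,)]*:)?sys(:|[,) ]|$)'
}

# Read nsswitch.conf on stdin; succeed only if the "automount:" line lists
# sss, the cause of "failed to read included master map auto.master".
nsswitch_uses_sss() {
    grep -Eq '^automount:[[:space:]]+(.*[[:space:]])?sss([[:space:]]|$)'
}

# Demo on constructed input mirroring the post (run with argument "demo").
if [ "${1:-}" = "demo" ]; then
    info='-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfs.example.com:/exports/home/&'
    if sec_is_strong "$info"; then echo "auto.home ok"
    else echo "auto.home uses weak flavour: $(sec_flavour "$info")"; fi
    printf '/exports/home  *(rw,sec=sys:krb5:krb5i:krb5p)\n' \
        | exports_allowing_sys | sed 's/^/allows AUTH_SYS: /'
    if printf 'automount:  files sss\n' | nsswitch_uses_sss; then echo "nsswitch ok"; fi
fi
```

On a real client, feed the functions with `cat /etc/exports | exports_allowing_sys` or `nsswitch_uses_sss < /etc/nsswitch.conf`.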

Read further

There are plenty of docs available; here is a choice.

Have fun! :-)

Ubuntu 10.04 LTS released

Sunday, May 2nd, 2010

End of April 2010, Ubuntu 10.04 was released. As always it is based on Debian’s Testing-Release. Canonical “stabilizes” the testing tree of Debian and adds its own look.

This time, Ubuntu radically changed its look. From my point of view it looks ugly, very ugly. Strange colors, low contrast in menus, orange icons in Nautilus… window buttons on the left side… At the end of the day, a usability horror.

Under the hood Ubuntu is a very stable distribution with recent software. Ubuntu 10.04 is an LTS (Long Term Support) version and is thus suited as an enterprise server. Support for the server variant of Ubuntu is five years. Ubuntu is – like Debian – capable of upgrading to a new major release without service interruption.

Manageability

You “can” mirror Debian and Ubuntu repositories locally, but it is difficult if you do not want to mirror all available architectures. Unfortunately there is (AFAIK) no software available such as Spacewalk/RHN Satellite to manage your servers.

The best method is to allow every single installed system to talk directly or via proxy to the mirror servers. This is a nightmare for firewall administrators.

To my knowledge there is no convenient way to install Ubuntu over the net. There are rumors that Spacewalk and Cobbler are going to get Debian/Ubuntu support at some time.

Reliability

Debian, and thus Ubuntu, has a track record of being reliable. This also seems to be true for the current release 10.04. The software came from Debian's testing repository but was stabilized over months. Canonical (the sponsor of Ubuntu) has a reputation for its quality management. Using Ubuntu as a server operating system is sane.

Conclusion

As a desktop operating system I'll avoid Ubuntu, since the usability is focused on dummy users and not professional Linux users. For server usage you need to ask yourself about your needs. If you are operating Oracle DBs or other commercial applications you probably want to install Red Hat Enterprise Linux (RHEL). For a web server Ubuntu is very well suited, even better than RHEL. In two years there will be another LTS variant available and you are free to upgrade online. Reliability is very good, manageability is poor, especially when used in larger companies.

In short: Ubuntu for web servers, RHEL/CentOS for other servers.

As always: Feedback is welcome…

Have fun!

Ready to upstart?

Saturday, October 31st, 2009

upstart

It is time to replace the aged SysV init system with something better.

At the time when SysV init (pronounced “System five”) appeared, hardware configurations were quite static: no hot plug and similar fancy stuff.

SysV init is started after the kernel is loaded. The init process reads /etc/inittab and walks through the run control scripts and runlevels. This sequential walk-through takes most of the time when booting a modern Unix system.

Upstart follows another approach: starting daemons and services in parallel and event driven. This will speed up the boot process beyond expectations.

A very nice feature of upstart is: all processes will be started in the background, no more blocking of the boot process through hanging run control scripts!

If a service unexpectedly dies, it will be respawned automatically, up to a configurable limit of times per period.

Upstart is event-driven; an event can be e.g. plugging in new hardware, which ends up starting the service needed for it. There are also plans to replace cron and atd with upstart, since these are basically time-triggered events. The developers are also thinking about replacing inetd, since a network connection can be considered an event.

Transition

Since most of the software out there does not natively support upstart yet, transition methods are needed for a smooth transition from SysV init to upstart. Traditional SysV run control scripts are fully supported, even as distributions slowly switch to the event/job model of upstart. E.g. one of the first distributions to switch to upstart was Ubuntu 6.10, and now with Ubuntu 9.10 – three years later – they begin to ship the distribution with the first native upstart scripts.

Splitting Unix systems apart

Years ago there were only two init systems, SysV init and BSD init, and a sysadmin was comfortable using them on whatever system. Now there are SysV init, Upstart from Ubuntu, launchd from Apple, SMF (Service Management Facility) from Sun Microsystems and possibly others. All of these SysV init replacements work differently: different commands, different architecture… This does not make the job of a sysadmin easier when managing a heterogeneous system landscape.

Linux distributions stay together

The good news: On the Linux side it looks like Upstart will be the future standard for system initialization, no balkanization of the Linux Landscape so far.

Linux Distribution with upstart

The following distributions are already shipping upstart:

  • Ubuntu
  • Debian
  • Fedora
  • Others?

Since Fedora 11 and 12 will be the upstream for the upcoming RHEL6 distribution, it is most likely that RHEL6 comes with upstart. At openSUSE there are some discussions (see https://features.opensuse.org/305690 for details). Maybe there is a chance for openSUSE 11.3 and later on SLES12.

Further readings:

Upstart web site: http://upstart.ubuntu.com
Wikipedia article: http://en.wikipedia.org/wiki/Upstart

Have fun!