FedFsInstallFedfsd0.10
From Linux NFS
Chucklever (Talk | contribs) (Created page with "== Project: fedfs-utils == [ Project Home | News | Downloads | Docs | [[FedFsUtilsMailingList...") |
Chucklever (Talk | contribs) (→Set up rpc.fedfsd) |
Latest revision as of 19:31, 3 February 2014
Project: fedfs-utils
Introduction
As the number of fileservers in a FedFS domain grows, administering them by logging in to each and running a command line tool becomes challenging. FedFS therefore provides an RPC mechanism for handling administrative tasks remotely. FedFS administrators use this mechanism to manage junctions and NSDB connection parameters remotely.
Since the RPC interface duplicates operations that can also be done via command line on the server, it is entirely optional to run the FedFS ADMIN service on fileservers. The equivalent command line tools are the nfsref command and the nsdbparams command.
Set up rpc.fedfsd
On Fedora 20, to enable this interface on Linux NFS servers, simply start rpc.fedfsd:
 # systemctl enable rpcfedfsd.service
 # systemctl start rpcfedfsd.service
If your distribution doesn't package fedfs-utils, after installing with "make install," check the fedfs-utils-0.10/contrib/init directory for an appropriate init script for your Linux distribution.
The file "/etc/fedfsd/access.conf" contains an access control list that determines what users are allowed to perform FedFS ADMIN operations via rpc.fedfsd. This file contains comments that describe the syntax for the access control list.
rpc.fedfsd can use either AUTH_UNIX or RPCSEC_GSS to authenticate remote users. For RPCSEC_GSS Kerberos authentication to work, you must create a service principal for the "fedfs-admin" service on each host running rpc.fedfsd. Retrieve the key for this service from your KDC and store it in a keytab on each host. The rpc.fedfsd(8) man page has more information about this.
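AUTH_UNIX is known to provide only weak security, because the server accepts the user and group IDs a client presents without verifying them. It is strongly recommended that only RPCSEC_GSS be enabled in /etc/fedfsd/access.conf if rpc.fedfsd is deployed on an open network.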
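To show what an AUTH_UNIX credential actually contains, the following added example (not part of fedfs-utils or of the original page) decodes the credential of one ONC RPC call as laid out in RFC 5531 and flags flavors that carry no proof of identity. The sample messages are constructed, the FedFS ADMIN program number 100208 comes from RFC 7533 rather than from this page, and the input is assumed to be a single RPC message with any TCP record marker already stripped.

```python
import struct

# Auth flavor numbers from RFC 5531 (AUTH_SYS is the newer name for AUTH_UNIX).
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_UNIX", 6: "RPCSEC_GSS"}

def _u32(buf, off):
    """Read one big-endian XDR unsigned int, failing cleanly on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _opaque(buf, off, limit):
    """Read a variable-length XDR opaque/string, padded to a 4-byte boundary."""
    n, off = _u32(buf, off)
    if n > limit or off + n > len(buf):
        raise ValueError("bad opaque length")
    return buf[off:off + n], off + n + (-n % 4)

def parse_call(msg):
    """Return program, procedure and credential details of one RPC call."""
    xid, off = _u32(msg, 0)
    mtype, off = _u32(msg, off)
    rpcvers, off = _u32(msg, off)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC version 2 call")
    prog, off = _u32(msg, off)
    vers, off = _u32(msg, off)
    proc, off = _u32(msg, off)
    flavor, off = _u32(msg, off)
    body, off = _opaque(msg, off, 400)
    info = {"prog": prog, "proc": proc, "flavor": FLAVORS.get(flavor, str(flavor))}
    if flavor == 1:  # authsys_parms: every field below is chosen by the client
        _, p = _u32(body, 0)  # stamp, an arbitrary client value
        host, p = _opaque(body, p, 255)
        info["uid"], p = _u32(body, p)
        info["gid"], p = _u32(body, p)
        info["machine"] = host.decode("ascii", "replace")
    info["weak"] = flavor in (0, 1)  # AUTH_NONE / AUTH_UNIX carry no proof of identity
    return info

def sample_call(flavor, cred_body):
    """Constructed sample: FedFS ADMIN (program 100208) call with an empty verifier."""
    hdr = struct.pack(">6I", 0x1234, 0, 2, 100208, 1, 0)
    pad = b"\0" * (-len(cred_body) % 4)
    cred = struct.pack(">II", flavor, len(cred_body)) + cred_body + pad
    return hdr + cred + struct.pack(">II", 0, 0)

# Constructed AUTH_UNIX body: stamp 0, machine "host1", uid 1000, gid 1000, no extra gids.
UNIX_BODY = struct.pack(">II", 0, 5) + b"host1\0\0\0" + struct.pack(">III", 1000, 1000, 0)
```

Calling `parse_call(sample_call(1, UNIX_BODY))` returns the machine name, UID and GID exactly as the client wrote them, which is all the server has to go on when AUTH_UNIX is enabled.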
Client tools
In fedfs-utils-0.10, the administrative tools that contact this server are commands such as fedfs-create-junction and fedfs-get-nsdb-params. These are simply commands that perform a single RPC against a remote FedFS administrative server. In fedfs-utils-0.10, these remain a primitive mechanism meant for scripting or unit testing.
To enable Kerberos authentication when using these tools, kinit as a principal that is allowed to perform FedFS ADMIN operations (see above for specifying such principals in the rpc.fedfsd server's access control list). Then specify the "--security=" option when running FedFS ADMIN client commands. The man pages for these commands have more information.