| | | |
|---|---|---|
| author | Niels de Vos <ndevos@redhat.com> | 2016-02-20 19:05:43 +0100 |
| committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2016-02-23 12:26:24 -0800 |
| commit | e10b96cad215c137a729afc9a27c103854435d0e | |
| tree | 63df9bb4629eec4c6daca2b2d888c8a2b4a82d6c /under_review | |
| parent | 799e06265ed29c1d685763cfd86374c8f603fee0 | |
Kerberos: clarify some details
Incorporate some more changes based on feedback from Simo Sorce.
Change-Id: I5ebbfcfa25ee917f0457ccd83d1a5c54a7ece293
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/13478
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Tested-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Diffstat (limited to 'under_review')

| | | |
|---|---|---|
| -rw-r--r-- | under_review/Kerberos.md | 17 |

1 files changed, 12 insertions, 5 deletions
diff --git a/under_review/Kerberos.md b/under_review/Kerberos.md index 8dda497..7953c4f 100644 --- a/under_review/Kerberos.md +++ b/under_review/Kerberos.md @@ -149,8 +149,8 @@ can be used for mounting. Kerberized Samba- or NFS-clients should be able to connect to a filesystem service (Same or NFS-Ganesha), and get authenticated by their User Principal Name at the Gluster processes. GSSAPI supports this through constraint -delegation. Not all Kerberos Domain Controllers support this feature, but -Active Directory and FreeIPA do. +delegation (the "S4U2Proxy protocol"). Not all Kerberos Domain Controllers +support this feature, but Active Directory and FreeIPA do. There is a difficulty where a filesystem service (like NFS-Ganesha or Samba) receive connections from a non-Kerberos client, but do need to communicate @@ -191,6 +191,11 @@ To solve this problem, `COMPOUND` procedures can be used. A new `SETFSUID` and UID/GID. This requires trusting the Gluster-client fully, and should only be used as a fall-back solution when constrained delegation is not possible. +By default I/O is not allowed when the `glusterfs/${client}@REALM` SPN is used. +This would make it possible for any client to do I/O as any user. The option +`krb5.unconstrained-clients` needs to be configured to allow specific clients +to use the SPN for I/O. + ### Username mapping 
@@ -280,15 +285,15 @@ The steps to configure Kerberos access to Gluster volumes would look like: 1. enable NTP or similar time-syncing between servers 1. configure Kerberos system-wide in `/etc/krb5.conf` 1. configure idmapping through `/etc/nsswitch.conf` (LDAP, AD, ..) and `/etc/idmapd.conf` -1. add Kerberos TGTs to the `/etc/krb5.keytab` file +1. add Kerberos long term keys to the `/etc/krb5.keytab` file 1. enable Kerberos through GlusterD Performing I/O over a FUSE with Kerberos mountpoint: -1. `[root]` mount the volume, uses Kerberos TGT from `/etc/krb5.keytab` +1. `[root]` mount the volume, uses Kerberos long term keys from `/etc/krb5.keytab` 1. `[user]` should have a valid Kerberos TGT (obtained with `kinit`) 1. `[user]` I/O should be permitted as normal -1. `[user]` after invalidating the Kerberos TGT (with `kdestroy`), I/O should be denied +1. `[user]` after the Kerberos TGT has expired, I/O should be denied Different ways of Kerberos usage can be inspected with [Wireshark](https://wireshark.org). The RPC-headers will not list the @@ -304,6 +309,8 @@ servers and enable Kerberos support for the GlusterD and the Gluster Volumes. Users with a valid Kerberos TGT should not notice any difference while doing I/O. +An administrator can set the `krb5.required` option (TODO: descripe this and +other configuration values) to require clients to connect over Kerberos only. # Dependencies |
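Review bot: in the hunk at `@@ -149,8 +149,8 @@`, the rewritten sentence still says "constraint delegation" while the later hunk (and the rest of the document) says "constrained delegation"; since this hunk already touches that sentence, make it read "constrained delegation (the "S4U2Proxy protocol")". Two further nits on the same lines: "Kerberos Domain Controllers" is Active Directory wording, the Kerberos term is KDC (Key Distribution Center), so "Not all KDCs support this feature, but Active Directory and FreeIPA do" is clearer; and the context line "(Same or NFS-Ganesha)" should read "(Samba or NFS-Ganesha)".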
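Review bot: in the hunk at `@@ -191,6 +191,11 @@`, the added sentence "This would make it possible for any client to do I/O as any user." is ambiguous: it directly follows "By default I/O is not allowed when the `glusterfs/${client}@REALM` SPN is used", so it reads as if the default were the problem rather than the thing being prevented. Suggest "Allowing this for every client would make it possible for any client to do I/O as any user." The new option `krb5.unconstrained-clients` is also introduced without saying what its value is (a list of client principals?), where it is configured, or that it is the "trusting the Gluster-client fully" fall-back named in the preceding paragraph; a one-line cross-reference plus a note that such clients should be the exception and kept to a minimum would make the risk of the setting clear to an administrator.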
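Review bot: in the hunk at `@@ -280,15 +285,15 @@`, replacing "TGTs" with "long term keys" for `/etc/krb5.keytab` is correct (a keytab stores long-term keys, not tickets), but the rewritten last step "after the Kerberos TGT has expired, I/O should be denied" is not what a test will observe: a service ticket already obtained for the Gluster SPN stays valid until its own expiry regardless of the TGT, and an established GSS context lives as long as that ticket, so I/O continues until the service ticket expires or the credential cache is cleared. Suggest keeping the removed `kdestroy` step as its own test case and stating which lifetime (TGT, service ticket, or GSS context) the "expired" step refers to. Minor: the context line "Performing I/O over a FUSE with Kerberos mountpoint" should read "Performing I/O over a FUSE mountpoint with Kerberos".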
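Review bot: in the hunk at `@@ -304,6 +309,8 @@`, the added text lands with an unresolved "(TODO: descripe this and other configuration values)" (also a typo for "describe"); either describe `krb5.required` here (what exactly is refused when it is set: any non-Kerberos RPC, or only clients without a valid ticket?) or track the TODO outside the document before merging, since a parenthetical TODO in prose is easy to lose. It would also help to state the default (Kerberos optional unless `krb5.required` is set?), because the preceding sentence promises users "should not notice any difference while doing I/O".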