Difference between revisions of "Mount Homedisk"
m (→Prerequisites) |
m (→Setting-up) |
||
(One intermediate revision by the same user not shown) | |||
Line 10: | Line 10: | ||
== Prerequisites == | == Prerequisites == | ||
− | You need to have your '''krb5.keytab''' file generated by [[Contact | C&CZ]]. If you do not have any, please contact [[Contact | C&CZ]] and one will be generated. | + | You need to have your '''krb5.keytab''' file generated by [[Contact | C&CZ postmaster]]. If you do not have any, please contact [[Contact | C&CZ postmaster]] and one will be generated. |
== Setting-up == | == Setting-up == | ||
− | For | + | For Kerberos to work you '''must''' be within the '''science.ru.nl''' realm - thus being connected directly to the science.ru.nl network, or be tunneled-in by the [[vpn]]. |
Rename the file provided by the C&CZ to '''krb5.keytab''' and move it to the '''/etc/''' folder, change its mod to '''rw------''' and ownership to '''root:root'''. Finally, the file should look like this: | Rename the file provided by the C&CZ to '''krb5.keytab''' and move it to the '''/etc/''' folder, change its mod to '''rw------''' and ownership to '''root:root'''. Finally, the file should look like this: | ||
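Review bot: the unchanged sentence right after the edited Kerberos line gives the keytab permissions as "rw------", one dash short of the "-rw-------" shown in the listing that follows, and says "its mod" rather than "its mode". Since this revision already touches the paragraph, write the mode out in full as rw------- so readers end up with an owner-only keytab that matches the expected ls output.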
Line 20: | Line 20: | ||
-rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab | -rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab | ||
− | Next you need to configure | + | Next you need to configure Kerberos properly in your '''krb5.conf'''. At the end, the file should look like this in the case of portable PCs (notebooks): |
[chuck@uberpc ~]$ cat /etc/krb5.conf | [chuck@uberpc ~]$ cat /etc/krb5.conf | ||
Line 46: | Line 46: | ||
In case of the desktop PCs within the university the '''rdns = no''' parameter should be omitted. | In case of the desktop PCs within the university the '''rdns = no''' parameter should be omitted. | ||
− | After setting | + | After setting up Kerberos, try the command "kinit $USERNAME", where you substitute $USERNAME by your Science login name. For simplicity science user Chuck Norris (thus username cnorris) will be used as an example. Try to '''kinit''' with your science password and check if the ticket has been successfully leased by using the '''klist''' command: |
[chuck@uberpc ~]$ kinit cnorris | [chuck@uberpc ~]$ kinit cnorris | ||
Line 65: | Line 65: | ||
home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206) | home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206) | ||
− | From the output of above command we can clearly see that Chuck | + | From the output of the above command we can clearly see that Chuck Norris' homedrive is located in '''/VGsda66''', thus we will attempt to mount the '''home2.science.ru.nl:/VGsda66/cnorris''' directory. |
− | Now that you | + | Now that you know the proper mount path and Kerberos has been set up, you need to get working nfs software on your unix pc. In case of Archlinux that consists of the '''nfs-utils''' package, in other distributions nfs will most probably come preinstalled. Ensure that '''rpc-gssd.service''' is up and running as it is vital for the Kerberos authentication procedure as referred [https://wiki.archlinux.org/index.php/Nfs#Client on the ArchLinux wiki]. |
if '''rpc-gssd.service''' is '''NOT''' running, the output will look similar to this: | if '''rpc-gssd.service''' is '''NOT''' running, the output will look similar to this: | ||
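Review bot: the rewritten rpc-gssd.service sentence tells the reader to ensure the service is up and running but not how to check it, and the only symptom shown afterwards is a generic mount.nfs error. Consider naming the check next to the requirement (for example "systemctl status rpc-gssd.service") and changing "as referred on the ArchLinux wiki" to "as described on the ArchLinux wiki".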
Line 83: | Line 83: | ||
mount.nfs: an incorrect mount option was specified | mount.nfs: an incorrect mount option was specified | ||
− | when '''rpc-gssd.service''' is up an running as it should the '''correct output''' will look similar to this: | + | when '''rpc-gssd.service''' is up an running (as it should), the '''correct output''' will look similar to this: |
[root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv | [root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv | ||
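Review bot: the new version of the "correct output" sentence still reads "up an running" and still starts with a lower-case "when". Suggest "When rpc-gssd.service is up and running (as it should), the correct output will look similar to this:".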
Line 90: | Line 90: | ||
[root@uberpc cnorris]# | [root@uberpc cnorris]# | ||
− | if you have active | + | if you have an active Kerberos ticket, you should be able to list the content of the '''/mnt/''' directory by now. |
[chuck@uberpc ~]$ ls /mnt/ | [chuck@uberpc ~]$ ls /mnt/ | ||
'$RECYCLE.BIN'/ desktop.ini /MK_ultra_results /answer_to_42.txt /cancer_cure | '$RECYCLE.BIN'/ desktop.ini /MK_ultra_results /answer_to_42.txt /cancer_cure |
Latest revision as of 13:40, 3 October 2018
Mounting home (U:) drive on Linux via NFS/Kerberos
About NFS
Quote from the NFS wiki entry:
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.
On the C&CZ managed fileservers, Kerberos authentication is used for security.
All Science users have a homedrive; for more information, see the home directories section.
Prerequisites
You need to have your krb5.keytab file generated by C&CZ postmaster. If you do not have one, please contact C&CZ postmaster and one will be generated.
Setting-up
For Kerberos to work you must be within the science.ru.nl realm, that is, connected directly to the science.ru.nl network or tunneled in through the VPN.
Rename the file provided by C&CZ to krb5.keytab and move it to the /etc/ folder, then change its mode to rw------- and its ownership to root:root. Afterwards, the file should look like this:
    [chuck@uberpc ~]$ ls -l /etc/krb5.keytab
    -rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab
Next you need to configure Kerberos properly in your krb5.conf. At the end, the file should look like this in the case of portable PCs (notebooks):
    [chuck@uberpc ~]$ cat /etc/krb5.conf
    # RU krb5config
    [libdefaults]
        default_realm = SCIENCE.RU.NL
        forwardable = yes
        forward = yes
        encrypt = yes
        srv_lookup = no
        srv_try_txt = no
        no-addresses = yes
        rdns = no
        allow_weak_crypto = yes

    [realms]
        SCIENCE.RU.NL = {
            admin_server = kerberos.science.ru.nl:749
        }

    [domain_realm]
        .science.ru.nl = SCIENCE.RU.NL
        science.ru.nl = SCIENCE.RU.NL
In the case of desktop PCs within the university, the rdns = no parameter should be omitted.
After setting up Kerberos, try the command "kinit $USERNAME", substituting your Science login name for $USERNAME. For simplicity, Science user Chuck Norris (username cnorris) is used as an example. Run kinit with your Science password and check that the ticket has been successfully issued by using the klist command:
    [chuck@uberpc ~]$ kinit cnorris
    Password for cnorris@SCIENCE.RU.NL:
    [chuck@uberpc ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: cnorris@SCIENCE.RU.NL

    Valid starting       Expires              Service principal
    01/01/2018 06:06:06  01/02/2018 06:06:06  krbtgt/SCIENCE.RU.NL@SCIENCE.RU.NL
To proceed with the mount, we need to determine which folder on the server to mount. A fast way to find out is to execute this command:
    [chuck@uberpc ~]$ ssh cnorris@lilo.science.ru.nl "mount | grep nfs | grep cnorris"
The output should be similar to this:
    cnorris@lilo.science.ru.nl's password:
    home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206)
From the output of the above command we can clearly see that Chuck Norris' homedrive is located in /VGsda66, thus we will attempt to mount the home2.science.ru.nl:/VGsda66/cnorris directory.
Now that you know the proper mount path and Kerberos has been set up, you need working NFS client software on your Unix PC. On Arch Linux this is the nfs-utils package; on other distributions NFS will most probably come preinstalled. Ensure that rpc-gssd.service is up and running, as it is vital for the Kerberos authentication procedure, as described on the ArchLinux wiki.
If rpc-gssd.service is NOT running, the output will look similar to this:
    [root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
    mount.nfs: timeout set for Fri Jan 1 06:23:39 2018
    mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
    mount.nfs: mount(2): Operation not permitted
    mount.nfs: trying text-based options 'addr=131.174.30.206'
    mount.nfs: prog 100003, trying vers=3, prot=6
    mount.nfs: trying 131.174.30.206 prog 100003 vers 3 prot TCP port 2049
    mount.nfs: prog 100005, trying vers=3, prot=17
    mount.nfs: trying 131.174.30.206 prog 100005 vers 3 prot UDP port 656
    mount.nfs: mount(2): Invalid argument
    mount.nfs: an incorrect mount option was specified
When rpc-gssd.service is up and running (as it should), the correct output will look similar to this:
    [root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
    mount.nfs: timeout set for Fri Jan 1 06:24:09 2018
    mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
    [root@uberpc cnorris]#
If you have an active Kerberos ticket, you should now be able to list the contents of the /mnt/ directory.
    [chuck@uberpc ~]$ ls /mnt/
    '$RECYCLE.BIN'/ desktop.ini /MK_ultra_results /answer_to_42.txt /cancer_cure
When finished, please umount /mnt/ and destroy the ticket with the kdestroy command.
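The checks behind the procedure above, collected into one script as an added example (it is not part of the original wiki page or of C&CZ's tooling). All function names are hypothetical, and a Linux `stat -c` is assumed; it verifies keytab mode and ownership, reads settings from krb5.conf, extracts the export path from `mount` output, and reports which `sec=` flavor a mount actually uses.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the NFS/Kerberos procedure.
# Function names are hypothetical; GNU or busybox `stat -c` is assumed.

# keytab_ok FILE [UID:GID] -> 0 when FILE is mode 600 and owned as expected
# (default 0:0, i.e. root:root as the page requires).
keytab_ok() {
    kt_got=$(stat -c '%a %u:%g' "$1" 2>/dev/null) || return 2
    [ "$kt_got" = "600 ${2:-0:0}" ]
}

# krb5_setting FILE SECTION KEY -> print the value of KEY found under [SECTION].
krb5_setting() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
            }
        }' "$1"
}

# nfs_export USER -> read `mount` output on stdin, print server:/path of USER's home.
nfs_export() {
    awk -v mp="/home/$1" '$3 == mp && $5 ~ /^nfs/ { print $1; exit }'
}

# mount_sec MOUNTPOINT -> read `mount` output on stdin, print its sec= flavor
# (sys, krb5, krb5i, krb5p) so the negotiated security can be confirmed.
mount_sec() {
    awk -v mp="$1" '$3 == mp && match($0, /[(,]sec=[^,)]+/) {
        print substr($0, RSTART + 5, RLENGTH - 5); exit }'
}

# preflight KEYTAB KRB5CONF [UID:GID] -> report problems, non-zero on failure.
preflight() {
    pf_rc=0
    keytab_ok "$1" "${3:-0:0}" || { echo "FAIL keytab: want mode 600, owner ${3:-0:0}"; pf_rc=1; }
    [ "$(krb5_setting "$2" libdefaults default_realm)" = "SCIENCE.RU.NL" ] ||
        { echo "FAIL default_realm is not SCIENCE.RU.NL"; pf_rc=1; }
    [ "$(krb5_setting "$2" libdefaults allow_weak_crypto)" != "yes" ] ||
        echo "WARN allow_weak_crypto = yes permits weak encryption types"
    return "$pf_rc"
}

# Usage: sh preflight.sh /etc/krb5.keytab /etc/krb5.conf
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Piping the lilo output shown earlier into `mount_sec /home/cnorris` prints `sys`; running `mount | mount_sec /mnt` after your own mount shows which flavor was negotiated there.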
Further reading
If you are interested in the topic, you can proceed to:
https://en.wikipedia.org/wiki/Network_File_System
https://en.wikipedia.org/wiki/Kerberos_(protocol)
https://en.wikipedia.org/wiki/Project_Athena