Difference between revisions of "Mount Homedisk"

From Cncz

Revision as of 10:07, 1 October 2018

Mounting home (U:) drive on Linux via NFS/Kerberos

About NFS

Quote from the Wikipedia entry on NFS (https://en.wikipedia.org/wiki/Network_File_System):

   Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.

At C&CZ, access to the NFS exports is secured with the Kerberos ticket system.

Every @science user has their own home drive, as described on the Diskruimte page.

Prerequisites

You need a krb5.keytab file for your machine, generated by C&CZ. If you do not have one, contact C&CZ and one will be generated.

Setting up

For Kerberos to work your machine must be able to reach the SCIENCE.RU.NL realm, which means being connected directly to the science.ru.nl network or tunnelled in via VPN.

Rename the file provided by C&CZ to krb5.keytab, move it to /etc/, and set its mode to rw------- (0600) and its ownership to root:root. The keytab contains long-term Kerberos keys, so anyone who can read it can authenticate as the principals it holds; it must stay readable by root only. The result should look like this:

[chuck@uberpc ~]$ ls -l /etc/krb5.keytab
-rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab

Next, configure Kerberos in /etc/krb5.conf. For portable PCs (notebooks) the file should end up looking like this:

[chuck@uberpc ~]$ cat /etc/krb5.conf
# RU krb5config

[libdefaults]
        default_realm = SCIENCE.RU.NL
        forwardable = yes
        forward = yes
        encrypt = yes
        srv_lookup = no
        srv_try_txt = no
        no-addresses = yes
        rdns = no
        allow_weak_crypto = yes

[realms]
    SCIENCE.RU.NL = {
            admin_server = kerberos.science.ru.nl:749
    }

[domain_realm]
    .science.ru.nl = SCIENCE.RU.NL
    science.ru.nl = SCIENCE.RU.NL

For desktop PCs inside the university, omit the "rdns = no" line (rdns = no stops the Kerberos library from using reverse DNS to canonicalize server hostnames when it builds service principal names). Note also that allow_weak_crypto = yes re-enables single-DES and export-grade RC4 encryption types; keep it only as long as the KDC actually requires them.

After setting up Kerberos, run "kinit $USERNAME", substituting your science login name for $USERNAME. For simplicity, science user Chuck Norris (username cnorris) is used as the example below. Run kinit with your science password and check with klist that a ticket has been issued:

[chuck@uberpc ~]$ kinit cnorris
Password for cnorris@SCIENCE.RU.NL:
[chuck@uberpc ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cnorris@SCIENCE.RU.NL

Valid starting       Expires              Service principal
01/01/2018 06:06:06  01/02/2018 06:06:06  krbtgt/SCIENCE.RU.NL@SCIENCE.RU.NL

To proceed with the mount, you need to know which directory on the server holds your home. A quick way to find out is to look at how it is mounted on lilo:

[chuck@uberpc ~]$ ssh cnorris@lilo.science.ru.nl 'mount | grep nfs | grep cnorris'

The output should be similar to this:

cnorris@lilo.science.ru.nl's password:
home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206)

The output shows that Chuck Norris's home directory is exported by home2.science.ru.nl from /VGsda66, so the path to mount is home2.science.ru.nl:/VGsda66/cnorris. The mount options shown (vers=3, sec=sys) are those of lilo's own mount and do not apply to your client; only the source path matters here.

Now that you know the mount path and Kerberos is set up, you need working NFS client software on your Linux machine. On Arch Linux that is the nfs-utils package; on most other distributions the NFS client comes preinstalled. Make sure rpc-gssd.service is running: rpc.gssd is the user-space daemon that obtains the Kerberos service tickets for NFS, using the key in /etc/krb5.keytab for the mount itself and your own credential cache for your file access. See the client section of the Arch wiki NFS page (https://wiki.archlinux.org/index.php/Nfs#Client).

If rpc-gssd.service is not running, the mount fails and the output looks similar to this:

[root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:23:39 2018
mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=131.174.30.206'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 131.174.30.206 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 131.174.30.206 prog 100005 vers 3 prot UDP port 656
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified

When rpc-gssd.service is running, the mount succeeds and the output looks similar to this:

[root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:24:09 2018
mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
[root@uberpc cnorris]#

With a valid Kerberos ticket you can now list the contents of /mnt/. To be sure that Kerberos was actually negotiated rather than AUTH_SYS, check the sec= option of the mount in /proc/mounts; you can also pass "-o sec=krb5" (or krb5i/krb5p) to mount so that it never falls back to sec=sys.

[chuck@uberpc ~]$ ls /mnt/
'$RECYCLE.BIN'   desktop.ini   MK_ultra_results   answer_to_42.txt   cancer_cure

When finished, unmount /mnt/ and destroy your ticket with the kdestroy command.
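The whole procedure above, as an added example that is not part of the C&CZ page: a POSIX shell script that checks the keytab permissions, extracts the export path from lilo's mount output, mounts with Kerberos, verifies the negotiated security flavor, and cleans up. It assumes systemd (rpc-gssd.service), MIT Kerberos (klist -s), a FILE credential cache as shown on the page, and that home2.science.ru.nl accepts sec=krb5 for the home export; the export path, /mnt and the sample mount output are taken from the page's own example.

```shell
#!/bin/sh
# mount_home.sh: check, mount and unmount the C&CZ home drive over NFS/Kerberos.
# Added example, not C&CZ tooling. Assumptions not stated on the page:
# systemd (rpc-gssd.service), MIT Kerberos (klist -s), a FILE credential
# cache, and a server that accepts sec=krb5 for the home export.

KEYTAB=/etc/krb5.keytab

# Constructed sample of `mount` output on lilo; the second line is the page's example.
SAMPLE_MOUNTS='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206)'

# keytab_mode_ok FILE: succeed only when the mode string is exactly -rw-------.
# The keytab holds long-term keys, so no group/other bits may be set.
keytab_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# keytab_owner FILE: print the owning user (third column of ls -l).
keytab_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# home_export USER: read `mount` output on stdin and print the NFS source
# (server:/export) mounted on /home/USER; prints nothing if there is none.
home_export() {
    awk -v u="$1" '$2 == "on" && $3 == ("/home/" u) && $5 ~ /^nfs/ { print $1; exit }'
}

# nfs_sec_flavor LINE: print the sec= option of one `mount` or /proc/mounts line.
# sys = AUTH_SYS (no Kerberos); krb5 / krb5i / krb5p = Kerberos auth / +integrity / +privacy.
nfs_sec_flavor() {
    printf '%s\n' "$1" | sed -n 's/.*[(, ]sec=\([a-z0-9]*\).*/\1/p'
}

# user_ticket_ok USER: the mount itself runs as root with the keytab, but file
# access needs USER's own ticket from kinit, so check USER's cache, not root's.
user_ticket_ok() {
    su -s /bin/sh "$1" -c 'klist -s'
}

# mount_home USER EXPORT MNT: the page's procedure with the checks made explicit.
mount_home() {
    user=$1 src=$2 mnt=${3%/}
    keytab_mode_ok "$KEYTAB" || { echo "$KEYTAB must be mode 0600" >&2; return 1; }
    [ "$(keytab_owner "$KEYTAB")" = root ] || { echo "$KEYTAB must be owned by root" >&2; return 1; }
    systemctl is-active --quiet rpc-gssd.service || { echo "rpc-gssd.service is not running" >&2; return 1; }
    user_ticket_ok "$user" || { echo "$user has no Kerberos ticket; run: kinit $user" >&2; return 1; }
    # sec=krb5 makes the client refuse to fall back to AUTH_SYS.
    mount -t nfs -o sec=krb5 "$src" "$mnt" || return 1
    flavor=$(nfs_sec_flavor "$(grep " $mnt " /proc/mounts | tail -n 1)")
    case $flavor in
        krb5|krb5i|krb5p) echo "mounted $src on $mnt with sec=$flavor" ;;
        *) echo "negotiated sec=$flavor, not Kerberos; unmounting" >&2; umount "$mnt"; return 1 ;;
    esac
}

# unmount_home USER MNT: undo the mount and throw away USER's ticket, as the page asks.
unmount_home() {
    umount "${2%/}" && su -s /bin/sh "$1" -c 'kdestroy'
}

# Usage (as root, after the user has run `kinit cnorris`):
#   ssh cnorris@lilo.science.ru.nl mount | ./mount_home.sh export cnorris
#   ./mount_home.sh mount cnorris home2.science.ru.nl:/VGsda66/cnorris /mnt
#   ./mount_home.sh umount cnorris /mnt
case ${1:-} in
    export) home_export "$2" ;;
    mount)  mount_home "$2" "$3" "$4" ;;
    umount) unmount_home "$2" "$3" ;;
esac
```

The mode check is deliberately stricter than "root:root" alone: a keytab that is group- or world-readable lets any local user obtain tickets for the machine principals, which is why the page insists on rw-------. The sec= verification after mounting catches the case where the client silently negotiated AUTH_SYS, which the page's plain "mount -t nfs" would not reveal.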

Further reading

If you are interested in the topic, see:

https://en.wikipedia.org/wiki/Network_File_System

https://en.wikipedia.org/wiki/Kerberos_(protocol)

https://en.wikipedia.org/wiki/Project_Athena

https://wiki.archlinux.org/index.php/Nfs

https://wiki.archlinux.org/index.php/Kerberos