Re: [Freeipa-users] insecure IPA'd NFS

2012-05-10 Thread Chris Evich

On 05/09/2012 06:18 PM, Steven Jones wrote:

Hi,

Thanks so I will remove the sec=sys bit and re-test...and then I
assume it will be kerberos only.


This is not true; it's documented in the exports man page how you can 
assign different permissions depending on the security type.  For example:


/nfsroot/stuff 
*(crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,sec=sys,ro,all_squash)


This makes it so users with valid kerberos creds have rw access (though 
root is squashed).  W/o a kerberos ticket, a user can still read stuff, 
but all ownership information is squashed.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
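The per-flavor option semantics Chris describes, as an added example (not code from the thread or from nfs-utils): a small Python evaluator of exports(5) option lists, run over the thread's original /home export line and Chris's suggested one. It assumes the exports(5) rule that options before the first sec= apply to every flavor while options after a sec= apply only to the flavors just listed, and that an export with no sec= at all admits AUTH_SYS only.

```python
"""Which exports(5) options does a client get for a given security flavor?"""
from __future__ import annotations

# Mutually exclusive option pairs: a later one overrides an earlier one.
_OVERRIDES = {"rw": "ro", "ro": "rw", "sync": "async", "async": "sync",
              "root_squash": "no_root_squash", "no_root_squash": "root_squash",
              "all_squash": "no_all_squash", "no_all_squash": "all_squash"}

# The option strings (inside the parentheses) of the two export lines in this thread.
THREAD_EXPORT = "rw,sec=sys:krb5:krb5i:krb5p"            # Steven's /home export
CHRIS_EXPORT = ("crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,"
                "sec=sys,ro,all_squash")                  # Chris's /nfsroot/stuff export

def parse_export_options(opts: str) -> dict[str | None, list[str]]:
    """Group options by flavor as exports(5) does: options before any sec=
    (key None) apply to every flavor; options after sec=a:b apply to a and b."""
    groups: dict[str | None, list[str]] = {None: []}
    current: list[str | None] = [None]
    for opt in filter(None, opts.split(",")):
        if opt.startswith("sec="):
            current = opt[4:].split(":")
            for flavor in current:
                groups.setdefault(flavor, [])
        else:
            for flavor in current:
                groups.setdefault(flavor, []).append(opt)
    return groups

def effective_options(opts: str, flavor: str) -> set[str] | None:
    """Options a client using `flavor` ends up with, or None if the export does
    not admit that flavor (assumption: no sec= at all means AUTH_SYS only)."""
    groups = parse_export_options(opts)
    allowed = [f for f in groups if f is not None] or ["sys"]
    if flavor not in allowed:
        return None
    result: set[str] = set()
    for opt in groups[None] + groups.get(flavor, []):
        result.discard(_OVERRIDES.get(opt))  # drop the option this one negates
        result.add(opt)
    return result

def writable(opts: str, flavor: str) -> bool:
    """True if a client using `flavor` can mount the export read-write."""
    eff = effective_options(opts, flavor)
    return eff is not None and "rw" in eff

if __name__ == "__main__":
    for flavor in ("sys", "krb5", "krb5p"):
        print(flavor, writable(THREAD_EXPORT, flavor), writable(CHRIS_EXPORT, flavor))
```

Run as a script it shows the thread's original line giving rw to an unauthenticated sys client, which is exactly what the Ubuntu test showed, while Chris's line leaves sys clients read-only and squashed.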


Re: [Freeipa-users] insecure IPA'd NFS

2012-05-10 Thread Chris Evich

On 05/09/2012 08:47 PM, Steven Jones wrote:

Removed the sys: and now no IPA'd client can mount...oh joy


Hehe, this is typical (and frustrating) for fresh NFS+Kerberos setups. 
It's very easy to miss a little detail and not get much back as to why 
it's not working.  I'd suggest going through the setup step-by-step 
again to see what's missing.


Do both client and server have valid nfs/fqdn@DOMAIN keys in 
/etc/krb5.keytab?


Is /etc/krb5.keytab accessible (i.e. no SELinux problems)?

Is port 2049 open on the firewall?

What's the state of the rpc.svcgssd process on the server and the rpc.gssd process 
on the client?


Can you manually mount the export on the server?

What shows in krb5kdc.log when trying to manually mount on client?

If none of those localize the problem area further, you can go down the 
road of bumping the rpc debug levels on both sides to see where the 
issue is.


Hope that helps.

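The checklist above turned into a script, as an added example that is not code from the thread: it runs klist -k on the keytab, looks for the nfs/<fqdn> key, checks whether the rpc.gssd and rpc.svcgssd daemons are running, and tests whether port 2049 on the server is reachable. The server name nfs.example.org and the MIT klist -k output format are assumptions; run it on both the client and the server.

```python
"""Script the NFS+Kerberos checklist on a client or server."""
from __future__ import annotations
import re
import socket
import subprocess


def has_nfs_principal(klist_output: str, fqdn: str) -> bool:
    """True if 'klist -k' output lists an nfs/<fqdn>@REALM key (MIT format:
    'KVNO Principal' header, then one '   2 nfs/host@REALM' line per key)."""
    pattern = re.compile(r"^\s*\d+\s+nfs/" + re.escape(fqdn) + r"@\S+\s*$", re.M)
    return pattern.search(klist_output) is not None


def _run(cmd: list[str]) -> tuple[int, str]:
    """Run a command; a missing binary counts as a failure (rc 127)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, ""
    return proc.returncode, proc.stdout


def run_checks(keytab: str = "/etc/krb5.keytab", server: str | None = None) -> dict[str, bool]:
    """Return {check description: passed} for the items in the list above."""
    fqdn = socket.getfqdn()
    results: dict[str, bool] = {}
    rc, out = _run(["klist", "-k", keytab])
    # A keytab the caller cannot read (permissions, SELinux denial) fails here.
    results["keytab %s readable" % keytab] = rc == 0
    results["nfs/%s key in keytab" % fqdn] = has_nfs_principal(out, fqdn)
    for daemon in ("rpc.gssd", "rpc.svcgssd"):   # client side / server side
        rc, _ = _run(["pgrep", "-x", daemon])
        results[daemon + " running"] = rc == 0
    if server:   # is nfsd reachable through the firewall?
        try:
            socket.create_connection((server, 2049), timeout=3).close()
            results["port 2049 reachable on " + server] = True
        except OSError:
            results["port 2049 reachable on " + server] = False
    return results


if __name__ == "__main__":
    # "nfs.example.org" is a placeholder; substitute the real NFS server.
    for check, ok in run_checks(server="nfs.example.org").items():
        print("PASS" if ok else "FAIL", check)
```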


Re: [Freeipa-users] insecure IPA'd NFS

2012-05-10 Thread Steven Jones
Hi,

Pretty sure I followed the RH 6.3beta doc exactly...it all worked until I found 
that non-IPA'd clients could also connect...so if I put sys: back it should be 
fine...so it's the kerberos bit or export options.

I have raised a case with RH support for help and also the IPA NFS will need 
updating if something is missing...thanks.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Rob Crittenden

Steven Jones wrote:

I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6 workstation clients 
doing NFS via automount as per section 10.3 admin guide 6.3beta...all good until I 
use a Ubuntu client to 'attack' it.  I find the non-IPA'd ubuntu client can 
delete, alter and edit files...kind of Oops...I think there is a stage missing 
in the doc or a bug...can someone have a look at that doc and tell me if a step 
is missing please?


I think more details are needed on what you set up.

How is the Ubuntu client mounting the NFS mount? As what user are you 
changing files?


rob



Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Nalin Dahyabhai
On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
 I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6
 workstation clients doing NFS via automount as per section 10.3 admin
 guide 6.3beta...all good until I use a Ubuntu client to 'attack' it.
 I find the non-IPA'd ubuntu client can delete, alter and edit
 files...kind of Oops...I think there is a stage missing in the doc
 or a bug...can someone have a look at that doc and tell me if a
 step is missing please?

What was the exact command used to mount the filesystem at the client,
and what are the contents of the mountpoint's entry in /proc/mounts on
the client after it's been mounted?

The guide lists sys as one of the security flavors when it shows an
example entry in /etc/exports (I guess, because it's demonstrating
adding Kerberos settings to a previously-configured export), which I
suspect is at least part of it.

HTH,

Nalin



Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Steven Jones
-bash: cd: thing2: Permission denied
[jonesst1@vuwunicorh6ws05 nfs1]$ 
===

So an IPA user jonesst1 getting into IPA user thing2 is denied...so login 
as thing2,
===
[jonesst1@8kxl72s ~]$ ssh vuwunicorh6ws05.ods.vuw.ac.nz -l thing2
thi...@vuwunicorh6ws05.ods.vuw.ac.nz's password: 
Last login: Thu May 10 10:05:46 2012 from 130.195.245.249
Kickstarted on 2012-02-08
[thing2@vuwunicorh6ws05 ~]$ cd nfs1
[thing2@vuwunicorh6ws05 nfs1]$ ls -l
total 0
lrwxrwxrwx. 1 thing2 thing2 12 May  9 15:34 thing2 -> /nfs1/thing2
[thing2@vuwunicorh6ws05 nfs1]$ cd thing2
[thing2@vuwunicorh6ws05 thing2]$ ls -aln
total 8
drwx------. 2 125800040 125800040 4096 May 10 09:54 .
drwxr-xr-x. 3         0         0    0 May  9 16:19 ..
-rw-rw-r--. 1 125800040 125800040    0 May  9 14:45 file
-rw-------. 1 125800040 125800040  112 May 10 09:54 file2
-rw-rw-r--. 1 125800040 125800040    0 May  9 15:34 file3
[thing2@vuwunicorh6ws05 thing2]$ tail file2
blah blah
blah4
blah5
dubuntu
ubuntu2
blah5 no2
ubuntu2
chmod is 0600
ubuntu via ssh
add
[thing2@vuwunicorh6ws05 thing2]$ 
===

so...I'm confused

===
[root@vuwuniconfsipa1 thing2]# more /etc/exports
#/home  *(rw,sync,all_squash,insecure)
/home   *(rw,sec=sys:krb5:krb5i:krb5p)
[root@vuwuniconfsipa1 thing2]# 
==

Should sec=sys be there?

No idea what I'm doing wrong

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Steven Jones
Hi,

Thanks so I will remove the sec=sys bit and re-test...and then I assume it will 
be kerberos only.

However in effect what we are saying is we can't protect an IPA user's files if 
we have to allow a non-IPA user to connect? It's ALL kerberos or nothing? Kind 
of makes sense.

Also then the 6.3 admin beta manual is wrong IMHO, all that work to do 
kerberos and adding sec=sys negates it all, so it's pointless...don't think that 
should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's 
suggesting I can't secure NFS, i.e. users' data, at all.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Steven Jones
Removed the sys: and now no IPA'd client can mount...oh joy


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

