-----Original Message----- From: Brian Parent [mailto:bparent@calvin.ucsd.edu] Sent: Thursday, March 16, 2006 4:04 PM To: toasters@mathworks.com Subject: NFSv4 [was: Re: Mixed Mode]
A year or so ago, I was successful in getting NFSv4 to work between a R100 (DOT 6.4.5) using CIFS and NFS and a Solaris 8 client. I don't
Do you mean NFSv4 or do you mean NFSv3 with Kerberos?
The thing is, Sun never shipped NFSv4 for Solaris 8. There was an early access NFSv4 implementation that predated Solaris 10, but I think it was only for Solaris 9, and wasn't generally available.
However, in Solaris before Solaris 10, you can specify:
vers=4
on the mount command line, and it will be accepted. That's because the mount command is internally changing the 4 to a 3.
recall many of the details now, except that it was less than straightforward. And I do recall that I had difficulty repeating my success. Troubleshooting the layout included sniffing the network for clues, but even then it wasn't clear what was missing. Since we were using AD for authentication, one of the requirements was that the Kerberos realm on the Solaris client had to be the same as our AD domain. My lack of AD expertise was likely a large part of the reason for my troubles.
Setting up AD as the KDC for UNIX systems is indeed quite challenging.
I documented in painful detail the steps for doing this for Linux 2.6 FC3 in http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for....
The steps for Solaris will have a lot in common. If there's popular demand, I'll repeat the exercise for Solaris 10.
I think it was tricky to get the initial key set up on the AD server, and then propagated to the filer.
Yeah, that can be somewhat tricky, but given the filer knows how to talk directly to AD, less hassle I think than getting the keytabs for a Linux or UNIX client from AD.
So, I can confirm that it can be done, but am unfortunately short on nitty-gritty too. I'm hoping to transition to DOT 7.x soon. I may give it another go, against Solaris 10, and MacOS X, and RedHat
There's no Kerberized NFS or NFSv4 in MacOS X.
clients. The way we share filesystems to all types of clients, it doesn't make sense to bother with kerberos at all, unless we can make it work against all of our clients, and for some reason, MacOS X support for NFSv4 seems to come and go.
Maybe OS X has the same bug as pre-Solaris 10.
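Two points in the exchange above deserve a check rather than trust: a pre-Solaris-10 client accepts `vers=4` and quietly mounts NFSv3, and a mount without Kerberos leaves the server authorizing by client IP address and uid. The following is an added example, not code from this thread or from Sun or NetApp: a small Python audit that parses Linux `/proc/mounts`-style lines (the sample table is constructed; Solaris `nfsstat -m` prints the same `vers=` and `sec=` keys in a different layout, which this parser does not handle) and reports every NFS mount that fell short of the requested version or security flavor. The policy thresholds (`min_version`, `require_krb5`) are assumptions for illustration.

```python
"""Audit an NFS mount table for silent protocol and security downgrades.

Added example, not code from the toasters thread or from Sun/NetApp.
The mount request is what the administrator typed; the mount table shows
what was actually negotiated, and only the latter matters for security.
"""
from dataclasses import dataclass, field

# Constructed sample of /proc/mounts output (not from any real system).
SAMPLE_MOUNTS = """\
filer1:/vol/home /home nfs rw,vers=3,sec=sys,proto=tcp,hard 0 0
filer1:/vol/proj /proj nfs4 rw,vers=4,sec=krb5,proto=tcp,hard 0 0
filer2:/vol/scratch /scratch nfs rw,vers=3,sec=krb5i,proto=tcp 0 0
/dev/sda1 / ext3 rw 0 0
"""


@dataclass
class NfsMount:
    source: str
    mountpoint: str
    fstype: str
    options: dict = field(default_factory=dict)


def parse_mounts(text):
    """Return the NFS entries of a /proc/mounts-style table."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, mountpoint, fstype, opts = parts[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        options = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True   # bare flags map to True
        mounts.append(NfsMount(source, mountpoint, fstype, options))
    return mounts


def effective_version(mount):
    """NFS major version actually in use, taken from vers= or the fstype."""
    vers = mount.options.get("vers")
    if isinstance(vers, str) and vers:
        return int(float(vers))          # "4.1" -> 4
    return 4 if mount.fstype == "nfs4" else 3


def audit(mounts, min_version=4, require_krb5=True):
    """List (mountpoint, reason) pairs for mounts that fall below the policy."""
    findings = []
    for mount in mounts:
        version = effective_version(mount)
        sec = mount.options.get("sec", "sys")    # NFS default flavor is AUTH_SYS
        if version < min_version:
            findings.append((mount.mountpoint,
                             f"negotiated NFSv{version}, policy wants v{min_version}"))
        if require_krb5 and not str(sec).startswith("krb5"):
            findings.append((mount.mountpoint,
                             f"sec={sec}: server trusts client IP and uid, not Kerberos"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_MOUNTS with the contents of /proc/mounts on a real client.
    for mountpoint, reason in audit(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{mountpoint}: {reason}")
```

On the constructed table the audit flags `/home` twice (NFSv3 and `sec=sys`) and `/scratch` once (NFSv3 despite `sec=krb5i`), while `/proj` passes; the point is that the check reads the negotiated result, not the options the mount was requested with.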
Re:
Subject: Re: Mixed Mode To: tmacmd@gmail.com (Tim McCarthy) Date: Thu, 16 Mar 2006 16:50:10 +0000 (GMT) Cc: toasters@mathworks.com From: Chris Thompson cet1@cus.cam.ac.uk
What is nice is that the ACL is obeyed by nfsv3 clients as well. I bet a lucky side-effect.
Nope, fully intended.
Re:
Date: Thu, 16 Mar 2006 23:02:50 -0800 (PST) From: Mike Eisler email2mre-toasters@yahoo.com Subject: RE: NFSv4 [was: Re: Mixed Mode] To: toasters@mathworks.com
-----Original Message----- From: Brian Parent [mailto:bparent@calvin.ucsd.edu] Sent: Thursday, March 16, 2006 4:04 PM To: toasters@mathworks.com Subject: NFSv4 [was: Re: Mixed Mode]
A year or so ago, I was successful in getting NFSv4 to work between a R100 (DOT 6.4.5) using CIFS and NFS and a Solaris 8 client. I don't
Do you mean NFSv4 or do you mean NFSv3 with Kerberos?
The thing is, Sun never shipped NFSv4 for Solaris 8. There was an early access NFSv4 implementation that predated Solaris 10, but I think it was only for Solaris 9, and wasn't generally available.
However, in Solaris before Solaris 10, you can specify:
vers=4
on the mount command line, and it will be accepted. That's because the mount command is internally changing the 4 to a 3.
I can't speak to the internals, as I haven't viewed the code, but I do recall that when using vers=4 in the mount option, I observed a change in the packets on the network. It was pretty clear that no packets were exchanged between the NFS client and server during the mount operation. The first packets exchanged were triggered only when file access was attempted.
recall many of the details now, except that it was less than straightforward. And I do recall that I had difficulty repeating my success. Troubleshooting the layout included sniffing the network for clues, but even then it wasn't clear what was missing. Since we were using AD for authentication, one of the requirements was that the Kerberos realm on the Solaris client had to be the same as our AD domain. My lack of AD expertise was likely a large part of the reason for my troubles.
Setting up AD as the KDC for UNIX systems is indeed quite challenging.
I documented in painful detail the steps for doing this for Linux 2.6 FC3 in http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for....
The steps for Solaris will have a lot in common. If there's popular demand, I'll repeat the exercise for Solaris 10.
I think it was tricky to get the initial key set up on the AD server, and then propagated to the filer.
Yeah, that can be somewhat tricky, but given the filer knows how to talk directly to AD, less hassle I think than getting the keytabs for a Linux or UNIX client from AD.
So, I can confirm that it can be done, but am unfortunately short on nitty-gritty too. I'm hoping to transition to DOT 7.x soon. I may give it another go, against Solaris 10, and MacOS X, and RedHat
There's no Kerberized NFS or NFSv4 in MacOS X.
We actually got kerberized NFS working between our filer and a MacOS X box running 10.3.9. In 10.4 (Tiger), Apple seemed to have removed some key libraries, and we're trying to work with Apple to get the libraries put back in.
Currently, we're using IPsec with non-kerberized NFS to deal with the vulnerabilities inherent in trusting IP addresses for authorization in an environment where network jacks in public places exist (e.g. most universities).
clients. The way we share filesystems to all types of clients, it doesn't make sense to bother with kerberos at all, unless we can make it work against all of our clients, and for some reason, MacOS X support for NFSv4 seems to come and go.
Maybe OS X has the same bug as pre-Solaris 10.
--- Brian Parent bparent@calvin.ucsd.edu wrote:
Re:
Date: Thu, 16 Mar 2006 23:02:50 -0800 (PST) From: Mike Eisler email2mre-toasters@yahoo.com Subject: RE: NFSv4 [was: Re: Mixed Mode] To: toasters@mathworks.com
-----Original Message----- From: Brian Parent [mailto:bparent@calvin.ucsd.edu] Sent: Thursday, March 16, 2006 4:04 PM To: toasters@mathworks.com Subject: NFSv4 [was: Re: Mixed Mode]
A year or so ago, I was successful in getting NFSv4 to work between a R100 (DOT 6.4.5) using CIFS and NFS and a Solaris 8 client. I don't
Do you mean NFSv4 or do you mean NFSv3 with Kerberos?
The thing is, Sun never shipped NFSv4 for Solaris 8. There was an early access NFSv4 implementation that predated Solaris 10, but I think it was only for Solaris 9, and wasn't generally available.
However, in Solaris before Solaris 10, you can specify:
vers=4
on the mount command line, and it will be accepted. That's because the mount command is internally changing the 4 to a 3.
I can't speak to the internals, as I haven't viewed the code, but I do recall that when using vers=4 in the mount option, I observed a change in the packets on the network. It was pretty clear that no packets were exchanged between the NFS client and server during the mount operation. The first packets exchanged were triggered only when file access was attempted.
Just checked with Solaris engineering. They did indeed first implement NFSv4 on Solaris 8, but it was a development build that should have never escaped Sun's premises.
There's no Kerberized NFS or NFSv4 in MacOS X.
I should have been specific: there's no Kerberized V5 NFS or NFSv4 in MacOS X.
We actually got kerberized NFS working between our filer and a MacOS X box running 10.3.9. In 10.4 (Tiger), Apple seemed to have removed some key libraries, and we're trying to work with Apple to get the libraries put back in.
Yes, Apple tells me that 10.3 had NFSv3 over AUTH_KERB4, using Kerberos V4 authentication. ONTAP never has had Kerberos V4.
Currently, we're using IPsec with non-kerberized NFS to deal with the vulnerabilities inherent in trusting IP addresses for authorization in an environment where network jacks in public places exist (e.g. most universities).
How is the performance of this? Are you using AH or ESP?
Re:
Date: Fri, 17 Mar 2006 17:43:34 -0800 (PST) From: Mike Eisler email2mre-toasters@yahoo.com Subject: Re: NFSv4 [was: Re: Mixed Mode] To: Brian Parent bparent@calvin.ucsd.edu, toasters@mathworks.com
--- Brian Parent bparent@calvin.ucsd.edu wrote:
Currently, we're using IPsec with non-kerberized NFS to deal with the vulnerabilities inherent in trusting IP addresses for authorization in an environment where network jacks in public places exist (e.g. most universities).
How is the performance of this? Are you using AH or ESP?
We're only using AH, thinking the performance hit wouldn't be as large, plus our main focus was to authenticate the endpoints as opposed to privacy of the data. We suffered quite a bit, and purchased an IPsec hardware accelerator for the R100, which helped. However, there was a compound problem that cleared up at about the same time as the installation of the accelerator, so it's hard to accurately attribute which problem to what amount of extra load. I tend to think that the IPsec accelerator would not have been necessary had the other problem not surfaced.
We have a FAS3050c running 7.0.1R1 and some Solaris 8 NFS clients on a physically insecure network. We would LOVE to set up IPsec using AH between them, but I have not had any luck so far. We have a Solaris 10 system that I can play with, since Solaris 8 does not seem to have IKE (required by ONTAP). If I can get the Solaris 10 system working, then we will gladly upgrade the Solaris 8 systems.
Do you have any hints or notes or anything that you can give me explaining how you got IPsec to work? If your NFS clients aren't Solaris, then I'm probably out of luck.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
Sorry Steve, I haven't yet done this for our Solaris 10 boxes, though I'd really like to. I recall making it work between Solaris 8 boxes, and I recall the need for IKE when interacting with the filers.
I'd also like to see any hints or gotchas if someone else has already done this. If I get around to it first, I'll post my notes here.
Re:
To: Brian Parent bparent@calvin.ucsd.edu Cc: Mike Eisler email2mre-toasters@yahoo.com, toasters@mathworks.com Subject: Re: NFSv4 [was: Re: Mixed Mode] Date: Tue, 21 Mar 2006 15:16:23 -0500 From: Steve Losen scl@sasha.acc.virginia.edu
We have a FAS3050c running 7.0.1R1 and some Solaris 8 NFS clients on a physically insecure network. We would LOVE to set up IPsec using AH between them, but I have not had any luck so far. We have a Solaris 10 system that I can play with, since Solaris 8 does not seem to have IKE (required by ONTAP). If I can get the Solaris 10 system working, then we will gladly upgrade the Solaris 8 systems.
Do you have any hints or notes or anything that you can give me explaining how you got IPsec to work? If your NFS clients aren't Solaris, then I'm probably out of luck.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support