Howdy,

I may be approaching this problem entirely wrong, or not. Was hoping for a little guidance one way or the other.

I've got this AS/400 with gobs of unused file storage on it that I want to share across as a file server to a FreeBSD box. The AS/400 side of things supports NFS and kinda pretends to be a Unix-like machine in this role.

Users will be booting from diskless clients hosted from the FreeBSD box. The base directories like /usr and such will come from there. I want to have user-alterable stuff like /home and shared directories to be hosted over on the AS/400, as it's got all the space.

My primary problem with this is ensuring one login gets you access to both the FreeBSD box as well as the shares on the AS/400. I don't want to have users log into the FreeBSD box and then need to do a login again to the AS/400.

From what I've read thus far it "seems" that configuring Kerberos between the two is the way to go about this. The handbook talks about setting up a remote login kind of thing, but nothing about how to handle NFS permissions. I also don't quite get how to automate the process of authenticating and mounting upon initial login.

Question 1: Am I heading down the right road, or are there other options I should be considering first?

Question 2: If I'm on the correct path, where should I look for some kind of a tutorial for the mechanics of getting this to happen?

Thanks,

-- 
"In theory, there is no difference between theory and practice. In practice, there is." - Yogi Berra
On Wed, 30 Jul 2003, Michael Collette wrote:

> From what I've read thus far it "seems" that configuring Kerberos
> between the two is the way to go about this. The handbook talks about
> setting up a remote login kind of thing, but nothing about how to
> handle NFS permissions. I also don't quite get how to automate the
> process of authenticating and mounting upon initial login.
>
> Question 1: Am I heading down the right road, or are there other options
> I should be considering first?

What you're doing should work just fine. I can't see any difference between a netbooted client and a regular PC client.

> Question 2: If I'm on the correct path where should I look for some kind
> of a tutorial for the mechanics of getting this to happen?

NFS doesn't really /do/ permissions, so the easiest (and probably least safe) is to export as400:/home to all the clients, and make it root-writable to the FreeBSD master server. All the clients would individually mount the NFS share from as400 on boot, and since the FreeBSD box has root-write, you can manage the files from it. The as400 wouldn't even need to know about the users at all (unless as400's NFS has rules about uids having to match something in its own password file, which isn't standard).

A safer way would be to use AFS, since it does proper authentication, but I have no idea if as400 would make a nice AFS server.

And this isn't strictly speaking a freebsd-security@ question, for that matter. Reply to me directly if you have questions.

-- 
Matt Piechota
On Wednesday 30 July 2003 03:53 pm, Michael Collette wrote:

> I've got this AS/400 with gobs of unused file storage on it that I want to
> share across as a file server to a FreeBSD box. The AS/400 side of things
> supports NFS and kinda pretends to be a Unix-like machine in this role.

Since I've received a number of off-list replies to this I thought I'd post some additional information about what all I've dug up. Still not working yet, but getting a little smarter about this. Sorry if folks think this is off-topic, but as this involves both authentication and authorization to a foreign system I still believe this is applicable.

As was pointed out to me on and off list, I can connect to the shared NFS files on the AS/400 without Kerberos. The next obvious problem (obvious to me now) is the issue of file ownership. Just getting a connection across doesn't provide any user id mapping by itself. This is where IBM's EIM (Enterprise Identity Manager) kicks in. It provides for a user name translation table so a user on one system is a user on all. In order to make use of EIM a Kerberos-based authentication needs to take place. Apparently once this happens, FreeBSD users become AS/400 users insofar as file ownership goes.

For those who may be interested:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzalv/rzalvmst.htm

That's all of what I've managed to dig up thus far. Here's where I'm lost. The FreeBSD Handbook has a Kerberos tutorial, but it's apparently out of date or something just ain't right.
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html

First thing it asks me to do is initialize the Kerberos database with the "kdb_init" command. I don't have a kdb_init command on this system. I then just installed the krb5 port, and it doesn't have that command either. Double-checked the package list. It looks like a number of things don't match up to the tutorial.

Is there some new procedure out there to configure a Kerberos-enabled machine, or am I just missing some key component in a perfectly fine tutorial?

Thanks,

-- 
"In theory, there is no difference between theory and practice. In practice, there is." - Yogi Berra
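The uid-mapping gap the thread is circling (plain NFS carries numeric uids, and without something like EIM the other side may have no account behind them) can at least be measured from the FreeBSD side. This is an added example, not code from the thread or from either system: a POSIX sh audit that lists every file on a mounted share whose owner uid has no record in a passwd-style file; the demo tree, the passwd records and the uid 4242 in it are constructed.

```sh
#!/bin/sh
# Audit an NFS-mounted tree for files owned by numeric uids that have no entry
# in a passwd-style file (field 3 of each record). Added illustration for this
# thread, not code from it; assumes only POSIX sh, ls and awk, so it runs the
# same on the FreeBSD box against /etc/passwd and the mounted as400:/home.

# nfs_unmapped_uids DIR PASSWD_FILE
# Prints one "uid<TAB>path" line per file under DIR whose owner uid is unknown.
nfs_unmapped_uids() {
    dir=$1
    pwfile=$2
    # ls -lnR prints numeric owner uids in column 3. BSD ls omits the header
    # for the top-level operand while GNU ls prints it; both print "sub:" lines.
    ls -lnR "$dir" | awk -v pw="$pwfile" -v top="$dir" '
        BEGIN {
            while ((getline line < pw) > 0) {
                if (split(line, f, ":") >= 3) known[f[3]] = 1   # known uids
            }
            close(pw)
            cur = top
        }
        /:$/ { cur = substr($0, 1, length($0) - 1); next }   # "dir:" header
        NF < 9 { next }                                       # totals, blanks
        /^[-dlbcps]/ {
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i   # names with spaces
            sub(/ -> .*/, "", name)                          # symlink target
            if (!($3 in known)) printf "%s\t%s/%s\n", $3, cur, name
        }'
}

# nfs_unmapped_count DIR PASSWD_FILE: just the number of such files.
nfs_unmapped_count() {
    nfs_unmapped_uids "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed tree standing in for the mounted as400:/home, with a
# constructed passwd file that knows uid 4242 but not the uid owning the files.
nfs_audit_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" && : > "$t/home/alice/notes.txt"
    printf 'alice:*:4242:4242:Alice:/home/alice:/bin/sh\n' > "$t/passwd"
    nfs_unmapped_uids "$t/home" "$t/passwd"   # reports alice/ and notes.txt
    rm -rf "$t"
}

nfs_audit_demo
```

Run it on the real mount as `nfs_unmapped_uids /home /etc/passwd`; anything it prints is a file the FreeBSD side cannot attribute to a local user, which is exactly what the EIM mapping is meant to close.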