
Front cover

Securing NFS in AIX
An Introduction to NFS V4 in AIX 5L Version 5.3

Set up and administer NFS V4 on your systems
Command use changes and other differences since V3
Learn to use NFS V4 in a clustered environment

Chris Almond, Lutz Denefleh, Sridhar Murthy, Aniket Patel, John Trindle

ibm.com/redbooks
International Technical Support Organization

Securing NFS in AIX
November 2004
SG24-7204-00

Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

First Edition (November 2004)
This edition applies to NFS Volume 4 running on AIX 5L.

© Copyright International Business Machines Corporation 2004. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  ix
Trademarks  x
Preface  xi
The team that wrote this redbook  xiii
Acknowledgements  xiv
Become a published author  xv
Comments welcome  xv

Part 1. NFS V4 fundamentals  1

Chapter 1. NFS Version 4 overview  3
1.1 What is NFS?  4
1.2 NFS V2 and NFS V3 history  4
1.3 NFS V4 design motivations  5
1.4 Objectives of NFS V4 (RFC3530)  5
1.5 AIX 5.3 specific implementation of NFS V4  6
1.5.1 Mandatory features  6
1.5.2 Optional features  7
1.6 Planning and implementation considerations  7
1.6.1 Pre-implementation design considerations  7
1.7 Looking ahead to the rest of the book  8

Chapter 2. What's new in NFS V4?  11
2.1 How NFS works  12
2.2 Protocols used by NFS  12
2.2.1 UDP or TCP  13
2.2.2 Remote Procedure Call (RPC)  14
2.2.3 eXternal Data Representation (XDR)  14
2.3 NFS daemons  14
2.3.1 The portmap daemon  15
2.3.2 The rpc.mountd daemon  16
2.3.3 The rpc.statd daemon  16
2.3.4 The rpc.lockd daemon  16
2.3.5 The nfsd daemon  16
2.3.6 The block I/O daemon (biod)  17
2.4 NFS V3  17
2.5 The NFS Lock Manager protocol  19
2.6 NFS V4  20
2.6.1 Attribute classes  20
2.6.2 Username to UID mapping  24
2.6.3 Better namespace handling  25
2.6.4 Built-in security  27
2.6.5 Client-side caching and delegation  28
2.6.6 Compound RPC procedures  29
2.6.7 File locking  29
2.6.8 Internationalization  30
2.6.9 Volatile file handles  30
2.7 AIX 5L v5.3 implementation of NFS V4  30
2.8 NFS V4 supported features in AIX 5.3  31
2.8.1 Mandatory feature support  31
2.8.2 Other unsupported features  32
2.8.3 Optional feature support  32
2.8.4 NFS4 ACL  32
2.8.5 AIXC ACLs  33
2.8.6 External name space (exname)  34
2.8.7 Protocol differences: server exporting and client mounting  35
2.8.8 NFS files  36
2.8.9 Restricting NFS port ranges  41
2.8.10 Use of NFS_NOBODY  41
2.9 NFS daemons, files, and commands: a quick reference  41

Chapter 3. Enhanced security in NFS V4  45
3.1 General security concepts and terminology  46
3.1.1 Broad security categories  46
3.1.2 Information security components  46
3.1.3 RPC security flavors  47
3.1.4 RPCSEC_GSS protection levels  47
3.1.5 RPCSEC_GSS protection mechanisms  47
3.1.6 Looking ahead to the rest of the chapter  48
3.2 NFS V4 user/group identification  48
3.2.1 User identity management options  48
3.2.2 User/group identities and NFS V4  50
3.3 NFS V4 user authentication  59
3.3.1 AUTH_SYS user authentication  59
3.3.2 RPCSEC_GSS user authentication using Kerberos  59
3.4 NFS V4 user authorization  62
3.4.1 Standard UNIX file permissions  63
3.4.2 AIXC ACLs  63
3.4.3 NFS V4 ACLs: description  65
3.4.4 NFS V4 ACLs: ACL evaluation  69
3.4.5 NFS V4 ACLs: administration  72
3.4.6 NFS V4 ACLs: permissions scenarios  85
3.4.7 NFS V4 ACLs: NFS V3 clients  87
3.5 NFS V4 host identification  87
3.5.1 Basic host identification  87
3.5.2 Kerberos host identification  88
3.6 NFS V4 host authentication  88
3.7 NFS V4 host authorization  88

Part 2. Implementing NFS V4  91

Chapter 4. Planning for NFS V4  93
4.1 Deployment of NFS V4 in general ...