Hi,
we want to set up several PCs in a way that they are accessible by
different (untrusted, i.e. not with root rights) people.
In principle, the requirements are:
- Each person gets a unique (UNIX) account that is managed at a server.
- Each person gets a home directory that is shared across all PCs and
comes from a central server. Ideally, the home directory is only
mounted when someone logs in, and the process checks the
authenticity of the user, the authenticity of the client and that of
the server.
- Ideally, one person is not able to access any data from the other
person.
- The PCs should authenticate to the server. All communication should be
encrypted (at least all communication regarding authentication).
- It should hold that only a user with a valid account can log in on a PC
with a valid key and mount data from a server with a valid key.
This seems to be a classical problem for LDAP, Kerberos and NFSv4, with sssd
as the client-side daemon to manage all that.
However, I'm not quite sure if I have understood the inner workings
completely and if sssd is capable of working in the wanted way.
- We have an LDAP database which stores the users (of class
posixAccount).
- We have set up a Kerberos daemon which uses this LDAP as database.
- We have set up an NFSv4 server that has a Kerberos principal and a
keytab.
In my understanding, the next steps would now be:
- Each user in the LDAP database also gets a Kerberos keytab (which can
be different from their login password).
- SSSD now has to do the following steps:
- When the user types in their password in the login manager, PAM in
connection with sssd uses this to bind to the LDAP server (so sssd
uses LDAP as id_provider and LDAP as auth_provider).
- After the successful authentication, sssd gets the Kerberos key from
the Kerberos database and uses that key to securely mount the NFSv4
home directory on the PC (the target folder is also specified as part
of the user attributes, but where can sssd find the folder on the host?).
Is that possible? I also read that Kerberos in connection with NFSv4 can
be used to authenticate the NFSv4 server, the NFSv4 client _and_ the
specific user. Can that all happen simultaneously, i.e. in one mount
command? I only find the `sec=krb5x` mount options, where the NFSv4
client and the NFSv4 server authenticate to the Kerberos server but
without using anything from the user.
Best,
Gerion
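The following is an added example, not code from the mail above or from the sssd project: a POSIX shell script that stages the client-side configuration for the design described in the mail (identities from LDAP, passwords verified by Kerberos, home directories mounted on demand over NFSv4 with `sec=krb5p`) and then checks the staged files for the settings that matter for the security goals. The realm `EXAMPLE.COM`, the hostnames, the search base and the export path are placeholder assumptions; replace them with your own values and run with `DEST=/` on the PC.

```shell
#!/bin/sh
# Added example (not from the original mail or from sssd): stage sssd and
# autofs configuration for an LDAP + Kerberos + NFSv4 client, then sanity-check it.
# Realm, hostnames and paths below are placeholders, not values from the post.
set -eu

REALM="EXAMPLE.COM"                 # assumed Kerberos realm
KDC="kdc.example.com"               # assumed KDC (backed by the LDAP database)
LDAP_URI="ldaps://ldap.example.com" # assumed directory server
NFS_SERVER="nfs.example.com"        # assumed NFSv4 home-directory server
CLIENT_FQDN="pc1.example.com"       # assumed name of this PC (has host/ key in /etc/krb5.keytab)

# write_configs DEST: write the files under DEST (use DEST=/ on a real host).
write_configs() {
    dest="$1"
    mkdir -p "$dest/etc/sssd" "$dest/etc/auto.master.d"

    # sssd: user identities (posixAccount) from LDAP, passwords checked by the KDC.
    # The PC binds to LDAP with its own host keytab via GSSAPI, so no shared
    # bind password has to be stored on the client.
    cat > "$dest/etc/sssd/sssd.conf" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${REALM}

[domain/${REALM}]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ${LDAP_URI}
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/${CLIENT_FQDN}@${REALM}
krb5_realm = ${REALM}
krb5_server = ${KDC}
krb5_keytab = /etc/krb5.keytab
# Verify the user's TGT against the host key: a spoofed KDC cannot log someone in.
krb5_validate = true
# Per-user credential cache; rpc.gssd reads it for that user's NFS requests.
krb5_ccname_template = KEYRING:persistent:%U
EOF
    chmod 600 "$dest/etc/sssd/sssd.conf"

    # autofs: mount /home/<user> on demand from the NFSv4 server with krb5p,
    # i.e. Kerberos authentication plus integrity and privacy for every RPC.
    printf '/home /etc/auto.home --timeout=300\n' > "$dest/etc/auto.master.d/home.autofs"
    printf '* -fstype=nfs4,sec=krb5p %s:/export/home/&\n' "$NFS_SERVER" > "$dest/etc/auto.home"
}

# check_configs DEST: return 0 only if the staged files carry the settings
# this design depends on; print the first problem found otherwise.
check_configs() {
    dest="$1"
    conf="$dest/etc/sssd/sssd.conf"
    map="$dest/etc/auto.home"
    # sssd refuses a readable-by-others config; require exactly 0600.
    [ -n "$(find "$conf" -perm 600 2>/dev/null)" ] || { echo "sssd.conf must be mode 0600"; return 1; }
    grep -q '^auth_provider = krb5' "$conf" || { echo "auth_provider must be krb5"; return 1; }
    grep -q '^krb5_validate = true' "$conf" || { echo "krb5_validate should be true"; return 1; }
    grep -q '^ldap_sasl_mech = GSSAPI' "$conf" || { echo "bind to LDAP with GSSAPI, not a stored password"; return 1; }
    # sec=sys would make the server trust client-asserted UIDs instead of
    # Kerberos identities, so the home map must use krb5p and nothing weaker.
    if grep -q 'sec=sys' "$map" || ! grep -q 'sec=krb5p' "$map"; then
        echo "home map must mount with sec=krb5p"; return 1
    fi
    return 0
}

# Usage: sh stage-nfs-client.sh /tmp/stage   (inspect, then copy to / on the PC)
if [ -n "${1:-}" ]; then
    write_configs "$1" && check_configs "$1" && echo "staged under $1"
fi
```

With this layout, the Kerberos work at mount time is done by rpc.gssd rather than by sssd: the machine's keytab (`nfs/` or `host/` principal in `/etc/krb5.keytab`) authenticates the PC to the NFS server for the mount itself, and each user's file access is authenticated with the TGT that sssd obtained from that user's password at login and left in the per-user credential cache. The same `sec=krb5p` mount therefore covers server, client and user, and the user's login password never has to be stored on the client or in LDAP as a bind secret.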