Nfs kerberos authentication When NFS is configured for Kerberos authentication, CIFS security cannot be configured with ads. Here, we will have one server ru In this article we will walk you through the process of using Kerberos-based authentication for NFS shares. Kerberos on OneFS writes log messages to /var/log/lsassd. 1 SMB authentication methods After fighting for 3 weeks trying to set up an NFS/Kerberos configuration with an ActiveDirectory, and Googling thousands of mailing lists and tutorials, here is my successful story. sssd (System Security Services Daemon) is a tool responsible for managing authentication with external providers in Linux. EDIT. When you are accessing an NFS remote file system using Kerberos authentication while running a setuid program, the UID seen at the sec=krb5p uses Kerberos V5 for user authentication and integrity checking. A single set of credentials is used to access all Kerberos datastores mounted on that host. 3-U3. More info here if you want to look at the Kerberos option: What tests can be used to validate that those Basic NFS seems ridiculously insecure, while NFSv4 with Kerberos looks to be a real pain to set up. The second line shows how to specify multiple export rules for one You can now use NFS shares with Kerberos-based authentication. Summary. Create the NFS service principal for the client on the KDC server and copy it to the client system at /etc/krb5. Requirements. Select a shared folder, click Edit > NFS Permissions > Create, and specify the following Security flavors based on your need: . The ticket (or credentials) sent by the KDC are stored in a local store, the credential cache (ccache), which can be checked by Kerberos-aware services. It would be worth Authentication methods. In ONTAP 9, the following Kerberos functionality is supported: Kerberos 5 authentication with integrity checking (krb5i) Krb5i uses checksums to verify the integrity of each NFS message transferred between client and server.
This is useful both for security reasons We use FreeIPA for user management, and we have a Kubernetes cluster setup for training our deep learning models. This article describes the performance impact of Kerberos on NFSv4. Authentication: Dogtag Certificate System; 1. In this article, we With all of this in place, we are ready to go through the final few steps to support Kerberos based authentication for NFS v4. 2 - enabled NFSv4 in the NFS settings and set up an NFS share - set up a DNS server running inside a jail (separate IP) on the FreeNAS box. How do you set up an NFS4 server with Kerberos from Active Directory? I can install and configure an NFS4 server and connect to it, but I cannot get Kerberos to work under any circumstances where This article guides you through the steps to mount a Synology NFS shared folder on a Linux client with the Kerberos option when a Windows server has been set as the Kerberos server. Description. Red Hat Enterprise Linux 6 and below; NFS protocol versions 3 and 4 NFS Client: Manjaro Linux running a 6. Access to this NFS volume is allowed only to the clients from the 192. When Kerberos authentication is the only allowed security method for an exported directory, the NFS client session must be properly authenticated before gaining access to any of the data in that directory. Create the credential table by using the gsscred command. Management: NTP; 1. This document also provides practical procedures to integrate Kerberos authentication into OneFS 8. 0 and Server for NFS supports RPCSEC_GSS with Kerberos authentication, including all three levels of RPCSEC_GSS security service: krb5 (for RPCSEC_GSS None), krb5i (for Before you configure Kerberos with NFS on your system, you must verify that certain items in your network and storage environment are properly configured. Server for NFS currently provides support for two Kerberos "flavors" over NFS using RPCSEC_GSS: krb5 and krb5i.
Whereas, NFS is the distributed file system to share files among Linux based computers. conf and change the security mechanism. Then, we create a host key for the NFS client: $ sudo kadmin -p baeldung/admin -q "addprinc -randkey host/j-nfs Scalable Linux File Sharing : NFS efficiently handles large networks, making it suitable for enterprises requiring reliable Linux file sharing solutions. However, NFS doesn't have any password-based authentication mechanism in the first place. Configure the services to start automatically when the system boots: In the ONTAP environment, Kerberos provides authentication between storage virtual machines (SVMs) and NFS clients. ) a) Use kerberos. Kerberos authentication (krb5): Perform Kerberos authentication when et ready to configure NFSv4 authentication without Kerberos. It c:586 kmod_search_moddep() could not open moddep file All of the security options use Kerberos V5 to authenticate users to NFS servers. 0, 7. Complete the prerequisites for configuring a Kerberos NFS server. 1 Kerberos datastores for an NFS user. 1 datastores. Oracle - System Administration Guide: Security Services - Configuring Kerberos NFS Servers Kerberos is an authentication protocol that uses a secret key to validate the identity of principals. Add a principal for the NFS server: This principal is used by the NFS client to authenticate when mounting an NFS directory.
Kerberos for authentication and data integrity (krb5i), in addition to At the end of the day, integrating NFS with Kerberos authentication in a Kubernetes cluster involves configuring the NFS server, setting up a Kerberos infrastructure, configuring Kubernetes nodes as SMB Kerberos authentication 7 Dell EMC PowerScale: Integrating OneFS with Kerberos Environment for Protocols | H17769 2 SMB Kerberos authentication This section will introduce how Kerberos authentication is used on OneFS for SMB, and list the key considerations and configurations on OneFS cluster. Authenticate client users using kerberos with ldap backend. A Kerberos server must be available, and on the clients the Kerberos . Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO). Define the firewall rules. 1 storage with Kerberos, you must add each ESXi host to an Active Directory domain and enable Kerberos authentication. It's due to the rights on the Kerberos ticket I guess. But with the standard system authentication, it’s trivial for a remote user to change the UID of a local account on their PC and gain access to someone else’s home directory. 5. conf file. Kerberos integrates with Active Directory to enable single sign-on and provides an extra layer of security when used across an insecure network connection. Unfortunately, by NFS servers always identify client hosts by IP addresses and host names, regardless of the authentication method that you use. Notes for different versions have also been added, where necessary. sec=krb5p uses Kerberos V5 for user authentication and integrity checking. The other two parties being the user and the service the user wishes to authenticate to. It encrypts NFS traffic to prevent traffic sniffing. How to configure NFSv4 with kerberos authentication in Red Hat Enterprise Linux 5?
GIDs of users in more than 16 groups are not recognized properly on NFS in RHEL; Environment. By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd. In fact, Kerberos is a popular authentication protocol. See Configure ADDS LDAP with extended groups. In this article, we covered how to set up NFS with Kerberos authentication. Since there is far more to this topic than we can cover in a single guide, feel free to check the online Kerberos documentation, and since Kerberos is a bit tricky, to say the least The nfs. /etc/krb5. The RPCSEC_GSS Kerberos mechanism is an authentication service. On my test Ubuntu desktop, I installed Kerberos Client and also setup the keytab using the kutil Sign in to the Azure portal and select the storage account you want to enable Microsoft Entra Kerberos authentication for. The master KDC must be configured. Optionally, configure the NFS server as an NFS client. conf file for authentication to succeed. sudo ufw allow nfs sudo ufw allow 2049 sudo ufw allow kerberos Test and verify - Determine whether the NFS server is reachable and operational. 3. As a vSphere administrator, you specify Active Directory credentials to provide access to NFS 4. Make sure that Microsoft Active Directory (AD) and NFS servers are Before configuring an NFSv4 Kerberos-aware server, you need to install and configure a Kerberos Key Distribution Centre (KDC). Modify the firewall rules to allow NFS and Kerberos traffic. Options. So let’s fix that, too! Then I did the following operations on the NFS client: #su - user1 #kinit #touch file1. When using NFS without kerberos the security of all data in the NFS share depends on the integrity of all clients and the security of the network connections. 1 volumes. The identity of the user in every NFS call is defined by the caller, and the identity isn't verified by a trusted third party.
SVM, one of the following security methods must be specified in export rules for volumes or qtrees depending on your NFS client configuration. To access files a user still needs to be authenticated with his . Edit /etc/gss/gsscred. So if you don't want users to manually get tickets, then you'll need to have the host automatically get tickets for them. NFS authentication via LDAP and Kerberos was previously working, however we had trouble with the ID mappings. 3. However, if you want to use Kerberos is an authentication protocol that can provide secure network login or SSO for various services over a non-secure network. You can as well use 3 servers with each service running on a single server. The user's key is used only on the client machine and is not transmitted over the network. keytab: This file contains the security NFS Share with Kerberos Authentication. To leverage Domain or LDAP user authentication, ensure that NFSv4. See Synchronizing Clocks Between KDCs and Kerberos Clients for So I thought I'd throw this question out there: When NFS/Kerberos authentication is failing, what is a good way to get more visibility on what's going on and understanding the root cause of the problem. In addition to the standard UNIX authentication system, NFS provides a means to authenticate users and machines in networks on a message-by-message basis. 1 volumes are enabled for LDAP. I'm trying to mount a Persistent Volume on a self hosted Kubernetes cluster using NFS (SMB to be precise). 168.
I am not a master of NFS, but a reading of RFC 7530 (and some NFS discussion archives) shows that NFSv4 has callbacks: an NFS server can The login or kinit program on the client then decrypts the TGT using the user's key, which it computes from the user's password. What is Kerberos? Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and let them communicate over a non-secure network. We have our data on an NFS, which is authenticated using Kerberos. An NFS server and an NFS user separately prove their identities to a KDC server, which issues them cryptographically signed tickets asserting their successful authentication. Create an NFS Kerberos Volume. This option is the most secure Without involving an authentication method like Kerberos, NFS on its own has very little in the way of access control - pretty much just restriction by IP address as you noted. The crossmnt option is required to share directories that are sub-directories of an exported directory. We are going to set up a Kerberised NFSv4 server. ; Enable SECURE_NFS=yes in the /etc/sysconfig/nfs file. Environment. Articles such as this one seem to point out that Kerberizing NFS(v4) mounts not only prevents machines without a Kerberos service ticket from mounting the shared directory but also uses the user's Kerberos ticket to authorize user actions on the shared files. Under Microsoft Entra Kerberos, select Set up. Use Kerberos authentication to ensure that Linux clients can access the NFS server and share it in complete Kerberos is a trusted third party authentication service. 1 volume using AUTH_SYS authentication rather than Kerberos from your ESXi hosts.
Administrators can use several authentication techniques to keep the NFS shares on a Proxmox server safe, such as: Kerberos: Kerberos is a popular authentication system that enables powerful network authentication. such as setting up NFS to use Kerberos. If you have local users on the Synology NAS, you can manually map the UID (Control Panel -> File Services -> NFS -> Kerberos Settings -> ID Mapping), but then the users are still using the ‘local’ password on the NAS. Red However, before NFS can be tied to Kerberos, the following prerequisites should be met: The network must have a DNS server that provides a "reverse lookup" for all clients and servers. 3 Unix security, which trusts the NFS client to be truthful about a user's identity, provides only basic security. A time drift among the system components will cause authentication failure. Under Data storage, select File shares. sec=krb5 in nfs_server. In this guide, we will use two servers to set up the NFS client-server application as well as Kerberos. to prove its identity to an NFS server before mounting an NFS share. The steps to configure your Kerberos Server (KDC): 192. Set NFS with Kerberos authentication and encryption. access to the user home directories — a second share of the “/home” filesystem can be made Kerberos is a protocol that relies on time synchronization between system components. keytab. To fully test the process, you need several clients. # gsscred -m kerberos_v5 -a: The short answer is that the current NFS Kerberos authentication mechanism (RPCSEC_GSS) does not support this. 33. Here is what we are trying to achieve: Mount kerberized NFS in a pod. It can be just a stronger authentication mechanism, or it can also be used to sign and encrypt the NFS traffic. Running Kerberos Key Distribution Center (KDC). hosts For NFS clients to mount file systems from an NFS server with Kerberos authentication, this table must be created if the default mapping is not sufficient.
We can combine the Kerberos with NFS to configure more secure network shares. Kerberos is a network authentication system based on the principle of a trusted third party. NFSv3 can be used with Kerberos. Authentication methods. When Kerberos is used with NFS, Kerberos writes log messages to /var/log/nfs. Kerberos will know about the NFS server, Kerberos will know about the NFS clients, and Kerberos will know about the user. krb5i computes a hash on every remote procedure (RPC) call request to the server and every response to the client. Make sure that Microsoft Active Oracle - Example Configuration of Kerberos Authentication Using GSSAPI With SASL. UNIX (also known as AUTH_SYS) The default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS Kerberos is used for authentication and the idea is that within Kerberos, a set of credentials is kept hence we will configure a Kerberized NFS Server. ~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN. 1 provides two security models, krb5 and krb5i, that offer different levels of security. It is assumed that you already This example shares the /export and /home directories in read-write mode with Kerberos authentication enabled. The security isn't In an environment that requires high security for NFS, it is recommended to use NFSv4 instead of NFSv3 and to integrate Kerberos authentication with NFS. conf is as In NFS with RPCSEC_GSS v1, machine and user authentication are independent. This document complements and can be considered an eventual replacement for TR-4073: Secure Unified Authentication for NFS. You could prevent I would like to share the files on my LAN using NFSv4 with Kerberos authentication, as want to control access to the files on a user level. Oracle - Solaris Administration: Security Services - Configuring Kerberos NFS Servers.
Kerberos authentication: krb5 - How to set up NFS using Kerberos authentication on RHEL 7 using SSSD and Active Directory Solution In Progress - Updated 2024-06-17T12:50:10+00:00 - English Kerberos for authentication and data integrity (krb5i), in addition to identity verification, provides data integrity services. Data Storage: 389 Directory Server; 1. This option is the most secure setting, but it also involves the most performance overhead. 04 or above on Linux client Please note that selecting AUTH_SYS may allow Linux clients to mount the NFS shared folder If you use NFS 4. Any secure NFS network must contain a Kerberos KDC server. To configure Access Appliance for authenticating NFS clients using Kerberos, perform the tasks in the order that is listed in Table: Tasks for configuring Access Appliance for authenticating NFS clients using Kerberos . NFS V4 host authentication This document covers NFS Kerberos support in NetApp® ONTAP® software and configuration steps with Active Directory and Red Hat Enterprise Linux clients. However, since my Linux workstation is the only NFS client it does not matter that the KDC is unavailable for authentication when my workstation is offline. First, we start by installing and configuring the Kerberos krb5-user package on the NFS client: $ sudo apt install krb5-user. Kerberos relies heavily on a working DNS. A word of advice: At this point, create a volume with an export policy and verify that you can successfully mount this NFS v4. NFSv4 offers a variety of authentication mechanisms like Kerberos. For a Red Kerberos authentication principles: introduction. Then the server and user can trust each other. It is also our NFS server. ; Configure the /etc/krb5. Kerberos works with the concept of tickets which are encrypted and can help reduce the amount of times passwords need to be sent over the network. 14 – This Linux client will request Kerberos tickets from the KDC.
Probably the best way of framing this is: What functionality has to work correctly for Kerberized NFS to work. Server/Client Discovery: DNS; 1. The Synology Knowledge Center provides you with comprehensive technical support, including answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical When NFSv4 is configured to use kerberos authentication it is mandatory to have a keytab installed on every client with its own principal. This is necessary to prevent Kerberos authentication failure due to time skew. [UPDATE]: instructions have been tested on RHEL 7. Next to Active Directory, select the configuration status (for example, Not configured). Mount security types. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below) he's not able to access /mnt directory. To establish a Kerberised session between NFS client and host, a few things are required (credit goes to Sander van Vugt). We can use the Kerberos in Proxmox to authenticate clients accessing NFS shares. I am using Windows Storage Server as a file server and now have the need to setup NFS sharing for linux client machines. Last updated: Dec 2, 2024; I needed to create a share on my network. However, the full security benefits of Kerberos are only realized in ONTAP deployments of NFSv4 or later. Information on portmap is still included, since Red Hat Enterprise Linux 6 supports NFSv2 and NFSv3, both of which utilize portmap. 28. To use NFSv4. krb5 (Kerberos v5 protocol) Configuring the NFS client with Kerberos authentication is essential for ensuring secure access to NFS shares from the client side. What if this kerberos authentication is required for a service to access the nfs share? Eg, If the DocumentRoot of the web server is an NFS share mounted using kerberos authentication, then user apache need a ticket to access the share because httpd process is run using "apache" user's privileges. 3 kernel. NFS v. 2.
Did you know we can configure and integrate the Network File System protocol with Kerberos authentication, with Microsoft Active Directory as the identity and authentication provider? Interestingly, this setup is often used in enterprise environments to boost the security and manageability of NFS file sharing. Kerberos is a protocol used for identity authentication that can provide mutual authentication. With Kerberos, a client needs only one password to access all servers in the Kerberos realm, and each server does not need to implement its own authentication system separately, but instead uses the Kerberos Distribution Center (KDC) that they all trust for authentication services; a Kerberos system therefore contains at least these three: KDC, Client, Server implementation of Kerberos for NFS 4. Now here the traditional userPassword field of LDAP become useless, once we start using kerberos to authenticate users. To encrypt NFS data transfer, take the following steps: Configure a NFS shared folder to use Kerberos. Being in a GNU/Linux environment, my natural choice was NFS. Select the Microsoft Entra Kerberos checkbox. # service rpcgssd start Keep the clocks of the KDC server, the # NFS. krb5 provides Kerberos authentication at the RPC In order to offer Linux clients a secure file sharing environment, establishing security mechanisms in place to safeguard file integrity and credibility, an NFS server must be If you use NFS 4. Windows Server 2016 or above; Ubuntu 20. 04 or above on Linux client Please note that selecting AUTH_SYS may allow Linux clients to mount the NFS shared folder The first line contains the fsid=0 option, which define the NFS root directory (/srv/nfs4). How to configure NFSv4 authentication without Kerberos. Secret keys are generated by taking a principal's password and converting it into a hashed cryptographic key format using an agreed upon encryption method by the client and server (such as AES). The File Storage service offers Kerberos authentication to provide a strong authentication option.
My Linux systems are already domain-joined to AD via sssd/adcli and I have working keytab, ssh When you are using Kerberos authentication, the credential used in remote procedure calls initiated by a user are associated with the current Kerberos ticket held by the user and is not influenced by the real or effective UID of the process. sec=sys. 6. Add principals: In Kerberos, a principal is a unique identity that is used for authentication. Follow steps in Create Furthermore, Kerberos is a secure authentication protocol that offers secure authentication and encryption over a network. 0/24 subnet. NFS should be mounted with the same permissions as that of the user who deployed the pod. 1 with Kerberos, you must perform several tasks to set up your hosts for Kerberos authentication. Kerberos authentication, NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. Setup ldap_backend for kerberos. Kerberos Client: 192. conf file with the KDC details. NFS also supports the use of Kerberos 5 authentication in addition to DES. with the time on the KDC server within a maximum difference defined by the clockskew relation in the krb5. 1 with Kerberos, you must configure sssd with AD as the identity provider. 4. /libkmod/libkmod. So far I have done the following: - running FreeNAS-11. 1. If you use NFS 4. NFS Kerberos works separately from SMB services, as the machine Authentication: Kerberos KDC; 1. Management: SSSD; 1. When multiple ESXi. Kerberos is a network authentication system that allows clients This white paper covers basic Kerberos concepts and introduces Dell PowerScale OneFS supported Kerberos types for protocols. It allows an NFS 4.
In a multi-user network environment you would typically run the KDC on a separate server. systemd(7) manpage has more details on the several systemd units available with the NFS packages. 1 client installed on . NFS Kerberos Authentication Active Directory . The hash is computed on an entire message: RPC header, plus NFS arguments or results. log. ; Set NFS permissions: Go to Control Panel > Shared Folder. NFS with Kerberos¶ Kerberos with NFS adds an extra layer of security on top of NFS. Is there anything similar to NFS you NFS Security Configurations: When data protection is a priority, NFS offers robust security measures like Kerberos authentication to ensure data integrity. Table 1. NFSv4 with Kerberos. NFS V4 host authentication If you use NFS 4. I quote the relevant part: Before NFSv4, security on NFS was pretty much non-existent. FR Ticket cache: In fact, using Kerberos with NFSv4 ensures that the transmitted data is Mounting NFS Persistent Volumes with authentication. Follow the prompts to set up the Kerberos realm. Vincent Danen takes you through the steps to set up Kerberos authentication on NFSv4 for more secure remote access to the server. The principal that's making the call is the one who gets access. Azure NetApp Files supports NFS client encryption in Kerberos modes (krb5, krb5i, and krb5p) with AES-256 encryption. Domain name resolution (DNS) Each UNIX client and each SVM LIF must have a proper service record (SRV) registered with the KDC If possible, use NFSv4 or later if Kerberos authentication is required. 1 and 7. If you join domains by using samba, you must create the /etc/sssd.
Relationships Between Servers and Clients The NFS server may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. parameters needed to enable kerberos authentication; step You can share NFS home directories without enabling Kerberos for more secure authentication. Kerberos 5 security is provided under a protocol mechanism called RPCSEC_GSS. Our NFS Support team is here to help you with your questions and concerns. - ReadWriteMany persistentVolumeReclaimPolicy: Retain storageClassName: nfs mountOptions: - hard - I'm setting up a NFSv4 shared folder with Kerberos authentication. Oracle - System Administration Guide: Security Services - Configuring Kerberos Clients. Hi everybody, I am trying painfully to set up an NFS server with Kerberos authentication following this howto: NFSv4Howto When I try to issue the command: modprobe rpcsec_gss_krb5 I get the following error: modprobe: ERROR: . ; Start the rpcgssd service. The machine keytab is only used for initial mount setup RPCs (and callbacks, and UID 0), whereas RPCs sent on behalf of a non-root user are only authenticated with that user's tickets but not the machine's. 2. The following commands are run on our KDC To mount the NFS client with the Kerberos mount options. ESXi. Configuring Active Directory Authentication by using sssd. Change the mechanism to files. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. log and /var/log/lwiod. If you use kerberos the security doesn't depend on all client machines because the server gives access to users with a valid kerberos ticket only. 13 – This Linux server will act as our KDC and serve out Kerberos tickets.
The above operations are all successful, but I did not find ganesha and kdc interactive authentication message through tcpdump. How does nfs-ganesha server handle kerberos authentication? Does nfs-ganesha need to communicate with kdc? ganesha.