On Sun, Jun 5, 2011 at 5:38 AM, Simon Brandmair <sbrandm...@gmx.net> wrote:
> Hi,
>
> On 3/6/2011 19:50 Axel Freyn wrote:
> [...]
>> For NFSv4 this has changed. You can use NFSv4 in different modes. The
>> easy one has the same problem.

NFSv4 is a giant pain in the keister, not worth the headaches. The NFSv4 access published from an actual Linux or other NFSv4 capable service can be published, it can be passed along via Samba to CIFS clients, but the CIFS clients cannot *see* or manipulate the NFSv4 permissions due to incompatibilities between the two ownership models, and due to the Samba code for this being "spaghetti code". (http://samba.2283325.n4.nabble.com/viewing-if-not-editing-NFSv4-ACL-s-from-Samba-shares-td2417666.html).

Overall, NFSv4 has proven itself destabilizing and useless in small and large environments. It takes a significant investment in complex infrastructure, and the security benefits have proven to be illusory in the face of clients who *insist* on making their home directories publicly accessible, clients who use password free SSH keys, or clients who store passwords in source controlled software with no access control. (I've run into all of these in environments that spent useless years pursuing the "security" of NFSv4 and ignoring gaping holes in infrastructure security.)

>> However, you can switch on strong authentication (based on Kerberos),
>> then it's safe (the server verifies that the client has the correct
>> Kerberos-token of this user -- UID is not sufficient), and even ask to
>> sign all transfers (to block man-in-the-middle-attacks which could
>> change the commands sent to the server) and encryption (to protect data
>> privacy).
>>
>> However, it's much more work to install, as you also need a full
>> Kerberos-setup....
>
> I haven't looked at all into Kerberos, but sort of considering it. So I
> was wondering, if it is worth (or even just work) when I just have a
> server client network and no extra kerberos server? Or is Kerberos
> rendered useless if I let it run on the same server that hosts the nfs
> server?
>
> Cheers,
> Simon

The problem isn't getting it up and running. It's getting people to actually use it.

It's sensitive to time drift on the servers and clients, and getting people configured with NTP correctly is only a tiny part of the battle. For a hundred accounts? I can see it. For half a dozen people in a small office? Unlikely to be worth it.

From another part of the thread: I've used openAFS, including porting it and Kerberos to SunOS way the heck back in antiquity. (Whose bright flipping idea was it to make Kerberos require a fully qualified hostname as the first entry in /etc/hosts for your IP address rather than the short name, to make compilation fail if it wasn't, and to set a timestamp so that the compilation had to *start over from the beginning*? Actually, I think I know, and I've gotten private vengeance for this.)

Debian's leading edge packaging and integration testing should make them both vastly easier. You're stuck with policy decisions in setup that can be.... subtle and awkward.
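The distinction Axel draws (the "easy" UID-trust mode versus Kerberos authentication, signing and encryption) is expressed on a Linux NFS server through the sec= export option. As an added example, not code from the thread or from any Debian package, here is a small shell audit that reads /etc/exports syntax and flags every export still relying on sec=sys, the default when no sec= option is given; the exports file below is constructed sample input, and export_sec_levels is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: find NFS exports that trust the client-supplied UID (sec=sys)
# instead of a Kerberos flavour.  Flavours, weakest to strongest:
#   sys   - client UID/GID is trusted as-is (the "easy" mode in the thread)
#   krb5  - Kerberos authentication of the user
#   krb5i - krb5 plus integrity (every RPC is signed; tampering is detected)
#   krb5p - krb5i plus privacy (RPC payloads are encrypted)

# Print "path client flavour" for each client spec on one /etc/exports line.
# An export with no sec= option is reported as "sys", which is what exportfs
# assumes.  A sec= value may list several flavours separated by ':'.
export_sec_levels() {
    set -- $1                 # split the line on whitespace
    path=$1; shift
    for spec in "$@"; do
        client=${spec%%(*}    # text before the '(' is the client pattern
        opts=""
        [ "$spec" != "$client" ] && { opts=${spec#*(}; opts=${opts%)}; }
        sec=sys
        for opt in $(printf '%s\n' "$opts" | tr ',' ' '); do
            case $opt in sec=*) sec=${opt#sec=} ;; esac
        done
        printf '%s %s %s\n' "$path" "$client" "$sec"
    done
}

# Read exports text on stdin; print one WEAK line per export that still
# accepts sec=sys and return the number of such exports as the exit status.
audit_exports() {
    weak=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        export_sec_levels "$line" | while read -r p c s; do
            case ":$s:" in *:sys:*) printf 'WEAK %s %s (%s)\n' "$p" "$c" "$s" ;; esac
        done
    done
}

# Constructed sample exports file for demonstration.
SAMPLE_EXPORTS='# constructed sample
/srv/nfs/home   192.168.1.0/24(rw,sec=krb5p)
/srv/nfs/shared *(rw,sync)
/srv/nfs/mixed  10.0.0.0/8(rw,sec=krb5i:sys) host1(rw,sec=krb5)'

# Number of client specs that still allow sec=sys in SAMPLE_EXPORTS.
count_weak() { printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '; }
```

Run with `printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports` to list the offenders; a file that audits clean is what a krb5-only server should look like before the sec=sys fallback is removed from client mounts.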