Hi Andreas, On Do 06 Jan 2011 12:12:35 CET "Andreas B. Mundt" wrote:
I am really interested in NFSv4+Kerberos5 integration in Skolelinux. So if I can be of any help, let me know.
Many thanks for your input and your interest. It would be great if you could help with the Kerberos integration. To give you a starting point, let me outline from my point of view what has been done so far, what the current status is, and what needs (or should) to be done.
Each client needs a Kerberos setup as well. Is this also already coded somewhere? I am sorry that I cannot remember exactly which of the services (PAM, NFS, ...) was DNS and host principal critical, but a healthy Kerberos setup cannot be setup up with host principals on every client. Same for NFS4 sec=krb5p or sec=krb5i.
With this setup, users are authenticated to the system via a Kerberos TGT, which works.
I think PAM alone was quite handsome and did not require host principals when I set up my servers...
Further more, services like imap (dovecot), exim and ldap were kerberized. (It seems that this has been broken in the meantime).
OK...
My hope was, that by using Kerberos in combination with nfs4, the machine management would simplify and we could get rid of IP- and netgroup based "security".
What exactly do you mean by this netgroup based ,,security'' (please execuse that I have not dived into the details of the lenny-tjener that deep)?
The problem about NFSv3 or NFSv4 with sec=sys is: I come to some school with my linux netbook, create a local user account with a uidNumber of some interesting account on tjener and then I mount the user's home dir on my netbook with rw-access.
However, netgroups are really quite handy, because amongst others they allow the group of hosts in a way that can be pulled down on libnss level (with usage scenario e.g. with pam_access.so and /etc/security/access.conf). Whereas netgroups can help you to set up the on-site-systems in a versatile manner, it does not protect you against people bringing in their own devices (like my netbook).
(Which would also resolve the need for very special administrative tools).
Netgroups are not too special... but you may be right about Netgroup integration in WebGUI tools...
However, to come back to the issue, the next step concerning kerberos would be to switch to nfs4. Even if we don't use kerberos immediately, (start with sec=sys), it would help implementing the kerberos part, because you would not need to implement nfs4 before you can start trying the kerberos stuff).
+1 from me. It is also quite some benefit to get rid of the portmapper daemon, as well. The NFS4 rewrite is said to be much more clear in terms of coding.
If things work manually, how can it be implemented during installation and for diskless workstations? It would be nice not to create principals by hand, the same applies to the distribution of keytabs.
Agreed!
Perhaps it's possible to avoid host principals and allow a user with a valid TGT to mount his home directory. That would be a nice thing
As far as I know this is not possible. NFS4+krb5p or +krb5i needs an nfs service principal for each client individually (not sure about the host principal though). And the nfs principal needs to be issued by tjener (kadmind or kadmin.local).
which would simplify things a lot. Imagine you plug in a machine into the skole-net. There is no need to add it to the network manually, but the machine can access services and data only if a valid Kerberos TGT is presented. Is something like that possible in a secure way?
SSHFS should be your choice then... Or Samba...
Best regards,
Andi
Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0x1943CA5B mail: m.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
pgp6HkhE9ZEA0.pgp
Description: Digitale PGP-Unterschrift