
Re: NFS4 and Kerberos



Hi,

On Thu, Jan 06, 2011 at 10:13:12PM +0100, Mike Gabriel wrote:
> Hi Andreas,
> 
> On Do 06 Jan 2011 12:12:35 CET "Andreas B. Mundt" wrote:

[...]
> 
> Each client needs a Kerberos setup as well. Is this also already
> coded somewhere? I am sorry that I cannot remember exactly which of
> the services (PAM, NFS, ...) was DNS and host principal critical,
> but a healthy Kerberos setup cannot be set up with host principals
> on every client. Same for NFS4 sec=krb5p or sec=krb5i.
> 

The client setup is also implemented, iirc it only needs preseeding of
the corresponding Kerberos packages. (We might need to add a cf-rule
to have allow_weak_encryption = true in /etc/krb5.conf on the clients).

> >With this setup, users are authenticated to the system via a Kerberos
> >TGT, which works.
> 
> I think PAM alone was quite handsome and did not require host
> principals when I set up my servers...
> 

Iirc this is how it's done already. So far we have no (and need no) host
principals (only for the services on tjener).

[...]

> >My hope was, that by using Kerberos in combination with nfs4, the
> >machine management would simplify and we could get rid of IP- and
> >netgroup based "security".
> 
> What exactly do you mean by this netgroup based "security" (please
> excuse that I have not dived into the details of the lenny-tjener
> that deep)?

see below

> 
> The problem about NFSv3 or NFSv4 with sec=sys is: I come to some
> school with my linux netbook, create a local user account with a
> uidNumber of some interesting account on tjener and then I mount the
> user's home dir on my netbook with rw-access.
> 

Take a look at <URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,
i.e. our exports file. If a machine wants to mount the home
directories, it first has to be added to a netgroup that allows
mounting the share. So if you walk into the school with your laptop to
fake an identity on the net, it will not work the first time, because
your MAC address will be different from the machines in the netgroup
you need the membership of. The next day you walk into school you
will be better prepared, you have modified the laptop's MAC. Now, just
unplug the machine you got the MAC from and use your laptop
instead with the nice user ID. I guess that's how current security is
thought to be.

So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
help with the netgroups, but it also doesn't hurt.

> However, netgroups are really quite handy, because amongst others
> they allow the group of hosts in a way that can be pulled down on
> libnss level (with usage scenario e.g. with pam_access.so and
> /etc/security/access.conf). Whereas netgroups can help you to set up
> the on-site-systems in a versatile manner, it does not protect you
> against people bringing in their own devices (like my netbook).
> 
> >(Which would also resolve the need for very
> >special administrative tools).
> 
> Netgroups are not too special... but you may be right about Netgroup
> integration in WebGUI tools...
> 

Yes, the GUI administration is the problem right now.

Do you have access to a debian-edu setup? Maybe if you want to take a
look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
<URL:http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
You need about a 25GiB image for Tjener+LTSPserver.

Regards,

	Andi
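To make the point of the exports discussion concrete, here is an added example (not code from the thread or from debian-edu-config): a small evaluator for the /etc/exports and /etc/netgroup syntax that reports, for a given client hostname, which shares it may mount and whether the host match is the whole check (sec=sys) or whether a Kerberos flavour (sec=krb5, krb5i, krb5p) is additionally required. The exports and netgroup contents are constructed samples that only mimic a netgroup-based homes export; they are not the real cf.homes. Wildcard matching is simplified to fnmatch and IP/CIDR client forms are not handled.

```python
"""Evaluate exports access as described in the thread: a client is admitted
to a share when it matches a host pattern or an @netgroup; the sec= option
then decides whether that host identity alone is the whole check (sec=sys,
the client asserts uids itself) or a Kerberos principal is also needed."""

import fnmatch
import re

# Constructed sample, NOT the real debian-edu cf.homes exports file.
EXPORTS_SAMPLE = """\
# constructed example exports
/skole/tjener/home0  @workstation-hosts(rw,no_subtree_check,sec=sys) @ltsp-server-hosts(rw,no_root_squash,sec=sys)
/skole/tjener/home0  *.intern(rw,no_subtree_check,sec=krb5p:krb5i)
/srv/public          *(ro,sec=krb5i)
"""

# Constructed /etc/netgroup: (host,user,domain) triples, nested groups by name.
NETGROUP_SAMPLE = """\
ltsp-server-hosts  (ltspserver00.intern,,) (ltspserver01.intern,,)
workstation-hosts  (static00.intern,,) (static01.intern,,) ltsp-server-hosts
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")
# either "client(opt,opt)" or a bare "client" with no option list
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_netgroups(text):
    """Return {netgroup: set(hosts)} with nested groups expanded."""
    raw = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        members = []
        for tok in rest.split():
            m = TRIPLE_RE.fullmatch(tok)
            members.append(("host", m.group(1)) if m else ("group", tok))
        raw[name] = members

    def expand(name, seen):
        hosts = set()
        if name in seen:          # guard against recursive netgroups
            return hosts
        seen.add(name)
        for kind, val in raw.get(name, []):
            if kind == "host":
                if val:           # empty host field means "any host"; skipped here
                    hosts.add(val)
            else:
                hosts |= expand(val, seen)
        return hosts

    return {n: expand(n, set()) for n in raw}


def parse_exports(text):
    """Return a list of (path, client_pattern, [options]) entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                opts = [o for o in m.group(2).split(",") if o]
                entries.append((path, m.group(1), opts))
            else:
                entries.append((path, m.group(3), []))
    return entries


def sec_flavours(opts):
    """sec= accepts a colon-separated list; exportfs defaults to sys."""
    for o in opts:
        if o.startswith("sec="):
            return o[4:].split(":")
    return ["sys"]


def client_matches(pattern, hostname, netgroups):
    if pattern.startswith("@"):
        return hostname in netgroups.get(pattern[1:], set())
    return fnmatch.fnmatchcase(hostname, pattern)   # simplified wildcard handling


def evaluate(hostname, exports_text=EXPORTS_SAMPLE, netgroup_text=NETGROUP_SAMPLE):
    """List the export entries a client hostname matches, flagging those
    where the host identity alone admits the mount (sec=sys)."""
    netgroups = parse_netgroups(netgroup_text)
    results = []
    for path, client, opts in parse_exports(exports_text):
        if not client_matches(client, hostname, netgroups):
            continue
        flavours = sec_flavours(opts)
        results.append({"path": path, "matched": client, "sec": flavours,
                        "host_identity_only": "sys" in flavours})
    return results


def sys_paths(hostname):
    """Shares a client can mount with nothing more than a matching host name,
    i.e. the ones a laptop impersonating that host could reach with any uid."""
    return sorted({r["path"] for r in evaluate(hostname) if r["host_identity_only"]})


if __name__ == "__main__":
    # The scenario from the thread: a visiting netbook, then the same netbook
    # after taking over the identity of a netgroup member.
    for host in ("netbook.local", "static00.intern"):
        print(host, "->", sys_paths(host) or "no sec=sys export reachable")
```

Running the block shows the asymmetry the thread is about: `netbook.local` reaches no sec=sys share, but as soon as it presents itself as `static00.intern` it is admitted to the home0 export purely on host identity, while the krb5p/krb5i entries still need a Kerberos credential on top of the match.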

