Re: NFS4 and Kerberos interest and our diskless RW AUFS overlaid root

Hello Mike,

thanks much for the reply.

On Tuesday 08 March 2011 10:26:21 Mike Gabriel wrote:
> Hi Pavel,
> On Di 08 Mär 2011 02:09:40 CET Pavel Pisa wrote:
> > I have noticed that you work on switching to NFS4+krb5 for homes
> > on school workstations. I am very interested to switch to something similar
> > for our university labs setup. We use Debian servers and diskless
> > workstations in our setups.
> Actually, it is rather Andreas Mundt who is currently doing all the
> brain+manual work around NFSv4 and Krb5. However, I have setups up and
> running that use a similar setup.

Have you some more pointers to other actual documentation, examples
and people willing to discuss these topics?

> > I would be extremely happy if we could use a single export of all homes
> > and protect access from individual client machines by the logged-in user's
> > credential.
> Let me rephrase the expression "single export of all homes". What I
> recommend to people using NFSv4+Krb5 is:
>    o store automount setup in LDAP
>    o mount home dirs individually on a per-user-basis
>    o take the (auto)mount info from LDAP
>    o in LDAP automount configs store the sec=krb5x property on a
>      per-user-basis
> I will propose a setup like that for Debian Edu wheezy and provide a
> cookbook as a basis for discussion once squeeze is out.

Some cookbook would be great. I think that for our use
a pre-built solution such as Debian Edu is not optimal.
We have a virtualization setup already, quite complex VLANs
and specific uses - embedded/cross-development/real-time/FPGA etc.

Automount according to LDAP would be nice, but how can the
server be configured to check for a valid user and create the home on the fly?
Some PAM exec ssh from client to server before mount?
We use a central NetWare based LDAP for our campus location
now. It has the advantage that the campus dedicated admins are responsible
for the automated import of attending students into that database,
and we create homes on NFS after authentication on the fly.

We could not use NetWare for Kerberos authentication as I understand it.
One option is to try to use some central Eduroam RADIUS server
at our university or to set up a new LDAP+Kerberos server for our campus.

We would like to collect ideas/experience/examples before
these changes.

Best wishes,

                Pavel Pisa
    e-mail:     pisa@cmp.felk.cvut.cz
    www:        http://cmp.felk.cvut.cz/~pisa
    university: http://dce.fel.cvut.cz/
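As an added illustration (not part of either message above) of the LDAP-stored, per-user automount entries with a per-user sec=krb5x property that Mike recommends, here is an LDIF fragment using the rfc2307bis autofs schema. The base DN dc=example,dc=org, the server nfs.example.org and the user alice are placeholders.

```ldif
# Container for all automount maps (placeholder base DN).
dn: ou=automount,dc=example,dc=org
objectClass: organizationalUnit
ou: automount

# Master map: tells autofs that /home is served by the LDAP map auto.home.
dn: automountMapName=auto.master,ou=automount,dc=example,dc=org
objectClass: top
objectClass: automountMap
automountMapName: auto.master

dn: automountKey=/home,automountMapName=auto.master,ou=automount,dc=example,dc=org
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: ldap:automountMapName=auto.home,ou=automount,dc=example,dc=org

# The home map itself; one entry per user, so each user's mount options
# (including the Kerberos security flavour) are stored per user.
dn: automountMapName=auto.home,ou=automount,dc=example,dc=org
objectClass: top
objectClass: automountMap
automountMapName: auto.home

# Per-user entry: NFSv4 with krb5p (authentication, integrity and privacy).
# The client mounts only this user's directory, not the whole export.
dn: automountKey=alice,automountMapName=auto.home,ou=automount,dc=example,dc=org
objectClass: top
objectClass: automount
automountKey: alice
automountInformation: -fstype=nfs4,sec=krb5p nfs.example.org:/home/alice
```

Without a valid Kerberos ticket for alice, the client's mount of that entry fails, which is the per-machine access protection described in the thread.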

