
Re: NFS4 and Kerberos



Hi Mike,

On Sat, Jan 08, 2011 at 12:31:16AM +0100, Mike Gabriel wrote:
> Hi Andi,
> 
> On Fr 07 Jan 2011 10:41:41 CET "Andreas B. Mundt" wrote:
> 
> >Take a look at <URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,
> >i.e. our exports file. If a machine wants to mount the home
> >directories, it first has to be added to a netgroup that allows
> >mounting the share. So if you walk into the school with your laptop to
> >fake an identity on the net, it will not work the first time, because
> >your MAC address will be different from the machines in the netgroup
> >you need the membership of. The next day you walk into school you
> >will be better prepared, you modified the laptop's MAC. Now, just
> >unplug the machine you got the MAC from and use your laptop
> >instead with the nice user ID. I guess that's how current security is
> >thought to be.

                         ^^^^^^^^^^
Sorry, this was meant ironically, I should have put a ";-)" there ...

> This setup is not really secure. If you have access to one of the
> school computers (Skolelinux clients) you boot it, use ifconfig and
> look up its IP. Then you shut the Skolelinux client down, take over
> its IP (static IP, not DHCP) and then you can mount the NFS share(s)
> on tjener.
 
Ok, that's an even easier way. 

> And if you ask me: I would be quite happy about service principals
> on each client. With service principal and user principal you gain
> NFS access, without... you do not get access...

I absolutely agree with you. I just don't know yet how to implement the
automatic creation/distribution of the principals/keytabs. That's why
I prefer a two-step approach: first implementing NFSv4 with sec=sys,
and if that works nicely with the automounter, then trying the next
step (the sec=krb5X stuff). Perhaps it can be done in the same way as with
the users, a script called after adding the machines in GOsa ...

And there are perhaps open issues for the diskless clients ... 

> >So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
> >help with the netgroups, but it also doesn't hurt.
> 
> >>Netgroups are not too special... but you may be right about Netgroup
> >>integration in WebGUI tools...
> >>
> >
> >Yes, the GUI administration is the problem right now.
> 
> For a flexible system having netgroups available (and configurable)
> is always an advantage!!! So, if there is some work to be done, we
> should try to include netgroups into the effort.

I tried to implement some "proof of principle" for GOsa a while ago:
<URL:http://lists.debian.org/debian-edu/2010/04/msg00124.html> 
(take a look at the picture :-)

I think that if there is support from someone with PHP knowledge and
from the project in general, something like that can be implemented in GOsa
upstream in the long run:
<URL:https://oss.gonicus.de/pipermail/gosa/2010-May/004547.html>

> >Do you have access to a debian-edu setup? Maybe if you want to take a
> >look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
> ><URL:http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
> >You need about a 25GiB image for Tjener+LTSPserver.
> 
> My friend Andreas (www.logo-edv.de) in Kiel has provided me with an
> 8-core, 16 GB virt server that hums (well, it really hums quite
> hummingly) in my home. There currently is a Debian Edu (lenny) setup
> installed on it and I also tried a Debian Edu (squeeze) which,
> however, partially failed. I used one of the nightly-built ISOs
> which might not be appropriate, though. If there are any ISO
> recommendations for squeeze, I'll be happy to use those for setting
> up a Debian squeeze Skolelinux.

I (unfortunately) only use kvm so far. Please report installation
failures especially on real hardware to the list or on irc, as we
should do probably much more testing on real hardware. Not that in the
end everything works in the "lab" but fails in "reality" ...

Cheers,

	Andi
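To make the difference between the two approaches discussed in this thread concrete, here is an added example of an NFSv4 exports file. It is not the debian-edu cf.homes file linked above and not anything posted by either author; the netgroup name, export path and Kerberos realm are assumptions chosen for illustration. The first export is the netgroup-plus-sec=sys style that the thread describes as spoofable by taking over a client's address; the second requires a Kerberos service principal on the client and a ticket for the user, which is what the "service principals on each client" suggestion amounts to.

```text
# /etc/exports (added example; names and paths are assumptions)

# 1) Netgroup-restricted AUTH_SYS export.
#    Who may mount is decided by the client's IP address (resolved through
#    the @school-clients netgroup), and who the user is comes from the
#    UID/GID the client sends. Both are only as trustworthy as the network's
#    address assignment, so a host that assumes a listed client's address
#    and presents any UID gets that user's files.
/srv/nfs4/home   @school-clients(rw,sec=sys,no_subtree_check)

# 2) Kerberos-protected export (same path, different security flavour).
#    A client can only mount if it holds a valid nfs/<client-fqdn>@EXAMPLE.REALM
#    key in its keytab, and a user only gets access with a ticket in that realm;
#    the UID is then derived from the principal, not from what the client claims.
#    sec=krb5  authenticates only,
#    sec=krb5i additionally integrity-protects every request,
#    sec=krb5p additionally encrypts the traffic.
#    Keeping the netgroup as well costs nothing and acts as a coarse first filter.
/srv/nfs4/home   @school-clients(rw,sec=krb5p:krb5i,no_subtree_check)
```

With the second line in place a client mounts with `mount -t nfs4 -o sec=krb5p tjener:/srv/nfs4/home /home` (the flavour must be one the server lists, otherwise the mount is refused), and `nfsstat -m` on the client shows the negotiated `sec=` option so an administrator can verify that no share is still mounted with sec=sys. On the server, `exportfs -v` prints the active flavours per export. The part this example does not solve is the one Andi points out: every client still needs its nfs/<fqdn> keytab created and distributed, which is why a transition via sec=sys first is a reasonable staging plan as long as the netgroup line is understood as a convenience filter rather than authentication.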

