
Re: Samba or NFS



On Sun, Jun 5, 2011 at 5:38 AM, Simon Brandmair <sbrandmair@gmx.net> wrote:
> Hi,
>
> On 3/6/2011 19:50 Axel Freyn wrote:
> [...]
>> For NFSv4 this has changed. You can use NFSv4 in different modes. The
>> easy one has the same problem.

NFSv4 is a giant pain in the keister, not worth the headaches. The
NFSv4 access published from an actual Linux or other NFSv4 capable
service can be published, it can be passed along via Samba to CIFS
clients, but the CIFS clients cannot *see* or manipulate the NFSv4
permissions due to incompatibilities between the two ownership
models, and due to the Samba code for this being "spaghetti code".
(http://samba.2283325.n4.nabble.com/viewing-if-not-editing-NFSv4-ACL-s-from-Samba-shares-td2417666.html).

Overall, NFSv4 has proven itself destabilizing and useless in small
and large environments. It takes a significant investment in complex
infrastructure, and the security benefits have proven to be illusory
in the face of clients who *insist* on making their home directories
publicly accessible, clients who use password free SSH keys, or
clients who store passwords in source controlled software with no
access control. (I've run into all of these in environments that spent
useless years pursuing the "security" of NFSv4 and ignoring gaping
holes in infrastructure security.)

>> However, you can switch on strong authentication (based on Kerberos),
>> then it's safe (the server verifies that the client has the correct
>> Kerberos-token of this user -- UID is not sufficient), and even ask to
>> sign all transfers (to block man-in-the-middle-attacks which could
>> change the commands sent to the server) and encryption (to protect data
>> privacy).
>>
>> However, it's much more work to install, as you also need a full
>> Kerberos-setup....
>
> I haven't looked at all into Kerberos, but sort of considering it. So I
> was wondering, if it is worth (or even just work) when I just have a
> server client network and no extra kerberos server? Or is Kerberos
> rendered useless if I let it run on the same server that hosts the nfs
> server?
>
> Cheers,
> Simon

The problem isn't getting it up and running. It's getting people to
actually use it. It's sensitive to time drift on the servers and
clients, and getting people configured with NTP correctly is only a
tiny part of the battle. For a hundred accounts? I can see it. For
half a dozen people in a small office? Unlikely to be worth it.

From another part of the thread: I've used openAFS, including porting
it and Kerberos to SunOS way the heck back in antiquity. (Whose bright
flipping idea was it to make Kerberos require a fully qualified
hostname as the first entry in /etc/hosts for your IP address rather
than the short name, to make compilation fail if it wasn't, and to set
a timestamp so that the compilation had to *start over from the
beginning*? Actually, I think I know, and I've gotten private vengeance
for this.)

Debian's leading edge packaging and integration testing should make
them both vastly easier. You're stuck with policy decisions in setup
that can be.... subtle and awkward.

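The quoted explanation above distinguishes NFSv4 with Kerberos (krb5 for authentication, krb5i adding integrity, krb5p adding privacy) from the UID-trusting mode. The script below is an added example, not code from this thread or from either poster: it audits an /etc/exports file and reports every export that still accepts AUTH_SYS clients, i.e. exports with sec=sys or with no sec= option at all (nfsd's default). The exports content is a constructed sample embedded in the script so it runs offline; the paths and client networks in it are invented.

```shell
#!/bin/sh
# Added example: find NFS exports that trust a client-asserted UID instead of
# a Kerberos credential. Sample /etc/exports content is constructed here so
# the script runs without touching the real file.

SAMPLE_EXPORTS='# constructed sample, not a real exports file
/srv/home  192.168.1.0/24(rw,sync,sec=sys)
/srv/proj  192.168.1.0/24(rw,sync,sec=krb5p)
/srv/pub   *(ro,sync)
/srv/mixed 192.168.1.0/24(rw,sec=krb5:krb5i:krb5p)'

# weak_exports FILE -> prints each export line that allows AUTH_SYS clients
weak_exports() {
  # drop comments and blank lines, then inspect each remaining export
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
    case "$line" in
      *sec=*)
        # pull out the colon-separated flavour list after sec=
        secval=$(printf '%s\n' "$line" | sed -n 's/.*sec=\([^,)]*\).*/\1/p')
        # 'sys' anywhere in that list means UID-based access is still accepted
        case ":$secval:" in
          *:sys:*) printf '%s\n' "$line" ;;
        esac
        ;;
      *)
        # no sec= option: the kernel server defaults to sec=sys
        printf '%s\n' "$line"
        ;;
    esac
  done
}

# count_weak FILE -> number of exports relying on UID-based trust
count_weak() {
  weak_exports "$1" | wc -l | tr -d ' '
}

main() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
  echo "Exports accepting AUTH_SYS (client-asserted UID) clients:"
  weak_exports "$tmp"
  rm -f "$tmp"
}

main "$@"
```

Run it against the real file with `weak_exports /etc/exports` once the functions are sourced. Two caveats follow from the thread itself: an export listing `krb5:krb5i:krb5p` only offers integrity and privacy, and the client picks which flavour it actually mounts with (`-o sec=krb5p` on the mount), so the check above only tells you where UID trust remains, not whether transfers are signed or encrypted; and because Kerberos rejects tickets outside its clock-skew tolerance (five minutes by default), the NTP configuration the message mentions is a prerequisite for any of these flavours to work at all.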
