[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Samba or NFS

On Mon, 2011-06-06 at 14:51 -0400, Dan wrote:
> On Sun, Jun 5, 2011 at 9:30 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> > On Sun, Jun 5, 2011 at 5:38 AM, Simon Brandmair <sbrandmair@gmx.net> wrote:
> >> Hi,
> >>
> >> On 3/6/2011 19:50 Axel Freyn wrote:
> >> [...]
> >>> For NFSv4 this has changed. You can use NFSv4 in different modes. The
> >>> easy one has the same problem.
> >
> > NFSv4 is a giant pain in the keister, not worth the headaches. The
> > NFSv4 access published from an actual Linux or other NFSv4 capable
> > service can be published, it can be passed along via Samba to CIFS
> > clients, but the CIFS clients cannot *see* or manipulate the NFSv4
> > permissions due to incompatibilities between thee two ownership
> > models, and due to the Samba code for this being "spaghetti code".
> > (http://samba.2283325.n4.nabble.com/viewing-if-not-editing-NFSv4-ACL-s-from-Samba-shares-td2417666.html).
> >
> > Overall, NFSv4 has proven itself destabilizing and useless in small
> > and large environments. It takes a significant investment in complex
> > infrastructure, and the security benefits have proven to be illusory
> > in the face of clients who *insist* on making their home directories
> > publicly accessible, clients who use password free SSH keys, or
> > clients who store passwords in source controlled software with no
> > access control. (I've run into all of these in environments that spent
> > useless years pursuing the "security" of NFSv4 and ignoring gaping
> > holes in infrastructure security.)
> Yes, I read the documentation for Kerberos and it seems to be too
> complicated. I think that it is an overkill to connect to computers.
> In my case the LAN is the whole University and it is very easy to
> spoof an IP, I checked that. So NFSv3 might not be such a good idea.
> How about NFSv3 over a ssh tunnel? That should be easy to implement. I
> compared the transfer of a file of 700Mb between scp (encrypted) and
> samba not encrypted, and the result is:
> -scp: 38 seconds, and 25% of overhead in one of the 4 cores of the computer
> -samba: 18 seconds and no overhead
> So in my case I think it can be acceptable to do a ssh tunnel as most
> of the times most of the cores of the computer are not used and there
> is not a big traffic of data. Are there other disadvantages of using a
> ssh tunnel?
Hmm . . . if you are going to go that route, how about sshfs? Again, I
don't know a great deal about it but that is how we transfer files
securely in the X2Go remote desktop project (www.x2go.org) - John

Reply to: