
Re: Samba or NFS



On Mon, Jun 6, 2011 at 3:32 PM, John A. Sullivan III
<jsullivan@opensourcedevel.com> wrote:
> On Mon, 2011-06-06 at 14:51 -0400, Dan wrote:
>> On Sun, Jun 5, 2011 at 9:30 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>> > On Sun, Jun 5, 2011 at 5:38 AM, Simon Brandmair <sbrandmair@gmx.net> wrote:
>> >> Hi,
>> >>
>> >> On 3/6/2011 19:50 Axel Freyn wrote:
>> >> [...]
>> >>> For NFSv4 this has changed. You can use NFSv4 in different modes. The
>> >>> easy one has the same problem.
>> >
>> > NFSv4 is a giant pain in the keister, not worth the headaches. The
>> > NFSv4 access published from an actual Linux or other NFSv4 capable
>> > service can be published, it can be passed along via Samba to CIFS
>> > clients, but the CIFS clients cannot *see* or manipulate the NFSv4
>> > permissions due to incompatibilities between the two ownership
>> > models, and due to the Samba code for this being "spaghetti code".
>> > (http://samba.2283325.n4.nabble.com/viewing-if-not-editing-NFSv4-ACL-s-from-Samba-shares-td2417666.html).
>> >
>> > Overall, NFSv4 has proven itself destabilizing and useless in small
>> > and large environments. It takes a significant investment in complex
>> > infrastructure, and the security benefits have proven to be illusory
>> > in the face of clients who *insist* on making their home directories
>> > publicly accessible, clients who use password free SSH keys, or
>> > clients who store passwords in source controlled software with no
>> > access control. (I've run into all of these in environments that spent
>> > useless years pursuing the "security" of NFSv4 and ignoring gaping
>> > holes in infrastructure security.)
>>
>> Yes, I read the documentation for Kerberos and it seems to be too
>> complicated. I think that it is overkill to connect to computers.
>> In my case the LAN is the whole University and it is very easy to
>> spoof an IP, I checked that. So NFSv3 might not be such a good idea.
>>
>> How about NFSv3 over a ssh tunnel? That should be easy to implement. I
>> compared the transfer of a file of 700Mb between scp (encrypted) and
>> samba not encrypted, and the result is:
>> -scp: 38 seconds, and 25% of overhead in one of the 4 cores of the computer
>> -samba: 18 seconds and no overhead
>>
>> So in my case I think it can be acceptable to do a ssh tunnel as most
>> of the times most of the cores of the computer are not used and there
>> is not a big traffic of data. Are there other disadvantages of using a
>> ssh tunnel?
> <snip>
> Hmm . . . if you are going to go that route, how about sshfs? Again, I
> don't know a great deal about it but that is how we transfer files
> securely in the X2Go remote desktop project (www.x2go.org) - John
>
>

I think that sshfs is a file system oriented to the user, and NFS can
be used for many users. NFS should be more robust if there are many
users connected.

Moreover, with sshfs each user will have to mount his folder and enter
his password. With nfs you can establish a permanent link that can be
used by all the users.

Dan

