[Klug-general] General advice for NFS4 authentication on SOHO

jwmartnet . jwm.art.net at gmail.com
Mon Jun 15 19:14:58 UTC 2015


Hi David,

Thanks for the links, you have some useful information in there.

I don't see a way, using NFS + Kerberos, to do what I want. It seems
that with NFS4 + Kerberos, it's the machine, not the user, which is
authenticated, with that machine being authenticated for access to NFS
shares on the server without any specificity...

Or so I thought... Testing with two different users, the first
authenticated via the kinit command before mounting the share (using
systemd automount, i.e. mounting the share on access), the second user gets
permission-denied until using kinit to authenticate... BUT I don't
think it is possible to give the first RW access and the second RO
access; /etc/exports can't do that, nor can two shares be unique to
two users of the same machine.

It looks ideally like I should keep NFS use for when I want the
fastest possible transfer rates and limit it to only trusted machines and
users, i.e. me and my machine. Unauthenticated RO NFS access would be
removed for untrusted users.

Samba would then be used for everyone else, and through this I can
control who can see what and be very selective over write access.

But I'm kinda confused over what I need to accomplish this. I keep
going round in circles searching and skim-reading guides which
seem either incomplete or potentially out of date, but the most confusing part
is knowing which recipe to use to combine it all:
NFS, Samba, Kerberos, LDAP, PAM, and I'm not sure there's a guide for
figuring that out!


James


