[Klug-general] General advice for NFS4 authentication on SOHO
David Halliday
david.halliday at gmail.com
Mon Jun 15 19:23:11 UTC 2015
I thought NFS allowed that (although my experience was with an old version
and many years ago).
I remember having difficulty with Kerberos and often deciding to let users
authenticate each time they connected to a share.
Sadly I don't think I'm going to have time to fire up a VM and try it out.
On Mon, 15 Jun 2015 20:15 jwmartnet . <jwm.art.net at gmail.com> wrote:
> Hi David,
>
> Thanks for the links, you have some useful information in there.
>
> I don't see a way, using NFS + Kerberos to do what I want. It seems
> that with NFS4 + Kerberos, it's the machine not user which is
> authenticated, with that machine being authenticated for access to NFS
> shares on the server without any specificity...
>
> Or so I thought... Testing with two different users, the first
> authenticated via kinit command before mounting the share (using
> systemd automount - ie mounting share on access), the second user gets
> permission-denied until using kinit to authenticate... BUT I don't
> think it is possible to give the first RW access and the second RO
> access, /etc/exports can't do that, nor can two shares be unique to
> two users of the same machine.
>
> It looks ideally like I should keep NFS use for when I want the
> fastest possible transfer rates and limit to only trusted machines and
> users.. ie me and my machine. Unauthenticated RO NFS access would be
> removed for untrusted users.
>
> Samba would then be used for everyone else, and through this I can
> control who can see what and be very selective over write access.
>
> But I'm kinda confused over what I need to accomplish this. I keep
> going round in circles searching and skim-reading guides which either
> seem incomplete, potentially out of date, but the most confusing part
> is knowing which recipe to use to combine it all:
> NFS, Samba, Kerberos, LDAP, PAM, and I'm not sure there's a guide for
> figuring that out!
>
>
> James