[Klug-general] General advice for NFS4 authentication on SOHO

jwmartnet . jwm.art.net at gmail.com
Mon Jun 15 20:17:48 UTC 2015


Well, if I had a precise understanding of permissions I suspect it
would probably be possible to achieve more with NFS than I have...

I've found this 'Simple Samba file sharing server setup':

https://wiki.debian.org/SambaServerSimple

which should be enough to get me started with finer-grained access
control albeit without all the "bells & whistles".

Cheers.




On 15 June 2015 at 20:22, David Halliday <david.halliday at gmail.com> wrote:
> I thought NFS allowed that (although my experience was with an old version
> and many years ago).
>
> I remember having difficulty with Kerberos and often deciding to let users
> authenticate each time they connected to a share.
>
> Sadly I don't think I'm going to have time to fire up a VM and try it out.
>
>
> On Mon, 15 Jun 2015 20:15 jwmartnet . <jwm.art.net at gmail.com> wrote:
>>
>> Hi David,
>>
>> Thanks for the links, you have some useful information in there.
>>
>> I don't see a way, using NFS + Kerberos to do what I want. It seems
>> that with NFS4 + Kerberos, it's the machine not user which is
>> authenticated, with that machine being authenticated for access to NFS
>> shares on the server without any specificity...
>>
>> Or so I thought... Testing with two different users, the first
>> authenticated via kinit command before mounting the share (using
>> systemd automount - i.e. mounting share on access), the second user gets
>> permission-denied until using kinit to authenticate... BUT I don't
>> think it is possible to give the first RW access and the second RO
>> access, /etc/exports can't do that, nor can two shares be unique to
>> two users of the same machine.
>>
>> It looks ideally like I should keep NFS use for when I want the
>> fastest possible transfer rates and limit to only trusted machines and
>> users, i.e. me and my machine. Unauthenticated RO NFS access would be
>> removed for untrusted users.
>>
>> Samba would then be used for everyone else, and through this I can
>> control who can see what and be very selective over write access.
>>
>> But I'm kinda confused over what I need to accomplish this. I keep
>> going round in circles searching and skim-reading guides which either
>> seem incomplete, potentially out of date, but the most confusing part
>> is knowing which recipe to use to combine it all:
>> NFS, Samba, Kerberos, LDAP, PAM, and I'm not sure there's a guide for
>> figuring that out!
>>
>>
>> James
>>
>> _______________________________________________
>> Kent mailing list
>> Kent at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/kent
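
An added illustration, not part of the thread or of any project's code: a small Python audit of /etc/exports-style text. It shows that each grant is keyed on path and client host with rw/ro and sec= options, with no per-user field, and it flags exports that accept a non-Kerberos flavor. The sample hosts and paths are constructed, and the parser ignores line continuations and quoted paths.

```python
import re

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# trusted workstation, Kerberos required
/srv/nfs/projects  desk.example.lan(rw,sec=krb5p,sync,no_subtree_check)
# legacy read-only share open to the whole LAN
/srv/nfs/media     192.168.1.0/24(ro,sync,no_subtree_check) *(ro)
/srv/nfs/home      -sec=krb5i,sync  desk.example.lan(rw) laptop.example.lan(ro)
"""

# One export field: optional client spec followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^([^\s()]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return one dict per (path, client) grant: path, client, access, sec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):       # "-opt,opt": defaults for later clients on this line
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if not m:                       # malformed field, skip it
                continue
            client = m.group(1) or "*"      # empty client name means any host
            options = defaults + [o for o in (m.group(2) or "").split(",") if o]
            access, sec = "ro", ["sys"]     # exports(5) defaults: read-only, sec=sys
            for opt in options:
                if opt in ("rw", "ro"):
                    access = opt
                elif opt.startswith("sec="):
                    sec = opt[4:].split(":")
            entries.append({"path": path, "client": client,
                            "access": access, "sec": sec})
    return entries

def unauthenticated(entries):
    """Grants that accept a non-Kerberos flavor, i.e. trust the client's claimed UID."""
    return [e for e in entries if any(not s.startswith("krb5") for s in e["sec"])]

if __name__ == "__main__":
    for e in unauthenticated(parse_exports(SAMPLE_EXPORTS)):
        print("no Kerberos:", e["path"], e["client"], e["access"])
```
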
