[ale] NFSv4, Kerberos, and OpenLDAP

Jerry Yu jjj863 at gmail.com
Mon Mar 24 13:29:03 EDT 2008


I wonder if you have a user defined on the client box with UID=1000?
The rpc.idmapd man page didn't say how it'd map a remote UID to a local UID/name.


2008/3/23 Michael B. Trausch <mike at trausch.us>:

> On Sun, 2008-03-23 at 00:27 -0400, Brian Pitts wrote:
> > Are you actually going to use any kerberized services, or could you
> > get away with a simpler setup like OpenLDAP + NFSv3 ?
>
> One of the reasons that I was looking to use NFSv4 was that it has
> in-protocol support for file locks and all that, and the last time I
> tried an NFSv3 setup under Ubuntu, some of the functionality was rather
> curtailed.  This included various random breakages surrounding file
> locking issues and so forth, and (probably fixed by now) GNOME being
> broken in strange ways.
>
> However, NFSv4 would be worth it from everything that I have read, and
> have the added bonus of being able to be used when I am out of town,
> albeit a bit slowly (so I'd probably still just take an rsync of my home
> when I go away and rsync it back when I get back).  OpenLDAP+NFSv3 might
> work, if all the bugs have been fixed, but my understanding is that some
> of the issues (particularly file-locking issues) were due to
> the way that NFSv3 works inherently.
>
> I could see leveraging Kerberos for other things in the long run though,
> seeing that there is a good amount of software that seems to support
> using it for various things.
>
> For now, I am back to just running locally, because I do have other
> things that I have to do and I can't spend (all) my time trying to
> figure out the nuances of what's broken currently.  I would like to just
> get it working though, and what I am probably going to wind up doing is
> creating a new subnetwork for a few virtual machines and try to use
> those as a sandbox to get things working, and then if I can get it
> working there, try again on my main network.
>
> Part of it, by the way, is that I would like to (in the long run) be
> able to actually require that the network be signed into in some form or
> fashion so that the NFS mounts can be used.  NFSv3 is too easy to get
> into, and I wouldn't want to have it so that my next door neighbor can
> simply crack the key on my wireless router (which we all know is trivial
> anyway) and get access to the shares by saying "hey, I am UID 1000!".
> Kerberos would at least make sure that doesn't happen, by requiring that
> access be authenticated by having the ticket to access the filesystem.
> The only filesystem that I intend on having open (i.e., not relying on
> Kerberos for its use) is one that I plan on using eventually to support
> netbooting and having a root partition via NFS.  Though, I am a ways
> away from that...
>
>        --- Mike
>
> --
> Michael B. Trausch                                   mike at trausch.us
> home: 404-592-5746, 1                                 www.trausch.us
> cell: 678-522-7934                       im: mike at trausch.us, jabber
> Ubuntu Unofficial Backports Project:    http://backports.trausch.us/
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
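An added example, not code from the thread: a small audit of an exports file that flags the entries still accepting AUTH_SYS, the flavor in which the client simply asserts a UID as Mike describes, versus those that require a Kerberos ticket via sec=krb5/krb5i/krb5p. The /etc/exports content is constructed for the example.

```python
import re

# Constructed sample /etc/exports (not from the thread). Entries without a
# sec= option fall back to AUTH_SYS, where the client just claims a UID.
SAMPLE_EXPORTS = """\
# home directories
/srv/home    192.168.1.0/24(rw,sync,no_subtree_check)
/srv/home    10.0.0.0/24(rw,sync,sec=krb5p,no_subtree_check)
/srv/nfsroot *(ro,sync,no_root_squash,sec=sys,no_subtree_check)
/srv/data    host1(rw,sec=krb5:krb5i)   host2(rw,sec=sys:krb5)
"""

KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Yield (path, client, options) for every client entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for entry in parts[1:]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", entry)
            client = m.group(1) or "*"  # "(opts)" with no host means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, opts


def security_flavors(opts):
    """Return the sec= flavors of an entry; exportfs defaults to sys when absent."""
    for o in opts:
        if o.startswith("sec="):
            return o[4:].split(":")
    return ["sys"]


def audit_exports(text):
    """Return (path, client, flavors) for entries that trust a client-asserted UID."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = security_flavors(opts)
        if "sys" in flavors or "none" in flavors:
            findings.append((path, client, ":".join(flavors)))
    return findings


if __name__ == "__main__":
    for path, client, flavors in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: sec={flavors} accepts unauthenticated UIDs")
```

Entries that list sec=sys alongside krb5 (host2 above) are flagged too, since a client can still pick the weaker flavor at mount time.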