Hi,

On Thu, Jan 06, 2011 at 10:13:12PM +0100, Mike Gabriel wrote:
> Hi Andreas,
>
> On Do 06 Jan 2011 12:12:35 CET "Andreas B. Mundt" wrote:
[...]
> > Each client needs a Kerberos setup as well. Is this also already
> > coded somewhere?
>
> I am sorry that I cannot remember exactly which of the services (PAM,
> NFS, ...) was DNS and host principal critical, but a healthy Kerberos
> setup cannot be set up with host principals on every client. Same for
> NFS4 sec=krb5p or sec=krb5i.
>

The client setup is also implemented, iirc it only needs preseeding of
the corresponding Kerberos packages. (We might need to add a cf-rule to
have allow_weak_encryption = true in /etc/krb5.conf on the clients).

> > With this setup, users are authenticated to the system via a Kerberos
> > TGT, which works.
>
> I think PAM alone was quite handsome and did not require host
> principals when I set up my servers...
>

Iirc this is how it's done already. So far we have no (and need no)
host principals (only for the services on tjener).

[...]
> > My hope was, that by using Kerberos in combination with nfs4, the
> > machine management would simplify and we could get rid of IP- and
> > netgroup based "security".
>
> What exactly do you mean by this netgroup based ,,security'' (please
> excuse that I have not dived into the details of the lenny-tjener
> that deep)?

see below

>
> The problem about NFSv3 or NFSv4 with sec=sys is: I come to some
> school with my Linux netbook, create a local user account with a
> uidNumber of some interesting account on tjener and then I mount the
> user's home dir on my netbook with rw-access.
>

Take a look at
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,
i.e. our exports file. If a machine wants to mount the home
directories, it first has to be added to a netgroup that allows
mounting the share. So if you walk into the school with your laptop to
fake an identity on the net, it will not work the first time, because
your MAC address will be different from the machines in the netgroup
you need the membership of. The next day you walk into school you will
be better prepared, you modified the laptop's MAC. Now, just unplug the
machine you got the MAC from and use your laptop instead with the nice
user ID. I guess that's how current security is thought to be. So
using sec=sys in NFS4 is the same as using NFS3 now. It doesn't help
with the netgroups, but it also doesn't hurt.

> However, netgroups are really quite handy, because amongst others
> they allow the group of hosts in a way that can be pulled down on
> libnss level (with usage scenario e.g. with pam_access.so and
> /etc/security/access.conf). Whereas netgroups can help you to set up
> the on-site-systems in a versatile manner, it does not protect you
> against people bringing in their own devices (like my netbook).
>
> > (Which would also resolve the need for very
> > special administrative tools).
>
> Netgroups are not too special... but you may be right about Netgroup
> integration in WebGUI tools...
>

Yes, the GUI administration is the problem right now. Do you have
access to a debian-edu setup? Maybe if you want to take a look, try a
virtual setup with virt-manager + KVM (rsync the DVD image):
<URL:http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
You need about a 25GiB image for Tjener+LTSPserver.

Regards,

Andi

Archive: http://lists.debian.org/20110107094141.ga7...@flashgordon
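As an added example that is not part of this thread and not the Debian Edu cf.homes file: the point Andi makes is that an export gated only by netgroup or IP membership with sec=sys trusts whatever identity the client presents, whereas sec=krb5i/krb5p requires a Kerberos ticket. The small Python audit below parses exports lines and reports, per share, which clients can still mount with sec=sys. The paths, netgroup names and host address in the embedded sample are constructed.

```python
"""Audit NFS exports for shares that trust client identity alone.

A client entry whose security flavours include (or default to) sec=sys
relies only on hostname/IP/@netgroup matching, which an on-site device
with a copied MAC/IP can satisfy. Entries offering only krb5i/krb5p
need a valid Kerberos identity per user instead.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in /etc/exports syntax (not the project's real file).
SAMPLE_EXPORTS = """\
# home directories, gated only by netgroup membership
/skole/tjener/home0  @homes-clients(rw,sec=sys,no_subtree_check)
# same share, Kerberos privacy or integrity required
/skole/tjener/home1  @homes-clients(rw,sec=krb5p:krb5i,no_subtree_check)
# mixed: Kerberos for the netgroup, but one host gets the default sec=sys
/srv/shared  @ltsp-servers(rw,sec=krb5i) 10.0.2.5(rw)
"""

CLIENT_RE = re.compile(r"([^(]+)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, [sec flavours]) for every client of every export.

    exportfs defaults to sec=sys when no sec= option is given, and a
    colon-separated list means the client may pick any listed flavour.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            name, opts = m.group(1), m.group(2) or ""
            flavours = ["sys"]
            for opt in opts.split(","):
                if opt.startswith("sec="):
                    flavours = opt[len("sec="):].split(":")
            entries.append((path, name, flavours))
    return entries


def weak_exports(text: str) -> Dict[str, List[str]]:
    """Map path -> clients that may mount with sec=sys.

    Because the client chooses among the offered flavours, a list that
    contains "sys" anywhere still allows identity-only access.
    """
    weak: Dict[str, List[str]] = {}
    for path, client, flavours in parse_exports(text):
        if "sys" in flavours:
            weak.setdefault(path, []).append(client)
    return weak


if __name__ == "__main__":
    for path, clients in weak_exports(SAMPLE_EXPORTS).items():
        print(f"{path}: sec=sys allowed for {', '.join(clients)}")
```

Run against a real exports file by passing its contents instead of SAMPLE_EXPORTS; on the sample it reports home0 (explicit sec=sys) and the single host on /srv/shared (implicit default), while home1 and the krb5i netgroup entry pass.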