In <4c77f5ca.6030...@gmail.com>, Min Wang wrote:
>Zaar Hai wrote:
>> On Fri, Aug 27, 2010 at 7:06 PM, Min Wang <ser.ba...@gmail.com> wrote:
>>> user1 can log in as local root on Linux PC1,
>>> Even though as root, user1 can not rm /home/user2,
>>> but he can su - user2 on Linux PC1 then rm something.
>>
>> You need NFS4 with gssapi. This way to access someone's file you need
>> an appropriate (his) credentials from KDC (which will be hosted near
>> by your LDAP server).
>
>Hi
>thanks. I'm totally a newbie to this nfs4/gssapi/kerberos.
>
>(1) does this approach
>
>prevent user1-> root ( su-> ) user2?
Yes. "su" does not grant Kerberos credentials.

>(2) Or we need to change to use Kerberos instead of LDAP/PAM?

I believe you can do "just" your NFS authentication with Kerberos and continue using LDAP/PAM for most authentication; I have not tried that though.

>(3) And In the kerberosized environment, can the local root su to
>networked user2?

Yes and no. The local system will "trust" su, so that root can become any user the local system recognizes. However, network applications that use the gssapi (or other Kerberos methods) will require credentials granted by the Kerberos system in order to take action as a Kerberos user.

Old-style NFS mostly trusts the local system to identify the user, which is why it is mostly only secure if "root" is shared between the NFS server and all its clients.

-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
b...@iguanasuicide.net                    ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/
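As an added illustration (not part of the thread, and not anyone's production config), the server export and client mount settings that make the difference Boyd describes: an old-style sec=sys export beside an NFSv4 export that requires Kerberos credentials. Hostnames, realm and paths are assumptions, and it assumes user2 has no live credential cache on PC1.

```conf
# /etc/exports on the NFS server (constructed example; hostnames assumed)

# Old-style NFS, sec=sys (the default): the server believes whatever uid the
# client kernel sends, so root on PC1 doing "su - user2" is accepted as user2.
#/home   pc1.example.org(rw,sync,no_subtree_check,sec=sys)

# NFSv4 with Kerberos: the server maps a request to user2 only after the
# client's rpc.gssd presents a service ticket for user2, issued by the KDC.
# krb5 = authentication only; krb5i adds integrity; krb5p adds privacy.
/home    pc1.example.org(rw,sync,no_subtree_check,sec=krb5p)

# /etc/fstab on the client (PC1). The client needs its own host key
# (nfs/pc1.example.org@EXAMPLE.ORG, realm assumed) in /etc/krb5.keytab
# and rpc.gssd running; users still need a TGT (kinit or pam_krb5 login).
nfs.example.org:/home   /home   nfs4   sec=krb5p,_netdev   0 0
```

With the krb5p export, a shell reached via "su - user2" from root on PC1 shows no tickets in klist, because su starts a fresh session without any credential cache, so the server refuses that session's access to /home/user2 until user2 actually authenticates to the KDC.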