On 13.03.2015 at 11:27, Robert Wehn wrote:
...
>
> We think the suexec-security-mechanism to be basically incompatible with
> an (ACL- and Kerberos-based) NFSv4 way of security. The NFSv4 security
> has at least two important parts. nfs(5):
> * Transport: cryptographic proof of a user's identity (krb5), integrity
>   (krb5i), encryption (krb5p).
> * Permissions: rich ACLs.
>

Yes, I think you are right. Kerberos needs to authenticate a user before allowing this user to access a service like NFS. This is exactly the problem on a web server, where users most often do not want or need to authenticate just to view a web page, but the web server with Kerberos and NFS4 needs to access the HTML files containing the web page via NFS. If these files are accessible only via NFS4 and do not belong to root, access is only granted with a user authentication. This could be done via a keytab file and a kinit, but this does not make sense if you have thousands of users.
In the meantime I am thinking about giving up NFS on this particular user webpage server. Instead I will probably try to use sshfs to mount user directories. Since we mount user directories via automount, sshfs has the charm that we only have to change one automounter map in our setup. Afterwards user directories will automatically be mounted via sshfs. I have only tried a test setup until now, which works fine, but I do not yet have any experience regarding the reliability and stability of this setup.

Have a nice day
Rainer

--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
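As an added illustration of the "change one automounter map" idea (not from the thread and not the Koblenz setup), here is an indirect autofs map for /home with a krb5-secured NFSv4 entry beside the sshfs entry that would replace it. The server names, export path, the "webfs" service account and its key path are assumptions.

```text
# /etc/auto.master (assumed): user home directories under /home come from
# the indirect map /etc/auto.home; "&" in that map expands to the key (user name)
/home   /etc/auto.home   --timeout=600

# /etc/auto.home, NFSv4 variant (assumed): with sec=krb5p every access is
# checked against a Kerberos credential of the accessing user. A web server
# answering anonymous requests holds no such credential, so it cannot read
# files that are not accessible to root/nobody on the server.
*   -fstype=nfs4,sec=krb5p   nfsserver.example.org:/export/home/&

# /etc/auto.home, sshfs variant (assumed): automount (running as root) starts
# sshfs as an SSH session for the single "webfs" service account, which
# authenticates with its own key instead of a per-user Kerberos ticket.
# "#" and ":" in the location are backslash-escaped because "#" would otherwise
# start a comment and ":" separates host from path in autofs locations.
# allow_other additionally requires "user_allow_other" in /etc/fuse.conf so
# that the web server process (not root) may traverse the FUSE mount.
*   -fstype=fuse,rw,nodev,nosuid,allow_other,IdentityFile=/etc/autofs/webfs_key   :sshfs\#webfs@fileserver.example.org\:/home/&
```

Note that this trades per-user identity on the wire for one service account that the file server must allow to read every home directory it should serve, so the file server's permissions (not the web server) become the place where "which user's pages are readable" is decided.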
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos