2005-10-18 11:00:49

by Sven Geggus

Subject: Authenticated NFS mounts

Hello NFS-list,

Section A5 of the Linux NFS FAQ (Can I use Kerberos authentication with NFS
on Linux?) is somewhat confusing as the Answer is not clearly yes or no.

So what's the current Answer to this simple Question:

Is it possible to use RPCSEC GSSAPI in conjunction with NFSv3 on Linux
Clients and Servers?

I managed to use it in conjunction with NFSv4, but NFSv4 does not seem to be
stable enough for production use. I had machine lockups even on a
test-installation I have been using :(

Sven

--
Software patents are the software project equivalent of land mines: Each
design decision carries a risk of stepping on a patent, which can destroy
your project. (Richard M. Stallman)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2005-10-18 11:13:07

by Vincent Roqueta

Subject: Re: Authenticated NFS mounts

On Tuesday 18 October 2005 13:00, Sven Geggus wrote:
> Hello NFS-list,
>
> Section A5 of the Linux NFS FAQ (Can I use Kerberos authentication with NFS
> on Linux?) is somewhat confusing as the Answer is not clearly yes or no.
>
> So what's the current Answer to this simple Question:
>
> Is it possible to use RPCSEC GSSAPI in conjunction with NFSv3 on Linux
> Clients and Servers?
Yes, that is possible.

However,
__________________________________________________________________
> > >Be aware NFSv3 is not really secure, even with Kerberos.
> >
> >Have you some documentation on this issue?
>
> I don't know what the right citation is.
>
> Problems I know of; maybe there are others:
>
> 1. nfsv2/v3 mount doesn't traditionally seem to know how to use
> rpcsec_gss, so in theory someone could spoof the reply to your
> mount call, returning a filehandle other than the one you asked
> for.
> 2. The locking protocol used with v2/v3 doesn't use rpcsec_gss.
>
> But depending on your environment these problems may not worry you.
>
> --b.
___________________________________________________________________


> I managed to use it in conjunction with NFSv4, but NFSv4 does not seem to
> be stable enough for production use.
Hmmm... Which kernel are you using?
The nfsv4 mailing list is here: [email protected]

> I had machine lockups even on a test-installation I have been using :(
What kind of lockups?


Vincent



2005-10-18 11:29:16

by Sven Geggus

Subject: Re: Authenticated NFS mounts

Vincent Roqueta <[email protected]> wrote:

>> Is it possible to use RPCSEC GSSAPI in conjunction with NFSv3 on Linux
>> Clients and Servers?
> Yes, that is possible.

Any kind of mini HOWTO on this? Which Versions of mount, nfs-utils etc would
I need?

Protection against mounts from untrusted machines which are not
authenticated is all I need to provide at the Moment.

NFSv4 seems to be a better design, but stability is more important for my
application.

Sven

--
"Software is like sex; it's better when it's free"
(Linus Torvalds)

/me is giggls@ircnet, http://sven.gegg.us/ on the Web



2005-10-18 11:41:57

by Vincent Roqueta

Subject: Re: Authenticated NFS mounts

On Tuesday 18 October 2005 13:29, Sven Geggus wrote:
> Vincent Roqueta <[email protected]> wrote:
> >> Is it possible to use RPCSEC GSSAPI in conjunction with NFSv3 on Linux
> >> Clients and Servers?
> >
> > Yes, that is possible.
>
> Any kind of mini HOWTO on this? Which Versions of mount, nfs-utils etc
> would I need?
That is the same howto as for NFSv4. You need a recent kernel.
http://wiki.linux-nfs.org/index.php/Main_Page

> Protection against mounts from untrusted machines which are not
> authenticated is all I need to provide at the Moment.
Ok.

> NFSv4 seems to be a better design, but stability is more important for my
> application.
NFSv4 works quite fine for most NFSv3 uses. It passes some stress tests NFSv3
does not. We are looking for early adopters of NFSv4.

You should have a look here for tests:
http://nfsv4.bullopensource.org/


Vincent



2005-10-18 13:25:41

by J. Bruce Fields

Subject: Re: Authenticated NFS mounts

On Tue, Oct 18, 2005 at 11:29:06AM +0000, Sven Geggus wrote:
> Vincent Roqueta <[email protected]> wrote:
>
> >> Is it possible to use RPCSEC GSSAPI in conjunction with NFSv3 on Linux
> >> Clients and Servers?
> > Yes, that is possible.
>
> Any kind of mini HOWTO on this? Which Versions of mount, nfs-utils etc would
> I need?

If you have versions of those things that support NFSv4, then they
almost certainly also have v3/rpcsec_gss support.

> Protection against mounts from untrusted machines which are not
> authenticated is all I need to provide at the Moment.
>
> NFSv4 seems to be a better design, but stability is more important for my
> application.

Could you give any more details on the "lockups" you were seeing? Which
kernel were you using (client and server), what exactly happened, what
workload caused it, etc.

--b.



2005-10-18 15:27:07

by Lever, Charles

Subject: RE: Authenticated NFS mounts

> Section A5 of the Linux NFS FAQ (Can I use Kerberos
> authentication with NFS
> on Linux?) is somewhat confusing as the Answer is not
> clearly yes or no.
>
> So what's the current Answer to this simple Question:
>
> Is it possible to use RPCSEC GSSAPI in conjunction with
> NFSv3 on Linux
> Clients and Servers?

it depends on which client kernel you are using.

there are some GSS and NLM bugs that prevent Kerberos authentication
from working with NFSv3 in kernels earlier than 2.6.12.

