[ale] NFSv4, Kerberos, and OpenLDAP

Michael B. Trausch mike at trausch.us
Sun Mar 23 00:37:23 EDT 2008


On Sun, 2008-03-23 at 00:27 -0400, Brian Pitts wrote:
> Are you actually going to use any kerberized services, or could you
> get away with a simpler setup like OpenLDAP + NFSv3 ?

One of the reasons that I was looking to use NFSv4 was that it has
in-protocol support for file locks and all that, and the last time I
tried an NFSv3 setup under Ubuntu, some of the functionality was rather
curtailed.  This included various random breakages surrounding file
locking issues and so forth, and (probably fixed by now) GNOME being
broken in strange ways.

However, NFSv4 would be worth it from everything that I have read, and
has the added bonus of being able to be used when I am out of town,
albeit a bit slowly (so I'd probably still just take an rsync of my home
when I go away and rsync it back when I get back).  OpenLDAP+NFSv3 might
work, if all the bugs have been fixed, but my understanding is that some
of the issues (particularly file-locking issues) were due to the way
that NFSv3 works inherently.

I could see leveraging Kerberos for other things in the long run though,
seeing that there is a good amount of software that seems to support
using it for various things.

For now, I am back to just running locally, because I do have other
things that I have to do and I can't spend (all) my time trying to
figure out the nuances of what's broken currently.  I would like to just
get it working though, and what I am probably going to wind up doing is
creating a new subnetwork for a few virtual machines and try to use
those as a sandbox to get things working, and then if I can get it
working there, try again on my main network.

Part of it, by the way, is that I would like to (in the long run) be
able to actually require that the network be signed into in some form or
fashion so that the NFS mounts can be used.  NFSv3 is too easy to get
into, and I wouldn't want to have it so that my next door neighbor can
simply crack the key on my wireless router (which we all know is trivial
anyway) and get access to the shares by saying "hey, I am UID 1000!".
Kerberos would at least make sure that doesn't happen, by requiring that
access be authenticated by having the ticket to access the filesystem.
The only filesystem that I intend on having open (e.g., not relying on
Kerberos for its use) is one that I plan on using eventually to support
netbooting and having a root partition via NFS.  Though, I am a ways
away from that...

	--- Mike

-- 
Michael B. Trausch                                   mike at trausch.us
home: 404-592-5746, 1                                 www.trausch.us
cell: 678-522-7934                       im: mike at trausch.us, jabber
Ubuntu Unofficial Backports Project:    http://backports.trausch.us/
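The point made above about NFSv3 being "too easy to get into" comes down to the AUTH_SYS security flavor: the client simply asserts a UID/GID and the server believes it, whereas sec=krb5 (or krb5i/krb5p) requires a valid Kerberos ticket. An export with no sec= option defaults to sec=sys, and an export whose sec= list still includes sys accepts unauthenticated clients alongside Kerberos ones. The following audit script is an added example, not code from the original post or from the ALE list; the exports file it parses is constructed inline for the demonstration, and the helper names (audit_exports, count_sys_exports) are my own.

```shell
#!/bin/sh
# Audit an NFS exports file for exports that still accept AUTH_SYS, i.e. a
# client-asserted "I am UID 1000" with no Kerberos ticket behind it.
# Rules applied (from exports(5)):
#   - no sec= option on a client spec  -> defaults to sec=sys -> flagged
#   - sec= list that contains "sys"    -> still accepts AUTH_SYS -> flagged
#   - sec= list of only krb5/krb5i/krb5p -> not flagged

# Print one line per export that accepts AUTH_SYS: "<path> <client-spec>".
audit_exports() {
    file="$1"
    # Strip comments and blank lines; each remaining line is
    # "/path client(opts) client(opts) ..." with no spaces inside a spec.
    sed -e 's/#.*//' "$file" | awk '
        NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i
                opts = ""
                # Options live inside the parentheses, if any.
                if (match(spec, /\(.*\)/))
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                allows_sys = 1          # default flavor is sys
                n = split(opts, arr, ",")
                for (j = 1; j <= n; j++) {
                    if (arr[j] ~ /^sec=/) {
                        allows_sys = 0  # explicit list: only flag if sys is in it
                        m = split(substr(arr[j], 5), flavors, ":")
                        for (k = 1; k <= m; k++)
                            if (flavors[k] == "sys") allows_sys = 1
                    }
                }
                if (allows_sys) print path, spec
            }
        }'
}

# Convenience wrapper: number of AUTH_SYS-accepting exports in the file.
count_sys_exports() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample exports file (hypothetical paths and network, not from
# the original post): an open NFSv4 root for netboot clients, a krb5p-only
# home export, and a mixed export that quietly still accepts sys.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# pseudo-filesystem root, intentionally left open for netboot
/export            192.168.1.0/24(ro,fsid=0,no_subtree_check)
/export/home       192.168.1.0/24(rw,sec=krb5p,no_subtree_check)
/export/shared     192.168.1.0/24(rw,sec=krb5i:sys,no_subtree_check)
EOF

echo "Exports accepting AUTH_SYS in $SAMPLE_EXPORTS:"
audit_exports "$SAMPLE_EXPORTS"
```

Running it against a real server's /etc/exports (`audit_exports /etc/exports`) lists exactly the shares a neighbour on the wireless segment could reach by claiming a UID; only the netboot root should appear there. The check is server-side only: the client must also mount with the matching `sec=krb5p` (or krb5/krb5i) option, and the server needs an nfs/hostname principal in its keytab for those mounts to succeed at all.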
