need help with NFS and user authentication

Lisa Kachold lisakachold at obnosis.com
Sat Feb 28 22:11:47 MST 2009


You might approach this from the other (Apple Mac Kerberos) side.  

Apple NFS/Kerberos will do what you want (files are created with the Kerberos principal rather than uid 501, they're assigned the same gid as the directory in which they're created, and mounting the filesystem can be set up to require only a user principal rather than full-blown host/NFS keys).

http://support.apple.com/kb/TA24986?viewlocale=en_US

<Go ahead, flame me for this as OT posting (but "NO" Mac fits in to the technocracy as a NIX, whereas Gate-sys are well, $easytargets)!>

obnosis.com | wiki.obnosis.com| (503)754-4452
PLUG HACKFESTS 2nd Saturday Each Month at Noon - 3PM

> From: alex at crackpot.org
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: Re: need help with NFS and user authentication
> Date: Sat, 28 Feb 2009 19:10:51 -0700
> 
> 
> On Feb 28, 2009, at 5:16 PM, Bob Elzer wrote:
> 
> > I could probably change uids everywhere so they all match on all
> > machines, but this seems 1. klunky and 2. really insecure.
> 
> Granted, it's a small network with few nodes.  Changing uids is  
> probably workable in this case, and may be the solution I end up going  
> with.  But it doesn't seem like it scales very well.  If I'm uid 1000,  
> how hard is it for any random person to create some uid 1000 on their  
> machine, connect to the network, and access my files with my  
> permissions?  That seems pretty insecure to me.
> 
> Take a look at this for a similar issue : http://nfsworld.blogspot.com/2006/02/real-authentication-in-nfs.html
> 
> >
> > Why would you think that ? How is the server going to know it's you, if
> > every time you connect, you have a different UID ?
> 
> I'd prefer to have some other mechanism for authorization.  That's the  
> core of what I'm asking.  I will poke at Kerberos a bit, and if I have  
> success setting it up, I will probably go with it.  If it seems too  
> involved for my simple little network, then I'll get busy changing uids.
> 
> >
> > You wouldn't give a different name at different DMV offices would  
> > you ?
> 
> To me, the better question is 'you wouldn't believe anyone having ID #  
> 1000 is guaranteed to be the same person, would you?'.
> 
> thanks,
> alex

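The point alex raises (anyone who can put uid 1000 on a box they control can present it to the server) is visible in the wire format. The following is an added example, not code from anyone on this thread: it builds a constructed NFSv3 call header carrying an AUTH_SYS credential, the way an ordinary NFS client would, and then decodes it the way an auditor reading a packet capture would. Under AUTH_SYS (RFC 5531 authsys_parms) the uid, gid and group list are plain integers written by the client with no verifier behind them, so the decoder marks that identity as client-asserted; a credential under RPCSEC_GSS (the Kerberos flavor the Apple KB article relies on) is tied to a GSS context instead. The host name "laptop", uid/gid 1000 and the group list are made-up sample values.

```python
"""Decode the credential of an ONC RPC (NFS) call header and report which
authentication flavor it uses.  Added example; sample values are constructed."""
import struct

RPC_CALL = 0
RPC_VERSION = 2
NFS_PROGRAM = 100003          # ONC RPC program number for NFS
AUTH_NONE, AUTH_SYS, RPCSEC_GSS = 0, 1, 6
FLAVOR_NAMES = {AUTH_NONE: "AUTH_NONE", AUTH_SYS: "AUTH_SYS", RPCSEC_GSS: "RPCSEC_GSS"}


def _xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque/string: 4-byte length, data, pad to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_auth_sys(stamp: int, machinename: bytes, uid: int, gid: int, gids) -> bytes:
    """AUTH_SYS credential body (RFC 5531 authsys_parms).  Every field here is
    chosen by the sender; the server receives nothing that proves them."""
    body = struct.pack(">I", stamp) + _xdr_opaque(machinename)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def encode_rpc_call(xid: int, prog: int, vers: int, proc: int,
                    cred_flavor: int, cred_body: bytes) -> bytes:
    """RPC CALL header with the given credential and an AUTH_NONE verifier,
    which is what AUTH_SYS clients send (the verifier carries nothing)."""
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">I", cred_flavor) + _xdr_opaque(cred_body)
    verf = struct.pack(">I", AUTH_NONE) + _xdr_opaque(b"")
    return hdr + cred + verf


class _XdrReader:
    """Minimal big-endian XDR reader over a byte string."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self) -> bytes:
        n = self.u32()
        value = self.data[self.pos:self.pos + n]
        self.pos += n + (-n) % 4          # skip the data and its padding
        return value


def parse_rpc_call(data: bytes) -> dict:
    """Decode an RPC CALL header; for AUTH_SYS also decode the asserted identity."""
    r = _XdrReader(data)
    xid, msg_type, rpcvers, prog, vers, proc = [r.u32() for _ in range(6)]
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an ONC RPC version 2 CALL message")
    flavor = r.u32()
    cred_body = r.opaque()
    r.u32()            # verifier flavor
    r.opaque()         # verifier body
    info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "flavor": FLAVOR_NAMES.get(flavor, "flavor %d" % flavor)}
    if flavor == AUTH_SYS:
        c = _XdrReader(cred_body)
        info["stamp"] = c.u32()
        info["machinename"] = c.opaque().decode("ascii", "replace")
        info["uid"] = c.u32()
        info["gid"] = c.u32()
        info["gids"] = [c.u32() for _ in range(c.u32())]
        # Nothing in the message authenticates these numbers: the server can
        # only trust them as far as it trusts the sending host.
        info["client_asserted_only"] = True
    elif flavor == RPCSEC_GSS:
        # Identity comes from a GSS (Kerberos) security context established
        # earlier, and the verifier carries an integrity check over the header.
        info["client_asserted_only"] = False
    else:
        info["client_asserted_only"] = True
    return info


# Constructed sample: a client calling itself "laptop" asserting uid 1000,
# gid 1000, supplementary group 27, issuing NFSv3 GETATTR (procedure 1).
SAMPLE_CRED = encode_auth_sys(0x4a0b1c2d, b"laptop", 1000, 1000, [1000, 27])
SAMPLE_CALL = encode_rpc_call(0x12345678, NFS_PROGRAM, 3, 1, AUTH_SYS, SAMPLE_CRED)

if __name__ == "__main__":
    decoded = parse_rpc_call(SAMPLE_CALL)
    for key in ("flavor", "machinename", "uid", "gid", "gids", "client_asserted_only"):
        print("%-20s %s" % (key, decoded[key]))
```

Run against a capture, a decoder like this tells you which mounts are still being served under sec=sys and what identities they are being accessed with; the fix on the server side is to refuse that flavor for the export (on Linux, the sec=krb5, krb5i or krb5p export options), which is the same thing the Apple article achieves from the Mac end.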