Date: Wed, 30 Jul 2003 21:29:10 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: Michael Collette <metrol@metrol.net>
Cc: FreeBSD Security <FreeBSD-Security@freebsd.org>
Subject: Re: Kerberos to file server
Message-ID: <20030730212059.X17489@cithaeron.argolis.org>
In-Reply-To: <200307301553.40385.metrol@metrol.net>
References: <200307301553.40385.metrol@metrol.net>

On Wed, 30 Jul 2003, Michael Collette wrote:

> From what I've read thus far it "seems" that configuring Kerberos
> between the two is the way to go about this. The handbook talks about
> setting up a remote login kind of thing, but nothing about how to
> handle NFS permissions. I also don't quite get how to automate the
> process of authenticating and mounting upon initial login.
>
> Question 1: Am I heading down the right road, or are there other options
> I should be considering first?

What you're doing should work just fine. I can't see any difference
between a netbooted client and a regular PC client.

> Question 2: If I'm on the correct path where should I look for some kind
> of a tutorial for the mechanics of getting this to happen?

NFS doesn't really /do/ permissions, so the easiest (and probably least
safe) is to export as400:/home to all the clients, and make it
root-writable to the FreeBSD master server. All the clients would
individually mount the NFS share from as400 on boot, and since the
FreeBSD box has root-write, you can manage the files from it. The as400
wouldn't even need to know about the users at all (unless as400's nfs
has rules about uids having to match something in its own password file,
which isn't standard).

A safer way would be to use AFS, since it does proper authentication,
but I have no idea if as400 would make a nice AFS server.

And this isn't strictly speaking a freebsd-security@ question, for that
matter. Reply to me directly if you have questions.

--
Matt Piechota