From: Matt Piechota
To: Michael Collette
cc: FreeBSD Security
Date: Wed, 30 Jul 2003 21:29:10 -0400 (EDT)
Subject: Re: Kerberos to file server
Message-ID: <20030730212059.X17489@cithaeron.argolis.org>
In-Reply-To: <200307301553.40385.metrol@metrol.net>

On Wed, 30 Jul 2003, Michael Collette wrote:

> From what I've read thus far it "seems" that configuring Kerberos
> between the two is the way to go about this. The handbook talks about
> setting up a remote login kind of thing, but nothing about how to
> handle NFS permissions. I also don't quite get how to automate the
> process of authenticating and mounting upon initial login.
>
> Question 1: Am I heading down the right road, or are there other options
> I should be considering first?

What you're doing should work just fine. I can't see any difference
between a netbooted client and a regular PC client.

> Question 2: If I'm on the correct path where should I look for some kind
> of a tutorial for the mechanics of getting this to happen?

NFS doesn't really /do/ permissions, so the easiest (and probably least
safe) is to export as400:/home to all the clients, and make it
root-writable to the FreeBSD master server. All the clients would
individually mount the NFS share from as400 on boot, and since the FreeBSD
box has root-write, you can manage the files from it. The as400 wouldn't
even need to know about the users at all (unless as400's NFS has rules
about uids having to match something in its own password file, which isn't
standard).

A safer way would be to use AFS, since it does proper authentication, but
I have no idea if as400 would make a nice AFS server.

And this isn't strictly speaking a freebsd-security@ question, for that
matter. Reply to me directly if you have questions.

--
Matt Piechota
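The export scheme sketched above (root-writable only to the master server, plain mounts for the clients) is easy to get wrong so that root on every client becomes root on the share. The check below is an added example, not from the thread: it parses a FreeBSD-style exports(5) file (the AS/400's own export syntax differs) and flags entries that grant root mapping to a whole network or to every host; the sample exports text and the host name master.example.org are constructed.

```python
"""Audit a FreeBSD-style /etc/exports for the weak setup the thread describes:
a root-writable export every client can reach. Added example; all data constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in FreeBSD exports(5) syntax (the AS/400's own syntax differs).
SAMPLE_EXPORTS = """\
# weak: root on ANY client in the subnet becomes root on the share
/home -maproot=root -network 10.0.0.0 -mask 255.255.255.0
# better: only the master keeps root; clients get root squashed to nobody
/home -maproot=root master.example.org
/home -maproot=nobody -network 10.0.0.0 -mask 255.255.255.0
"""

@dataclass
class Export:
    path: str
    maproot: Optional[str] = None      # value of -maproot=, if any
    hosts: List[str] = field(default_factory=list)
    network: Optional[str] = None      # address given with -network

def parse_exports(text: str) -> List[Export]:
    """Minimal exports(5) line parser: path, -maproot=, -network/-mask, hosts."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        exp = Export(path=tokens[0])
        it = iter(tokens[1:])
        for tok in it:
            if tok.startswith("-maproot="):
                exp.maproot = tok.split("=", 1)[1]
            elif tok == "-network":
                exp.network = next(it)
            elif tok == "-mask":
                next(it)                      # mask belongs to -network
            elif tok.startswith("-"):
                continue                      # -ro, -alldirs, ... not relevant here
            else:
                exp.hosts.append(tok)         # explicit client host
        exports.append(exp)
    return exports

def root_exposed(exports: List[Export]) -> List[Export]:
    """Exports mapping remote root to root for a whole network or for every host."""
    return [e for e in exports
            if e.maproot in ("root", "0") and (e.network or not e.hosts)]
```

Run `root_exposed(parse_exports(open("/etc/exports").read()))` on a real server to list the entries that need a named master host instead of a network.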