Date:      Mon, 10 Jan 2011 16:42:31 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Marek Salwerowicz <salwerom@iem.pw.edu.pl>
Cc:        freebsd-current@freebsd.org, Andrzej Tobola <ato@iem.pw.edu.pl>
Subject:   Re: NFSv4 and pam_mount - mounting user home directories (with security?)
Message-ID:  <68044570.109439.1294695751441.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <7B2D6737C7D44738A9710C1BD5E5711F@marekdesktop>

> 
> So I would like NFSv4 to serve user home directories across the
> network for all workstations, but I would like it to protect using
> user password
> 
> Eg. on workstation I want to do:
> 
> sudo mount -t nfs -o nfsv4 nfs4-server:/home/user1 /home/user1
> and then I want to be asked for password of user1 at server (or in the
> whole network - users and passwords are stored in LDAP server
> and workstation and server have access to it)
> 
> Is it possible to do with NFSv4?
> 
The short answer is no. The long answer is that you can require users to
have valid Kerberos credentials for access to an NFS volume (via v3 or v4).
But that requires the setup of Kerberos and I'm not volunteering to help
with that. :-) There are some good books/tutorials on setting up Kerberos
and it works well, once you wade through the hassles of getting it going.
(Kerberos authenticates the user for access to the server volume. It is
 not a host based authentication for the mount. If you choose to use
 Kerberos, you need to allow the user to do the mount without sudo by
 setting vfs.usermount=1 and then you restrict the server volume(s) with
 the sec= export option.)

rick
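
One way to check the server side of the sec= restriction described in the reply above, as an added example that is not part of the original message: a shell function that lists the lines of a FreeBSD exports(5) file that still admit AUTH_SYS access. The function names, sample paths and network below are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag FreeBSD exports(5) lines that still admit AUTH_SYS.
# A line is reported when it has no -sec= option (the default flavor is sys)
# or when its -sec= list names anything other than krb5, krb5i or krb5p.
audit_exports() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continued lines
        {
            $0 = buf $0; buf = ""
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next  # comment or blank
            flavors = "sys"                               # default without -sec
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-sec=/) flavors = substr($i, 6)
            n = split(flavors, f, ":")
            weak = (n == 0)                               # empty list is suspect
            for (j = 1; j <= n; j++)
                if (f[j] !~ /^krb5[ip]?$/) weak = 1
            if (weak) print
        }
    ' "$@"
}

# Constructed sample exports file (paths and network are made up).
sample_exports() {
cat <<'EOF'
# home directories
V4: /home -sec=krb5:krb5i:krb5p
/home/user1 -sec=krb5p -network 192.0.2.0 -mask 255.255.255.0
/home/user2 -network 192.0.2.0 -mask 255.255.255.0
/home/user3 -sec=krb5:sys \
    -network 192.0.2.0 -mask 255.255.255.0
EOF
}

# Reports the user2 line (no -sec=) and the user3 line (sys still listed).
sample_exports | audit_exports
```

On a server, pass the exports file as the argument instead of piping the sample, for example `audit_exports /etc/exports`.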


