Date: Tue, 4 Dec 2001 19:21:02 +0100 (CET)
From: "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
To: freebsd-questions@freebsd.org
Subject: Some administrative questions FBSD/NIS/KERBEROS/NFS
Message-ID: <20011204185847.Q83313-100000@klima.physik.uni-mainz.de>
Dear Sirs.

We are a small department at the Johannes Gutenberg University of Mainz and at this moment I'm the responsible administrator around here for our UNIX systems. Since I developed and built this computer facility, we use FreeBSD on all backbone systems and now some desktop users seem to prefer FreeBSD over Linux. FreeBSD runs with really great success here and although I had a lot of trouble with several buggy parts of FBSD, our problems were never more in quantity than those that several departments of physics still have with their Linux systems or our computing center has with Solaris and other operating systems.

NFS and NIS/YP run in our small department and we try to use only core software to build up the base part of our interconnected systems. With the growth of the computer systems the lack of security aspects became a 'hot-spot' in the past and now I wish to develop some solutions.

At this moment all of our main servers are interconnected via NIS/YP and a main fileserver spreads diskspace over to all machines via NFS. There are only a few administrators who are capable of becoming root on all machines, but the more people want their desktop machine to be manageable by themselves, the more I run into trouble. One of the unsolved problems is that root within a NIS/YP domain can gain access to each part of exported NFS filesystems and via su - USER each local root is capable of gaining access to someone's 'privacies'. Our department of physics runs a Linux cluster that way - and this is definitely not what we want to do!

I never dealt with KERBEROS 4/KERBEROS 5 but I was told that this facility is capable of exporting NFS filesystems to other machines and if the master Kerberos server which is under the administrative control does not give a local user root privileges over an exported filesystem, no one is capable of gaining access to NIS/YP accounts via root privileges on a local machine having NIS/YP maps incorporated (means in my bad English: a client is its local root and the machine he uses is under its local root-control but this machine is part of the NIS/YP domain. That means in the unprotected domain, that a local root is capable of becoming each user he wants to be and access this way NFS exported filesystems - and this is what I want to avoid).

I played around with sudo, but this is not the suitable tool due to the fact a local root on a client can 'override' this mechanism as an easy exercise ...

I saw that NFS export options do have Kerberos options and FreeBSD has HEIMDAL and Kerberos IV. I prefer HEIMDAL/Kerberos 5 but do not wish to install the port (there are some export restrictions ...). In the past, in the time of FBSD 3.X or FBSD 2.X.X there was a special kernel option to make Kerberos a part of the system's base functions (the man page of export still refers to this option).

Does anyone have experience in doing this type of administering a big NIS/YP domain using HEIMDAL or Kerberos 5? And the essential question is: is Kerberos the right tool to do what I want?

Thanks a lot for your hints ...

Oliver

--
Best regards,
O. Hartmann
ohartman@klima.physik.uni-mainz.de
----------------------------------------------------------------
IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
----------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (Maschinenraum)
Tel: +496131/3924144
FAX: +496131/3923532

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message