Date: Fri, 23 Jun 2017 23:55:44 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Matt B <theunusualmatt@gmail.com>
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject: Re: SMBv1 Deprecation
Message-ID: <20170624045543.GY39245@kduck.kaduk.org>
In-Reply-To: <CALJ5sF=_9=-UK%2B6NyWg1Wp%2BcZZwu%2BSVDMLUjirjWD9DrHy%2BzEQ@mail.gmail.com>
References: <CALJ5sFkKMGvhgRYzegikDTiTTyV1xtA_WYJW_gLkHFN9Oh0OqA@mail.gmail.com>
 <YTXPR01MB01893E3AAB21A03677998D2FDDDB0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
 <CALJ5sFnMWGAGS8oyUvzXfq_Z4ZeRzgs==EDZf%2BqO-4O269qdiw@mail.gmail.com>
 <9b556cbe-f9f3-ab15-6fcd-71397d18c126@freebsd.org>
 <20170623104654.07e5a3e0@ernst.home>
 <45b0864b-680c-8fe0-f5a5-353b6373d069@freebsd.org>
 <YTXPR01MB0189251BCE0A17B8D0C51514DDD80@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
 <CALJ5sF=_9=-UK%2B6NyWg1Wp%2BcZZwu%2BSVDMLUjirjWD9DrHy%2BzEQ@mail.gmail.com>
On Fri, Jun 23, 2017 at 09:42:30AM -0400, Matt B wrote:
> I am currently using the Win implementation of NFS 4.1 to provide share
> access in the interim. NFS does work, and it works well, but due to spread
> out local service accounts on the BSD systems, permissions have become a bit
> of a challenge. I would have to set up idmapping in the Win environment and
> then configure all shares with these new perms that Windows can understand.
> Right now, when the scripts and programs run, they plop down files/folders
> that have the perms of the user running the script/program. Windows loses
> its mind and I have to force grab ownership of the files and folders and
> re-inherit perms from the parent directory. Windows doesn't like that and
> thus it is a slow process to cascade down the NTFS ACLs. The other prong to
> the NFS approach is Kerberos. I would have to generate keytabs for all of
> these systems, some of them live in a DMZ and navigate to the shares
> through a firewall, which means I need to open up more ports from the DMZ
> back to the core for Kerberos to work. Not something I want to do.

What follows is a digression from the core point of the thread, but as one of the (upstream) developers for security/krb5, I would really like to know more about why you are reluctant to open up ports for Kerberos traffic. Of course there is the sheer mundane work of actually changing the configuration to effect the opening of the ports, but it sounds like perhaps you are unhappy for some deeper reason, like perhaps a desire to reduce the overall number of open ports or a particular distrust of Kerberos.

With respect to the latter, the Kerberos protocol is explicitly designed to run over a hostile network, and both the Heimdal and MIT implementations are mature projects that have many production deployments exposed to the internet. From my (presumably biased) perspective, switching to Kerberos+NFS would be a security win over SMBv1, even with the extra open ports.
Thanks,
Ben