From: Rick Macklem
To: Marek Salwerowicz
Cc: freebsd-current@freebsd.org, Andrzej Tobola
Date: Mon, 10 Jan 2011 16:42:31 -0500 (EST)
Subject: Re: NFSv4 and pam_mount - mounting user home directories (with security?)

> So I would like NFSv4 to serve user home directories across the
> network for all workstations, but I would like it to protect using
> user password
>
> Eg. on workstation I want to do:
>
> sudo mount -t nfs -o nfsv4 nfs4-server:/home/user1 /home/user1
> and then I want to be asked for password of user1 at server (or in the
> whole network - users and passwords are stored in LDAP server
> and workstation and server have access to it)
>
> Is it possible to do with NFSv4?
>

The short answer is no.

The long answer is that you can require users to have valid Kerberos
credentials for access to an NFS volume (via v3 or v4). But that requires
the setup of Kerberos and I'm not volunteering to help with that. :-)

There are some good books/tutorials on setting up Kerberos and it works
well, once you wade through the hassles of getting it going.

(Kerberos authenticates the user for access to the server volume. It is
not a host-based authentication for the mount. If you choose to use
Kerberos, you need to allow the user to do the mount without sudo by
setting vfs.usermount=1 and then you restrict the server volume(s) with
the sec= export option.)

rick
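
A check for the server-side half of the advice above, added here as an example and not part of the original message: it lists exports(5) entries that still accept sec=sys instead of being restricted to Kerberos flavors. The function names and the sample exports text (paths, network) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads FreeBSD exports(5) text on stdin and prints "LINENO: entry" for each
# entry that still accepts AUTH_SYS: either -sec= is absent (exports(5) then
# defaults to "sys") or its colon-separated flavor list includes "sys".
# Exit status: 0 = every entry is Kerberos-only, 1 = at least one weak entry.
weak_exports() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            flavors = "sys"                     # default when -sec= is absent
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-sec=/) flavors = substr($i, 6)
            n = split(flavors, f, ":")
            for (j = 1; j <= n; j++)
                if (f[j] == "sys") { printf "%d: %s\n", NR, $0; bad = 1; break }
        }
        END { exit bad }
    '
}

# Constructed sample input (paths and network are made up).
sample_exports() {
    cat <<'EOF'
# NFSv4 root and home directories
V4: /home -sec=krb5:krb5i:krb5p
/home/user1 -sec=krb5p
/home/user2 -sec=krb5:sys
/home/user3 -network 192.0.2.0 -mask 255.255.255.0
EOF
}

# Stand-alone run: audit the sample and show the result.
sample_exports | weak_exports || echo "entries above still allow sec=sys"
```

On a real server the same function can be fed the live file with `weak_exports < /etc/exports`.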