Date: Mon, 27 May 2002 15:32:40 +0200 (CEST)
From: "Hartmann, O."
To: freebsd-stable@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: NFS mounts secured by KERBEROS/HEIMDAL, possible in FBSD 4.6?
Message-ID: <20020527151740.L56945-100000@klima.physik.uni-mainz.de>

Hello.

In our environment we use NFS and NIS/YP for distributing and managing a shared environment. Over the last period the structure of this environment has grown a little bit complicated, and several client machines running FreeBSD have their own root, but they need to mount centralized shared filesystems from our NFS server. NIS/YP is a bad solution for this purpose, AFS is not a core part of FreeBSD, and so I played with the (maybe very naive) idea to 'kerberize' everything. At the moment we are building up a KDC.

My intention is to authenticate each machine and each user against a 'heimdalized' or 'kerberized' user database, and each NFS export should be exported as a kerberized export. I need to prevent each NFS export from being compromised by an external client's root, so an external machine should be able to mount an NFS export - but no root access is gained by any non-centralized root.

Example: the NFS export 'homes' contains all the home directories for our users. Within the NIS/YP domain it is no problem to export them to clients which are under the control of a small supervisor group. But within our workgroup of scientists we have a growing group of clients which are not centrally managed, meaning they have their own root. The problem with NIS/YP and NFS is that root on those external clients can gain access to each user by 'su -' when they are members of the NIS/YP domain and have their own local root. You can understand that this is not a nice and secure solution.

My question is: is there a solution with native FreeBSD tools to restrict 'external' root's access to an NFS share within a NIS/YP domain? My idea is to have a bunch of servers under central control (also NFS and NIS/YP server) and a bunch of locally managed clients with their own local root. These machines should be able to mount an NFS export and be members of the NIS/YP domain, but root on those machines must not have access to any root-shares or shares of other users.

I saw several mount options for kerberos/heimdal in FreeBSD's manual for mount and I thought this could be a solution. Are there any other working solutions for those problems for FreeBSD 4.6/4.5? Those solutions should work in an environment with a lot of traffic and must be stable like NFS and NIS/YP under FreeBSD 4.6.

I would welcome any hint, tip or discussion of this problem; my knowledge is rather limited.

Thanks a lot.

oliver

--
Best regards
O. Hartmann
ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (machine room)
Tel: +496131/3924144 (office)
FAX: +496131/3923532