Date:      Sat, 24 Jun 2017 10:35:48 -0400
From:      Matt B <theunusualmatt@gmail.com>
To:        Benjamin Kaduk <kaduk@mit.edu>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: SMBv1 Deprecation
Message-ID:  <CALJ5sFm+eKPonELuo2gTYR88qQz4mocFbd6fOVrTWu5FoPeWcg@mail.gmail.com>
In-Reply-To: <20170624045543.GY39245@kduck.kaduk.org>
References:  <CALJ5sFkKMGvhgRYzegikDTiTTyV1xtA_WYJW_gLkHFN9Oh0OqA@mail.gmail.com> <YTXPR01MB01893E3AAB21A03677998D2FDDDB0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> <CALJ5sFnMWGAGS8oyUvzXfq_Z4ZeRzgs==EDZf+qO-4O269qdiw@mail.gmail.com> <9b556cbe-f9f3-ab15-6fcd-71397d18c126@freebsd.org> <20170623104654.07e5a3e0@ernst.home> <45b0864b-680c-8fe0-f5a5-353b6373d069@freebsd.org> <YTXPR01MB0189251BCE0A17B8D0C51514DDD80@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> <CALJ5sF=_9=-UK+6NyWg1Wp+cZZwu+SVDMLUjirjWD9DrHy+zEQ@mail.gmail.com> <20170624045543.GY39245@kduck.kaduk.org>

It is about decreasing the attack surface. I certainly trust the level of
security and validation that Kerberos provides. The physical act of going
into the security gateways and opening ports is quite the menial task. The
main problem I have with the implementation is the deployment of keytabs to
the physical systems, which is a bit of a process to actually get the key
over there, then configuring idmapping in Windows, which brings another
round of issues regarding AD structure and permissions on the shares. More
ports open between the DMZ and the core is just one more negative reason
(to me) to not go forward with an NFS Kerberos deployment. Kerberos and NFS
are definitely a great combination when the configuration suits the
situation. I am looking into figuring out how to just implement SMBv2 for
BSD as I believe that is the best solution for my network architecture.

On Sat, Jun 24, 2017 at 12:55 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Fri, Jun 23, 2017 at 09:42:30AM -0400, Matt B wrote:
> > I am currently using the Win implementation of NFS 4.1 to provide share
> > access in the interim. NFS does work, and it works well, but due to spread
> > out local service accounts on the BSD systems, permissions have become a bit
> > of a challenge. I would have to set up idmapping in the Win environment and
> > then configure all shares with these new perms that Windows can understand.
> > Right now, when the scripts and programs run, they plop down files/folders
> > that have the perms of the user running the script/program. Windows loses
> > its mind and I have to force grab ownership of the files and folders and
> > re-inherit perms from the parent directory. Windows doesn't like that and
> > thus it is a slow process to cascade down the NTFS ACLs. The other prong to
> > the NFS approach is Kerberos. I would have to generate keytabs for all of
> > these systems, some of them live in a DMZ and navigate to the shares
> > through a firewall, which means I need to open up more ports from the DMZ
> > back to the core for Kerberos to work. Not something I want to do.
>
> What follows is a digression from the core point of the thread, but
> as one of the (upstream) developers for security/krb5, I would
> really like to know more about why you are reluctant to open up
> ports for Kerberos traffic.  Of course there is the sheer mundane
> work of actually changing the configuration to effect the opening of
> the ports, but it sounds like perhaps you are unhappy for some
> deeper reason, like perhaps a desire to reduce the overall number of
> open ports or a particular distrust of Kerberos.
>
> With respect to the latter, the Kerberos protocol is explicitly
> designed to run over a hostile network, and both the Heimdal and MIT
> implementations are mature projects that have many production
> deployments exposed to the internet.  From my (presumably biased)
> perspective, switching to Kerberos+NFS would be a security win over
> SMBv1, even with the extra open ports.
>
> Thanks,
>
> Ben
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALJ5sFm%2BeKPonELuo2gTYR88qQz4mocFbd6fOVrTWu5FoPeWcg>
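An added illustration, not part of the thread above, of what "more ports open between the DMZ and the core" comes to for Kerberised NFSv4 behind a FreeBSD pf firewall. The ruleset below is example configuration written for this archive page, not anything Matt or Ben posted; the interface names, addresses and table names are placeholders (assumptions). The point it makes is that the KDC exchange needs exactly one port (88, TCP and UDP, per RFC 4120) and NFSv4 one more (2049/tcp), while the Kerberos admin ports never have to be reachable from the DMZ if keytabs are minted on the core side and pushed out to the hosts.

```pf
# Added example, not from the thread: pf.conf fragment for the firewall that
# sits between the DMZ and the core. Interface names and addresses below are
# assumptions chosen for illustration.

ext_if = "em0"          # DMZ-facing interface (assumed)
int_if = "em1"          # core-facing interface (assumed)

# DMZ hosts that will mount NFSv4 with sec=krb5 (assumed addresses)
table <dmz_nfs_clients> { 192.0.2.10, 192.0.2.11 }
# KDC and NFSv4 server in the core (assumed addresses)
table <core_kdc>        { 198.51.100.5 }
table <core_nfs>        { 198.51.100.20 }

# Default deny from the DMZ side; pf keeps state on "pass", so replies to the
# flows below come back without extra rules.
block in on $ext_if all

# Kerberos AS/TGS exchanges: KDC on 88, TCP and UDP. Clients start over UDP
# and retry over TCP when a reply is too large for a datagram (common with
# AD-style tickets carrying PACs), so both transports must be open.
pass in quick on $ext_if proto { tcp, udp } \
    from <dmz_nfs_clients> to <core_kdc> port 88

# NFSv4 needs only 2049/tcp: no rpcbind, mountd, statd or lockd ports, which
# is the NFSv3 baggage that used to make NFS through a firewall painful.
pass in quick on $ext_if proto tcp \
    from <dmz_nfs_clients> to <core_nfs> port 2049

# Deliberately NOT opened from the DMZ: kadmin (749/tcp) and kpasswd (464).
# Service principals and keytabs are created on the core side and copied to
# each DMZ host over an existing admin path, so the DMZ never reaches the
# KDC's administrative interface.
```

Syntax-check with pfctl -nf /etc/pf.conf before loading it with pfctl -f. Two things to pair with it: point the DMZ clients at the KDC explicitly in krb5.conf (kdc = 198.51.100.5 under the realm, with dns_lookup_kdc = false) so they do not also need DNS SRV lookups back into the core, and give the DMZ hosts a time source, since both MIT and Heimdal reject tickets outside the default 5-minute clock skew. Whether the KDC is a FreeBSD Heimdal/MIT realm or an AD domain controller, it listens on 88, so the same single rule applies.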