NFS security for NAS

Is it possible to have NFS with some security like a password (as with Samba) too?
It seems simple NFS can only do IP restriction, but it could do more security with Kerberos; someone in the forum wrote, though, that some kernel module might be missing for that?
Is it true, or already solved by now?

Does anyone know a working solution for this?

Since NIC.CZ has security as high importance, I think this should be addressed anyway.

I’m not sure if the NFS provided in nfs-kernel-server is NFSv4, but it should be by now. The other question is if it is NFSv4, whether it provides the proper security.

This article mentions some of the NFSv4 security options:


This has been one of NFSv3’s weakest features. Now a strong security model is mandated, where client/server interactions are done using the GSS-API framework. Three security mechanisms are required: Kerberos, LIPKEY, and SPKM-3. Which one is actually used is negotiated between client and server. In addition, also negotiated are quality of protection, such as which crypto techniques are used, and service, i.e., authentication only, integrity, or privacy. Security principals are now given as strings (e.g., user@domain) rather than as user IDs as was done in the earlier versions. Authorization uses both standard UNIX-like permissions as well as Windows ACLs.

I’m sure there are many articles out there on how to implement these options.

Hello jklaas,

thanks for the feedback. I think we have NFS3 in the current TO 3.11.3. AFAIK in TO 4.0 alpha there could be NFS4 already, but it is probably a long way until that will be ready.
This was the topic where someone mentioned that there have been missing kernel modules that prevented using password-protected Kerberos NFS. So my question was related to this, whether it is still the case, and will also be the case with TO 4.0? And if any of you could still circumvent this issue, to use password-protected mounts (beyond Samba, where it is possible)?
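
As an added example (not from any post in this thread or from the Turris project): a shell function that reads an `/etc/exports`-style file and reports, per export and client, whether access rests on IP restriction alone (`sec=sys`, the default when no `sec=` option is given) or on a Kerberos flavor, where `krb5`, `krb5i` and `krb5p` correspond to the authentication only, integrity and privacy services named in the quoted article. The sample exports, paths, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an exports(5)-style file for the RPC security flavor of each export.

# Constructed sample input, not taken from any real system.
sample_exports() {
cat <<'EOF'
# constructed sample exports file
/srv/media   192.168.1.0/24(ro,sync)
/srv/backup  192.168.1.10(rw,sync,sec=krb5p)
/srv/home    *.lan(rw,sec=krb5i:krb5) 192.168.1.20(rw)
EOF
}

# Reads exports entries on stdin and prints one line per (path, client):
#   <path> <client> <offered flavors> <weakest protection a client can negotiate>
# Line continuations and "-options" default lists are not handled here.
audit_exports() {
  awk '
    BEGIN {
      rank["krb5"] = 1; rank["krb5i"] = 2; rank["krb5p"] = 3
      name[0] = "ip-only"; name[1] = "auth"; name[2] = "integrity"; name[3] = "privacy"
    }
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                         # split client(opt,opt,...)
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1, length($i) - p - 1)
        }
        flavors = "sys"                      # AUTH_SYS is the default flavor
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
        # Several flavors may be listed; the client may pick any of them,
        # so the weakest one decides. Unlisted flavors count as ip-only.
        w = 3
        m = split(flavors, f, ":")
        for (k = 1; k <= m; k++) {
          r = (f[k] in rank) ? rank[f[k]] : 0
          if (r < w) w = r
        }
        print $1, client, flavors, name[w]
      }
    }'
}

sample_exports | audit_exports
```

On a real server, feed it the live file with `audit_exports < /etc/exports`; any `ip-only` line is an export that relies on host restriction and client-asserted user IDs.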