Thanks for your thoughts about this.
Peter Staubach wrote:
> Is the real goal to be able to export the files using krb5
> authentication or the use of NFSv4?
>
Both, I fear.
> If the former, then why not just export the files from the
> NetApp using Kerberos?
>
> If the latter, then I suspect that it won't provide much, if
> any, benefit. It would still be limited to the NFSv3 semantics
> of the file system.
>
The current NFS4-support in NetApps OnTap is afaik quite new,
so our filer administrator doesn't want to enable it in the
near future; he prefers waiting until the issues that are likely
to come up are solved before allowing it on a productive machine.
But mounting directly from the filer using NFS3+Kerberos would
allow the following attack vector, as the clients are in an
unsecure network (i.e. could get root access on their machines):
User mounts an directory using his Kerberos-credentials
User gets root, then changes w/o password to another user
User can now read the files of that other user, as the NFS3-server
doesn't check the permissions
(at least, that's how I understood the difference between NFS3
and NFS4 -- please correct me if I'm wrong)
So my question still is: Is re-exporting an NFS-mount technically
impossible, or does it just need some coding to get it working?
Thanks in advance,
--
Infineon Technologies IT-Services GmbH Martin.Schuster1@xxxxxxxxxxxx
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
