Hi everyone !
Right now I can’t decide wich one is the most versatile and fit my personal needs, so I’m looking into your personal experience with each one of them, if you mind sharing your experience.
It’s mostly for secure shared volumes containing ebooks and media storage/files on my home network. Adding some security into the mix even tough I actually don’t need it (mostly for learning process).
More precisely how difficult is the NFS configuration with kerberos? Is it actually useful? Never used kerberos and have no idea how it works, so it’s a very much new tech on my side.
I would really apreciate some indepth personal experience and why you would considere one over another !
Thank you !
NFS v4 with krb is probably the best option of these if Linux/macOS is all you need to support because everything just works transparently with one system-wide mount. I had it set up for a couple years until recently (had to basically completely give up on my network setup including the box the KDC was running on for unrelated reasons recently and have still yet to set it up completely again).
Kerberos is pretty straightforward to set up if you know how it works, I think the main problem is lack of documentation and pretty awful NFS error messages (you pretty much have to enable nfsd/rpc debug kernel options if you want to even begin figuring out what’s going wrong when your mount doesn’t work). The first time I set it up it took me a whole day to get it to actually work, and in the end a reboot of the NFS server solved the problem I had.
Look at the Arch wiki article for Kerberos, I think that’s what I used mostly. Feel free to ask if you need help setting it up.
(Unfortunately IMO all of these suck in different ways though: sshfs dies if your SSH connection gets interrupted, NFS v4 (v3 is unusable imo because it doesn’t have idmap so you have to make sure your user IDs match on every machine) isn’t supported by Windows and mobile devices, Samba doesn’t map well to Unix permissions and I can’t tell what its “unix extensions” are actually supposed to do if it isn’t permissions. Integrating Samba with NFS, if you want to use both, also is pretty hard because while Samba theoretically uses Kerberos, it doesn’t work with a normal KDC but needs Samba AD because Microsoft (I haven’t taken a look at Samba AD yet). And forget integrating Samba with anything that isn’t Kerberos-based entirely because NTLM is the only other auth mechanism and it’s pretty much incompatible with anything because the client only sends the password hashed with a unique mechanism. So you’re going to have a pretty bad time if you want to use a single auth mechanism for everything if SMB is involved, and that’s pretty much your only option if you want to access stuff on a mobile device.)
Thank you for your friendly and detailed response !!!
It’s always Arch wiki :D. Thank you, but I will probably stay with samba at the moment which will probably fullfil my current needs and seems more complex than I thought ! Also, it’s in a multi-OS environnement (Windows, MacOS, Linux) and NFS seems to not work very well with Windows :/ If I could I would switch my whole family to Linux, but old habits die hard…
Anyway, will keep Kerberos under my radar ! I really want to learn more about it seems very interesting, especially the cybersecurity aspect !
If you don’t mind… Can you tell very briefly what kerberos actually solves in a coporate environnement ? Please, give me a sneek peak of the subject that awaits me :) !!
Then, take a look at ksmbd which is basically a mini SMB implementation in the kernel. I haven’t used it yet, but apparently it’s more performant and easier to set up.
It provides single sign-on capability. As I already said Active Directory is built on Kerberos for authentication, but it’s used similarly on Linux, logging in to Kerberos gives you a TGT (ticket-granting ticket) which essentially allows you to also authenticate to other services like NFS, SSH (in which case it can forward your ticket to the machine you log on to), stuff like IMAP, even websites (though as far as I’ve seen you need to do some stupid per-domain manual setup for at least Firefox) without having to enter your password again, at least, until the ticket expires, or storing it anywhere. There’s much more that supports it but I’ve only used it for NFS and I’ve experimented with using it for SSH auth, and only for personal use, so I can’t tell you what exactly.
It’s worth noting that it’s purely for authentication and not authorization, so if you want central permission management, something else will have to do that, such as LDAP which is also what AD uses.