Host based authentication
J. Bruce Fields
bfields at fieldses.org
Fri Apr 20 12:42:09 EDT 2007
On Fri, Apr 20, 2007 at 12:00:14PM -0400, Peter Staubach wrote:
> This sort of support would make companies, who have administrative domains
> with overlapping uids and gids, very happy. They've been asking for a way
> to do uid/gid mapping for quite a while now.
So these are people that wouldn't be interested without arbitrary
mappings of ids?
> We've always put them off by suggesting they use Kerberos, which
> solves the immediate problem, while introducing a whole host of
> others, mainly deploying and maintaining Kerberos realms.
Yeah. Of course, I don't really know their situation. So all I have is
my knee-jerk reaction: that they may be putting too much faith in their
firewalls, and that the effort would be better spent on making Kerberos
easier to deploy. Which is not fundamentally impossible, as Mike Eisler
keeps saying. I don't have experience doing big Kerberos deployments;
somebody that did could make a big difference here. Some possible
starting points:
- Bull's work on administration tools:
  http://nfsv4.bullopensource.org/admin_tools.php
- various distributions' Kerberos packages--could their scripts
  do more work for the administrator? Could they learn
  anything from each other? (E.g., I seem to recall Debian's
  scripts being a little more helpful than some of the others.)
--b.