On Sun, Jun 5, 2011 at 9:30 PM, Nico Kadel-Garcia <[email protected]> wrote:
> On Sun, Jun 5, 2011 at 5:38 AM, Simon Brandmair <[email protected]> wrote:
>> Hi,
>>
>> On 3/6/2011 19:50 Axel Freyn wrote:
>> [...]
>>> For NFSv4 this has changed. You can use NFSv4 in different modes. The
>>> easy one has the same problem.
>
> NFSv4 is a giant pain in the keister, not worth the headaches. The
> NFSv4 access published from an actual Linux or other NFSv4 capable
> service can be published, it can be passed along via Samba to CIFS
> clients, but the CIFS clients cannot *see* or manipulate the NFSv4
> permissions due to incompatibilities between the two ownership
> models, and due to the Samba code for this being "spaghetti code".
> (http://samba.2283325.n4.nabble.com/viewing-if-not-editing-NFSv4-ACL-s-from-Samba-shares-td2417666.html).
>
> Overall, NFSv4 has proven itself destabilizing and useless in small
> and large environments. It takes a significant investment in complex
> infrastructure, and the security benefits have proven to be illusory
> in the face of clients who *insist* on making their home directories
> publicly accessible, clients who use password free SSH keys, or
> clients who store passwords in source controlled software with no
> access control. (I've run into all of these in environments that spent
> useless years pursuing the "security" of NFSv4 and ignoring gaping
> holes in infrastructure security.)

Yes, I read the documentation for Kerberos and it seems to be too complicated. I think that it is overkill to connect to computers. In my case the LAN is the whole University and it is very easy to spoof an IP, I checked that. So NFSv3 might not be such a good idea.

How about NFSv3 over an ssh tunnel? That should be easy to implement. I compared the transfer of a file of 700Mb between scp (encrypted) and samba not encrypted, and the result is:

- scp: 38 seconds, and 25% of overhead in one of the 4 cores of the computer
- samba: 18 seconds and no overhead

So in my case I think it can be acceptable to do an ssh tunnel, as most of the time most of the cores of the computer are not used and there is not a big traffic of data. Are there other disadvantages of using an ssh tunnel?

Thanks,
Dan

