what you're talking about, and what NFS doesn't provide is
authentication. I.e. making sure you are who you say you are. I
believe kerberos is commonly used to address this, though I don't know
much about it, other than it can be very challenging to configure.
You are correct that windows domains, with respect to authentication,
are more secure than simple NFS. I believe this is how it works: when
you authenticate against a windows domain from an authorized machine,
you are presented with a unique token, that, in theory anyway, can't
be forged. You then present that token to other network assets, such
as file servers. Those systems then look at that token to verify
that you are who you say you are. Then, confident in who you are,
they establish what you're allowed to do, i.e. filesystem permissions,
etc.
NFS by itself trusts that you are who you say you are, and so has no
authentication mechanism of its own. An LDAP directory as an
authentication backend provides you with an identity, but doesn't
provide you with anything that can be taken as proof that that
identity was established by a trusted source.
On 11/9/05, mourik jan c heupink <heupink@intech.unu.edu> wrote:
> Dear list,
>
> I don't know if it is appropriate to ask here, if it is not, please
> point me to the right lists (suse-linux-e..?)
>
> I am using a samba pdc right now, and we want to start using linux for
> (some) workstations as well. I have exported /home to my subnet, to
> allow access via nfs. (so you will have your home directory available
> both under windows and linux)
>
> Under windows, you have to add a machine to the domain first, and only
> THEN you are able to connect to your home drive.
>
> Under linux, I have to make sure that the user id's match up (ldap, so
> that's no problem) but something similar to "adding a workstation to
> the domain" is not necessary there. Doesn't this make windows
> networking much more secure?
>
> Suppose I (as a regular user) would install my own linux machine, and
> created users and groups with the same id's as the ldap users / groups.
> My understanding now is, that I would be able to read other people's
> data. (I would simply have to find out each users uid, and that would
> allow me to pretend to be that user, and read his/her data)
>
> I hope I am missing something vital here, or will this indeed work? That
> seems like a big security issue to me...
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
--
If you reply to a message I posted to a mailing list,
and you want me to see your reply, be sure to put my
address in the 'To:', or I might not see the message.
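The point made in the reply above (an NFS server using the default AUTH_SYS flavor simply believes the uid the client sends, whereas a Kerberos flavor such as krb5p requires a ticket from the KDC) is easy to check on a server's own export table. The script below is an added example, not code from either poster: it reads /etc/exports-style text and lists every export that still accepts AUTH_SYS, i.e. has no sec= option (sec=sys is the nfs-utils default) or lists "sys" among its flavors. The EXPORTS_SAMPLE content is constructed for the example; the host addresses and paths in it are placeholders.

```shell
#!/bin/sh
# Constructed /etc/exports sample (not from the thread). First line is the
# AUTH_SYS-only /home export the original poster describes: any host on the
# subnet that presents a matching uid is trusted. Second line requires a
# Kerberos ticket plus integrity and privacy (krb5p). Third has no sec= at
# all, which means the default, sec=sys.
EXPORTS_SAMPLE='/home 192.168.1.0/24(rw,sync,sec=sys)
/home 192.168.1.0/24(rw,sync,sec=krb5p)
/srv/public *(ro,sync)'

# Export entries contain '*' wildcards; keep the shell from globbing them.
set -f

# allows_auth_sys OPTIONS
# Exit 0 when an option string such as "rw,sync,sec=krb5p:sys" admits the
# AUTH_SYS flavor: either no sec= option is present (nfs-utils defaults to
# sec=sys) or "sys" appears in the colon-separated flavor list.
allows_auth_sys() {
  sec=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
  if [ -z "$sec" ]; then
    return 0
  fi
  printf '%s\n' "$sec" | tr ':' '\n' | grep -qx sys
}

# auth_sys_exports < exports-text
# Print one "path client-spec" line for every export that trusts the uid the
# client sends. Comment lines and blank lines are skipped.
auth_sys_exports() {
  while read -r path clients; do
    case "$path" in ''|'#'*) continue ;; esac
    for spec in $clients; do
      opts=${spec#*\(}
      if [ "$opts" = "$spec" ]; then
        opts=""            # bare host with no "(...)" option list: all defaults
      fi
      opts=${opts%\)}
      if allows_auth_sys "$opts"; then
        printf '%s %s\n' "$path" "$spec"
      fi
    done
  done
}

# Stand-alone usage: audit the constructed sample. On a real server you
# would run: auth_sys_exports < /etc/exports
printf '%s\n' "$EXPORTS_SAMPLE" | auth_sys_exports
```

An export that the script lists is one where the scenario in the original question works: a self-installed Linux box on the subnet that picks a victim's uid gets the victim's files. Moving such an export to sec=krb5, krb5i or krb5p means the client must hold a Kerberos ticket for the user (and, for the machine, a host principal), which is the Unix-side analogue of the domain-join step the poster noticed on Windows.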