I've been working on Kerberos + NFSv4. There's a reason it's not common though - there's a lot of hoops to jump through to get it "working" in a way that's suitably convenient. It's not too bad on RHEL6, but on 5 you've got to do a bit more messing around with host nfs principals than I like (you need an NFS service principal to mount your KRB mount in the first place).

The thing we like though, is that NFS4 + KRB is quite a lot closer to CIFS styles. Within RHEL6 you can use 'net ads' to do a lot of the integration with Active Directory, including keytab generation, which makes it fairly convenient.

The thing we've had most trouble with, though, is root mounts - it's irritatingly difficult to get the root user on an NFS client set up in kerberos. Fortunately, you can also do mixed security mode exports from your filer, and designate your 'admin' host as a valid system to mount 'sec=sys'. Or you can configure kerberos root service principals (which is probably the _right_ way of doing it).

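The mixed-security export described above (Kerberos for everyone, sec=sys only for a designated admin host) is easy to set up and easy to forget about. As an added example that is not part of the thread or anyone's filer config, the script below audits a Linux-style /etc/exports file and lists every client entry that is still permitted sec=sys, including entries with no sec= option at all (sys is the default). The sample exports file is constructed inline; the filer-side export syntax is different, so this only parses the Linux format.

```shell
#!/bin/sh
# Added example, not from the original thread: list which clients an
# /etc/exports file still allows to mount with sec=sys, so that a mixed
# security export (krb5 for users, sys for the admin host) can be reviewed.
# Assumes Linux exports(5) syntax; NetApp export rules are formatted differently.

# Constructed sample exports file, written to a temp file so the script runs offline.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat >"$SAMPLE_EXPORTS" <<'EOF'
# constructed sample: mixed-security export, one admin host allowed sys auth
/export/research  *.example.com(sec=krb5p,rw) admin.example.com(sec=sys,rw,no_root_squash)
/export/scratch   10.0.0.0/24(rw)
/export/phi       *.example.com(sec=krb5p,rw,root_squash)
EOF

# list_sys_clients FILE
# Prints "export client options" for every client entry whose option list
# allows sec=sys: either sec=sys / sec=krb5:sys explicitly, or no sec= option
# at all, which exports(5) treats as sec=sys.
list_sys_clients() {
    # drop comment and blank lines, then walk each export's client entries
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '{
        export = $1
        for (i = 2; i <= NF; i++) {
            entry = $i
            client = entry; opts = ""
            p = index(entry, "(")
            if (p > 0) {
                client = substr(entry, 1, p - 1)
                opts   = substr(entry, p + 1, length(entry) - p - 1)
            }
            # no sec= option means the kernel default, which is sys
            if (opts !~ /sec=/) {
                print export, client, "sec=sys(default)" (opts == "" ? "" : "," opts)
                continue
            }
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/ && o[j] ~ /sys/) print export, client, opts
        }
    }'
}

# count_sys_clients FILE -> number of client entries permitted sec=sys
count_sys_clients() {
    list_sys_clients "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the sys-capable entries in the constructed sample.
list_sys_clients "$SAMPLE_EXPORTS"
```

For the sample above the output names the admin host on /export/research and the whole 10.0.0.0/24 range on /export/scratch, and leaves /export/phi alone; on a real export file, any entry that appears here and is not the intended admin host is one to look at, and a sec=sys entry that also carries no_root_squash deserves the closest look.
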
On 7 November 2014 21:53, Michael Garrison <mcgarr@umich.edu> wrote:
We currently offer an NFS v3 service that people can purchase. It's relatively inexpensive and basic, but that's what folks like. They can access it from their desktop and then access the data on a cluster to do compute jobs. However, it doesn't meet the requirements of being able to store sensitive data - like ePHI.

I've been exploring the route of NFS v4 with Kerberos, but the Linux client leaves a lot to be desired. Additionally, folks are so used to how NFS v3 works that introducing Kerberos into the mix is challenging.

How are other groups (business, academic, whatever), addressing security, yet doing it in an inexpensive manner and allowing cross-platform access? Is anyone doing NFS v4 (or v3) with Kerberos today?

Thanks,
Mike Garrison

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters