Hi all,
I hope that this isn't too obvious a question but here goes....
I'm wondering how people are handling NFS security in environments where you have a lot of Mac OS X or Linux computer systems. For ease of administration, I would love to be able to specify that any computer within our network has read access to various qtrees. But this opens up a can of worms in that anybody with root access on their local Mac or Linux box can spoof user accounts with legitimate UID's and GID's. This essentially gives away the keys to the kingdom.
The other obvious alternative is using netgroups but that would be a lot of administration as machines come and go. It's certainly better than opening up access to everybody but not a course that I'd like to take.
Are there any other alternatives that I'm missing? Thanks!
--- Pat Allen (pat@mbari.org) Monterey Bay Aquarium Research Institute (MBARI) 7700 Sandholdt Rd, Moss Landing, CA 95039 (voice) 831-775-1724; (fax) 831-775-1620
On Tue, Aug 27, 2002 at 10:25:08AM -0700, Allen, Pat wrote:
Hi all,
I hope that this isn't too obvious a question but here goes....
I'm wondering how people are handling NFS security in environments where you have a lot of Mac OS X or Linux computer systems. For ease of administration, I would love to be able to specify that any computer within our network has read access to various qtrees. But this opens up a can of worms in that anybody with root access on their local Mac or Linux box can spoof user accounts with legitimate UID's and GID's. This essentially gives away the keys to the kingdom.
Don't export with root privs at all then.
The other obvious alternative is using netgroups but that would be a lot of administration as machines come and go. It's certainly better than opening up access to everybody but not a course that I'd like to take.
Force them to use authentication and export via CIFS or something instead.
Are there any other alternatives that I'm missing? Thanks!
As I said, turn off the root to root mapping, only export items read only that they need, anything else should be via authenticated login, which CIFS supports and both Linux and OS X can do.
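The advice above (no root mapping, read-only, named clients) is easy to check mechanically. The following is an added example, not code from the thread or from NetApp: it parses Linux exports(5)-style lines (Data ONTAP's /etc/exports syntax differs, so this is an assumption for illustration) and flags the two things the thread warns about, no_root_squash and an AUTH_SYS export reachable from any host, where a local root can present whatever uid/gid it likes. The sample lines are constructed.

```python
"""Added example (not from the thread): audit exports(5)-style lines for
exports any host can reach under AUTH_SYS, plus no_root_squash.

Assumption: Linux exports(5) syntax, not Data ONTAP's /etc/exports syntax.
"""
import re
from dataclasses import dataclass

# Constructed sample, one exports(5) line per export. Not a real config.
SAMPLE_EXPORTS = """
# public read-only tree, exported to the world
/export/pub      *(ro,root_squash)
/export/proj     *(rw,no_root_squash)
/export/home     @labhosts(rw,root_squash)
/export/scratch  10.0.0.0/8(rw)
/export/krb      *(rw,sec=krb5p)
"""

BROAD_PREFIX = 24  # assumption: a CIDR shorter than /24 counts as "any host"


@dataclass
class Export:
    path: str
    client: str
    options: tuple


def parse_exports(text):
    """Split exports(5) text into one Export per (path, client) pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ''
        tokens = rest.split() or ['*']  # no client at all means everyone
        for tok in tokens:
            m = re.fullmatch(r'([^(]*)(?:\(([^)]*)\))?', tok)
            if m is None:
                raise ValueError(f'cannot parse client spec {tok!r}')
            client = m.group(1) or '*'  # a bare "(opts)" is also everyone
            opts = tuple(o.strip() for o in (m.group(2) or '').split(',')
                         if o.strip())
            entries.append(Export(path, client, opts))
    return entries


def is_broad(client):
    """True when the client spec admits arbitrary hosts rather than named ones."""
    if client.startswith('*') or client.startswith('?'):
        return True
    if '/' in client:  # CIDR block
        _, _, prefix = client.partition('/')
        try:
            return int(prefix) < BROAD_PREFIX
        except ValueError:  # dotted netmask: treat conservatively as broad
            return True
    return False  # explicit host or @netgroup


def sec_flavors(options):
    """Security flavours offered; exports(5) defaults to sec=sys (AUTH_SYS)."""
    for opt in options:
        if opt.startswith('sec='):
            return opt[4:].split(':')
    return ['sys']


def audit(export):
    """Return the findings for one export entry (empty list means OK)."""
    findings = []
    opts = set(export.options)
    mode = 'rw' if 'rw' in opts else 'ro'
    if 'no_root_squash' in opts:
        findings.append('no_root_squash: client root is root on the server')
    # root_squash only remaps uid 0; every other uid/gid is still taken on
    # trust under AUTH_SYS, so a broad client list is the real problem.
    if is_broad(export.client) and 'sys' in sec_flavors(export.options):
        findings.append(f'AUTH_SYS {mode} export to {export.client}: '
                        'a local root can present any uid/gid')
    return findings


def risky_exports(text):
    """Parse and audit; return [(path, client, findings)] for flagged entries."""
    return [(e.path, e.client, audit(e))
            for e in parse_exports(text) if audit(e)]


if __name__ == '__main__':
    for path, client, findings in risky_exports(SAMPLE_EXPORTS):
        print(f'{path} {client}')
        for finding in findings:
            print(f'    - {finding}')
```

Note that the read-only world export of /export/pub is still flagged: read-only stops writes, but under AUTH_SYS a forged uid still reads whatever that uid may read, which is the "keys to the kingdom" problem in the original question. The /export/krb line shows the one shape that passes with a wildcard client, a Kerberos flavour, which is exactly the "authenticated login" the reply recommends.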
Both MacOS X and Linux have support for smb (cifs) filesystems, so you could use CIFS instead. It doesn't dovetail with unix as nicely as NFS, but it may be good enough.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
NFS is really annoying when you have to deploy it in a lab environment. The best solution I've seen is the approach used at http://tux.anu.edu.au/Projects/NFS_filter/. It does change the networking setup of your typical lab. You basically put all of your machines behind a linux router that authenticates and filters every nfs request. The major downside is that this project doesn't seem to have released any code, although they state their intention to do so. Another solution which is not as comprehensive is the "secure export system" at ftp://ftp.monash.edu.au/pub/keithl/SES/.
We've done something whereby the machine at boot contacts a daemon running elsewhere. Using a shared secret the machine notifies the daemon to modify the netgroup on the fly, allowing it to perform the mount. It's still lousy, but it's not quite as bad as a raw export.
If you go the cifs route on Linux, you may want to update your smbfs module to take advantage of cifs extensions for unix (see http://uranus.it.swin.edu.au/~jn/linux/smbfs/) -- otherwise you'll get errors when xauth attempts to lock the .Xauthority. The webpage also describes a method of performing the smbmount automatically at login. I recommend taking a look at pam_mount (http://www.flyn.org/) as an alternate method of doing this.
I'm hoping NFSv4 can help in the future, but the linux patches are still immature. Also the DataONTAP 6.2 docs say a Win2k KDC is required.
On Tue, 27 Aug 2002, Steve Losen wrote:
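The boot-time "contact a daemon with a shared secret, get added to the netgroup" scheme described above, as an added example rather than the poster's own code. It assumes a constructed wire format (hostname|timestamp|nonce|HMAC), constructed hostnames and keys, and a constructed netgroup name; the real daemon would also have to push the result to wherever the filer reads netgroups from (NIS, LDAP or /etc/netgroup). The HMAC proves possession of the per-host secret, the time window bounds stale requests, and the nonce cache rejects replays.

```python
"""Added example (not the poster's code): boot-time netgroup registration
authenticated with a per-host shared secret (HMAC-SHA256).

Assumptions: wire format, hostnames, keys and netgroup name are constructed.
"""
import hashlib
import hmac
import os
import time

WINDOW_SECONDS = 60  # assumption: client and daemon clocks within a minute


def build_request(hostname, secret, now=None, nonce=None):
    """Client side, run at boot: returns 'host|ts|nonce|hmac'."""
    ts = int(time.time()) if now is None else int(now)
    nonce = os.urandom(16).hex() if nonce is None else nonce
    body = f'{hostname}|{ts}|{nonce}'
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f'{body}|{mac}'


class NetgroupDaemon:
    """Server side: verifies requests and maintains netgroup membership."""

    def __init__(self, secrets, now_fn=time.time):
        self.secrets = dict(secrets)   # hostname -> shared secret (bytes)
        self.members = set()
        self.seen_nonces = set()       # would be a bounded cache in a daemon
        self.now_fn = now_fn

    def handle(self, message):
        """Return (accepted, reason); nothing is added unless every check passes."""
        try:
            hostname, ts_str, nonce, mac = message.split('|')
            ts = int(ts_str)
        except ValueError:
            return False, 'malformed'
        secret = self.secrets.get(hostname)
        if secret is None:
            return False, 'unknown host'
        # Recompute over the bytes the client actually signed.
        body = f'{hostname}|{ts_str}|{nonce}'
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):  # constant-time compare
            return False, 'bad mac'
        if abs(int(self.now_fn()) - ts) > WINDOW_SECONDS:
            return False, 'stale'
        if nonce in self.seen_nonces:
            return False, 'replay'
        self.seen_nonces.add(nonce)
        self.members.add(hostname)
        return True, 'added'


def render_netgroup(name, members):
    """NIS-style netgroup line: (host,user,domain) triples, '-' for no user."""
    triples = ' '.join(f'({h},-,-)' for h in sorted(members))
    return f'{name} {triples}'.rstrip()


if __name__ == '__main__':
    keys = {'mac-01.lab': b'constructed-secret-1'}  # constructed per-host key
    daemon = NetgroupDaemon(keys)
    request = build_request('mac-01.lab', keys['mac-01.lab'])
    print(daemon.handle(request))   # (True, 'added')
    print(daemon.handle(request))   # (False, 'replay')
    print(render_netgroup('labhosts', daemon.members))
```

The limit the poster admits to ("still lousy") shows up in the design: the secret sits on the client's disk, so the local root the thread is worried about can copy it to another box and register that box too. Binding each registration to its source address, using a distinct key per host so one stolen key can be revoked without touching the rest, and expiring memberships that are not renewed are what keep this better than a raw export rather than equivalent to one.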
Toasters,
Not really amused about the hike in NetApp maintenance prices, which seem to have doubled.
Is this a disturbing trend y'all are seeing with other vendors also?
Anyways, I just wanted to bitch about it.
/dev/null
devnull@adc.idt.com
Snip:
Not really amused about the hike in NetApp maintenance prices, which seem to have doubled.
Why do you care how much it costs? As long as your company is willing to pay, then just do it. All I am looking for is a product that works and doesn't cost my company downtime.
Is this a disturbing trend y'all are seeing with other vendors also?
Anyways, I just wanted to bitch about it.
Anyway, it's just my two cents.
C-
I agree that the cost is high. The thing we all have to do is weigh the risk vs. the outage cost. I have dealt with other companies that cost a lot more and deliver a lot less in support. We pay extra for SAM+ and decided that for our 19 filers it was well worth it. NetApp has come through for us with flying colors during some major crisis situations. You pay for it just like insurance. When we called, they really put forth their best side and acted as partners with us. Since we have seen them in action I can say that, for our organization and in my humble opinion, the choice to pay a little more has been a good one.
Your risk analysis may differ and your mileage may vary. C-
On Tue, Sep 17, 2002 at 08:33:58PM -0400, courier@telica.com wrote:
Hello,
The user who commented on prices increasing for older filers is correct. If you perform a quick TCO on your filers, you might find it's cheaper to replace your F7XX filers with F8XX filers since the new filer can be purchased with a 3-year maintenance contract.
Depending on your pricing structure with NetApp, you might find you'll do better (save your company money) by refreshing your hardware every 2-3 years instead of drawing it out to 3-5 years.
/Brian/
This is exactly what we did. We upgraded all of our 7xx models to 8xx models primarily because of maintenance costs associated with older models. This financial model worked for us and probably will continue to work.
~JK
Brian Long wrote:
-- Brian Long | Americas IT Hosting Sys Admin | Phone: (919) 392-7363 | Pager: (888) 651-2015 | Cisco Systems
Dear Toasters,
I was wondering if any of you guys were using Legato for backing up your NetApps. I currently have 2 filers that I am backing up to a Legato server running Solaris 2.8 over NFS. I mount the NetApp volumes onto the Legato server and then back up those mount points.
I am not sure this is the best thing to do in terms of performance.
Is there an alternate, easier solution.
Thanks,
/dev/null
devnull@adc.idt.com
The obvious performance boost would be to back it up using NDMP with direct attach tape drives. Legato actually has a pretty good NDMP backup component now, much better than NetBackup. Also, backing up over NFS loses one of the big benefits of an NDMP backup, snapshots. NFS backups do not guarantee consistency in the data whereas NDMP backups will.
~JK
devnull@adc.idt.com wrote:
Legato/NetWorker with NDMP works very well indeed. (jukebox connected to filer)
-paul
-- "There is magic in the web" - Shakespeare (Othello, Act 3, Scene 4)