[Freeipa-users] insecure IPA'd NFS

Steven Jones Steven.Jones at vuw.ac.nz
Wed May 9 22:18:25 UTC 2012


Hi,

Thanks, so I will remove the sec=sys bit and re-test... and then I assume it will be Kerberos only...

However, in effect what we are saying is we can't protect an IPA user's files if we have to allow a non-IPA user to connect? It's ALL Kerberos or nothing? Kind of makes sense...

Also then the 6.3 admin beta manual is wrong then IMHO, all that work to do Kerberos and adding sec=sys negates it all, so it's pointless... don't think that should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's suggesting I can't secure NFS, i.e. users' data, at all...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Nalin Dahyabhai [nalin at redhat.com]
Sent: Thursday, 10 May 2012 9:43 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta... all good until I use an Ubuntu client to "attack it".
> I find the non-IPA Ubuntu client can delete, alter and edit
> files... kind of Oops... I think there is a stage missing in the doc
> or a bug... can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client,
and what are the contents of the mountpoint's entry in /proc/mounts on
the client after it's been mounted?

The guide lists "sys" as one of the security flavors when it shows an
example entry in /etc/exports (I guess, because it's demonstrating
adding Kerberos settings to a previously-configured export), which I
suspect is at least part of it.

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
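
An added example, not part of the thread or of the FreeIPA guide: a small auditor for the two things asked about above, the sec= flavors an /etc/exports entry accepts on the server and the sec= value a client actually negotiated according to /proc/mounts. The sample file contents, hostnames and addresses are constructed; backslash line continuations and "-" default option groups in exports(5) are not handled.

```python
import re

KRB5 = {"krb5", "krb5i", "krb5p"}

# Constructed sample data (not taken from the thread).
SAMPLE_EXPORTS = """\
/export/home    *(rw,sec=sys:krb5:krb5i:krb5p)
/export/secure  *.example.com(rw,sec=krb5p)
/export/legacy  192.0.2.10(rw,sync)   # no sec= at all
"""
SAMPLE_MOUNTS = ("nfs.example.com:/export/home /home nfs4 "
                 "rw,relatime,vers=4,sec=sys,clientaddr=192.0.2.50 0 0\n")

def export_flavors(options):
    """Security flavors allowed by one exports(5) option list."""
    flavors = set()
    for opt in options.split(","):
        if opt.startswith("sec="):
            flavors.update(opt[4:].split(":"))
    return flavors or {"sys"}  # exports(5): sys is the default flavor

def audit_exports(text):
    """List (path, client, flavors) for exports that accept a non-Kerberos flavor."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            if m is None:
                continue  # malformed entry; left for exportfs to report
            flavors = export_flavors(m.group(2) or "")
            if flavors - KRB5:
                findings.append((path, m.group(1) or "*", sorted(flavors)))
    return findings

def nfs_mount_flavors(proc_mounts):
    """Map each NFS mountpoint in /proc/mounts text to its negotiated sec= value."""
    result = {}
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
            result[fields[1]] = opts.get("sec")
    return result
```

Feed audit_exports the text of the server's /etc/exports and nfs_mount_flavors the text of a client's /proc/mounts; any export it lists, or any mount showing sec=sys, is reachable without Kerberos.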