[28161] in Kerberos

home help back first fref pref prev next nref lref last post

Re: AFS and kerberos

daemon@ATHENA.MIT.EDU (Faeandar)
Tue Jul 31 11:15:14 2007

From: Faeandar <mr_castalot@yahoo.com>
Message-ID: <24kua3di385mbfe8kfuri6bfqkeo7dqcsc@4ax.com>
MIME-Version: 1.0
X-Complaints-To: abuse@prodigy.net
Date: Tue, 31 Jul 2007 08:10:25 -0700
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, 30 Jul 2007 23:04:10 -0600, Tillman Hodgson
<tillman@seekingfire.com> wrote:

>On Tue, Jul 31, 2007 at 01:54:58AM +0000, Faeandar wrote:
>> The one is Solaris and Linux.  Maybe Linux is 32, I don't know for
>> sure.
>> I hear that a system change on Solaris will allow for 32 but unless
>> your NFS servers are Solaris you break NFS.
>
>On FreeBSD you can adjust kern.ngroups (defaults to 16). Harti has
>tested an increased number (64, I think) over a number of years and with
>the exception of NFS everything worked fine.
>
>> I'm looking into increasing file system security over NFS and was
>> initially leaning towards kerb5 with LDAP to allow for a greater
>> number of unix groups, and therefore greater access control (beyond 16
>> groups) even if it is still ugo.
>> But so far I'm doubtful that will work.
>
>As I undersatnd it, over NFS it won't work because of how RPC works. RFC
>1057 defines the auth_unix struct as having unsigned int gids<16>.
>
>-T

I have not read the spec for RPC but I'll check that one out.  If
that's the case we may be SoL.

Thanks.

~F
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post