Just recently I was playing with NFS and Kerberos, but it turns out it's not doing what I thought it would do. I want to talk it through a bit, so please correct me.
I was thinking that it would authenticate users accessing the mounted file system and grant access through their credentials. Instead, what I think it's doing is just validating the machines through their machine credentials to connect to the NFS service principal on the server. A kinit and user credentials are in no way used.
I suppose that is a little better in some respects than host-based access. But the machine itself is trusted to enforce username and group policy permissions. And it's worse than host-based access because all hosts within the Kerberos realm are allowed to mount the NFS mountpoints no matter if they need to or not.
Again I was thinking it would be validating users which would be way more useful. Am I missing something?
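On the "all hosts in the realm can mount" concern: whatever security flavor an export uses, the client list in /etc/exports still decides which hosts the server will hand a mount to, and an export with `sec=sys` (or no `sec=` at all) trusts the uid/gid the client sends rather than any Kerberos identity. The script below is an added example written for this discussion, not code from the original post or from the NFS utilities; it parses a constructed /etc/exports and flags exports open to any client, exports without a Kerberos flavor, and the classic pitfall where whitespace before the parentheses makes the options apply to every host. The sample export paths and subnet are made up.

```shell
#!/bin/sh
# Constructed sample /etc/exports for demonstration (not from any real host).
SAMPLE_EXPORTS='# home directories: Kerberos with integrity+privacy, one subnet only
/export/home 10.0.0.0/24(rw,sec=krb5p,sync)
# scratch: Kerberos, but any client that can reach the server may mount
/export/scratch *(rw,sec=krb5)
# legacy: AUTH_SYS, server trusts whatever uid/gid the client claims
/export/legacy 10.0.0.0/24(rw,sec=sys)
# pitfall: space before the options -> host gets defaults, options apply to world
/export/data 10.0.0.5 (rw,sec=krb5)'

# audit_exports [FILE]
# Reads exports(5) syntax from FILE (or stdin) and prints one finding per
# (path, client) pair:
#   WILDCARD_CLIENT  client spec is "*": any host may mount this export
#   SEC_SYS          sec= includes "sys": client-supplied uid/gid is trusted
#   SEC_DEFAULT      no sec= given; exportfs defaults to sec=sys
#   WORLD_OPTIONS    options not attached to a client (whitespace before "("),
#                    so they apply to all hosts
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            client = spec; opts = ""
            if (match(spec, /\(/)) {
                client = substr(spec, 1, RSTART - 1)
                # strip the surrounding parentheses from the option list
                opts = substr(spec, RSTART + 1, length(spec) - RSTART - 1)
            }
            if (client == "")  { print path, "(world)", "WORLD_OPTIONS"; client = "*" }
            if (client == "*") print path, client, "WILDCARD_CLIENT"

            # pick out the sec= option, if any; it may list several flavors
            sec = ""
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec == "") print path, client, "SEC_DEFAULT"
            else if (sec ~ /(^|:)sys(:|$)/) print path, client, "SEC_SYS"
        }
    }' "$@"
}

# Run against the constructed sample; on a real server: audit_exports /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Exports that pass silently are the ones restricted to named hosts or subnets and carrying only Kerberos flavors (`krb5`, `krb5i`, `krb5p`). The finding names are this script's own, not anything `exportfs` reports.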