From: Steffen Kolbe <kolbe@vwi.tu-dresden.de>
To: Peter Staubach <staubach@redhat.com>
Cc: nfs@lists.sourceforge.net
Subject: Re: Re: trace attached - Folders in NFS-share: permission denied, prob. not 16+ groups problem
Date: Mon, 08 May 2006 21:36:58 +0200
Message-ID: <445F9DDA.7090007@vwi.tu-dresden.de>
In-Reply-To: <445F82F9.3090804@redhat.com>
Thanks.
Perhaps something in background to the system I would install/use.
Perhaps it's better for tips, how could I resolve this problem.
Server:
2x Win2003R2 for user management and "windows things"
-AD (LDAP, Kerberos) with SFU-schema
-because "easy" to install and most "work-ready" after install
(I'm started over years with MS, the user DB was also old MS. I would migrate most to Linux, but I'm not ready with "learning" Linux. LDAP+Kerberos server on Linux isn't easy to understand/install/configure for a single person, so it's MS AD because it must work and it's easier for me)
2x Debian (active-passive cluster) for server works: file, mail, print,
......
-all files/luns/config files mounted from active node via FC-SAN
before starting services
-nss via LDAP/nss_ldap against the MS AD
-pam/password via pam_krb5 against the MS AD
-NFS-Server, ....
Clients, Debian:
-nss via LDAP/nss_ldap against the MS AD
-pam/password via pam_krb5 against the MS AD
... until here this works all fine...
-network directories via NFS against the debian cluster ....so the plan
I don't like ACLs, so NFS with more groups is the better and easier way for me and the users in my opinion. Isn't it?
Is there a FAQ/help or so available, how to configure NFS for Kerberos (without auth_sys)?
Thanks and best regards
Steffen
Peter Staubach wrote:
> Steffen Kolbe wrote:
>
>> -----------------------------------------------------------
>> general question:
>> Is there a real solution to use ~50 groups with nfs? Because we've
>> many project groups some team leaders, many crossover memberships
>> over some departments and .......
>> How is this solved in bigger environments?
>> ------------------------------------------------------------
>
>
>
> The two most common solutions are either to use ACLs or use a security
> flavor such as Kerberos. The 16 group limit for AUTH_SYS is hard and
> is an RPC limitation and not an NFS thing.
>
> Unfortunately, ACLs are difficult to administrate and to manipulate for
> ordinary users. You could consider writing some tools to help your users
> check and manipulate the ACLs as required.
>
> The most common solution is to deploy Kerberos. This eliminates the
> 16 group limit, but does incur the cost and complexity of deploying and
> maintaining Kerberos.
>
> The only other alternative that springs to mind is to rearchitect the
> entire solution. This is not usually something that people consider
> doing... :-)
>
> Thanx...
>
> ps
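
The 16-group ceiling mentioned in the quoted reply comes from the AUTH_SYS credential layout in ONC RPC (RFC 5531, `authsys_parms`, where the group list is declared `gids<16>`). The following is an added example, not part of the original thread: it encodes that credential and lists which memberships of a ~50-group user never reach the server. The sample gids, host name and the "client keeps the first 16" truncation behaviour are assumptions made for illustration.

```python
import struct

AUTH_SYS_MAX_GIDS = 16   # gids<16> in authsys_parms (RFC 5531)
MAX_MACHINENAME = 255    # machinename<255>

# Constructed sample: one user who is a member of 50 project groups.
SAMPLE_GIDS = list(range(10000, 10050))

def xdr_string(data: bytes) -> bytes:
    """XDR variable-length string: 4-byte length, data, zero padding to 4 bytes."""
    pad = (4 - len(data) % 4) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad

def encode_authsys(stamp, machinename, uid, gid, gids):
    """Encode an authsys_parms body; reject what the wire format cannot carry."""
    name = machinename.encode("ascii")
    if len(name) > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > AUTH_SYS_MAX_GIDS:
        raise ValueError(f"{len(gids)} gids, AUTH_SYS carries at most 16")
    body = struct.pack(">I", stamp) + xdr_string(name)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids))
    body += b"".join(struct.pack(">I", g) for g in gids)
    return body

def decode_gids(body: bytes):
    """Server-side view: parse the supplementary gid list out of the body."""
    off = 4                                   # skip stamp
    (name_len,) = struct.unpack_from(">I", body, off)
    off += 4 + name_len + (4 - name_len % 4) % 4
    _uid, _gid, count = struct.unpack_from(">III", body, off)
    off += 12
    return list(struct.unpack_from(f">{count}I", body, off))

def dropped_groups(gids):
    """Memberships the server never sees if the client keeps only the
    first 16 entries (assumed truncation behaviour)."""
    return gids[AUTH_SYS_MAX_GIDS:]

if __name__ == "__main__":
    cred = encode_authsys(0, "client1", 1000, 10000, SAMPLE_GIDS[:16])
    print("credential bytes:", len(cred))
    print("gids visible to server:", decode_gids(cred))
    print("gids lost:", dropped_groups(SAMPLE_GIDS))
```

A directory owned by any group in the "lost" list returns permission denied over AUTH_SYS even though `id` on the client shows the membership.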