AFS and Kerberos

Russ Allbery rra at stanford.edu
Mon Jul 30 22:28:54 EDT 2007


Faeandar <mr_castalot at yahoo.com> writes:
> Russ Allbery <rra at stanford.edu> wrote:

>> What 16-group limit is that?

> The one in Solaris and Linux.  Maybe Linux is 32, I don't know for sure.
> I hear that a system change on Solaris will allow for 32 but unless your
> NFS servers are Solaris you break NFS.

Oh, that.  I think that's 64K with current versions of Linux.  How well
that works with all NFS servers, I don't know.

> I'm looking into increasing file system security over NFS and was
> initially leaning towards kerb5 with LDAP to allow for a greater number
> of unix groups, and therefore greater access control (beyond 16 groups)
> even if it is still ugo.  But so far I'm doubtful that will work.

Well, AFS doesn't use groups in the same way that NFS does and if you use
AFS, you won't have this problem.  AFS accounts can be in as many groups
as you want (well, practically speaking).  But that would mean moving your
files from NFS to AFS and using AFS's different ACL scheme.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


