AFS and kerberos

Faeandar mr_castalot at yahoo.com
Tue Jul 31 11:08:38 EDT 2007


On Mon, 30 Jul 2007 19:28:54 -0700, Russ Allbery <rra at stanford.edu>
wrote:

>Faeandar <mr_castalot at yahoo.com> writes:
>> Russ Allbery <rra at stanford.edu> wrote:
>
>>> What 16-group limit is that?
>
>> The one in Solaris and Linux.  Maybe Linux is 32, I don't know for sure.
>> I hear that a system change on Solaris will allow for 32 but unless your
>> NFS servers are Solaris you break NFS.
>
>Oh, that.  I think that's 64K with current versions of Linux.  How well
>that works with all NFS servers, I don't know.
>
>> I'm looking into increasing file system security over NFS and was
>> initially leaning towards kerb5 with LDAP to allow for a greater number
>> of unix groups, and therefore greater access control (beyond 16 groups)
>> even if it is still ugo.  But so far I'm doubtful that will work.
>
>Well, AFS doesn't use groups in the same way that NFS does and if you use
>AFS, you won't have this problem.  AFS accounts can be in as many groups
>as you want (well, practically speaking).  But that would mean moving your
>files from NFS to AFS and using AFS's different ACL scheme.

AFS is great at access control and availability but it is horrid on
performance.  Read is fine if you are already cached on the client but
we've seen a 20X performance difference between reading from AFS
servers and NFS servers (rsync'ing data).

So while AFS would solve my access control issue it would kill our
ability to get work done.

You have provided good information though, thanks.

~F
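The group-count limit the thread is arguing about is the one imposed by the classic AUTH_SYS (AUTH_UNIX) NFS credential, which carries a fixed-size list of at most 16 gids; a user who belongs to more groups than that silently loses whatever access the extra groups would have granted on a `sec=sys` export. The script below is an added example, not something posted in this thread, that counts a user's gids and flags anyone over that limit so an administrator can spot the problem before it shows up as a mysterious permission failure. It assumes a POSIX `id -G` (which prints the primary gid followed by the supplementary gids) and counts every gid it prints, which is the conservative choice since how the primary gid is accounted for differs between Solaris and Linux, as the thread itself notes. The `SAMPLE_GIDS` list is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): flag users whose group list exceeds
# the 16-gid limit of the AUTH_SYS NFS credential (assumption: the limit
# as documented for AUTH_UNIX/AUTH_SYS; exact primary-gid accounting
# varies by OS, so every gid printed by `id -G` is counted).

NFS_AUTH_SYS_GID_LIMIT=16

# count_gids "gid gid ..." -> prints how many gids are in the list
count_gids() {
    # shellcheck disable=SC2086  # word-splitting the list is intended
    set -- $1
    echo "$#"
}

# over_limit "gid gid ..." -> exit status 0 if the list exceeds the limit
over_limit() {
    n=$(count_gids "$1")
    [ "$n" -gt "$NFS_AUTH_SYS_GID_LIMIT" ]
}

# report_user NAME -> prints a verdict; exit 0 within limit, 1 over, 2 unknown user
report_user() {
    gids=$(id -G "$1" 2>/dev/null) || { echo "no such user: $1"; return 2; }
    n=$(count_gids "$gids")
    if over_limit "$gids"; then
        echo "$1: $n gids, exceeds AUTH_SYS limit of $NFS_AUTH_SYS_GID_LIMIT (sec=sys will drop some)"
        return 1
    fi
    echo "$1: $n gids, within AUTH_SYS limit"
    return 0
}

# Constructed sample: a user in 18 groups, the kind of account this check
# is meant to catch.
SAMPLE_GIDS="1000 4 20 24 27 30 46 100 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010"

# Stand-alone demo on the constructed sample (a live check would be
# `report_user alice`, or a loop over getent passwd output).
if over_limit "$SAMPLE_GIDS"; then
    echo "sample user: $(count_gids "$SAMPLE_GIDS") gids, over the AUTH_SYS limit"
else
    echo "sample user: $(count_gids "$SAMPLE_GIDS") gids, within the AUTH_SYS limit"
fi
```

Running `report_user` over every account in the directory gives the list of users for whom switching the export to Kerberos security (`sec=krb5*`), where the server resolves group membership itself instead of trusting the client's 16-entry list, would actually change what they can reach.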


