AFS and kerberos

Faeandar mr_castalot at yahoo.com
Tue Jul 31 11:10:25 EDT 2007


On Mon, 30 Jul 2007 23:04:10 -0600, Tillman Hodgson
<tillman at seekingfire.com> wrote:

>On Tue, Jul 31, 2007 at 01:54:58AM +0000, Faeandar wrote:
>> The one is Solaris and Linux.  Maybe Linux is 32, I don't know for
>> sure.
>> I hear that a system change on Solaris will allow for 32 but unless
>> your NFS servers are Solaris you break NFS.
>
>On FreeBSD you can adjust kern.ngroups (defaults to 16). Harti has
>tested an increased number (64, I think) over a number of years and with
>the exception of NFS everything worked fine.
>
>> I'm looking into increasing file system security over NFS and was
>> initially leaning towards kerb5 with LDAP to allow for a greater
>> number of unix groups, and therefore greater access control (beyond 16
>> groups) even if it is still ugo.
>> But so far I'm doubtful that will work.
>
>As I understand it, over NFS it won't work because of how RPC works. RFC
>1057 defines the auth_unix struct as having unsigned int gids<16>.
>
>-T

I have not read the spec for RPC but I'll check that one out.  If
that's the case we may be SoL.

Thanks.

~F
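
The limit discussed in this thread, as an added example that is not part of the original messages: a Python sketch that XDR-encodes the RFC 1057 auth_unix credential body (stamp, machinename<255>, uid, gid, gids<16>) and shows what a server can see for a user in more than 16 groups. The helper names, the sample uid/gids and the "client sends only the first 16 groups" behaviour are assumptions made for illustration.

```python
import struct

MAX_GIDS = 16          # bound from "unsigned int gids<16>" in RFC 1057
MAX_MACHINENAME = 255  # bound from "string machinename<255>"

def xdr_uint(n):
    # XDR unsigned int: 4 bytes, big-endian
    return struct.pack(">I", n)

def xdr_string(s):
    # XDR string: length word, then bytes padded to a multiple of 4
    data = s.encode("ascii")
    pad = (4 - len(data) % 4) % 4
    return xdr_uint(len(data)) + data + b"\x00" * pad

def encode_auth_unix(stamp, machinename, uid, gid, gids):
    """Encode the credential body; refuse what the wire format cannot carry."""
    if len(machinename) > MAX_MACHINENAME:
        raise ValueError("machinename exceeds 255 bytes")
    if len(gids) > MAX_GIDS:
        raise ValueError(f"{len(gids)} gids do not fit in gids<{MAX_GIDS}>")
    body = xdr_uint(stamp) + xdr_string(machinename) + xdr_uint(uid) + xdr_uint(gid)
    return body + xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids)

def decode_gids(body):
    """Server side: skip stamp, machinename, uid, gid and return the gids array."""
    off = 4                                     # past stamp
    (name_len,) = struct.unpack_from(">I", body, off)
    off += 4 + name_len + (4 - name_len % 4) % 4
    off += 8                                    # past uid and gid
    (count,) = struct.unpack_from(">I", body, off)
    if count > MAX_GIDS:
        raise ValueError("gids count exceeds protocol bound")
    return list(struct.unpack_from(f">{count}I", body, off + 4))

def server_sees_group(user_gids, wanted_gid):
    """Assumed client behaviour: only the first 16 supplementary groups are sent."""
    cred = encode_auth_unix(0, "client1", 1000, 100, user_gids[:MAX_GIDS])
    return wanted_gid in decode_gids(cred)

# Constructed sample: a user in 20 groups, gids 2000..2019
SAMPLE_GIDS = list(range(2000, 2020))

if __name__ == "__main__":
    for g in (2015, 2016):
        print(g, "visible to server:", server_sees_group(SAMPLE_GIDS, g))
```

Group 2016 is the 17th entry, so a server that authorizes from this credential never learns of that membership, however many groups the directory service assigns the user.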


