Currently I am able to setup a SSO NFS setup with openldap ldap server and Truenas NFS server (with LDAP access configured). The ubuntu clients are able to use pam-mount to mount the nfs home shares. The purpose is have each LDAP users to authenticate using pam-ldap and nss-ldap and then mount the appropriate nfs home shares. The setup is working.
There are four possible approaches as I see.
Approach - 1:
a) Use no_root_squash, and sec=sys in nfs-server export (this has serious security implications) and mount /home for every user authenticated using ldap by the pam_ldap in the ubuntu client. This will enable pam_mkdir to autocreate home folders for new users, and also access other user home folders based on the permissions setup.
b) But this seem like thoroughly insecure as the client can fake the uid/gid to access the unauthorized shares including root. But without no_root_squash, auto creation of home folder in /home seem like impossible.
Approach - 2
a) Use sec=sys, root_squash in nfs export. Nfs (truenas) server has ldap access configured. Do not mount /home. Rather use pam_mount or autofs to mount only client authenticated the user home folders. This is how my current working setup is. But still the client can fake uid/gid to gain unauthorized access. But in this case auto home create wont work, it has to be done manually.
Approach - 3
a) Use sec=ldap , root_squash in nfs export. Setup ldap_pam auth in nfs server also. Does this approach provide any extra security ? As I understand, nfs_client provides nfs_server with uid/gid (which may be faked too) and even if nfs_server query the ldap server with these info, I dont see any manner in which some security can be provided. Can any one comment on this approach ? I have not tried this out as I really dont understand how this work.
Approach - 4
a) Use kerberos. sec=krb5 in nfs_server. Setup ldap_backend for kerberos. Authenticate client users using kerberos with ldap backend. Now here the traditional userPassword field of LDAP become useless, once we start using kerberos to authenticate users. So other applications like gitea, gogs etc that used ldap for authentication cannot further use ldap as userPassword field in ldap server is not in sync with the kerberos key storage field. What is the right way to proceed in this approach ? This seem like the best approach provided it does sync the passwords for traditional ldap approach and kerberos ldap backend.
Approach - 5
a) Use kerberos only to authenticate client machines and nfs server. Use traditional ldap authentication for all purpose including login/ssh other applications such as gogs etc. Is this a possibility ?
My experience with these are limited. Please help with your valuable suggestions. Ideally I want a SSO with nfs home shares with some reasonable security with openldap as my backend for all. If possible it should be as seamless as if it is not nfs shares that each user can access other user folder if permissions permit.
A simpler solution that provides reasonable security is fine enough.
-thanks
tachionic
