# NIS, NFS, Kerberos, LDAP? Confused

## independence

I'm trying to solve some network and file sharing problems at my home, and I'd like to do this right. I don't care if it takes a little bit of extra time, because I also want to learn about this stuff. But anyways, I have a Gentoo server and then two Linux workstations (mine and my dad's). On the server we download stuff via BitTorrent, and it gets into one directory for each of us with the right owner/file permissions via ACLs. Now I'd like to be able to mount this directory on my workstation (and my dad's), with the right permissions, with UID/GID and the ACLs working.

I'm very confused by all these techniques, but as far as I can gather, I'm supposed to be able to do this with NFSv4? But I need to have a NIS server so that the UID/GIDs are the same on all computers? And also NIS is so insecure, so I probably need Kerberos too (or maybe not really, but it would be fun to learn a bit about Kerberos too if it's not too complicated). Is this correct, I need to set up NIS and NFS, and maybe Kerberos? And can NFSv4 handle ACLs?

I've tried reading some HOWTOs, but I can't find one that explains what I need. This makes me think I'm maybe on the wrong path, and maybe shouldn't use NFS/NIS? Maybe LDAP or some other fancy net FS that actually supports ACLs in a good, non-experimental way? I'd be really happy if you could point me to what I need or maybe a good HOWTO/tutorial or just information about this stuff.

----------

## mackerel

You do not need NIS for NFS.

http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS

If you are on a fairly secure network, NFS will work great. I use NFS for my server and 2 other Linux boxes to share and backup.

----------

## firesox

What you are thinking of, using LDAP in conjunction with Kerberos at home for you and your dad, is like building a nuclear power plant to light a bulb. And you don't even need NIS or ACLs in your configuration. Just keep your local /etc/passwd and the file system permissions. If you want to play around a little bit with identity and password management: try NIS. It's insecure, yes, but if you plan to set up a Kerberos domain it's best to run this server on a standalone machine with no other services.
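
Added example, not part of any post in this thread: with NFS's default AUTH_SYS (`sec=sys`) security the server trusts the numeric UID/GID the client sends, so keeping local /etc/passwd files only gives the right ownership if the numbers agree on every machine. This Python script checks that across hosts; the host names, accounts and the `min_uid` cutoff are constructed assumptions.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpts (hypothetical hosts and accounts).
PASSWD = {
    "server": "alice:x:1000:1000::/home/alice:/bin/bash\n"
              "bob:x:1001:1001::/home/bob:/bin/bash\n",
    "ws-alice": "alice:x:1000:1000::/home/alice:/bin/bash\n",
    "ws-bob": "bob:x:1000:1000::/home/bob:/bin/bash\n# local note\nbroken-line\n",
}

def parse_passwd(text, min_uid=1000):
    """Return {name: (uid, gid)} for regular accounts.

    Comments, malformed lines and system accounts (uid < min_uid) are skipped.
    """
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        if uid >= min_uid:
            users[fields[0]] = (uid, gid)
    return users

def find_conflicts(passwd_by_host):
    """Return (drift, collisions).

    drift:      {name: {host: (uid, gid)}} where one name has different ids.
    collisions: {uid: {host: name}} where one uid belongs to different names,
                i.e. a client user the server would treat as someone else.
    """
    by_name, by_uid = defaultdict(dict), defaultdict(dict)
    for host, text in passwd_by_host.items():
        for name, (uid, gid) in parse_passwd(text).items():
            by_name[name][host] = (uid, gid)
            by_uid[uid][host] = name
    drift = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    collisions = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return drift, collisions

if __name__ == "__main__":
    drift, collisions = find_conflicts(PASSWD)
    for name, hosts in drift.items():
        print(f"{name}: ids differ across hosts: {hosts}")
    for uid, hosts in collisions.items():
        print(f"uid {uid}: maps to different users: {hosts}")
```

In the constructed data, bob on `ws-bob` has UID 1000, which the server assigns to alice, so bob's workstation would read and write alice's directory over a `sec=sys` mount.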

----------

## nielchiano

*firesox wrote:*

> What you are thinking of, using LDAP in conjunction with Kerberos at home for you and your dad, is like building a nuclear power plant to light a bulb.

Well, if independence is like me, that's exactly what I want. Not that I NEED that nuclear plant, but I'd like to experiment with it.

----------

## depontius

Incidental note about OpenLDAP, Kerberos, and nfsv4...

I've tried in the past to get the OpenLDAP/Kerberos mix working, but it's a black art, and I've never had the time to really get it done. At the time I tried, there were threading problems with MIT Kerberos, so the recommended solution was to use Heimdal Kerberos. Heimdal has the secondary advantage of being able to use LDAP as its password database. The whole thing is more/better integrated that way, and I'm under the impression that it greases the skids to add Samba to the mix, and have a PDC. All of this was a few years ago, and at the time I was also having certificate problems with OpenLDAP, so I never got to the problems of using SASL to glue OpenLDAP and Kerberos together.

In a more immediate mode, I had the fear (not a real problem, just a scare) of a hard disk problem, so I've put personal data onto a raid-1 mirror and set that up with nfs. Currently it's nfs4, but I'm hoping to move to nfsv4.

I've still done nothing about OpenLDAP/Kerberos, but mixing it with nfsv4 there's a snag. To get Kerberos, nfsv4 requires mit-krb5, not virtual/krb5. It won't work with Heimdal. Reading a bit more, it appears that a lot of work had gone into making MIT Kerberos thread-safe at the currently stable 1.5.2 level. So I suspect that part of marrying it with OpenLDAP would work. Beyond that, MIT Kerberos 1.6 (not unstable, not even masked yet) allows its keys to be stored in OpenLDAP. So the pieces are coming together. (But as far as I know, getting it all to work together is still a black art.)

----------

