Hi everyone!

Right now I can’t decide which one is the most versatile and fits my personal needs, so I’m looking into your personal experience with each one of them, if you don’t mind sharing your experience.

It’s mostly for secure shared volumes containing ebooks and media storage/files on my home network. Adding some security into the mix even though I actually don’t need it (mostly for the learning process).

More precisely, how difficult is the NFS configuration with Kerberos? Is it actually useful? Never used Kerberos and have no idea how it works, so it’s very much a new tech on my side.

I would really appreciate some in-depth personal experience and why you would consider one over another!

Thank you!

27 points

If you’re going to have any non-linux clients, samba will be an order of magnitude easier. MacOS handles nfs pretty well, but Windows just wants SMB

4 points

You don’t have to choose just one though. It’s perfectly ok to share a directory via Samba for Windows clients and share the same directory again with NFS for Linux clients.

4 points

macOS switched from AFS to samba for file sharing & time machine backups a while ago; it’s been a while since I had first-hand experience setting up a Mac, but based on that fact I’m pretty sure samba is more straightforward to use. … it annoyingly mangles unix file ownership, & permissions though, as mentioned above in https://lemmy.ml/comment/10204431

4 points

Yeah, multi-OS environment… Thanks for your comment :)

1 point

Samba is also generally supported better than NFS on mobile file managers.

2 points

Windows can also use NFS, but you have to enable it in the settings.

19 points

NFS v4 with krb is probably the best option of these if Linux/macOS is all you need to support because everything just works transparently with one system-wide mount. I had it set up for a couple years until recently (had to basically completely give up on my network setup including the box the KDC was running on for unrelated reasons recently and have still yet to set it up completely again).

Kerberos is pretty straightforward to set up if you know how it works, I think the main problem is lack of documentation and pretty awful NFS error messages (you pretty much have to enable nfsd/rpc debug kernel options if you want to even begin figuring out what’s going wrong when your mount doesn’t work). The first time I set it up it took me a whole day to get it to actually work, and in the end a reboot of the NFS server solved the problem I had.

Look at the Arch wiki article for Kerberos, I think that’s what I used mostly. Feel free to ask if you need help setting it up.

(Unfortunately IMO all of these suck in different ways though: sshfs dies if your SSH connection gets interrupted, NFS v4 (v3 is unusable imo because it doesn’t have idmap so you have to make sure your user IDs match on every machine) isn’t supported by Windows and mobile devices, Samba doesn’t map well to Unix permissions and I can’t tell what its “unix extensions” are actually supposed to do if it isn’t permissions. Integrating Samba with NFS, if you want to use both, also is pretty hard because while Samba theoretically uses Kerberos, it doesn’t work with a normal KDC but needs Samba AD because Microsoft (I haven’t taken a look at Samba AD yet). And forget integrating Samba with anything that isn’t Kerberos-based entirely because NTLM is the only other auth mechanism and it’s pretty much incompatible with anything because the client only sends the password hashed with a unique mechanism. So you’re going to have a pretty bad time if you want to use a single auth mechanism for everything if SMB is involved, and that’s pretty much your only option if you want to access stuff on a mobile device.)
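An added example, not part of the comment above: a small audit of an `/etc/exports` body that reports exports which still accept the default `sec=sys` flavor (the server trusts whatever UID the client sends, which is why IDs have to match across machines) instead of requiring Kerberos. The paths and subnet in `SAMPLE` are constructed; default-option (`-opts`) entries, quoted paths and line continuations are assumed absent.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}  # authentication, +integrity, +privacy (encryption)

def audit_exports(text):
    """Return (path, client, issue) tuples for exports not fully protected by Kerberos."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", entry)
            if m is None:
                findings.append((path, entry, "unparsable"))
                continue
            client = m.group(1) or "*"  # "(rw)" with no host in front means every host
            opts = (m.group(2) or "").split(",")
            # sec= takes a colon-separated list; with no sec= option the flavor is sys
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if client == "*":
                findings.append((path, client, "any-host"))
            if set(flavors) - KRB_FLAVORS:  # sys/none: client-supplied UIDs are trusted
                findings.append((path, client, "no-kerberos"))
            elif set(flavors) != {"krb5p"}:  # a client may pick a flavor without encryption
                findings.append((path, client, "allows-unencrypted"))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
/srv/media   192.168.1.0/24(rw,sync,sec=krb5p)
/srv/ebooks  192.168.1.0/24(ro,sec=krb5p:sys)
/srv/backup  192.168.1.0/24(rw,sec=krb5i)
/srv/scratch (rw,sync)   # space before "(" exports to every host
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print(*finding)
```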

6 points

Thank you for your friendly and detailed response!!!

> Look at the Arch wiki article for Kerberos, I think that’s what I used mostly. Feel free to ask if you need help setting it up.

It’s always Arch wiki :D. Thank you, but I will probably stay with samba at the moment which will probably fulfill my current needs and seems more complex than I thought! Also, it’s in a multi-OS environment (Windows, MacOS, Linux) and NFS seems to not work very well with Windows :/ If I could I would switch my whole family to Linux, but old habits die hard…

Anyway, will keep Kerberos under my radar! I really want to learn more about it, it seems very interesting, especially the cybersecurity aspect!

If you don’t mind… Can you tell very briefly what Kerberos actually solves in a corporate environment? Please, give me a sneak peek of the subject that awaits me :)!!

1 point

> Thank you, but I will probably stay with samba at the moment which will probably fulfill my current needs and seems more complex than I thought!

Then, take a look at ksmbd which is basically a mini SMB implementation in the kernel. I haven’t used it yet, but apparently it’s more performant and easier to set up.

> If you don’t mind… Can you tell very briefly what Kerberos actually solves in a corporate environment? Please, give me a sneak peek of the subject that awaits me :)!!

It provides single sign-on capability. As I already said Active Directory is built on Kerberos for authentication, but it’s used similarly on Linux, logging in to Kerberos gives you a TGT (ticket-granting ticket) which essentially allows you to also authenticate to other services like NFS, SSH (in which case it can forward your ticket to the machine you log on to), stuff like IMAP, even websites (though as far as I’ve seen you need to do some stupid per-domain manual setup for at least Firefox) without having to enter your password again, at least, until the ticket expires, or storing it anywhere. There’s much more that supports it but I’ve only used it for NFS and I’ve experimented with using it for SSH auth, and only for personal use, so I can’t tell you what exactly.

It’s worth noting that it’s purely for authentication and not authorization, so if you want central permission management, something else will have to do that, such as LDAP which is also what AD uses.
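A toy model of the ticket flow described in the comment above, added here as an illustration and not part of the thread: one password-based login yields a TGT, and the same TGT then obtains tickets for two services without the password being used again or sent anywhere. The `seal`/`unseal` cipher, the principal names and the password are constructed stand-ins, not real Kerberos encryption types or message formats.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # SHA-256 in counter mode as a toy keystream
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # toy authenticated encryption, stands in for real Kerberos enctypes
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def pw_key(principal, password):  # long-term user key derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def open_ticket(key, ticket, authenticator):  # decrypt ticket, then check the authenticator
    t = unseal(key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves the sender holds the session key
    if a["user"] != t["user"] or t["exp"] < time.time():
        raise ValueError("authenticator mismatch or expired ticket")
    return t

class KDC:
    def __init__(self, keys):  # keys: principal -> long-term key
        self.tgs_key, self.keys = os.urandom(32), keys
    def login(self, user):  # AS exchange: the password never crosses the wire
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": time.time() + 36000})
        return seal(self.keys[user], {"sk": sk}), tgt
    def ticket_for(self, tgt, authenticator, service):  # TGS exchange: TGT in, ticket out
        t = open_ticket(self.tgs_key, tgt, authenticator)
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": sk, "exp": t["exp"]})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk}), ticket

def demo(password="constructed-password"):
    keys = {"alice": pw_key("alice", "constructed-password"),
            "nfs/nas": os.urandom(32), "host/nas": os.urandom(32)}  # service keys = keytabs
    kdc, users = KDC(keys), []
    reply, tgt = kdc.login("alice")
    sk = bytes.fromhex(unseal(pw_key("alice", password), reply)["sk"])  # only use of the password
    for svc in ("nfs/nas", "host/nas"):  # same TGT, two services, no password prompt
        reply, ticket = kdc.ticket_for(tgt, seal(sk, {"user": "alice"}), svc)
        ssk = bytes.fromhex(unseal(sk, reply)["sk"])
        users.append(open_ticket(keys[svc], ticket, seal(ssk, {"user": "alice"}))["user"])
    return users
```

Each service only learns the authenticated name (`alice`); deciding what that user may access is the separate authorization step the comment mentions.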

12 points

I’ve got both Samba and NFS set up. I’d say Samba is the most versatile, just because more devices are bound to be compatible with it out of the box. I have an app on my phone I can use to connect to it, for example. And it obviously works with Windows machines. NFS is very simple to set up and nice and speedy. But I only use it for a couple permanent shares for specific things between Linux machines. You could always use a mix. I have a directory that’s shared with both.

I’ve never configured Kerberos I think, might’ve tried once in the past. From what I understand it’s a pain to set up and really more useful for enterprise environments. But could be fun to configure if you’re into tinkering with that sort of thing.

1 point

Thanks!! Yeah, I think I don’t need enterprise-grade security :) Not right now I suppose… Do you know what Kerberos actually solves in an enterprise environment?

9 points

Moved to TrueNAS Scale and decided to set up NFS shares for my Linux server. Spent a lot of time troubleshooting the fstab config and file/share permissions. Switched to CIFS/SAMBA and had it working in about 15 minutes.

5 points

Good to know samba works well with TrueNAS. Seeing all the comments, the tendency seems to go in samba’s direction!

1 point

It isn’t fast but it is indestructible

8 points

i use nfs. always. every minute my computer is online it has a mounted directory from my server.

via nfs and wireguard.

i tried lots of things but nfs which listens on wireguard ip is the best i ever achieved.

