[PLUG] how are uid/gid mapped between NFS server and client?

Chris Jantzen chris at maybe.net
Sun Dec 7 14:26:01 UTC 2003


On Sun, Dec 07, 2003 at 08:06:24AM -0800, Paul Heinlein wrote:
> Any filesystem, network or local, needs three components: file server,
> file client, *and* a common authentication system.
> 
> Since filesystems store file metadata (ownership, permissions, ACLs,
> ...) as numeric tokens, it needs an authentication database to do
> number -> name lookups. Sometimes the authentication system is local,
> like /etc/passwd, and sometimes it's remote: NIS, LDAP, AFS, Kerberos.
> 
> Regardless of whether the authentication is local or remote, however,
> it needs to be there. Remove a user from /etc/passwd on your local
> system, and all you'll see are files owned by some uid. Same thing if
> you lose contact with your NIS or LDAP server.

To quibble on fine (but important) points:

Authentication is simply the process of verifying identity, e.g., the
user has the password right or has the right SecurID card.

Authorization is the process of mapping a user identity to their rights
to access files. Presumably it makes sure the identity is authenticated
first, but it is not required to (such as in our case of NFS < v4).

Sometimes it is also worth separating the concept of a Directory as
the database that maps textual user identities to machine readable user
identities (such as username to uid).

Understanding the difference between authorization and authentication
helps to understand why Microsoft's abuse of Kerberos 5 packets for
the purposes of Active Directory is a bad thing.

Again, just quibbling. The important thing from the entire thread is:
Yes, you have to synchronize. :-)

-- 
chris kb7rnl =->
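
The synchronization the thread ends on can be checked mechanically. The following is an added example, not part of the original message: it compares passwd(5)-format data from an NFS server and a client and reports where the name-to-uid mappings disagree. The sample accounts and the function names parse_passwd and audit are constructed for illustration.

```python
# Constructed sample data in passwd(5) format; not taken from any real host.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1005:1005:Bob:/home/bob:/bin/sh
dave:x:1002:1002:Dave:/home/dave:/bin/sh
# comment and malformed lines are skipped
"""


def parse_passwd(text):
    """Return {name: uid} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        if fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def audit(server, client):
    """Compare two {name: uid} maps and return (name_drift, uid_collision).

    name_drift: same username, different uid on each side.
    uid_collision: a client uid that the server maps to a different name, so
    files owned by that uid on the server show up under the client-side name.
    """
    by_uid = {}
    for name, uid in server.items():
        by_uid.setdefault(uid, set()).add(name)
    name_drift = sorted((n, server[n], u) for n, u in client.items()
                        if n in server and server[n] != u)
    uid_collision = sorted((u, n, sorted(by_uid[u])) for n, u in client.items()
                           if u in by_uid and n not in by_uid[u])
    return name_drift, uid_collision


if __name__ == "__main__":
    drift, clash = audit(parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD))
    for name, s_uid, c_uid in drift:
        print(f"{name}: uid {s_uid} on server, {c_uid} on client")
    for uid, c_name, s_names in clash:
        print(f"uid {uid}: {c_name} on client, {s_names} on server")
```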