Implementing ZFS/NFS/CIFS security

packetboy

So let's start simple.

I want to create a bunch of "home" directories on my ZFS storage server and serve them up to various Windows and Unix desktops throughout the house. For example:

/rz2pool/home/fred - share via NFS to my Fedora desktop
/rz2pool/home/wilma - share via CIFS to my wife's Windows desktop
/rz2pool/home/ginger - share via NFS to grandma's Puppy Linux desktop

I guess the first choice on the CIFS sharing is to decide on native CIFS vs. Samba...found this article which is interesting:

http://jimcollier.blogspot.com/2010/03/2kc820q3.html

What have folks here gone with? native CIFS or Samba?

Has anyone evaluated the perf. difference between the two?


Next onto NFS...I'm still getting up to speed on NFS security...it all seems to be based on *IP Addresses* which seems extremely lame. Is there some other security model you can layer on top of NFS...preferably one that could also be used in conjunction with CIFS/Samba sharing too.

So far I'm loving ZFS and the whole approach to centralized storage (btw, I have the Puppy Linux box diskless booting via PXE to the storage server...it's awesome to know my boot image is backed up centrally and served up with double-parity storage).
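
To make the layout above concrete, here is an added example that is not code from the thread: a sh script for an OpenSolaris/illumos-style server that creates the per-user datasets, exports fred's and ginger's homes over NFS restricted to their named desktops with root squashed, and shares wilma's home through the kernel CIFS server with the properties that keep Windows-set ACLs intact. The pool name rz2pool comes from the post; the hostnames fedora.lan and puppy.lan, the UIDs, the workgroup HOME and the pam.conf line are assumptions. With DRY_RUN=1 (the default) every command is printed instead of executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-user home datasets on an
# OpenSolaris/illumos-style server: NFS exports locked to named desktops
# with root squashed, plus a Windows user's home via the kernel CIFS server.
# Assumed: pool rz2pool, hosts fedora.lan/puppy.lan, workgroup HOME.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
POOL=rz2pool

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# share_nfs option string: sec= picks the flavor (sys = the host/UID model
# the OP dislikes, krb5p = Kerberos authentication plus privacy), rw= lists
# the only hosts allowed, anon=-1 rejects root (there is no root= entry) and
# any unmapped UID instead of squashing them to nobody, nosuid blocks
# setuid binaries served from the export.
nfs_opts() {   # nfs_opts <sec> <host>...
    sec=$1; shift
    hosts=$(printf '%s:' "$@"); hosts=${hosts%:}
    echo "sec=$sec,rw=$hosts,anon=-1,nosuid"
}

# Create a home dataset for a local user and export it over NFS. With
# sec=sys the server trusts the UID the client sends, so the UID chosen
# here must equal the user's UID on the desktop or the export is useless.
nfs_home() {   # nfs_home <user> <uid> <sec> <host>...
    user=$1; uid=$2; sec=$3; shift 3
    run zfs create -p "$POOL/home/$user"
    run useradd -u "$uid" -d "/$POOL/home/$user" "$user"
    run chown "$uid" "/$POOL/home/$user"
    run chmod 0700 "/$POOL/home/$user"
    run zfs set "sharenfs=$(nfs_opts "$sec" "$@")" "$POOL/home/$user"
}

# One-time kernel CIFS setup. The pam_smb_passwd line makes passwd(1)
# also store the SMB password hash, so local users can log in from Windows.
smb_server_setup() {   # smb_server_setup <workgroup>
    run svcadm enable -r smb/server
    run smbadm join -w "$1"
    run sh -c "echo 'other password required pam_smb_passwd.so.1 nowarn' >> /etc/pam.conf"
}

# CIFS home: casesensitivity can only be set at create time, nbmand gives
# Windows lock semantics, and the two ACL properties keep ACLs set from
# Windows intact when something later runs chmod on the tree (aclmode is
# missing on some builds; drop that line if zfs rejects it).
smb_home() {   # smb_home <user> <uid>
    user=$1; uid=$2
    run zfs create -p -o casesensitivity=mixed -o nbmand=on "$POOL/home/$user"
    run useradd -u "$uid" -d "/$POOL/home/$user" "$user"
    run chown "$uid" "/$POOL/home/$user"
    run zfs set aclinherit=passthrough "$POOL/home/$user"
    run zfs set aclmode=passthrough "$POOL/home/$user"
    run zfs set "sharesmb=name=$user" "$POOL/home/$user"
    # then, interactively: passwd wilma  (sets the Unix and SMB password)
}

nfs_home fred   1001 sys fedora.lan
nfs_home ginger 1002 sys puppy.lan
smb_server_setup HOME
smb_home wilma  1003
```

Passing krb5p instead of sys as the sec argument is the Kerberos layering asked about above: the server then needs an nfs/<hostname> principal in its keytab, the desktop mounts with -o sec=krb5p, and the client's host identity stops mattering because every request is authenticated and encrypted. On Linux ZFS the sharenfs value is exportfs syntax (for example rw=@fedora.lan) rather than share_nfs syntax, so the nfs_opts string would need rewriting there.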
 
I would say:

On FreeBSD, you have only Samba, so it's clear.
On Solaris-based systems you could use Samba or the kernel-based native CIFS/SMB server.

Mostly Samba has more features, but the kernel-based SMB server is simpler to set up and faster.

But the Windows-compatible ACLs and AD integration of the native Sun version seem to be much better.
-> If you set ACLs from Windows it's like on a real Windows server, only complicated if you try to set them on Solaris,
so always set ACLs from Windows. (Samba ACLs are more different from Windows.)


About NFS:
NFS v3 is only IP-based.
NFS v4 supports ACLs.

Use NFSv4 if you want to use ACLs, but v3 is much simpler.
I would suggest: use SMB if possible, use NFS when really needed,
like in combination with ESXi and SAN datastores.

gea
 
This is way out of my area of expertise but I think you can also use Kerberos to secure the NFS shares.

As I just spent about half a day unsnarling some really fsck'd up ACLs on a Windows 7 system (the kind of thing that 'chown -R' would have fixed in about 30 seconds), I agree that avoiding them is much simpler unless you're sure you need the kind of fine grained security that they offer. If you aren't an expert in how they work, they can be a recipe for endless frustration, especially when you've got a disk that's been around through a few OS reinstalls, and is littered with ACLs with permissions and ownership from users that no longer exist, and other files inheriting properties from god-knows-where, etc.
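
To show what the NFSv4 ACLs gea mentions look like on ZFS, and why the order of entries matters in the kind of tangle described above, here is an added example that is not code from the thread: sh functions that build a compact-format ACL for a directory fred shares read-only with ginger, apply it with the Solaris chmod A= syntax, and a small evaluator that decides one permission bit for one principal the way NFSv4 does (first matching entry wins, no match is a deny). The users, the path /rz2pool/home/fred/photos, and the simplification that only an exact who-string or everyone@ matches (owner@/group@ are not expanded to the file's owner or group) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Compact NFSv4 ACLs as ZFS on
# OpenSolaris/illumos shows them with ls -V: build, apply, and evaluate.
# Assumed: users fred and ginger, dataset rz2pool/home/fred.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 14 permission letters at fixed positions: r read_data, w write_data,
# x execute, p append_data, d delete, D delete_child, a read_attributes,
# A write_attributes, R read_xattr, W write_xattr, c read_acl,
# C write_acl, o write_owner, s synchronize.
FULL=rwxpdDaARWcCos
READ=r-x---a-R-c--s        # read and traverse; no write, delete or ACL change
# 7 inheritance flags: f file_inherit, d dir_inherit, i inherit_only,
# n no_propagate, then three flags unused here.
INHERIT=fd-----

ace() {   # ace <who> <perms> <flags> <allow|deny>  -> one compact ACE
    echo "$1:$2:$3:$4"
}

# Owner gets everything, the named reader may read, and nobody else matches
# any entry, so they get nothing: an ACL with no matching allow is a deny.
# Both entries carry fd so new files and subdirectories get them too, which
# only works unchanged when the dataset has aclinherit=passthrough.
shared_dir_acl() {   # shared_dir_acl <reader>
    printf '%s,%s\n' \
        "$(ace owner@ "$FULL" "$INHERIT" allow)" \
        "$(ace "user:$1" "$READ" "$INHERIT" allow)"
}

apply_acl() {   # apply_acl <acl> <path>   (A= replaces the whole ACL)
    run chmod "A=$1" "$2"
}

# NFSv4 evaluation of one bit for one principal: walk the entries in
# order; the first entry that names the principal (or everyone@) and
# mentions the bit decides; reaching the end is a deny.
acl_allows() {   # acl_allows <acl> <who> <letter> ; exit 0 = allowed
    who=$2; bit=$3
    set -- $(echo "$1" | tr ',' ' ')
    for e in "$@"; do
        # Parse from the right, because who itself may contain a colon
        # (user:ginger).
        e_type=${e##*:}; rest=${e%:*}
        rest=${rest%:*}                 # drop the inheritance flags
        e_perms=${rest##*:}; e_who=${rest%:*}
        [ "$e_who" = "$who" ] || [ "$e_who" = everyone@ ] || continue
        case $e_perms in
            *"$bit"*)
                if [ "$e_type" = allow ]; then return 0; else return 1; fi ;;
        esac
    done
    return 1
}

ACL=$(shared_dir_acl ginger)
run zfs set aclinherit=passthrough rz2pool/home/fred
apply_acl "$ACL" /rz2pool/home/fred/photos
```

The evaluator is where the frustration above comes from: an everyone@ deny placed before a user allow silently wins, while the same two entries in the other order grant access, and ls -V on the server is the only way to see which you have. Entries for users that no longer exist show up there as bare numeric IDs and can be dropped with chmod A<index>- on each file.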
 
Couldn't you just create the local users on your ZFS box, map their home directories to your storage pool and enable home directories (for SMB at least, not familiar with NFS)? My NAS box is currently on Ubuntu, but this works for me with both Samba and AFP.
 
I agree with gea, use OpenSolaris or a derivative and the kernel-based SMB server. Samba has a lot of issues, and I think you'll be much happier with the SMB server. It's faster and easier to configure, and much better if you run an AD.
 