NFS Bug (Demo)

A

AFS is extremely hard to set up.

Has Narrower: AFS requires a special dedicated drive partition (at least one) running a virtual file system on top.; AFS requires setting up Kerberos.
Other: Use AFS (Andrew File System).

AFS is extremely slow.

Other: AFS requires a special dedicated drive partition (at least one) running a virtual file system on top.; Use AFS (Andrew File System).

AFS is highly durable; you can close your laptop and take it somewhere else, and it works when you reconnect.

Other: Use AFS (Andrew File System).

AFS requires a special dedicated drive partition (at least one) running a virtual file system on top.

Has Broader: AFS is extremely hard to set up.
Other: AFS is extremely slow.

AFS requires setting up Kerberos.

Has Broader: AFS is extremely hard to set up.

AFS supports symbolic links.

Other: Use AFS (Andrew File System).

AFS traffic is encrypted.

Other: That said, AFS traffic is not encrypted very well.; Use AFS (Andrew File System).

AFS uses a single global namespace which makes it easy to locate a share.

Other: Use AFS (Andrew File System).

H

Having to `sudo kinit` as yourself obviates the point of non-root user mounts: why not just `sudo mount /nfs/share` instead?

Other: Workaround: have root `kinit` as the non-root principal.

Historically NFS has been a tremendous pain to set up due to the need to match user UIDs/GIDs across all systems in the network.

Other: Use NFS (Network File System).; Use NFSv4 and `rpc.idmapd` that ships with it to get around the problem of normalizing all UIDs/GIDs.

However, the ticket expected by the system is not the principal associated with root, but the non-root user.

Other: Turns out that the mounting infrastructure is looking for a ticket owned by root rather than the non-root user doing the mount.; Workaround: have root `kinit` as the non-root principal.

I

If the Samba server goes down, the client (Mac) goes into an unrecoverable state and has to be hard power-cycled.

Other: Use Samba (CIFS).

K

Keep files consolidated among multiple devices on home network.

Other: Make one machine the authoritative file server and just write to it from the others over the network.

M

Make one machine the authoritative file server and just write to it from the others over the network.

Other: Keep files consolidated among multiple devices on home network.; Which remote filesystem protocol should we use?

`mount` complains of a missing service principal.

Other: Non-root user can't mount a kerberized NFSv4 share.; Run `rpc.gssd` with the `-n` flag to force the use of user principals.

N

NFS is easy to set up and manage (certainly relative to AFS).

Other: Use NFS (Network File System).; Why are we using NFS in the first place?

NFS is much, much faster than AFS.

Other: Use NFS (Network File System).; Why are we using NFS in the first place?

NFS supports symbolic links.

Other: Use NFS (Network File System).; Why are we using NFS in the first place?

Non-root user can't mount a kerberized NFSv4 share.

Other: Non-root users should be able to mount any entry in the `/etc/fstab` as long as there is a `user` option set.; Use the Kerberos setup left over from AFS (and testing environment for client work).; Why are we using NFS in the first place?; Workaround: have root `kinit` as the non-root principal.; `mount` complains of a missing service principal.

Non-root users should be able to mount any entry in the `/etc/fstab` as long as there is a `user` option set.

Other: Non-root user can't mount a kerberized NFSv4 share.

O

The only way NFSv4 traffic can be encrypted is with Kerberos.

Other: Use NFSv4 and `rpc.idmapd` that ships with it to get around the problem of normalizing all UIDs/GIDs.; Use the Kerberos setup left over from AFS (and testing environment for client work).

R

Root's ticket expires which causes NFS to freeze in a really ugly way.

Has Broader: You need to have two tickets; one for the non-root user and the other for root as the non-root user.
Other: Workaround: have root `kinit` as the non-root principal.

Run `rpc.gssd` with the `-n` flag to force the use of user principals.

Other: The user still can't mount the share even with `rpc.gssd -n`.; `mount` complains of a missing service principal.

S

Samba has no symbolic links.

Other: Use Samba (CIFS).

Samba is relatively simple to set up.

Other: Use Samba (CIFS).

Samba is widely supported across multiple operating systems.

Other: Use Samba (CIFS).

Samba traffic is encrypted.

Other: Use Samba (CIFS).

T

That said, AFS traffic is not encrypted very well.

Other: AFS traffic is encrypted.

Turns out that the mounting infrastructure is looking for a ticket owned by root rather than the non-root user doing the mount.

Other: However, the ticket expected by the system is not the principal associated with root, but the non-root user.; The user still can't mount the share even with `rpc.gssd -n`.

U

The user still can't mount the share even with `rpc.gssd -n`.

Other: Run `rpc.gssd` with the `-n` flag to force the use of user principals.; Turns out that the mounting infrastructure is looking for a ticket owned by root rather than the non-root user doing the mount.

Use AFS (Andrew File System).

Other: AFS is extremely hard to set up.; AFS is extremely slow.; AFS is highly durable; you can close your laptop and take it somewhere else, and it works when you reconnect.; AFS supports symbolic links.; AFS traffic is encrypted.; AFS uses a single global namespace which makes it easy to locate a share.; Which remote filesystem protocol should we use?

Use NFS (Network File System).

Has Narrower: Use NFSv4 and `rpc.idmapd` that ships with it to get around the problem of normalizing all UIDs/GIDs.
Other: Historically NFS has been a tremendous pain to set up due to the need to match user UIDs/GIDs across all systems in the network.; NFS is easy to set up and manage (certainly relative to AFS).; NFS is much, much faster than AFS.; NFS supports symbolic links.; Which remote filesystem protocol should we use?

Use NFSv4 and `rpc.idmapd` that ships with it to get around the problem of normalizing all UIDs/GIDs.

Has Broader: Use NFS (Network File System).
Has Narrower: Use the Kerberos setup left over from AFS (and testing environment for client work).
Other: Historically NFS has been a tremendous pain to set up due to the need to match user UIDs/GIDs across all systems in the network.; The only way NFSv4 traffic can be encrypted is with Kerberos.

Use Samba (CIFS).

Other: If the Samba server goes down, the client (Mac) goes into an unrecoverable state and has to be hard power-cycled.; Samba has no symbolic links.; Samba is relatively simple to set up.; Samba is widely supported across multiple operating systems.; Samba traffic is encrypted.; Which remote filesystem protocol should we use?

Use the Kerberos setup left over from AFS (and testing environment for client work).

Has Broader: Use NFSv4 and `rpc.idmapd` that ships with it to get around the problem of normalizing all UIDs/GIDs.
Other: Non-root user can't mount a kerberized NFSv4 share.; The only way NFSv4 traffic can be encrypted is with Kerberos.

W

Which remote filesystem protocol should we use?

Other: Make one machine the authoritative file server and just write to it from the others over the network.; Use AFS (Andrew File System).; Use NFS (Network File System).; Use Samba (CIFS).

Why are we using NFS in the first place?

Other: NFS is easy to set up and manage (certainly relative to AFS).; NFS is much, much faster than AFS.; NFS supports symbolic links.; Non-root user can't mount a kerberized NFSv4 share.

Workaround: have root `kinit` as the non-root principal.

Other: Having to `sudo kinit` as yourself obviates the point of non-root user mounts: why not just `sudo mount /nfs/share` instead?; However, the ticket expected by the system is not the principal associated with root, but the non-root user.; Non-root user can't mount a kerberized NFSv4 share.; Root's ticket expires which causes NFS to freeze in a really ugly way.; You need to have two tickets; one for the non-root user and the other for root as the non-root user.

Y

You need to have two tickets; one for the non-root user and the other for root as the non-root user.

Has Narrower: Root's ticket expires which causes NFS to freeze in a really ugly way.
Other: Workaround: have root `kinit` as the non-root principal.