
Mailing List Archive
Re: [tlug] NFS-mounting /home
Matt,
Just 2 questions: What is a "computer lab" for you? It sounds to me
(this name - computer lab) like a university or research domain. This is
nice, but not where most people are working, AFAIK.
Second question: I don't understand how automount is less secure than mount,
if the same mount points -&servers- are used: The server decides to share a
directory, and the client decides to mount it, in both cases. The access
rights are the same, and the protocol is the same. If a client uses
automount, the server will not be able to notice the difference with a
"real" mount. We are of course speaking about nfs only.
br.
--
Two witches watched two watches.
Which witch watched which watch?
Matt Doughty wrote:
>On Thu, May 16, 2002 at 07:41:09PM +0900, Bruno Raoult wrote:
>
>
>>My points (2) & (3) were typical of needs which cannot be covered by a
>>"global" /home mount. Even if /home is reserved for users dirs, it does
>>not mean that all homes *must* be nfs-mounted (a trader on Tokyo Stock
>>Exchange and a secretary cannot afford the same downtime, but they work
>>in the same company, and share the same sysadmin).
>>
>>
>
>Yes and right there you have illustrated a completely different environment
>with different concerns. It sounds like you have an environment where
>every user has their own workstation. Your goals are to centralize data as
>much as possible while allowing for needed flexibility per workstation. In
>your case a straight mount of /home is not a good solution. In the case of
>a computer lab with a fleet of generic workstations with a variety of users
>a straight mount of home is both simple and very applicable.
>
>
>>I did not say home dirs should not be mounted. On the contrary, in most
>>cases. But a global and *unique* mount point is not good IMHO.
>>I really prefer a per-user mount system (nearly as easy to set up as a
>>global /home), which could *also* give you a centralized server if you
>>wish. You just add the possibility to do something different if you need.
>>
>>
>
>Yes but your solution is going to require the use of additional services
>such as amd. These types of services have been the target of various security
>exploits. It's your basic security tenets here. You just shouldn't run
>services that aren't needed. It is trivial to change over to an auto mount
>system in the future should it be needed.
>
>
>>We use NFS for home dirs, of course, but certainly not by mounting /home.
>>
>>With the same idea, we don't mount a "/usr/local" dir where our added
>>apps are. It is also an "indirect automount map" in /usr/local/mount.
>>With this system, we simply have the same dirs (e.g. /usr/local/sybase),
>>whatever the client is (linux, Solaris, with different versions of Sybase).
>>
>>
>>
>
>These are all very good solutions to the problems you are dealing with. It
>doesn't make it the best solution for all environments. As I said before it
>is situational. In your case a single NFS mount for home is a horrible solution.
>In the case of a computer lab environment it is the perfect solution.
>
>--Matt
>
>
>
>