OpenBSD Security Functionally paranoid! |
Windows Clients, KerberosV5 and dns platform mixup
Dear Community,
Beloved, I have a quick problem that seeks experience. I have a just-installed OpenBSD ver6.8 assuming a full disk, and I already set up my nfs and ntpd (all I wanted was kerberos for authentication to the nfs server). I understand now that I have to deploy a DNS for kerberos to work. Well, I have a Windows Server that isn't doing much. I could turn on its dns feature and make it a DNS server. Or I could (can I) set up dns on my OpenBSD and co-host it with kerberos?

ntp_server --> OpenBSD_6.8
nfs ---> OpenBSD_6.8
kerberos V5 --> OpenBSD_6.8
dns --> Windows or OpenBSD_6.8
nfs clients platform --> Windows OS

My question in summary:
1. Can Windows clients use kerberos tickets to authenticate nfs and also authenticate Windows applications?
2. Will co-hosting my dns-server with nfs, ntp and kerberos (on OpenBSD) compromise security in some ways? Or in general, how can I make this sort of system as clean as possible?

Thanks in anticipation
Thank you jggimi,
Oh my! I had typed a response since I read your answer. I apparently didn't hit the Post button. Forgive me for the late reply please. Foremost, thanks for the note on Heimdal. I detest complexity! Maybe I should make use of IPSec with Samba in place of NFS. Thanks again.
IPSec is quite complex. Due to that complexity the provisioning burden can sometimes be complex also. Just ask any admin who has ever had to develop and deploy an ISAKMP/Oakley KeyNote Policy for IKEv1. Or any admin who has ever missed a minor provisioning mistake in an IPSec flow and accidentally routed private communication between endpoints over plaintext instead of having that traffic encapsulated and encrypted.
To help with IPSec deployments, the OpenBSD FAQ has a chapter on VPN provisioning IPSec with either IKEv2 or IKEv1/L2TP. Right now, the chapter just mentions WireGuard and has a link to the driver's man page. As I mentioned above, I prefer VLANs whenever they can be deployed over any form of VPN, and when VPNs are needed my current preference is for WireGuard over IPSec due to its clear administrative simplicity.
Tags: dns, kerberos, nfs, ntp, windows clients