Original author here. I wrote this article because I have set up NFSv4 with Kerberos twice so far and, both times, I ended up with a functional system but… very frustrated by how difficult and fragile everything seems.
That said, I still have a bunch of unanswered questions (all listed at the bottom of the article) and I suspect that some of you folks might have some insightful answers or corrections… hence why I’m submitting the article myself. If you do have any of those insights, please share here or there. And thanks!
> Yet, when you look around, people say “oh, but NFSv3 is fine if you trust the network!” But seriously, who trusts the network in this day and age?
My understanding is in the last 5-10 years we got a bit of trust back in the network through the return of the VPN with WireGuard, Tailscale, ZeroTier & co.
Because Kerberos and those VPN are doing a bit the same thing: authenticating hosts and encrypting communications.
I am unfamiliar with NFS but it seems to me for fine grain control the ideal would be able to map hosts on the network to users in NFS.
Could we do that?
Setting up a VPN between exclusively two machines would do the trick mostly. Note, however, that if a malicious user compromised the client, they'd still get unfettered access to the whole file system of the server -- whereas with NFSv4, they'd only get access to the files accessible by the Kerberos principal of the client.
Also, when I wrote this, I was thinking about the use case of a home network: running a VPN within such a network sounds really strange, but such a network is full of less-than-trustable IoT devices and the like.
That said, I still have a bunch of unanswered questions (all listed at the bottom of the article) and I suspect that some of you folks might have some insightful answers or corrections… hence why I’m submitting the article myself. If you do have any of those insights, please share here or there. And thanks!