Re: Samba vs NFS
From: Avery Payne (apayne_at_pcfruit.com)
Date: Mon, 21 Feb 2005 17:07:04 -0800
To: firstname.lastname@example.org
Jennifer Fountain wrote:
>My company is looking at samba or NFS to allow our clients to access
>shares from their Windows workstations and their linux ssh sessions.
>From a security standpoint, which option is "more" secure? Which option
>is more vulnerable than the other? Etc, etc, etc. I appreciate any
>security information about NFS or samba that you may have.
Samba would be your better option for Windows. While it is (somewhat)
more complicated than NFS, it has some rudimentary security (the same
security that you get with NT LanMan hashes, used in Windows NT 4) and
the Windows clients need no additional software to interface with. Your
SSH sessions will require three ports to be forwarded (four if you are
running Windows 2000 or better), but otherwise it should work fine as
well. You can even set up Samba as a domain controller with the newer
versions. Please note that NTLM hashes are NOT as secure as they used
to be, and can be directly attacked with commercial tools (do a search
on L0phtCrack sometime). Future versions of Samba will incorporate
Kerberos support for stronger authentication, as well as better
integration with existing Windows 2000 clients.
NFS doesn't have nearly as good a security system (it performs a
credential lookup on the client system, which can theoretically be
spoofed - yikes!), but it is "Native" to Linux/Solaris/Mac OS X and
pretty much is the "Unix" way of sharing files. If you do decide to use
NFS, use an implementation that is at least NFSv3 or better. NFSv2 or
older will have some issues with file sizes and throughput that have
been resolved in the v3 protocol. NFS has adequate throughput, can
mount sync/async, and basically extends the internals of a directory on
one *nix box to a mount point on another *nix box. It is especially
handy when making thin or diskless clients or workstations that share a
common binary image (this practice is called "using an NFS root").
NFS is becoming "long in the tooth" and there are replacements that are
being proposed, but none have gained as much widespread traction as
NFS. Look up AFS (and its cousin, OpenAFS), SFS, and the terms "network
filesystem" or "distributed filesystem" in Google. AFS has also been
around but uses Kerberos authentication; SFS takes NFS further with
encryption and vastly stronger user validation.
Hope this helps.
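
Added example, not part of the original post: a decoder for the ONC RPC credential that accompanies an NFS call, showing why the reply calls NFS's client-side credential lookup spoofable. With the AUTH_SYS flavor the credential is only a hostname, uid and gid list that the client fills in itself, with no signature or secret. The layout and flavor numbers follow RFC 5531; the sample bytes are constructed, and `XdrReader` and `parse_opaque_auth` are names made up for this sketch.

```python
import struct

# ONC RPC authentication flavor numbers (RFC 5531).
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}

# Constructed sample (not captured traffic): opaque_auth carrying AUTH_SYS parameters.
SAMPLE_CRED = bytes.fromhex(
    "00000001" "00000020"              # flavor 1 (AUTH_SYS), body length 32
    "00000001"                         # stamp
    "00000003" "77733100"              # machinename "ws1", padded to 4 bytes
    "000003e8" "00000064"              # uid 1000, gid 100
    "00000002" "00000064" "0000000a"   # two supplementary gids: 100 and 10
)

class XdrReader:
    # Minimal bounds-checked XDR reader (big-endian, 4-byte aligned).
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated XDR data")
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value
    def opaque(self, max_len):
        n = self.u32()
        padded = (n + 3) & ~3
        if n > max_len or self.pos + padded > len(self.data):
            raise ValueError("bad opaque length")
        raw = self.data[self.pos:self.pos + n]
        self.pos += padded
        return raw

def parse_opaque_auth(data):
    """Decode an RPC credential; for AUTH_SYS, list the identity the client claims."""
    outer = XdrReader(data)
    flavor = outer.u32()
    body = XdrReader(outer.opaque(400))          # RFC 5531: body is opaque<400>
    info = {"flavor": FLAVORS.get(flavor, f"unknown({flavor})")}
    if flavor == 1:
        info["stamp"] = body.u32()
        info["machinename"] = body.opaque(255).decode("ascii", "replace")
        info["uid"], info["gid"] = body.u32(), body.u32()
        count = body.u32()
        if count > 16:
            raise ValueError("too many supplementary gids")
        info["gids"] = [body.u32() for _ in range(count)]
        if body.pos != len(body.data):
            raise ValueError("trailing bytes in AUTH_SYS body")
    return info
```

Run over credentials extracted from a packet capture, the `flavor` field tells you whether a mount is still relying on client-asserted identity (AUTH_SYS) or on a cryptographic flavor such as RPCSEC_GSS.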