Re: Samba vs NFS

From: Avery Payne (
Date: 02/22/05

  • Next message: alux: "Re: Samba vs NFS"
    Date: Mon, 21 Feb 2005 17:07:04 -0800

    Jennifer Fountain wrote:

    >Hi all:
    >My company is looking at samba or NFS to allow our clients to access
    >shares from their Windows workstations and their linux ssh sessions.
    >>From a security standpoint, which option is "more" secure? Which option
    >is more vulnerable than the other? Etc, etc ,etc. I appeciate any
    >security information about NFS or samba that you may have.
    Samba would be your better option for Windows. While it is (somewhat)
    more complicated than NFS, it has some rudimentary security (the same
    security that you get with NT LanMan hashes, used in Windows NT 4) and
    the Windows clients need no additional software to interface with. Your
    SSH sessions will require three ports to be forwarded (four if you are
    running Windows 2000 or better), but otherwise it should work fine as
    well. You can even set up Samba as a domain controller with the newer
    versions. Please note that NTLM hashes are NOT as secure as they used
    to be, and can be directly attacked with commercial tools (do a search
    term on Lophtcrack sometime). Future versions of Samba will incorporate
    Kerberos support for stronger authentication, as well as better
    integration with existing Windows 2000 clients.

    NFS doesn't have nearly as good a security system (it performs a
    credential lookup on the client system, which can theoretically be
    spoofed - yikes!), but it is "Native" to Linux/Solaris/Mac OS X and
    pretty much is the "Unix" way of sharing files. If you do decide to use
    NFS, use an implementation that is at least NFSv3 or better. NFSv2 or
    older will have some issues with file sizes and throughput that have
    been resolved in the v3 protocol. NFS has adequate throughput, can
    mount sync/async, and basically extends the internals of a directory on
    one *nix box to a mount point on another *nix box. It is especially
    handy when making thin or diskless clients or workstations that share a
    common binary image (this practice is called "using an NFS root").

    NFS is becoming "long in the tooth" and there are replacements that are
    being proposed, but none have gained as much widespread traction as
    NFS. Look up AFS (and its cousin, OpenAFS), SFS, and the terms "network
    filesystem" or "distributed filesystem" in Google. AFS has also been
    around but uses Kerberos authentication, SFS takes NFS further with
    encryption and vastly-stronger user validation.

    Hope this helps.

  • Next message: alux: "Re: Samba vs NFS"