On 12/01/2011 04:58 PM, John Hodrien wrote:

On Thu, 1 Dec 2011, Ondrej Valousek wrote:

And how does it affect security? Easily - if you declare nfs/ UPN principal
for deneb and nfs/ SPN principal for polaris, you making sure that only
polaris can be used as a NFS server and deneb as a NFS client and not
vice-versa.

NFS is a freaky oddity though.  You've done nothing to stop me running pretty
much any other service I like.

jh

Kerberos can not protect you against a malicious root, but it can very well protect you against a malicious user. So if you are a common user, it is very easy to lock the system down the way so you have to use say NFS/Kerberos or nothing else.

That's a different story though...