[kelnos]

Several of the criticisms the book lists are still true today. File locking is unreliable, deletions are weird, security is either garbage (in that you set it up in a way where there's very little security) or trash (in that you have to set up Kerberos infrastructure to make it work, and no one wants to have to do that).

Perhaps I was a bit hyperbolic about it sucking more nowadays. At least you can use TCP with it and not UDP, and you can configure it so you can actually interrupt file operations when the server unexpectedly goes away and doesn't come back, instead of having to reboot your machine to clear things out. But most of what the book says is still the NFS status quo today, 30 years later.

[chungy]

Everything you listed was fixed in NFSv4. Don't use the ancient versions of NFS.

[yrro]

We're not there with authentication yet (although I've no problem with Kerberos myself).

[gnufx]

How are we not there? The only real issue I know is allegedly requiring host keys for gssd (e.g. "joining the domain"), but rpc.gssd(8) documents "anyname" principals.

[yrro]

The only per-user authentication option is Kerberos. Username/password based authentication is not possible.

[gnufx]

That seems like a feature; mounting SMB is done on a local system on the basis of password, and it's horrible. (I assume you could, in principle, use some other GSSAPI mechanism.)

[lubutu]

There has been recent work on RPC-with-TLS (RFC 9289), xprtsec=mtls.

[yrro]

AIUI this is still not user level authentication. It rather secures the communication between hosts, but you still have to choose between sec=sys ("trust me bro") or sec=krb5* at the upper layer.

[kiney]

easist way nowadays to get secure NFS is to just set up a wireguard tunnel

[yrro]

No because you still have to trust the client.

With Kerberos a hacked client where user 1 has authenticated can't impersonate user 2 unless that user has also authenticated on the client.

With sec=sys the client is simply trusted without any per-user authentication.

[kiney]

in most cases you can just use more fine-grained exports. e.g. export /home/user1 to 10.0.0.1 and /home/user2 to 10.0.0.2 instead of /home to 10.0.0.0/24 etc.