[KLUG Members] Re: fs permissions with smb/nfs/ldap

Bryan J. Smith members@kalamazoolinux.org
Sat, 12 Jan 2002 20:02:07 -0500


Chris Goron wrote:
> I take it you are suggesting nfs for my Linux clients?? SMB for my Win
> clients?? My Samba server is configured as a PDC and works very well for
> my Win clients. I have no problem with NFS for Linux clients.

Right, you're fine then.  I'm just used to running into a lot of people
who think they must use only one protocol for efficiency, memory
savings, etc... (when it is nothing of the sort).

> Yup, I've used NIS and had no problems with this but I'm really keen on
> using LDAP to manage my network.

Right, you're way ahead of me then.  I've been procrastinating far too
long on moving to LDAP.

> I believe I'm specifying my NFS exports right. It sure seems like a LDAP
> user issue here. I will check this site and go over my exports.

Again, you're ahead of me in that ball game.

> But my mount points depend on which user is logging in??

Is that something you are asking?  Or saying?

[ I'm a bit confused, I'll try to see if I'm following you ... ]

IMHO, with UNIX clients, mount points should _never_ be "relative" to
who's logged in.  You don't have to play such "games" like you do for
Windows.

E.g., don't have a different /home for "bob" and a different /home for
"mary".  Make their home directories _always_ /home/bob and /home/mary,
respectively.  If they are on different servers, then make them
/server1/bob and /server2/mary.

Am I making any sense?  Or am I going off on a tangent/path that is not
what you are talking about?

> Do I include all possible mount points and if a user needs access
> afs takes care of them if they have access rights?? 

Are you using "AFS"?  Or did you mean "NFS"?

[ Now I'm more confused ]

I haven't messed with AFS enough either, but we're still talking UNIX
clients.

Remember, multi-user aware UNIX does user permissions/resolution at
"access time" not "mount time" like multi-user ignorant Windows
clients.  E.g., if you export /home from a server, just mount it as
/home from the client.  Then normal RPC client-server exchange will
resolve the user/group authentication for each file access, etc...

> Keep in mind I want my client workstations to know nothing about
> the users logging in, it's all handled by the server.

Hence the "problem" I'm having with your setup.  Traditional UNIX
network filesystems are designed to authenticate systems, then users,
not just users.

Unless you're using "no_squash_root" with some circular /etc/hosts.equiv
references between clients/servers, then you're not giving the client
"full access" to the server just by mounting.  The client "system"
is first authorized at "mount-time," then the client's "users" are
authenticated at "access-time."  I'm not sure about NFS v2 on this, but
if you are using NFS v3, I'm fairly certain this is so.  Hmmm, I need to
re-read section 6 of the NFS HOWTO.

NFS security can also be enhanced further by ticketing, like with
Kerberos.  This is yet another realm where I'm not so enlightened.  ;-P

> Yes, enlighten me. I currently have a package called pam_mount to mount
> the user's home dir but it only supports smb and netware. How do I mount
> the user's home dir with nfs, let's say??

You've hit the problem on the head.

SMB/NW is designed for "per-user" authentication at mount time, and
that's it!

NFS (when set up correctly) is designed for "per-system" authorization at
mount time, then "per-user" authentication at "access-time" (via remote
procedure calls).  Most other UNIX-centric protocols are designed for
this too.

Again, depending on how "secure" you make NFS (version, configuration,
ticketing, etc...), it differs on exactly how the system and users are
authenticated.

-- Bryan

P.S.  If anyone has any commentary on this, please jump in.

-- 
Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
SmithConcepts, Inc.            http://www.SmithConcepts.com
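An added example, not part of the message above or of any project it mentions, illustrating the two NFS trust boundaries Bryan describes: the client "system" is authorized at mount time by the host list on each export, and the client's "users" are resolved at access time, with the client's root squashed to an unprivileged uid unless the export says otherwise. (The option he calls "no_squash_root" is spelled no_root_squash in /etc/exports.) The script parses a constructed /etc/exports and flags entries that weaken either boundary: no host restriction, no_root_squash, or the insecure option. The option names are real exportfs options; the sample paths, addresses and the audit function itself are constructed for this example.

```python
"""Audit /etc/exports for the two NFS trust boundaries discussed in the thread:
which systems may mount an export (host list) and whether the client's root
is squashed at access time.  Added example, not from the original post; the
sample exports text below is constructed."""
import re

# Constructed sample: several weak exports and one hardened one.
SAMPLE_EXPORTS = """\
# weak: no host list -> exported to every host that can reach the server
/srv/public (rw)
# weak: wildcard host, and the client's root is trusted as root on the server
/home *(rw,sync,no_root_squash)
# weak: 'insecure' accepts RPCs from unprivileged client ports, so any local
# process on the client, not just the kernel, can present a uid to the server
/srv/scratch 192.168.1.0/24(rw,insecure)
# hardened: explicit hosts (per-system authorization at mount time),
# root squashed, privileged source ports required
/home 192.168.1.10(rw,sync,root_squash) 192.168.1.11(rw,sync,root_squash)
"""

# host[(opt,opt,...)]  -- the host part may be empty, which exportfs treats as "*"
_CLIENT = re.compile(r"^(?P<host>[^(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return a list of (path, host, options) tuples, one per client entry.
    A host with no parenthesised options gets the nfsd defaults (ro, root_squash)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:                        # no client list at all = everyone
            clients = ["*"]
        for client in clients:
            m = _CLIENT.match(client)
            host = m.group("host") or "*"      # "(rw)" alone means any host
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, host, finding) tuples for entries that weaken either boundary."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*":
            findings.append((path, host, "exported to any host (no per-system restriction)"))
        if "no_root_squash" in opts:
            findings.append((path, host, "client root maps to server root (no_root_squash)"))
        if "insecure" in opts:
            findings.append((path, host, "unprivileged source ports accepted (insecure)"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<14} {host:<18} {finding}")
```

Run it against a real file with audit_exports(open("/etc/exports").read()); the hardened /home line at the end of the sample produces no findings, while the three weak lines produce four.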