[KLUG Members] Re: fs permissions with smb/nfs/ldap (2)

Bryan J. Smith members@kalamazoolinux.org
Sat, 12 Jan 2002 20:14:08 -0500


"Bryan J. Smith" wrote:
> You've hit the problem on the head.
> SMB/NW is designed for "per-user" authentication at mount time, and
> that's it!
> NFS (when set up correctly) is designed for "per-system" authorization at
> mount time, then "per-user" authentication at "access-time" (via remote
> procedure calls).  Most other UNIX-centric protocols are designed for
> this too.

Let me take this one step further ...

On Windows clients, the system says, "Hey non-privileged user, there's
the network!  Have fun with it!  Including mounting remote filesystems.
If you cause my system to 'hang' because a resource isn't there, oh
well.  While I'm at it, I'm going to broadcast our names to everyone --
in an 'AOL me-too' posting symphony.  It's so easy to network in
Windows!"

Windows clients are NOT true, multi-user systems, even NT/2000/XP aren't
(unless you're running the Citrix/Terminal Server editions -- which is a
whole other ballgame).  They will let you mount drive letters at will,
etc...  They don't have to worry about multiple users mounting the same
drive letter, share, etc... because they aren't, again, multiuser client
OSes!

On UNIX clients, the system says, "Whoa!  You are not allowed to mount
_anything_!  Especially not from the network!  That's my job!  I'm here
to maintain system integrity.  You can use connectionless protocols,
like FTP, etc... that only affect you, but anything that messes with
filesystem access, that's something I can't let you do.  A 'hang' can
affect my other users, sorry."

UNIX clients are still true, multi-user systems.  They can't have users
mounting shares -- let alone have different users using the same mount
point (or shouldn't)!  What should be done beforehand is that the UNIX
client needs to be set up to know everything about a network, what shares
are available, what it is authorized to access, etc..  That's where an
NIS automounter map comes in, where the server "publishes" the list to
all NIS clients -- although the system authorization and user
authentication is still left up to NFS (or other method).

Again, in my LDAP ignorance, I don't know how LDAP handles creating
automounter maps.  I guess one way is an NIS "export" utility from LDAP
(that creates relative NIS maps from LDAP entries), another might be
some NSS/LDAP module on the client, etc...  Hence why I haven't dived
into LDAP yet, because I just am not familiar with it.

-- Bryan

-- 
Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
SmithConcepts, Inc.            http://www.SmithConcepts.com
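The NIS automounter map model described in the post above, as an added example that is not part of Bryan's message: a small POSIX shell script that resolves a key against a constructed autofs/NIS-style indirect map (the kind of text `ypcat -k auto.home` hands a client) and prints the mount the client system itself would perform, so the user never issues a mount. It also flags a map that publishes the same key twice, since two entries would compete for one mount point under the map root. The hostnames, export paths and map contents are assumptions for illustration; the `nosuid,nodev` options on the constructed entries are what a practitioner would want on a map pushed to every client.

```shell
#!/bin/sh
# Added example (not from the original post): resolve keys against an
# autofs/NIS-style indirect automounter map and print the mount command the
# client system's automounter would run on the user's behalf.
#
# Map line format:  key [-opt,opt,...] server:/exported/path
#   "*" is a wildcard key, and "&" in the location is replaced by the key.
#   Exact keys win over the wildcard, as in autofs. Keys containing "&" are
#   not supported by this small parser.
set -eu

# Constructed sample map, standing in for "ypcat -k auto.home" on a client.
# Hostnames and paths are assumptions; nosuid,nodev keep a remote home from
# smuggling set-uid binaries or device nodes onto the client.
AUTO_HOME='# auto.home -- published by the NIS master, not editable on the client
alice    -rw,hard,intr,nosuid,nodev   homeserver:/export/home/alice
bob      -rw,hard,intr,nosuid,nodev   homeserver2:/export/home/bob
shared   homeserver:/export/shared
*        -rw,hard,intr,nosuid,nodev   homeserver:/export/home/&
'

# A second constructed map with the same key published twice: two entries
# competing for one mount point under the map root.
AUTO_HOME_DUP='carol   -rw,hard,intr,nosuid,nodev   homeserver:/export/home/carol
carol   -rw,hard,intr                homeserver2:/export/home/carol
'

# map_check MAPTEXT: print each key that appears more than once and exit 1
# if any did, so a broken map is caught before the automounter loads it.
map_check() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        { if (seen[$1]++ == 1) { print "duplicate key " $1; bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

# map_lookup MAPTEXT MOUNTROOT KEY: print the mount command for KEY under
# MOUNTROOT, or print nothing when neither an exact entry nor "*" matches.
map_lookup() {
    printf '%s\n' "$1" | awk -v root="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { next }
        {
            # Options are optional; when absent the location is field 2.
            if ($2 ~ /^-/) { o = $2; l = $3 } else { o = "-defaults"; l = $2 }
            if ($1 == key && !found)      { found = 1; opts = o; loc = l }
            else if ($1 == "*" && !wild)  { wild = 1;  wopts = o; wloc = l }
        }
        END {
            if (!found && wild) { found = 1; opts = wopts; loc = wloc }
            if (!found) exit 0
            gsub(/&/, key, loc)          # "&" in the location becomes the key
            sub(/^-/, "", opts)          # drop the leading dash of the option list
            printf "mount -t nfs -o %s %s %s/%s\n", opts, loc, root, key
        }'
}

# Demo: what the client would run for a published user and for one matched
# only by the wildcard entry.
map_check "$AUTO_HOME"
map_lookup "$AUTO_HOME" /home alice
map_lookup "$AUTO_HOME" /home dave
```

The point the script makes concrete is the split the post describes: the map says which exports exist and which options the client applies, the client system (not the user) performs the mount, and the NFS server still decides at mount time whether that client host is authorized and at access time which user is acting.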