[KLUG Members] Re: fs permissions with smb/nfs/ldap

Chris Goron members@kalamazoolinux.org
13 Jan 2002 09:07:37 -0500


On Sat, 2002-01-12 at 20:02, Bryan J. Smith wrote:
> Chris Goron wrote:
> > I take it you are suggesting nfs for my Linux clients?? SMB for my Win
> > clients?? My Samba server is configured as a PDC and works very well for
> > my Win clients. I have no problem with NFS for Linux clients.
> 
> Right, you're fine then.  I'm just used to running into a lot of people
> who think they must use only one protocol for efficiency, memory
> savings, etc... (when it is nothing of the sort).
> 
> > Yup, I've used NIS and had no problems with this but I'm really keen on
> > using LDAP to manage my network.
> 
> Right, you're way ahead of me then.  I've been procrastinating far too
> long on moving to LDAP.
> 
> > I believe I'm specifying my NFS exports right. It sure seems like a LDAP
> > user issue here. I will check this site and go over my exports.
> 
> Again, you're ahead of me in that ball game.
> 
> > But my mount points depend on which user is logging in??
> 
> Is that something you are asking?  Or saying?

Asking now, but I think you clarify this further down.

> 
> [ I'm a bit confused, I'll try to see if I'm following you ... ]
> 
> IMHO, with UNIX clients, mount points should _never_ be "relative" to
> who's logged in.  You don't have to play such "games" like you do for
> Windows.
> 
> E.g., don't have a different /home for "bob" and a different /home for
> "mary".  Make their home directories _always_ /home/bob and /home/mary,
> respectively.  If they are on different servers, then make them
> /server1/bob and /server2/mary.
> 
> Am I making any sense?  Or am I going off on a tangent/path that is not
> what you are talking about?

Yes. No problem here, I have that set.

> 
> > Do I include all possible mount points and if a user needs access
> > afs takes care of them if they have access rights?? 
> 
> Are you using "AFS"?  Or did you mean "NFS"?

Oops, sorry, I meant automount.

> 
> [ Now I'm more confused ]
> 
> I haven't messed with AFS enough either, but we're still talking UNIX
> clients.
> 
> Remember, multi-user aware UNIX does user permissions/resolution at
> "access time" not "mount time" like multi-user ignorant Windows
> clients.  E.g., if you export /home from a server, just mount it as
> /home from the client.  Then normal RPC client-server exchange will
> resolve the user/group authentication for each file access, etc...
> 
> > Keep in mind I want my client workstations to know nothing about
> > the users logging in, it's all handled by the server.
> 
> Hence the "problem" I'm having with your setup.  Traditional UNIX
> network filesystems are designed to authenticate systems, then users,
> not just users.

That's kind of a new concept for me then. I guess I'm a little confused
why you would want to control network resources by system and not user?
But I can live with that.

> 
> Unless you're using "no_squash_root" with some circular /etc/hosts.equiv
> references between clients/servers, then you're not giving the client
> "full access" to the server just by mounting.  The client "system" is
> authorized at "mount-time," then the client's "users" are authenticated
> at "access-time."  I'm not sure about NFS v2 on this, but if you are
> using NFS v3, I'm fairly certain this is so.  Hmmm, I need to re-read
> section 6 of the NFS HOWTO.

I've checked and tried about every setting in the exports file including
the no_squash_root, I believe the problem lies in making my NFS on the
client side "LDAP aware".

> 
> NFS security can also be enhanced further by ticketing, like with
> Kerberos.  This is yet another realm where I'm not so enlightened.  ;-P
> 
> > Yes, enlighten me. I currently have a package called pam_mount to mount
> > the user's home dir but it only supports SMB and NetWare. How do I mount
> > the user's home dir with NFS, let's say??
> 
> You've hit the problem on the head.
> 
> SMB/NW is designed for "per-user" authentication at mount time, and
> that's it!
> 
> NFS (when setup correctly) is designed for "per-system" authorization at
> mount time, then "per-user" authentication at "access-time" (via remote
> procedure calls).  Most other UNIX-centric protocols are designed for
> this too.

Got it. I have autofs configured now and it works very slick. Takes care of
that confusion for me, I believe.

> 
> Again, depending on how "secure" you make NFS (version, configuration,
> ticketing, etc...), it differs on exactly how the system and users are
> authenticated.
> 
> -- Bryan
> 
> P.S.  If anyone has any commentary on this, please jump in.
> 
> -- 
> Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
> AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
> SmithConcepts, Inc.            http://www.SmithConcepts.com
> _______________________________________________
> Members mailing list
> Members@kalamazoolinux.org
>