[KLUG Members] Re: fs permissions with smb/nfs/ldap
Chris Goron
members@kalamazoolinux.org
13 Jan 2002 09:07:37 -0500
On Sat, 2002-01-12 at 20:02, Bryan J. Smith wrote:
> Chris Goron wrote:
> > I take it you are suggesting nfs for my Linux clients?? SMB for my Win
> > clients?? My Samba server is configured as a PDC and works very well for
> > my Win clients. I have no problem with NFS for Linux clients.
>
> Right, you're fine then. I'm just used to running into a lot of people
> who think they must use only one protocol for efficiency, memory
> savings, etc... (when it is nothing of the sort).
>
> > Yup, I've used NIS and had no problems with this but I'm really keen on
> > using LDAP to manage my network.
>
> Right, you're way ahead of me then. I've been procrastinating far too
> long on moving to LDAP.
>
> > I believe I'm specifying my NFS exports right. It sure seems like a LDAP
> > user issue here. I will check this site and go over my exports.
>
> Again, you're ahead of me in that ball game.
>
> > But my mount points depend on which user is logging in??
>
> Is that something you are asking? Or saying?
Asking now, but I think you clarify this further down.
>
> [ I'm a bit confused, I'll try to see if I'm following you ... ]
>
> IMHO, with UNIX clients, mount points should _never_ be "relative" to
> who's logged in. You don't have to play such "games" like you do for
> Windows.
>
> E.g., don't have a different /home for "bob" and a different /home for
> "mary". Make their home directories _always_ /home/bob and /home/mary,
> respectively. If they are on different servers, then make them
> /server1/bob and /server2/mary.
>
> Am I making any sense? Or am I going off on a tangent/path that is not
> what you are talking about?
Yes. No problem here, I have that set.
>
> > Do I include all possible mount points and if a user needs access
> > afs takes care of them if they have access rights??
>
> Are you using "AFS"? Or did you mean "NFS"?
Oops, sorry I meant automount.
>
> [ Now I'm more confused ]
>
> I haven't messed with AFS enough either, but we're still talking UNIX
> clients.
>
> Remember, multi-user aware UNIX does user permissions/resolution at
> "access time" not "mount time" like multi-user ignorant Windows
> clients. E.g., if you export /home from a server, just mount it as
> /home from the client. Then normal RPC client-server exchange will
> resolve the user/group authentication for each file access, etc...
>
> > Keep in mind I want my client workstations to know nothing about
> > the users logging in, it's all handled by the server.
>
> Hence the "problem" I'm having with your setup. Traditional UNIX
> network filesystems are designed to authenticate systems, then users,
> not just users.
That's kind of a new concept for me then. I guess I'm a little confused
as to why you would want to control network resources by system and not
by user. But I can live with that.
>
> Unless you're using "no_squash_root" with some circular /etc/hosts.equiv
> references between clients/servers, then you're not giving the client
> "full access" to the server just by mounting. Both the client "system"
> is authorized at "mount-time," then the client's "users" are
> authenticated at "access-time." I'm not sure about NFS v2 on this, but
> if you are using NFS v3, I'm fairly certain this is so. Hmmm, I need to
> re-read section 6 of the NFS HOWTO.
I've checked and tried about every setting in the exports file, including
the no_squash_root. I believe the problem lies in making my NFS on the
client side "LDAP aware".
>
> NFS security can also be enhanced further by ticketing, like with
> Kerberos. This is yet another realm where I'm not so enlightened. ;-P
>
> > Yes, enlighten me. I currently have a package called pam_mount to mount
> > the users home dir but it only supports smb and netware. How do I mount
> > the users home dir with nfs lets say??
>
> You've hit the problem on the head.
>
> SMB/NW is designed for "per-user" authentication at mount time, and
> that's it!
>
> NFS (when setup correctly) is designed for "per-system" authorization at
> mount time, then "per-user" authentication at "access-time" (via remote
> procedure calls). Most other UNIX-centric protocols are designed for
> this too.
Got it. I have autofs configured now and it works very slick. That takes
care of that confusion for me, I believe.
>
> Again, depending on how "secure" you make NFS (version, configuration,
> ticketing, etc...), it differs on exactly how the system and users are
> authenticated.
>
> -- Bryan
>
> P.S. If anyone has any commentary on this, please jump in.
>
> --
> Bryan J. Smith, Engineer mailto:b.j.smith@ieee.org
> AbsoluteValue Systems, Inc. http://www.linux-wlan.org
> SmithConcepts, Inc. http://www.SmithConcepts.com
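A defender's check for the exports-file side of this discussion, added here as an example and not part of the original thread: it flags export entries that give up the per-system authorization at mount time that Bryan describes (world-wide exports, no_root_squash, insecure). The /etc/exports content in `sample_exports` is constructed for the demonstration; host names and paths are not from the list mail.

```shell
#!/bin/sh
# Audit an /etc/exports file for entries that weaken NFS's model of
# authorizing the client *system* at mount time before users are checked
# at access time. Added example; the sample below is constructed.

# audit_exports FILE: print "PATH HOST: finding" for each weak entry.
audit_exports() {
    grep -v '^[[:space:]]*#' "$1" | while read -r path specs; do
        [ -n "$path" ] || continue          # skip blank lines
        [ -n "$specs" ] || specs='*'        # no host list: exportfs treats it as '*'
        set -f                              # keep '*' from globbing file names
        for spec in $specs; do
            host=${spec%%"("*}              # host part before any "(options)"
            opts=
            case $spec in
                *\(*\)) opts=${spec#*"("}; opts=${opts%")"} ;;
            esac
            case $host in
                ''|'*') echo "$path $host: exported to every host (no per-system authorization)" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $host: remote root keeps uid 0 on the server" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $host: accepts mounts from non-privileged ports" ;;
            esac
        done
        set +f
    done
}

# Constructed sample exports file (not a real configuration).
sample_exports() {
    cat <<'EOF'
# home directories: named client systems only, root squashed (the default)
/home        ws1.example.com(rw,sync,root_squash) ws2.example.com(rw,sync)
# weak entries that the audit should report
/srv/pub     *(rw,no_root_squash)
/srv/tftp    192.168.1.0/24(ro,insecure)
/srv/scratch
EOF
}
```

Run it against a real file with `audit_exports /etc/exports`; an empty result means every export names its client systems and keeps root squashed.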