Ian (l33t), Joined: 28 Oct 2002, Posts: 834, Location: Somerville, MA
Posted: Mon Nov 03, 2003 1:06 am, Post subject: NFS Permissions
I just set up an NFS server/client on my two computers, and I'm wondering how I can make it so that mounted shares can be set to be owned by my regular user (ian), instead of whatever the system feels like. I have no idea how to do this, and I can't find any documentation, but I assume that it's possible, because you need it to work to be able to write non-root, correct?
Ian (l33t), Joined: 28 Oct 2002, Posts: 834, Location: Somerville, MA
Posted: Mon Nov 03, 2003 11:12 am
No ideas?
Why are all the easy threads answered in seconds (literally), and then semi-hard ones always ignored...? :P
Beekster (Apprentice), Joined: 26 Nov 2002, Posts: 268, Location: Sydney
Posted: Mon Nov 03, 2003 11:34 am
The key is the matching of user IDs (the third parameter, a number, in /etc/passwd) or group IDs (the third parameter, a number, in /etc/group) between client and server machines. How this is achieved in large network environments escapes me at this point in my Linux admin "career".
[edit]Don't go changing the already made user or group IDs! Unless you really know what you're doing, and are prepared to change ownership and permissions of the home directories involved etc.[/edit]
From "man exports":

> User ID Mapping
>
> nfsd bases its access control to files on the server machine on the uid and gid provided in each NFS RPC request. The normal behavior a user would expect is that she can access her files on the server just as she would on a normal file system. This requires that the same uids and gids are used on the client and the server machine. This is not always true, nor is it always desirable.
>
> Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called `root squashing') is the default, and can be turned off with no_root_squash.
>
> By default, exportfs chooses a uid and gid of -2 (i.e. 65534) for squashed access. These values can also be overridden by the anonuid and anongid options. Finally, you can map all user requests to the anonymous uid by specifying the all_squash option.
>
> Here's the complete list of mapping options:
>
> root_squash
> Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids that might be equally sensitive, such as user bin.
>
> no_root_squash
> Turn off root squashing. This option is mainly useful for diskless clients.
>
> all_squash
> Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.
>
> anonuid and anongid
> These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).
MrPyro (Tux's lil' helper), Joined: 14 Aug 2003, Posts: 121, Location: Sheffield, England
Posted: Mon Nov 03, 2003 3:42 pm
> Beekster wrote: How this is achieved in large network environments escapes me at this point in my Linux admin "career".

In a large network you would use NIS (yuck) or LDAP (better) to perform centralised authentication. This works in a similar way to Windows domain logins: the username and password are sent to a central server, which authenticates you. Because this authentication is central, you have the same numeric UID on all machines, which is how NFS determines file ownership.
In a small network, the easy thing to do is synchronise your group and passwd files across the network, so that your user has the same UID and GIDs on both machines. However, as Beekster warned, this can be a little tricky, and may involve some file chowning later.
_________________
Back off man, I'm a computer scientist
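As an added example (not code from the thread), the following checks the "synchronise passwd files" approach MrPyro suggests: it compares two /etc/passwd files, client and server, and reports every regular user whose numeric uid differs or whose uid belongs to someone else on the other machine, since NFS compares the number, not the name. Both passwd texts below are constructed.

```python
# Added example (not from the thread): compare two /etc/passwd files, client
# and server, and report every regular user whose numeric uid differs, since
# the uid, not the name, is what NFS uses. Both passwd texts are constructed.
from typing import Dict, List

CLIENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
ian:x:1000:100::/home/ian:/bin/bash
bar:x:1001:100::/home/bar:/bin/bash
"""

SERVER_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
ian:x:1001:100::/home/ian:/bin/bash
foo:x:1000:100::/home/foo:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> uid (the third colon-separated field)."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def check_sync(client_text: str, server_text: str, min_uid: int = 1000) -> List[str]:
    """Return a sorted list of uid problems for users with uid >= min_uid."""
    client, server = parse_passwd(client_text), parse_passwd(server_text)
    problems = []
    for name in set(client) | set(server):
        c, s = client.get(name), server.get(name)
        if max(c or 0, s or 0) < min_uid:
            continue  # system accounts are not what home-directory exports care about
        if c is None:
            problems.append(f"{name}: only on server (uid {s})")
        elif s is None:
            problems.append(f"{name}: only on client (uid {c})")
        elif c != s:
            problems.append(f"{name}: uid {c} on client but {s} on server")
    # the dangerous case: one uid belongs to different people on each machine
    client_by_uid = {uid: name for name, uid in client.items()}
    for name, uid in server.items():
        other = client_by_uid.get(uid)
        if uid >= min_uid and other is not None and other != name:
            problems.append(f"uid {uid}: is {other!r} on client but {name!r} on server")
    return sorted(problems)
```

Run it against the real files on both machines before mounting anything; an empty list means the uids agree and no chowning will be needed afterwards.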
Ian (l33t), Joined: 28 Oct 2002, Posts: 834, Location: Somerville, MA
Posted: Mon Nov 03, 2003 9:24 pm
Is setting up LDAP hard? I'm trying to just learn whatever I can, just for the hell of it, so I'm thinking I might as well try it just for the hell of it, provided that it's not too much work.
mattjgalloway (l33t), Joined: 16 Mar 2004, Posts: 761, Location: Coventry, UK
Posted: Mon Apr 10, 2006 5:53 pm
Did you ever learn how to synchronise /etc/group and /etc/passwd or set up LDAP? I would like to do the same thing for my home network and would like to know how it's done. If you could spare a little time, that'd be appreciated.
_________________
AMD64 3200+, 1024MB RAM, Gentoo Linux
MacBook Core Duo, 1024MB RAM, Leopard
nielchiano (Veteran), Joined: 11 Nov 2003, Posts: 1287, Location: 50N 3E
Posted: Wed Apr 12, 2006 8:47 pm
I have that setup running here at home (NFS + LDAP for user auth).
It works fine, but has 1 drawback: the server trusts the clients. Example:
I am user foo (uid 1000), I want to steal bar's files (uid 1001).
I am root on some client (e.g., my own laptop that I brought from home). I make a local user, bar, uid 1001, password "blabla" on the laptop. Then I NFS mount the share; su to bar, pass "blabla" and I have access to his files.
This works because the server trusts the client computer to do the authentication (which it did, but to its own local user database, not to the "right" LDAP server).
I'd recommend "LDAP System Administration" (O'Reilly) to get LDAP set up. It has an excellent chapter about it.
If you don't want to buy the book, let me know.
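As an added example, not code from the thread or from nfsd itself, this models the mapping rules quoted from exports(5) in Beekster's post and makes nielchiano's point concrete: with the default root_squash only id 0 is rewritten, so whatever uid a client presents for a non-root user is used as-is, and all_squash with anonuid/anongid collapses every client identity (the legitimate owner's included) to one account. The option strings and ids below are constructed.

```python
# Added example (not from the thread or nfsd): a model of the uid/gid mapping
# rules described in exports(5). It applies the quoted options to the uid/gid
# carried in a (constructed) NFS RPC request and returns what the server uses.
from dataclasses import dataclass
from typing import Tuple

ANON_ID = 65534  # exportfs default of -2 for squashed access


@dataclass
class ExportOptions:
    root_squash: bool = True    # default
    all_squash: bool = False    # no_all_squash is the default
    anonuid: int = ANON_ID
    anongid: int = ANON_ID


def parse_export_options(opts: str) -> ExportOptions:
    """Parse the option list of one /etc/exports entry, e.g. 'rw,all_squash,anonuid=150'."""
    o = ExportOptions()
    for tok in (t.strip() for t in opts.split(",")):
        if tok in ("root_squash", "no_root_squash"):
            o.root_squash = tok == "root_squash"
        elif tok in ("all_squash", "no_all_squash"):
            o.all_squash = tok == "all_squash"
        elif tok.startswith("anonuid="):
            o.anonuid = int(tok.split("=", 1)[1])
        elif tok.startswith("anongid="):
            o.anongid = int(tok.split("=", 1)[1])
        # rw, sync, etc. do not affect identity mapping
    return o


def map_identity(o: ExportOptions, uid: int, gid: int) -> Tuple[int, int]:
    """Return the (uid, gid) the server will use for access checks on this request."""
    if o.all_squash:
        return o.anonuid, o.anongid
    if o.root_squash:
        # only id 0 is squashed; other sensitive ids (e.g. bin) pass through
        uid = o.anonuid if uid == 0 else uid
        gid = o.anongid if gid == 0 else gid
    return uid, gid


if __name__ == "__main__":
    default = parse_export_options("rw,sync")
    # root on the client becomes nobody; any other uid is taken at face value,
    # so uid 1001 from any client the export trusts is treated as user bar
    print(map_identity(default, 0, 0), map_identity(default, 1001, 100))
    joe = parse_export_options("rw,all_squash,anonuid=150,anongid=100")
    print(map_identity(joe, 1001, 100))  # every request becomes (150, 100)
```

The model shows why export options alone cannot fix the trust problem: the server never sees a password, only a number, so the real fix is to restrict which hosts may mount the export and to make sure every one of them authenticates against the same directory.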