I've got a server running CentOS 5.2 that has a working NFSv4 server. I've been looking for some help on this on the net, but haven't come across anything that looks like it would pertain to my situation.
Basically, I've got a mixed distro environment (CentOS, Fedora, openSUSE, Ubuntu, Puppy, and yikes, possibly a Windows box) on various desktops and laptops that I want to connect to my server. Currently, I've got it set up so that it is only NFSv4 with a host mask. My first concern is that it authenticates to the machine, not the user. Second, that the user is identified by the UID on the local machine, not the actual user name. Since CentOS/Fedora start UIDs at 500 and Ubuntu/openSUSE start at 1000, even though the names are the same, the UID is not. I'd rather not have to re-ID on half my machines. Third, I know I'll need Samba for the Windows box. So, if someone were to get on my local network and have the same UID as I have, then they could mount my shares as rw and have at it.
The ideal situation is that a user would log on to a local box, then when he wants to access a share, it sends the credentials to the server and mounts the share. This is all for my home setup; basically, I'd like to have my directories be mounted rw for myself, but if I have guests over, have them be able to mount read-only (sharing pictures with family members that have laptops, etc.).
Thanks, Ryan
On Fri, 2008-08-01 at 19:27 -0400, Ryan Dunn wrote:
---- You seem to be afraid of changing IDs, but that really isn't that difficult - especially considering that it's a one-time process...
http://docsrv.sco.com/UG_admin/uaT.chguid.html
next - you really should consider using LDAP, which is perfect for maintaining a single account/password that can be used to authenticate users on various machines (but that won't create their $HOME directories). Bonus is that if you use LDAP, the Samba users also have the same UID.
NFSv4 seems to be overkill for a home LAN setup, but if you do some Google searches, or at least start with the official documentation on setting up NFSv4:
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/ (see section on NFS)
Craig
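An added example, not posted by anyone in this thread, for the re-ID Craig is describing: a script that compares the passwd files of two boxes, lists the accounts whose names match but whose UIDs don't (and the nastier case from Ryan's post, where a stranger's UID matches yours), picks a UID that is unused on every box, and prints the one-time commands. The passwd excerpts are constructed and the user names, UIDs and paths are made up. The printed commands are meant to be run as root on the box being changed, with that user logged out, and the find lines repeated once per local filesystem.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: audit two boxes' passwd
# files for the same-name/different-UID problem and print the one-time re-ID
# commands. The passwd excerpts are constructed (a CentOS 5 box starting at
# UID 500, an Ubuntu box starting at 1000, and a visitor's laptop); user and
# path names are made up.

CENTOS_PASSWD='root:x:0:0:root:/root:/bin/bash
ryan:x:500:500:Ryan:/home/ryan:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash'

UBUNTU_PASSWD='root:x:0:0:root:/root:/bin/bash
ryan:x:1000:1000:Ryan,,,:/home/ryan:/bin/bash
guest:x:1001:1001:Guest,,,:/home/guest:/bin/bash
media:x:1002:1002:Media,,,:/home/media:/bin/bash'

VISITOR_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Tag each line with its origin so a single awk pass can see both files.
tagged() {
    printf '%s\n' "$1" | sed 's/^/ref:/'
    printf '%s\n' "$2" | sed 's/^/oth:/'
}

# uid_conflicts REF OTHER: accounts present in both files under the same name
# but with different UIDs. Over NFS these are one person on paper and two
# people on disk. Output: "name ref_uid other_uid".
uid_conflicts() {
    tagged "$1" "$2" | awk -F: '
        $1 == "ref" { uid[$2] = $4; next }
        $1 == "oth" && ($2 in uid) && uid[$2] != $4 { print $2, uid[$2], $4 }'
}

# uid_collisions REF OTHER: the dangerous case: a different name on the other
# box that owns the same UID, so a host-trusting export treats that stranger
# as you. Output: "uid ref_name other_name".
uid_collisions() {
    tagged "$1" "$2" | awk -F: '
        $1 == "ref" { name[$4] = $2; next }
        $1 == "oth" && ($4 in name) && name[$4] != $2 { print $4, name[$4], $2 }'
}

# free_uid START PASSWD...: first UID >= START that none of the given passwd
# files use, so the number you settle on cannot collide anywhere.
free_uid() {
    start=$1; shift
    printf '%s\n' "$@" | awk -F: -v start="$start" '
        NF >= 3 { used[$3] = 1 }
        END { u = start; while (u in used) u++; print u }'
}

# reid_commands NAME OLD NEW: commands for root on the box being changed.
# usermod/groupmod rewrite the account (usermod only chowns $HOME); the find
# runs fix files the account owns elsewhere on that filesystem.
reid_commands() {
    printf 'groupmod -g %s %s\n' "$3" "$1"
    printf 'usermod -u %s -g %s %s\n' "$3" "$3" "$1"
    printf 'find / -xdev -uid %s -exec chown -h %s {} +\n' "$2" "$3"
    printf 'find / -xdev -gid %s -exec chgrp -h %s {} +\n' "$2" "$3"
}

echo "same name, different UID (CentOS vs Ubuntu):"
uid_conflicts "$CENTOS_PASSWD" "$UBUNTU_PASSWD"
echo "same UID, different name (CentOS vs visitor):"
uid_collisions "$CENTOS_PASSWD" "$VISITOR_PASSWD"

# Move the CentOS side onto the Ubuntu numbers, so only half the boxes change.
# Check first that each target UID is free on the box being changed.
echo "commands for the CentOS box:"
uid_conflicts "$CENTOS_PASSWD" "$UBUNTU_PASSWD" | while read -r name old new; do
    reid_commands "$name" "$old" "$new"
done
echo "next UID free on every box: $(free_uid 1000 "$CENTOS_PASSWD" "$UBUNTU_PASSWD" "$VISITOR_PASSWD")"
```

If you would rather not touch the distro ranges at all, feed free_uid a start such as 5000 and re-ID both sides onto the result; neither distro's useradd will hand that range out later, so new accounts stay out of the way.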
On Fri, Aug 1, 2008 at 7:44 PM, Craig White craigwhite@azapple.com wrote:
Thanks for the input. What would you recommend as a home file server instead? Samba? Also, I just got the RHCE book and am just testing things out, so it has been a nice learning experience for me.
If I were to use LDAP, what would happen if I tried to use the laptop in the absence of the server? Is a local copy stored, à la how my work Windows network works?
On Fri, 2008-08-01 at 20:04 -0400, Ryan Dunn wrote:
If I were to use LDAP, what would happen if I tried to use the laptop in the absence of the server? Is a local copy stored, à la how my work Windows network works?
If you have nscd (Name Services Caching Daemon) enabled, yes. However, that will only cache the UID/GID lookups, and not authentication. If you are using local authentication, then no problem :) Also, if you wanted a file sharing service that would work better with a laptop, look at Coda instead (at least for home dirs). Coda has a concept of a disconnected mode, and caches locally the most used items that are on the share.
--Tim
On Fri, Aug 1, 2008 at 8:22 PM, Timothy Selivanow < timothy.selivanow@virtualxistenz.com> wrote:
I'm not looking to have a single home directory, just a place to put pictures, music, docs that I would want to access from any computer. The authentication would be to enable the write access, as anyone else who has access to the network, I'd like to have read only access. That basically sums up my end goal. Oh, and to not have the laptop choke on boot when I'm not at home and it cannot find the share.
Ryan Dunn wrote:
Thanks for the input. What would you recommend as a home file server instead? Samba? Also, I just got the RHCE book and am just testing things out, so it has been a nice learning experience for me.
Depends on what clients you have; if there is a chance there will be Windows systems on the network at some point, it may be good to at least set up a couple of read-only shares so you can dump files to them. Or maybe take a WebDAV approach.
For the Linux hosts, NFSv3 is more than enough. NFSv4 really doesn't seem to have anything that useful in it to make the extra effort to set it up worthwhile for most environments.
I personally don't like LDAP (after having used it for many years now). I do use it at home, though only two of the 6 systems I have are actually using it (I also use it for mail routing, but that is a legacy thing I set up 7 years ago that I haven't gotten around to migrating off of). I'm in the slow process of migrating my company's systems off of LDAP; they are using it for authentication and it's horribly unreliable, and I hate that single point of failure and the complexity of setting it up and maintaining it. They have a cron script that restarts the LDAP services every 15 minutes and they restart nscd on all of the servers every hour. And still even I get complaints on occasion about not being able to login and I have to go restart nscd again or at least invalidate the nscd passwd cache (nscd -i passwd).
My network very rarely has any 3rd party computers connected to it, but something you may want to think about is assigning static IPs to your own systems, and on the NFS server end set up those IPs as having read-write to your important shares, and then the rest of the network can have read-only access.
Then set up a couple of public shares where everyone has full read/write access. Sure, someone could spoof an IP or something, but if you have people willing to do that and are on your internal network you have bigger problems I think.
For my network I just have 2 shares that are wide open to my local computers. Really only one of them actually has any NFS volumes mounted though.
If I were to use LDAP, what would happen if I tried to use the laptop in the absence of the server? Is a local copy stored, à la how my work Windows network works?
If you use nscd it can cache stuff for a short period of time, but it isn't robust enough to survive a reboot or anything. The system can automatically fall back to local authentication. If I were you I suggest just sticking to local authentication.
And I do suggest, if possible, consolidating the user IDs/group IDs of your systems as another poster suggested if you plan to make widespread use of NFS (in my environment it's really basic use with my own account and the root accounts, so UID/GID sync isn't as important, though it happens to be in sync for the accounts that I care about). Hopefully it won't be too hard; I haven't checked much cross-distro stuff recently, but I am able to use the same passwd/group/shadow files on RHEL4/RHEL5 and Fedora 8.
But really, stay away from NFSv4 unless you really do understand what it is for and really need those capabilities. NFSv3 is more mature, more stable, more compatible, and much easier to set up. Yes, it is less secure, but I wouldn't be running NFS period in an environment where security was critical (or any RPC services for that matter).
At home I run Debian.
nate
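An added example, not posted by anyone in this thread, of the split nate suggests: an /etc/exports that gives read-write only to your own statically addressed boxes and read-only to the rest of the LAN, next to the sort of "rw with a host mask" line Ryan has now, and a small lint that flags the options which turn a host-trusting export into a LAN-wide write hole. Paths, addresses and the share layout are made up; it assumes /export is the single fsid=0 pseudo-root CentOS 5's NFSv4 wants and the shares are plain subdirectories of it. The point of all_squash on the guest exports is that a visitor who shows up with your UID is still mapped to nobody.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: an /etc/exports laid out
# the way nate suggests, plus a lint for the options that make a host-trusting
# export dangerous. Paths, addresses and the layout are made up.

GOOD_EXPORTS='# NFSv4 pseudo-root: CentOS 5 needs exactly one export with fsid=0
/export           192.168.1.0/24(ro,sync,fsid=0)
# my own boxes, by static IP: read-write, root on the client stays squashed
/export/ryan      192.168.1.10(rw,sync,root_squash) 192.168.1.11(rw,sync,root_squash)
# family laptops: read-only, and every client UID is mapped to nobody,
# so turning up with UID 500 buys a visitor nothing
/export/pictures  192.168.1.0/24(ro,sync,all_squash)
# drop box anyone may write to; nothing that matters lives here
/export/public    192.168.1.0/24(rw,sync,all_squash)'

# What a "rw with a host mask" export tends to look like once a couple of
# convenience options have crept in.
BAD_EXPORTS='/export  192.168.1.0/24(rw,fsid=0,no_root_squash,insecure)'

# exports_lint < exports-file: one line per finding, "path client: reason".
exports_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "<everyone>"
                # a network, a wildcard or no client at all is not one trusted box
                wide = (index(client, "/") || index(client, "*") || index(client, "?") || client == "<everyone>")
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path, client ": root on the client is root on this server"
                if (opts ~ /(^|,)rw(,|$)/ && wide && opts !~ /(^|,)all_squash(,|$)/)
                    print path, client ": read-write for a whole network trusts whatever UID the client sends"
                if (opts ~ /(^|,)insecure(,|$)/)
                    print path, client ": requests accepted from any source port, so any user on the client can speak NFS, not just root"
            }
        }'
}

# problem_count < exports-file: number of findings (0 means clean).
problem_count() {
    exports_lint | awk 'END { print NR }'
}

echo "lint of the tightened exports:"
printf '%s\n' "$GOOD_EXPORTS" | exports_lint
echo "lint of the wide-open export:"
printf '%s\n' "$BAD_EXPORTS" | exports_lint
# On the real server, after editing /etc/exports:  exportfs -ra && exportfs -v
# exportfs -v prints every option nfsd actually applied, defaults included.
```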
On Fri, 2008-08-01 at 17:33 -0700, nate wrote:
I personally don't like LDAP (after having used it for many years now). I do use it at home, though only two of the 6 systems I have are actually using it (I also use it for mail routing, but that is a legacy thing I set up 7 years ago that I haven't gotten around to migrating off of). I'm in the slow process of migrating my company's systems off of LDAP; they are using it for authentication and it's horribly unreliable, and I hate that single point of failure and the complexity of setting it up and maintaining it. They have a cron script that restarts the LDAP services every 15 minutes and they restart nscd on all of the servers every hour. And still even I get complaints on occasion about not being able to login and I have to go restart nscd again or at least invalidate the nscd passwd cache (nscd -i passwd).
---- LDAP is as stable as anything I've ever used, but I have to admit that I don't use nscd anywhere because I would suspect that is what is killing you. I stopped using nscd when I went to LDAP for that reason.
It's not uncommon for my primary LDAP servers to have uptimes of over 9 months and never restarting, though Red Hat made a curious choice of using Sleepycat 4.3 on RHEL 5, which is totally not recommended by OpenLDAP developers. http://www.openldap.org/faq/data/cache/44.html
I suppose if you wanted to have a stable LDAP, you would investigate with the developers of OpenLDAP.
Craig
I would second OpenLDAP, having used it in production at two different employers. It's always been stable and reliable. If you're restarting slapd every 15 minutes I'd take a good hard look at the problem versus just migrating away from it.
On that note, we recently migrated to Active Directory from OpenLDAP, primarily because we migrated from Zimbra 4.5 to Exchange (and Exchange requires AD). It wasn't without much kicking and screaming, but in the end it was the best move for our users. The tricky part was switching Linux systems which had been authenticating reliably and smoothly to OpenLDAP to using Winbind instead (primarily because of AD group support). Even though it largely works, I would say that in a large production environment I prefer OpenLDAP for centralized authentication over AD, especially since we're a predominantly Linux/UNIX environment.
- Chris
On 1 Aug, 2008, at 5:47 PM, Craig White wrote:
Chris Brentano wrote:
I would second OpenLDAP, having used it in production at two different employers. It's always been stable and reliable. If you're restarting slapd every 15 minutes I'd take a good hard look at the problem versus just migrating away from it.
I've been using LDAP for quite a while. I discounted using it starting about 4 years ago. I inherited the existing broken LDAP installation; the person that was there before me tried all sorts of things to make it work. I never wanted to use it in the first place. So out it goes. I came up with what is, at least for me, a much more scalable and stable system authentication system based on SSH keys and automatically generated passwd/group/shadow files, managed by a couple of scripts I wrote and distributed to the hundreds of nodes with CFengine (www.cfengine.org).
I can dynamically create passwd/group/shadow files on the fly for an "unlimited" amount of systems (in quotes because I need to manage the classes in cfengine to determine what class gets what set of files). Though at my current job I just have 3 different configs (mainly for different root passwords depending on the system type). I wrote the system about 2 years ago and used it extensively at my last job and it worked wonderfully.
LDAP is good I suppose for application level authentication (e.g. web apps). But for system authentication (all I really care about), while it does work, it is (to me):
- overly complicated (schema and stuff; my OpenLDAP 2.2 to 2.3 migration on my home network was a real pain)
- not many good tools to manage it (well, that I'm aware of at least; I use raw LDAP editors for the most part. I'm sure I could write some scripts if I was serious about long term support of it)
- Maybe it's improved recently, but replication in OpenLDAP used to be real sketchy. Configuration was arcane, and it was purely a master->slave relationship (not master<->master).
- SSL is damn picky. One of the things the former guy at my company tried to do was load balance a pair of LDAP servers for higher availability, but was unable to get that to work with SSL (I haven't tried myself). I'm fairly certain it would work without SSL, but don't care enough at this point to put any work into it.
- I aim to eliminate any external dependencies on everything I can; the last thing I need is some problem in LDAP taking down authentication for the entire network. I suppose if I really hork my custom generated password files the same could happen.
- Has a funny way of not working when the network is down <g>
- nscd is iffy to say the least. It's been mostly reliable on my home network over the past 7 years or so, but on occasion I login to my system and it tells me my user name is "I have no name!" (at least I can login at all since I use SSH key authentication).
- Without nscd LDAP can be sluggish at times, so it's a tough trade off..
Of course everyone's situation is different and I will admit that LDAP is a suitable solution for some, just not for me(anymore).
The reason I use it at home still is because it was my testing ground for my LDAP deployment at my company 7 years ago, I was getting close to replacing the local NT4 authentication server with samba-tng when they decided to downsize the company and well there went that plan :)
It also helps that I don't have to support any windows users (I saw your next comment about AD and exchange stuff).
LDAP was an interesting thing to play with, back in my early days with it the documentation was so bad I spent weeks or even months, with trial and error working with OpenLDAP, and getting samba-tng with domain authentication working, Netscape Roaming profiles with LDAP, and postfix mail routing. I even wrote a HOWTO doc at http://howto.aphroland.org/HOWTO/LDAP though I haven't updated it since 2003 I think. It was fun, learned a lot. But have learned even more since.
I toyed with the idea of using the SSH patch to store SSH public keys in LDAP a few years ago until I came up with the idea to take advantage of CFengine (which is a hellishly complicated tool in itself but I use it for far more things than just this), and I decided to finally put my LDAP ambitions to rest for good.
It's quite possible that my information about LDAP is out of date, I admit I haven't been on the cutting edge of that technology recently, though I still interface with my home installation on a regular basis(just added some new mail aliases into my LDAP config today actually), I haven't changed the way I go about things in LDAP in quite some time. Maybe I'm just gettin' old.
nate (also don't like NIS, and hate kerberos)
On Fri, 2008-08-01 at 21:09 -0700, nate wrote:
It's quite possible that my information about LDAP is out of date, I admit I haven't been on the cutting edge of that technology recently, though I still interface with my home installation on a regular basis(just added some new mail aliases into my LDAP config today actually), I haven't changed the way I go about things in LDAP in quite some time. Maybe I'm just gettin' old.
---- it is...syncrepl has been available for quite some time (master <-> master)
the way to deal with ssl/multiple LDAP servers is to use TLS_CACERTDIR on the clients so you can have multiple certs for the clients to use
migration from openldap 2.2 to 2.3 doesn't require any reconfiguration that I'm aware of.
Craig
Craig White wrote:
it is...syncrepl has been available for quite some time (master <-> master)
the way to deal with ssl/multiple LDAP servers is to use TLS_CACERTDIR on the clients so you can have multiple certs for the clients to use
migration from openldap 2.2 to 2.3 doesn't require any reconfiguration that I'm aware of.
good to know, thanks.
As for 2.2 to 2.3, the configs themselves didn't change, but I had to change a ton of my data; it took at least a couple of hours to clean up my data so that it would import into 2.3. I'm fairly sure it's just leftover cruft from OpenLDAP 2.0 when it wasn't as compliant as 2.2/2.3, and 2.2 was more lenient on what it would accept for schema layouts, and 2.3 was very strict by comparison.
I don't recall the exact errors I got when I upgraded, it was about a year ago. Fortunately I tested it a bunch of times and fixed the schema in my 2.2 production system before upgrading it, so that it went smoothly.
I'm hoping future version updates will be smoother for me.
nate
On Friday 01 August 2008 5:27:50 pm Ryan Dunn wrote:
If you are running your LAN as a lab to learn, I would suggest one thing. From what I have read, it seems you just want to have everything work together in a simple manner.
Since you have Windows involved, you might consider having everything run with Samba. With Samba, every system would be able to share and use shares on every other computer.
You could set up a Samba server as a domain controller and use something like pam_smb, pam_ntdom or libpam-smbpass (I've used libpam-smbpass on other systems, but don't know if CentOS makes it available anywhere; it is the only one that I know of that allows for update of the password from Linux) to allow the Linux boxes to authenticate against the Samba server.
http://www.freebooks.by.ru/view/SambaIn24h/ch16-03.htm
In this case, you would not need to set up LDAP which I think is a bit much for what it sounds like you are trying to do. Because you would be mounting Linux to Linux using Samba, you would not need to worry about NFS at all.
If it were just a Linux home network, I would do NFS3 with (probably a bad word here) NIS. Yes, NIS is insecure, but so is NFS3. If you use a firewall that would block outgoing NIS packets, it should do good enough for a home network.
How this simplifies everything:
1: Only one network file system for both windows and Linux, not NFS for Linux, samba for windows.
2: Allows Linux access to windows shares and printers.
3: If you are using libpam-smbpass you do not need to use something like LDAP, but rather passdb backend = tdbsam.
Your needs may be more complex than what I assumed, but I wanted to put forward one way to consider...
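An added example, not posted by anyone in this thread, of what MJT's all-Samba route looks like for Ryan's stated goal: shares that are read-only for anyone on the LAN but read-write for Ryan once he has authenticated, on the tdbsam backend. Share names, paths and user names are made up. The script also carries a small function that applies Samba's "read only", "write list", "guest ok" and "valid users" rules to a given user, so you can see who ends up with what before reloading smbd. The security point it illustrates: Samba authorises on the user name it authenticated and applies the server's own UID to it, so the client's UID (500, 1000 or whatever a visitor brings) never enters into it, which is exactly what a host-trusting NFS export cannot do.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: smb.conf shares for
# "rw for me after authenticating, ro for everyone else" on tdbsam, plus a
# function that evaluates who gets what. Names and paths are made up.

SMB_CONF='[global]
   workgroup = HOME
   security = user
   passdb backend = tdbsam
   # unknown user names become the guest account; a known name with a
   # wrong password is still rejected
   map to guest = Bad User
   guest account = nobody

[pictures]
   path = /srv/pictures
   guest ok = yes
   read only = yes
   write list = ryan

[music]
   path = /srv/music
   guest ok = yes
   read only = yes
   write list = ryan

[dropbox]
   path = /srv/dropbox
   guest ok = yes
   read only = no
   force user = nobody

[private]
   path = /srv/private
   valid users = ryan
   read only = no'

# share_access SHARE USER: "rw", "ro", "none" or "no such share". USER is the
# name Samba authenticated; pass "guest" for a connection that was mapped to
# the guest account. Mirrors the Samba rules: "valid users" gates the share,
# "guest ok" gates unauthenticated access, "read only" defaults to yes and
# "write list" overrides it for the users it names.
share_access() {
    printf '%s\n' "$SMB_CONF" | awk -v share="$1" -v user="$2" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == share && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
            opt[key] = val
        }
        END {
            if (!("path" in opt)) { print "no such share"; exit }
            if ("valid users" in opt) {
                n = split(opt["valid users"], v, /[ ,]+/); ok = 0
                for (i = 1; i <= n; i++) if (v[i] == user) ok = 1
                if (!ok) { print "none"; exit }
            }
            if (user == "guest" && opt["guest ok"] != "yes") { print "none"; exit }
            ro = (opt["read only"] != "no")
            n = split(opt["write list"], w, /[ ,]+/)
            for (i = 1; i <= n; i++) if (w[i] == user) ro = 0
            print (ro ? "ro" : "rw")
        }'
}

printf '%-9s %-6s %s\n' share user access
for share in pictures dropbox private; do
    for user in ryan alice guest; do
        printf '%-9s %-6s %s\n' "$share" "$user" "$(share_access "$share" "$user")"
    done
done

# On the CentOS 5 server (config lives in /etc/samba/smb.conf):
#     smbpasswd -a ryan      # Unix account must already exist; creates the tdbsam entry
#     testparm -s            # syntax check of the config
# A Linux client mounts with the name, not the UID:
#     mount -t cifs //server/pictures /mnt/pictures -o user=ryan
```

In the table, "alice" stands for a second account that has been added with smbpasswd; a name that is not in tdbsam is turned into guest by "map to guest = Bad User", so it lands in the guest row instead.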
On Sat, Aug 2, 2008 at 12:44 AM, MJT centos@mjt1.com wrote:
Thanks MJT. I kinda thought in the back of my head that I would end up with a solution similar to what you describe (I know I'll need to learn all about samba anyways).
In the meantime, I still want to play around with the ldap to see what all it can do. So the nscd is what will copy the account info to the local drive so in the absence of the server, the laptop is still usable? In my setup, I would want the $HOME drives to all be local, with a folder inside that would be the network share.
One thing that I've been somewhat confused on is how to tell the NFS server to only use v4 or v3? Right now I've only got tcp 2049 open in the CentOS firewall, so I'm assuming that it is NFSv4, but other than that, I don't know how to tell the difference. I've looked around for this and haven't found anything.
On Saturday 02 August 2008 6:25:07 pm Ryan Dunn wrote:
One thing that I've been somewhat confused on is how to tell the NFS server to only use v4 or v3? Right now I've only got tcp 2049 open in the CentOS firewall, so I'm assuming that it is NFSv4, but other than that, I don't know how to tell the difference. I've looked around for this and haven't found anything.
/etc/sysconfig/nfs
is where you say which versions are mounted.
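An added example, not posted by anyone in this thread, spelling out the /etc/sysconfig/nfs setting the reply points at and two ways to check what the server is really serving. The caveat for Ryan's assumption: a firewall that only passes tcp/2049 stops v3 clients from mounting (they need portmap and mountd as well), but the server keeps serving v2 and v3 to anyone who can reach those ports; the -N flags are what actually switch them off. The rpcinfo output below is a constructed sample of what a stock CentOS 5 server registers; the host name is made up. It assumes the nfsd filesystem is mounted on /proc/fs/nfsd, which the nfs init script does.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: which NFS versions is
# the server serving, and how to turn the unwanted ones off. The rpcinfo
# output is a constructed sample.

# Server side, /etc/sysconfig/nfs on CentOS 5 passes extra flags to rpc.nfsd;
# -N drops a protocol version. To serve v4 only:
#     RPCNFSDARGS="-N 2 -N 3"
# then "service nfs restart". Afterwards /proc/fs/nfsd/versions reads
# "-2 -3 +4" instead of the stock "+2 +3 +4".

RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp    936  mountd
    100005    3   tcp    939  mountd'

# nfs_versions < output of "rpcinfo -p server": NFS versions registered with
# portmap, one per line. NFSv4 itself does not need portmap, but nfsd still
# registers every version it serves, so this works as a remote probe.
nfs_versions() {
    awk '$5 == "nfs" { print $2 }' | sort -un
}

# proc_versions < /proc/fs/nfsd/versions: versions the running nfsd has on.
proc_versions() {
    tr ' ' '\n' | awk '/^\+/ { print substr($0, 2) }' | sort -un
}

# v4_only < version list: succeeds only if the list is exactly "4".
v4_only() {
    [ "$(tr '\n' ' ')" = "4 " ]
}

echo "versions advertised by the sample server:"
printf '%s\n' "$RPCINFO_SAMPLE" | nfs_versions
if printf '%s\n' "$RPCINFO_SAMPLE" | nfs_versions | v4_only; then
    echo "v4 only"
else
    echo "v2/v3 still on: set RPCNFSDARGS=\"-N 2 -N 3\" in /etc/sysconfig/nfs and restart nfs"
fi

# Client side on CentOS 5 the version is chosen by the filesystem type:
#     mount -t nfs4 server:/ /mnt/server            # v4, mounts the pseudo-root
#     mount -t nfs  server:/export/ryan /mnt/ryan   # v3, needs portmap and mountd reachable
# nfsstat -s on the server shows per-version call counts, which tells you
# whether any client is still using v3 before you switch it off.
```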
On Sat, 2008-08-02 at 20:25 -0400, Ryan Dunn wrote:
In the meantime, I still want to play around with the ldap to see what all it can do. So the nscd is what will copy the account info to the local drive so in the absence of the server, the laptop is still usable? In my setup, I would want the $HOME drives to all be local, with a folder inside that would be the network share.
One thing that I've been somewhat confused on is how to tell the NFS server to only use v4 or v3? Right now I've only got tcp 2049 open in the CentOS firewall, so I'm assuming that it is NFSv4, but other than that, I don't know how to tell the difference. I've looked around for this and haven't found anything.
---- I am of the opinion that nscd causes far more problems than it solves and wouldn't recommend usage.
For laptop purposes, you create the same user, same uid, same home directory both as a local account and as an LDAP account so the laptop will function either connected to LAN or not...it's tacky but it will work.
This is a good clean recommendation for NFS/Firewall...
https://www.redhat.com/archives/fedora-list/2008-January/msg00076.html
Craig