Is there a file system + configuration that will let me share a directory, and anyone who has access to something in that directory on the server will also have access (and lack of access) to the same files from the client? Clients will be Centos5, Win2K, WinXP. Server is Centos5.
To put it another way, all users have accounts on the server. I don't want to have to set up ANY user information on the server, other than what I set up to control local access. I just want to say "Share /vmware" and have it available, to the same users who can access it locally.
With Samba I have to maintain duplicate user lists, password lists, and share access lists. I have not been able to find clear instructions on how NFS4 handles this, but what I found didn't seem any better than Samba.
I don't mind implementing ACLs on the server if it will do what I need, but I can't find anything that says it will save me any work either.
Looking for a better way,
Ted Miller
Indiana, USA
Ted Miller wrote:
Is there a file system + configuration that will let me share a directory, and anyone who has access to something in that directory on the server will also have access (and lack of access) to the same files from the client? Clients will be Centos5, Win2K, WinXP. Server is Centos5.
To put it another way, all users have accounts on the server. I don't want to have to set up ANY user information on the server, other than what I set up to control local access. I just want to say "Share /vmware" and have it available, to the same users who can access it locally.
With Samba I have to maintain duplicate user lists, password lists, and share access lists. I have not been able to find clear instructions on how NFS4 handles this, but what I found didn't seem any better than Samba.
I don't mind implementing ACLs on the server if it will do what I need, but I can't find anything that says it will save me any work either.
Well, since you want to set up shares ... and since you want to share between Windows and Linux machines, and to share for windows you will need to use samba.
Since you can also set up linux to use a samba client, that would probably be the best method to "share these files" ... if you expect to just open them via a file manager on all platforms.
You can also do NIS (and NFS) for linux and samba for Windows if you prefer.
Johnny Hughes wrote:
Well, since you want to set up shares ... and since you want to share between Windows and Linux machines, and to share for windows you will need to use samba.
Since you can also set up linux to use a samba client, that would probably be the best method to "share these files" ... if you expect to just open them via a file manager on all platforms.
Is there a way to set up samba so that it "just uses" ACL information for permissions, instead of having to spell everything out for each share and each user?
Ted Miller
Ted Miller wrote:
Is there a way to set up samba so that it "just uses" ACL information for permissions, instead of having to spell everything out for each share and each user?
Well ... you would need to Join the "Samba Server" to your "Windows Domain". If that domain is ADS (Active Directory Services) then it is a different procedure than if it is a WinNT type Windows Domain.
Once the server is a member of the domain, the shares that are setup will work for your Windows users.
You would then need to setup "Samba Authentication" for your Linux Client machines.
The best method to do that depends on your business, who you have to interface with, what services you are running on the network, etc.
I run a Samba PDC (using LDAP as a backend) with Samba BDC's in several remote locations. If you do not require ADS network, then this can work great as LDAP databases can be replicated from the PDC to the BDCs and Linux machines can easily be setup to use LDAP for authentication.
However, if you need an ADS domain, then the LDAP method does not work since Samba can not be a Domain Controller for ADS. That would require you to be a Domain "Member Server" and enable samba authentication for Linux clients.
The methods to do that are too hard to explain on list. Much research needs to be done on samba.org docs (assuming you already understand the whole Windows Domain concept and how it works on Windows). The way that you will proceed is an infrastructure decision and based on your individual needs and infrastructure.
Thanks, Johnny Hughes
Johnny Hughes wrote:
You would then need to setup "Samba Authentication" for your Linux Client machines.
The best method to do that depends on your business, who you have to interface with, what services you are running on the network, etc.
I run a Samba PDC (using LDAP as a backend) with Samba BDC's in several remote locations. If you do not require ADS network, then this can work great as LDAP databases can be replicated from the PDC to the BDCs and Linux machines can easily be setup to use LDAP for authentication.
However, if you need an ADS domain, then the LDAP method does not work since Samba can not be a Domain Controller for ADS. That would require you to be a Domain "Member Server" and enable samba authentication for Linux clients.
I've been able to use SMB authentication against an AD just by filling in the entries in system-config-authentication. I'm not sure if that requires any compatibility settings on the AD side or not - it just worked for me so I didn't ask questions. The down side is that you do have to add the users and maintain groups on the linux side which isn't too difficult if they don't change a lot, just adduser -u uid -g gid login_name with the same values on all the boxes and copy changes to /etc/group around. The up side is that you can control which users have access separately and only have to deal with passwords for users that aren't in AD - and you don't have to ask permission to join the linux boxes to the domain.
The methods to do that are too hard to explain on list. Much research needs to be done on samba.org docs (assuming you already understand the whole Windows Domain concept and how it works on Windows). The way that you will proceed is an infrastructure decision and based on your individual needs and infrastructure.
Winbind can automatically create users from AD, but you have to join the domain and I'm not sure what you have to do to coordinate the uid mapping across machines so NFS shares work.
Johnny Hughes wrote:
Well ... you would need to Join the "Samba Server" to your "Windows Domain". If that domain is ADS (Active Directory Services) then it is a different procedure than if it is a WinNT type Windows Domain.
This is getting well outside the range of complexity that I am looking for. If I add more detail, maybe something more suitable to my situation will suggest itself to members of the list.
1. This is a very small network, only one primary file server (office2). A second file server (RAIDer1) has only one shared directory, so is not really an issue.
2. Users log in primarily from Linux boxes, but have to run virtual Windows machines for some software, and also log in from Windows laptops.
3. office2 is set up with logins and home directories for all users, and directories are permissioned such that users can run programs on office2 (if needed) and directory permissions work right.
4. Some users don't have physical machines, but only have virtual machine(s) running on office2, which also need "network" access to office2 files.
Because all the users and permissions already exist on office2, I would like those existing permissions to be reflected when the file system is shared, just the same as when it is accessed locally. To restate: my desire is that users, logins, and permissions be identical whether a user is logged into office2 or whether that user is using a network file share from another virtual or physical machine, running Linux or Windows. I would think there would be a "market" for a network file system where sharing a directory tree involved no more than assigning a network share name to it. If (and only if) you had access to the file locally, you now have access to it on the network. Very simple to administer, very simple to understand--one set of permissions (kept locally) works everywhere.
From everything I have heard, a windows domain controller would be more work than it is worth for this size of project, as I am looking for something machine-scale, not enterprise scale.
I hope this more clearly expresses my desires, even if only so that everyone can tell me to keep dreaming, because what I want doesn't exist--or in the open source tradition, quit dreaming and start coding. (Unfortunately I am still working on my first C++ lesson book.)
Sorry I neglected this (and all other) threads for a week or more, as I had to learn how to do video editing to rescue an otherwise disastrously unusable video project for my employer.
Ted Miller
Ted Miller wrote:
Johnny Hughes wrote:
Well ... you would need to Join the "Samba Server" to your "Windows Domain". If that domain is ADS (Active Directory Services) then it is a different procedure than if it is a WinNT type Windows Domain.
This is getting well outside the range of complexity that I am looking for. If I add more detail, maybe something more suitable to my situation will suggest itself to members of the list.
- This is a very small network, only one primary file server (office2).
A second file server (RAIDer1) has only one shared directory, so is not really an issue.
- Users log in primarily from Linux boxes, but have to run virtual
Windows machines for some software, and also log in from Windows laptops.
Virtual windows machines should be no different in terms of network connections, so you can ignore that distinction.
- office2 is set up with logins and home directories for all users, and
directories are permissioned such that users can run programs on office2 (if needed) and directory permissions work right.
Is samba running there? If so, you are mostly done.
- Some users don't have physical machines, but only have virtual
machine(s) running on office2, which also need "network" access to office2 files.
Again, nothing different.
Because all the users and permissions already exist on office2, I would like those existing permissions to be reflected when the file system is shared, just the same as when it is accessed locally. To restate: my desire is that users, logins, and permissions be identical whether a user is logged into office2 or whether that user is using a network file share from another virtual or physical machine, running Linux or Windows. I would think there would be a "market" for a network file system where sharing a directory tree involved no more than assigning a network share name to it. If (and only if) you had access to the file locally, you now have access to it on the network. Very simple to administer, very simple to understand--one set of permissions (kept locally) works everywhere.
This mostly "just works" if you deal with a few complications that on a small scale can be worked around without too much trouble. The first complication is that you need to maintain passwords separately for Linux and Windows because they are stored with different encryption. If you aren't already using samba, you need to 'smbpasswd -a username' for each user and input the password (or go around and let them type it themselves). After this, a windows user mapping a samba-shared directory from your office2 machine will have the same access as the same user logged in locally. There are the same issues with directories that users share with group permissions, but samba offers some extra options to force owner/group/permissions on newly created files that will help. Windows/samba connections are treated as single users with all access through that connection treated with the permissions of the matching linux login. With samba in 'user' mode, the authentication is done before you can even see the shares and even if you have multiple shares mapped from the server they must all be as the same user. There is also a 'share' mode where you authenticate separately per connection.
From everything I have heard, a windows domain controller would be more work than it is worth for this size of project, as I am looking for something machine-scale, not enterprise scale.
You might look at webmin, since it has an option to maintain unix and samba passwords at the same time and it can also keep multiple machines in sync. The other complication is that if you also want to share files via NFS, the permissioning mechanism is entirely different. NFS just looks at the uid/gid/modes like a local file, so you need to make the password files consistent across all the Linux boxes. There is also the issue that users who have root access to their own workstation can pretend to be any user over NFS. For a single-user Linux workstation scenario, it might make more sense to only provide samba shares and use cifs mounts instead of NFS. NFS makes more sense between multiuser unix/linux boxes where only the administrator(s) have root access.
I hope this more clearly expresses my desires, even if only so that everyone can tell me to keep dreaming, because what I want doesn't exist--or in the open source tradition, quit dreaming and start coding. (Unfortunately I am still working on my first C++ lesson book.)
I don't think you need to code anything since there are already several options with varying degrees of complexity. Centralizing authentication will help if you have many users and password changes. But that can be as simple as turning on domain controller emulation on samba on your office2 server and configuring everything else (windows and Linux) to use it. Or it can be as complicated as running a separate Active Domain controller. I've always been surprised that Linux distributions didn't come with a pre-configured LDAP server that automatically worked for local users and samba and could serve other Linux boxes as you add them without starting over, but so far I don't think any provide that.
Sorry I neglected this (and all other) threads for a week or more, as I had to learn how to do video editing to rescue an otherwise disastrously unusable video project for my employer.
If these remote users are doing anything but video editing, another useful option might be to use remote X logins or freenx/NX for a remote Linux desktop directly from your office2 machine instead of accessing its files on their workstation. How well it works depends on what they are doing and the relative CPU and video use compared to file access.
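The uid/gid consistency Les is describing for NFS, as an added example that is not part of the thread: NFS credits the client with whatever numeric uid/gid it sends, so the same login name must map to the same numbers on the server and every workstation. The POSIX sh below compares two passwd-format excerpts and reports logins that are missing or mapped to different numbers. The sample passwd contents, the workstation name ws1 and the function names are constructed for illustration; office2 is the server name from the thread.

```shell
#!/bin/sh
# Added example (not from the list thread): check that login names map to the
# same uid:gid on the NFS server and on a workstation, since only the numbers
# travel over NFS. Inputs are passwd-format text; the samples are constructed.

# Constructed /etc/passwd excerpts: "office2" is the server, "ws1" a workstation.
SERVER_PASSWD='root:x:0:0:root:/root:/bin/bash
ted:x:500:500:Ted:/home/ted:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash'

CLIENT_PASSWD='root:x:0:0:root:/root:/bin/bash
ted:x:500:500:Ted:/home/ted:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
carol:x:503:503:Carol:/home/carol:/bin/bash'

# lookup_ids PASSWD_TEXT LOGIN -> prints "uid:gid", or nothing if LOGIN is absent
lookup_ids() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '$1 == user { print $3 ":" $4 }'
}

# compare_ids SERVER_PASSWD CLIENT_PASSWD
# One line per problem: "MISMATCH login server=uid:gid client=uid:gid" when the
# numbers differ, "MISSING login" when the server user has no client account.
# Returns 0 if every server login maps identically on the client, 1 otherwise.
compare_ids() {
    server="$1"; client="$2"; status=0
    for login in $(printf '%s\n' "$server" | awk -F: '{ print $1 }'); do
        s_ids=$(lookup_ids "$server" "$login")
        c_ids=$(lookup_ids "$client" "$login")
        if [ -z "$c_ids" ]; then
            echo "MISSING $login"; status=1
        elif [ "$s_ids" != "$c_ids" ]; then
            echo "MISMATCH $login server=$s_ids client=$c_ids"; status=1
        fi
    done
    return $status
}

# client_login_for_uid UID CLIENT_PASSWD -> which client login owns UID.
# Shows the effect of a collision: files the server stores as uid 502 (bob)
# would be reachable by alice from ws1, because ws1 gives alice uid 502.
client_login_for_uid() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1 }'
}

# Usage: in practice feed the real files, e.g.
#   compare_ids "$(cat /etc/passwd)" "$(ssh ws1 cat /etc/passwd)"
# With the constructed samples this prints the alice mismatch and the missing bob.
compare_ids "$SERVER_PASSWD" "$CLIENT_PASSWD"
```

The same check applied to /etc/group (fields 1 and 3) catches the gid side, which matters for the group-shared directories discussed in the thread.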
Thanks for the reply. I think we are making progress, see comments/questions interspersed below.
Les Mikesell wrote:
Ted Miller wrote:
Johnny Hughes wrote:
Well ... you would need to Join the "Samba Server" to your "Windows Domain". If that domain is ADS (Active Directory Services) then it is a different procedure than if it is a WinNT type Windows Domain.
This is getting well outside the range of complexity that I am looking for. If I add more detail, maybe something more suitable to my situation will suggest itself to members of the list.
- This is a very small network, only one primary file server
(office2). A second file server (RAIDer1) has only one shared directory, so is not really an issue.
- Users log in primarily from Linux boxes, but have to run virtual
Windows machines for some software, and also log in from Windows laptops.
Virtual windows machines should be no different in terms of network connections, so you can ignore that distinction.
- office2 is set up with logins and home directories for all users,
and directories are permissioned such that users can run programs on office2 (if needed) and directory permissions work right.
Is samba running there? If so, you are mostly done.
Yes, at the moment I have Samba running, but apparently not properly configured. I am also in the process of moving this machine from Centos 4 to Centos 5, and am trying to do it better this time. At the moment office2 is dual boot, still defaulting to C4.
Because all the users and permissions already exist on office2, I would like those existing permissions to be reflected when the file system is shared, just the same as when it is accessed locally. To restate: my desire is that users, logins, and permissions be identical whether a user is logged into office2 or whether that user is using a network file share from another virtual or physical machine, running Linux or Windows. I would think there would be a "market" for a network file system where sharing a directory tree involved no more than assigning a network share name to it. If (and only if) you had access to the file locally, you now have access to it on the network. Very simple to administer, very simple to understand--one set of permissions (kept locally) works everywhere.
This mostly "just works" if you deal with a few complications that on a small scale can be worked around without too much trouble. The first complication is that you need to maintain passwords separately for Linux and Windows because they are stored with different encryption. If you aren't already using samba, you need to 'smbpasswd -a username' for each user and input the password (or go around and let them type it themselves).
Done at this point.
After this, a windows user mapping a samba-shared directory from your office2 machine will have the same access as the same user logged in locally. There are the same issues with directories that users share with group permissions, but samba offers some extra options to force owner/group/permissions on newly created files that will help.
That is something I need to fix, because I do have some issues with group accessed files, where certain operations require me to log in as root and run a script that cleans up the file ownership, otherwise some users can no longer access the files. Any pointers on where to find documentation on this?
Windows/samba connections are treated as single users with all access through that connection treated with the permissions of the matching linux login. With samba in 'user' mode, the authentication is done before you can even see the shares and even if you have multiple shares mapped from the server they must all be as the same user. There is also a 'share' mode where you authenticate separately per connection.
I have been using 'share' mode, but a little reading makes it sound like I should switch to 'user' mode to make my life easier. I have been adding various user permission lines to each share. Will they keep working if I just comment out those lines?
From everything I have heard, a windows domain controller would be more work than it is worth for this size of project, as I am looking for something machine-scale, not enterprise scale.
You might look at webmin, since it has an option to maintain unix and samba passwords at the same time and it can also keep multiple machines in sync.
Does anyone maintain webmin for Centos? I have most of the common repos hooked to yum, but webmin draws a blank.
The other complication is that if you also want to share files via NFS, the permissioning mechanism is entirely different. NFS just looks at the uid/gid/modes like a local file, so you need to make the password files consistent across all the Linux boxes.
Does NFS work with windows? I have wasted considerable time on Google trying to answer that question, and the only answer I find is that there are commercial products that (for a per-seat fee) will connect windows to NFS. I read that NFS v.4 was supposed to "play better" with windows, but I could not find any official comment, or windows drivers, or even any recommendations of client only drivers.
There is also the issue that users who have root access to their own workstation can pretend to be any user over NFS.
Not an issue in this situation, users do not have root access.
For a single-user Linux workstation scenario, it might make more sense to only provide samba shares and use cifs mounts instead of NFS. NFS makes more sense between multiuser unix/linux boxes where only the administrator(s) have root access.
That is what I did under C4, but with considerable frustration, but maybe a simplified version of what I had (minus per-share permission listing in smb.conf) would get me most of what I want.
I hope this more clearly expresses my desires, even if only so that everyone can tell me to keep dreaming, because what I want doesn't exist--or in the open source tradition, quit dreaming and start coding. (Unfortunately I am still working on my first C++ lesson book.)
I don't think you need to code anything since there are already several options with varying degrees of complexity. Centralizing authentication will help if you have many users and password changes. But that can be as simple as turning on domain controller emulation on samba on your office2 server and configuring everything else (windows and Linux) to use it.
Any pointers to where I could learn the implications/pluses/minuses of that? It might be useful with my multiple machines (real and virtual) per user.
Or it can be as complicated as running a separate Active Domain controller. I've always been surprised that Linux distributions didn't come with a pre-configured LDAP server that automatically worked for local users and samba and could serve other Linux boxes as you add them without starting over, but so far I don't think any provide that.
Sounds like a great idea for a CentosPlus .rpm.
Sorry I neglected this (and all other) threads for a week or more, as I had to learn how to do video editing to rescue an otherwise disastrously unusable video project for my employer.
If these remote users are doing anything but video editing, another useful option might be to use remote X logins or freenx/NX for a remote Linux desktop directly from your office2 machine instead of accessing its files on their workstation. How well it works depends on what they are doing and the relative CPU and video use compared to file access.
Video editing is getting done on a windows-native-boot laptop. Video editing seems to be something that open source doesn't do very well.
Ted Miller
On Sat, 2008-06-21 at 21:48 -0400, Ted Miller wrote:
I have been using 'share' mode, but a little reading makes it sound like I should switch to 'user' mode to make my life easier. I have been adding various user permission lines to each share. Will they keep working if I just comment out those lines?
Share mode is designed to mimic Windows 98 file sharing behavior - its use is not recommended.
As for will they keep working...crystal ball cloudy. You can simply keep editing smb.conf because samba re-reads the smb.conf every minute I think.
From everything I have heard, a windows domain controller would be more work than it is worth for this size of project, as I am looking for something machine-scale, not enterprise scale.
You might look at webmin, since it has an option to maintain unix and samba passwords at the same time and it can also keep multiple machines in sync.
Does anyone maintain webmin for Centos? I have most of the common repos hooked to yum, but webmin draws a blank.
Download/install from www.webmin.com - also install perl-net-SSLeay for SSL (from dag/rpmforge).
The other complication is that if you also want to share files via NFS, the permissioning mechanism is entirely different. NFS just looks at the uid/gid/modes like a local file, so you need to make the password files consistent across all the Linux boxes.
Does NFS work with windows? I have wasted considerable time on Google trying to answer that question, and the only answer I find is that there are commercial products that (for a per-seat fee) will connect windows to NFS. I read that NFS v.4 was supposed to "play better" with windows, but I could not find any official comment, or windows drivers, or even any recommendations of client only drivers.
SFU (Services for Unix) is a free download from Microsoft.
Any pointers to where I could learn the implications/pluses/minuses of that? It might be useful with my multiple machines (real and virtual) per user.
You put barriers into place deciding what you are willing and not willing to do but in reality, what you want is all of the power and features of an enterprise system with none of the knowledge...good luck.
With LDAP, you could have multiple servers, integrated users/groups between posix and Windows and even have them see the same Desktop, the same $HOME directories regardless of whether they connected via Windows or Linux.
Craig
Ted Miller wrote:
Is samba running there? If so, you are mostly done.
Yes, at the moment I have Samba running, but apparently not properly configured. I am also in the process of moving this machine from Centos 4 to Centos 5, and am trying to do it better this time. At the moment office2 is dual boot, still defaulting to C4.
I don't think there should be a big difference samba-wise.
If you aren't already using samba, you need to 'smbpasswd -a username' for each user and input the password (or go around and let them type it themselves).
Done at this point.
After this, a windows user mapping a samba-shared directory from your office2 machine will have the same access as the same user logged in locally. There are the same issues with directories that users share with group permissions, but samba offers some extra options to force owner/group/permissions on newly created files that will help.
That is something I need to fix, because I do have some issues with group accessed files, where certain operations require me to log in as root and run a script that cleans up the file ownership, otherwise some users can no longer access the files. Any pointers on where to find documentation on this?
Newly created files default to having the group ownership of the primary group of the user creating it, and the RH scheme is to give every user his own group. You can do something like this in the samba share configuration:

    valid users = @groupname
    force group = groupname
    force create mode = 0775
    force directory mode = 0775
This will make new files have the right group and r/w (and executable, which you might not want). If files are also created on the Linux side you need to 'chmod g+s' on the directory to make new files take the group of the directory.
You can find samba docs here: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/
I have been using 'share' mode, but a little reading makes it sound like I should switch to 'user' mode to make my life easier. I have been adding various user permission lines to each share. Will they keep working if I just comment out those lines?
Share vs. user doesn't make a difference in how things work after the connection is established - it controls when authentication happens. Share mode just lets you browse the share list before authenticating and you can connect to different shares with different credentials.
You might look at webmin, since it has an option to maintain unix and samba passwords at the same time and it can also keep multiple machines in sync.
Does anyone maintain webmin for Centos? I have most of the common repos hooked to yum, but webmin draws a blank.
This is one of the reasons I usually install k12ltsp instead of the stock centos distribution (you don't lose anything, it just adds some extras and makes the updates yummable). You probably can grab the RPM directly from the webmin site.
The other complication is that if you also want to share files via NFS, the permissioning mechanism is entirely different. NFS just looks at the uid/gid/modes like a local file, so you need to make the password files consistent across all the Linux boxes.
Does NFS work with windows? I have wasted considerable time on Google trying to answer that question, and the only answer I find is that there are commercial products that (for a per-seat fee) will connect windows to NFS.
On windows you would use 'services for unix'. But I'd stick to samba.
I read that NFS v.4 was supposed to "play better" with windows, but I could not find any official comment, or windows drivers, or even any recommendations of client only drivers.
Don't know about that.
There is also the issue that users who have root access to their own workstation can pretend to be any user over NFS.
Not an issue in this situation, users do not have root access.
Do they have the same uid/gid, and group lists on their workstations as on the file server?
For a single-user Linux workstation scenario, it might make more sense to only provide samba shares and use cifs mounts instead of NFS. NFS makes more sense between multiuser unix/linux boxes where only the administrator(s) have root access.
That is what I did under C4, with considerable frustration, but maybe a simplified version of what I had (minus per-share permission listing in smb.conf) would get me most of what I want.
If it is one user per workstation, treating it just like the windows connections with samba should work.
I don't think you need to code anything since there are already several options with varying degrees of complexity. Centralizing authentication will help if you have many users and password changes. But that can be as simple as turning on domain controller emulation on samba on your office2 server and configuring everything else (windows and Linux) to use it.
Any pointers to where I could learn the implications/pluses/minuses of that? It might be useful with my multiple machines (real and virtual) per user.
Samba authentication for linux just checks that a login/password match. You still have to create the users and if you use NFS, make sure the uid/gids are all the same. For windows it works like a domain controller and once you've logged in as a windows user, you automatically authenticate to the samba shares as the same user and the server can force login scripts to run on the client.
If these remote users are doing anything but video editing, another useful option might be to use remote X logins or freenx/NX for a remote Linux desktop directly from your office2 machine instead of accessing its files on their workstation. How well it works depends on what they are doing and the relative CPU and video use compared to file access.
Video editing is getting done on a windows-native-boot laptop. Video editing seems to be something that open source doesn't do very well.
I use a mac for the little I do, but I thought that http://cvs.cinelerra.org/docs.php and http://lives.sourceforge.net were supposed to be getting better.
Les Mikesell wrote:
Ted Miller wrote:
After this, a windows user mapping a samba-shared directory from your office2 machine will have the same access as the same user logged in locally. There are the same issues with directories that users share with group permissions, but samba offers some extra options to force owner/group/permissions on newly created files that will help.
That is something I need to fix, because I do have some issues with group accessed files, where certain operations require me to log in as root and run a script that cleans up the file ownership, otherwise some users can no longer access the files. Any pointers on where to find documentation on this?
Newly created files default to having the group ownership of the primary group of the user creating it, and the RH scheme is to give every user his own group. You can do something like this in the samba share configuration:
    valid users = @groupname
    force group = groupname
    force create mode = 0775
    force directory mode = 0775
How about if I just change the primary user group to being the user group that I want their files' group ownership set to? Would that "just take care of it" on the group side? Then I could just set the "force create mode" and "force directory mode".
This is one of the reasons I usually install k12ltsp instead of the stock centos distribution (you don't lose anything, it just adds some extras and makes the updates yummable). You probably can grab the RPM directly from the webmin site.
Can I just add a k12ltsp repo and use their webmin?
Do they have the same uid/gid, and group lists on their workstations as on the file server?
yes, got that straight a while back.
Samba authentication for linux just checks that a login/password match. You still have to create the users and if you use NFS, make sure the uid/gids are all the same. For windows it works like a domain controller and once you've logged in as a windows user, you automatically authenticate to the samba shares as the same user and the server can force login scripts to run on the client.
I looked at the How-To for domain control, and it looks interesting. I'll have to dig into that further.
Ted Miller
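The thread keeps coming back to one precondition for NFS: because the server trusts the numeric uid/gid on the wire, every account must carry the same ids on the server and on each workstation. The script below is an added example of that check (mine, not something posted in the thread): it compares two passwd files by user name and reports ids that differ, plus server accounts the client does not know at all. The sample passwd lines it uses are constructed for the demo; the file names and user names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify uid/gid consistency between an
# NFS server's passwd file and a workstation's, matching accounts by name.
# NFS (v2/v3, and v4 without idmap) only carries numeric ids, so a user whose
# uid differs between the two hosts gets someone else's files.
# The passwd lines used by the demo below are constructed sample data.

# Print one line per user present in both files whose uid or gid differ.
# $1 = server passwd file, $2 = client passwd file.
passwd_mismatches() {
    awk -F: '
        NR == FNR { server[$1] = $3 ":" $4; next }
        ($1 in server) && server[$1] != $3 ":" $4 {
            print $1 " server=" server[$1] " client=" $3 ":" $4
        }' "$1" "$2"
}

# Print users that exist on the server but not on the client; their files
# would show up on the workstation as bare numeric ids with no name.
passwd_missing_on_client() {
    awk -F: '
        NR == FNR { server[$1] = 1; next }
        { client[$1] = 1 }
        END { for (u in server) if (!(u in client)) print u }' "$1" "$2" | sort
}

# Stand-alone demo with constructed passwd data: ./uidcheck.sh demo
if [ "${1:-}" = demo ]; then
    srv=$(mktemp); cli=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'ted:x:500:500:Ted:/home/ted:/bin/bash' \
        'sally:x:501:501:Sally:/home/sally:/bin/bash' \
        'bob:x:502:502:Bob:/home/bob:/bin/bash' > "$srv"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'ted:x:500:500:Ted:/home/ted:/bin/bash' \
        'sally:x:502:502:Sally:/home/sally:/bin/bash' > "$cli"
    echo "uid/gid mismatches:"; passwd_mismatches "$srv" "$cli"
    echo "missing on client:"; passwd_missing_on_client "$srv" "$cli"
    rm -f "$srv" "$cli"
fi
```

Run it against a copy of each workstation's /etc/passwd (scp'd to the server) before exporting anything over NFS; an empty report from both functions is the state the thread's "got that straight a while back" describes. The same comparison on /etc/group catches mismatched gids for supplementary groups, which the uid check alone does not cover.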
Ted Miller wrote:
How about if I just change the primary user group to being the user group that I want their files' group ownership set to? Would that "just take care of it" on the group side? Then I could just set the "force create mode" and "force directory mode".
Yes, that works if you only have one group that needs shared access or at least no one in overlapping groups. You do lose the ability to share your own stuff to members you add to your own group.
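The smb.conf options discussed above (valid users, force group, force create/directory mode, user-mode security and domain-controller emulation), together with the setgid directory from earlier in the thread, as an added worked example. This is my script, not configuration posted in the thread; the workgroup OFFICE2, share name vmware, group vmusers, directory path and the netlogon path are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the thread: emit the smb.conf stanzas the thread
# discusses and make the shared directory setgid, so files created over Samba
# and files created locally on the server both end up in the shared group.
# Placeholders (my choice): workgroup OFFICE2, share vmware, group vmusers,
# netlogon path /var/lib/samba/netlogon.

# [global] stanza: 'security = user' (authenticate before any share access)
# and Samba-3 domain-controller emulation with a logon script, which needs a
# [netlogon] share to serve the script from.
smb_global_stanza() {
    workgroup=$1
    cat <<EOF
[global]
    workgroup = $workgroup
    security = user
    domain logons = yes
    logon script = logon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
EOF
}

# Share stanza: only members of GROUP may connect; files created through the
# share are owned by GROUP. 'force create mode' ORs its bits into the mode,
# so 0664 is a floor; the thread's 0775 would also add execute, the bit the
# earlier reply says you may not want on plain files.
smb_share_stanza() {
    share=$1; dir=$2; group=$3
    cat <<EOF
[$share]
    path = $dir
    valid users = @$group
    force group = $group
    force create mode = 0664
    force directory mode = 0775
EOF
}

# Group-own DIR by GROUP and set the setgid bit (the 'chmod g+s' from the
# thread), so files created locally on the server inherit GROUP instead of
# the creator's private primary group.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Create a file in DIR and print the group it received; with the setgid bit
# on DIR this is DIR's group, not the creating user's primary group.
new_file_group() {
    f=$1/probe.$$
    : > "$f"
    stat -c %G "$f"
}

# Stand-alone demo: ./share.sh demo /vmware vmusers
if [ "${1:-}" = demo ]; then
    setup_shared_dir "$2" "$3"
    smb_global_stanza OFFICE2
    smb_share_stanza vmware "$2" "$3"
    echo "new local files get group: $(new_file_group "$2")"
fi
```

The setgid bit and 'force group' solve the same problem from two sides: the first covers files written by a local login or over NFS, the second covers files written through Samba, which otherwise applies the connecting user's primary group exactly as a local shell would. Neither fixes files that already exist; the cleanup script the thread mentions is still needed once for those.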
Can I just add a k12ltsp repo and use their webmin?
That should work.
Les Mikesell wrote:
Ted Miller wrote:
That should work.
Now, if I can just figure out where they have their repos. Their web site isn't too clear about that, but I guess they expect you to be using their distro, and it already includes all that in the default repo files, so no need to make it public.
Ted Miller
Ted Miller wrote:
Les Mikesell wrote:
Ted Miller wrote:
Now, if I can just figure out where they have their repos. Their web site isn't too clear about that, but I guess they expect you to be using their distro, and it already includes all that in the default repo files, so no need to make it public.
I'm not sure about dependencies, but you could try just grabbing the RPM from here: ftp://k12linux.mesd.k12.or.us/pub/K12LTSP/webmin.
This howto from their wiki might be helpful too, but I'm not sure if it is up to date: http://k12ltsp.org/mediawiki/index.php/Technical:LDAP
On Mon, 2008-06-23 at 22:13 -0500, Les Mikesell wrote:
Ted Miller wrote:
Les Mikesell wrote:
Ted Miller wrote:
I'm not sure about dependencies, but you could try just grabbing the RPM from here: ftp://k12linux.mesd.k12.or.us/pub/K12LTSP/webmin.
those webmin packages are pretty old... better just to download from http://www.webmin.com
I also heavily recommend that you install perl-Net-SSLeay rpm package from dag repo first because if that is installed first, webmin will configure itself to use SSL automatically upon install.
This howto from their wiki might be helpful too, but I'm not sure if it is up to date: http://k12ltsp.org/mediawiki/index.php/Technical:LDAP
ancient information not related to webmin at all.
Craig
Craig White wrote:
This howto from their wiki might be helpful too, but I'm not sure if it is up to date: http://k12ltsp.org/mediawiki/index.php/Technical:LDAP
ancient information not related to webmin at all.
Somewhere earlier in this thread the point was to unify logins across several linux boxes and some windows samba clients. Webmin is probably the simplest approach and the LDAP/samba based on the idealx scripts might be overkill. Is there a simpler way to set up LDAP now?