nfs help?
Ambrogio
fn050202 at flashnet.it
Mon Jun 12 09:49:41 UTC 2006
On Sun, 11/06/2006 at 17:34 +0930, Tim wrote:
> Tim:
> >>> That's never been my experience. Firstly, normally only the root user
> >>> can mount something. Secondly, when mounting a Linux file system over
> >>> NFS, the original ownership is maintained, but numerically: User 500
> >>> remote is treated as user 500 local, so you better make sure that
> >>> usernames and user IDs match on both sides of the connection.
Correct...
In a big LAN with a lot of clients you must use something other than
/etc/passwd to maintain user access.
It's hard to keep a coherent passwd on every client (NIS, for example,
or something else).
> Ambrogio:
> > That is what I said.
> > First, the mount command is also available at user level.
>
> While you *can* make things user-mountable, it doesn't also mean that
> root mountable things will only be available to the root user. That
> sort of behaviour depends on the mount. I would go as far as to say
> that for things like NFS mounts, it's NOT typical to mount them as a
> user, and it's NOT typical that users can't access root user mounted
> mounts.
This is one use.
Another may be that you deliver a login script that mounts NFS only
after login.
So
user 500 mounts server:/home/tim in /home/tim and
user 501 mounts server:/home/ambrogio in /home/ambrogio
This can be done at login level, and the mount is made by the user and not by root.
> > The user level is always treated numerically.
> > When you use ls -la and see a user instead of a number, it is only because ls
> > makes a conversion, but in the ACL we have numbers.
>
> ls -lan would show numerical mounts (n option does that).
I know, but it was only to explain that everything is based on numbers and not on words.
> Typically, with NFS, user 500 has to be user 500 on both machines, and
> so on. It doesn't matter if they use the same names on both sides, but
> that helps to make things coherent.
>
> If I am user 500, username Tim on one box, and export /home to another,
> I really also want to be user 500, on the second box. Then, I can
> access my files on both PCs. And, that mount is handled by root.
Well, that is why NFS is considered insecure.
I can be on your LAN with my PC, on which user 500 is not Tim, and mount
your home.
SURELY, only if /etc/exports permits that.
I read something about NFS v4 being able to use a more secure
protocol (Kerberos, I think).
> All that's done with just two entries on each machine (NFS must be
> running, already).
>
> Server's /etc/exports file:
> /home *.localdomain(rw,sync)
>
> This exports part of the file system to my LAN, the /home partition, and
> each user within that file system's home directories get exported as-is
> (Tim's files are Tim's elsewhere, johndoe's files are his elsewhere, and
> so on).
>
> Client's /etc/fstab file:
> server.localdomain:/home /mnt/server/home nfs auto,intr,noexec,nodev
>
> This mounts the export on a client machine. Root is doing the mount,
> but because the individual directories are owned by other people, and
> NFS understands ownership, ownership is maintained on both sides, so
> long as you set up the client machines with the same user IDs on both
> sides.
Thinking like Microsoft does (and a lot of customers do), IT admins
think that exporting the entire home is more insecure than exporting
single directories.
So the exports are like this:
/home/user1 pc1.localdomain(rw,sync)
/home/user2 pc2.localdomain(rw,sync)
> I seem to recall reading that it is possible to map user IDs between
> different systems using NFS (e.g. on server Tim is 500, but Tim is 632
> on a client, and 2349 on another client). But not seen anything
> detailing how.
The option map_static=/...map_file, in which you can specify mappings:
uid 0-99 - (no mapping for these users)
uid 100-150 1000 (add 1000 to users between 100 and 150)
The same for gid.
You can also use map_daemon or map_nis.
Bye
Ambrogio
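Added example (not part of the thread above, and not Tim's or Ambrogio's code): Tim's point that user 500 must be user 500 on both machines, and Ambrogio's point that NFS checks ownership by number rather than by name, both come down to keeping the UID-to-name tables coherent on every client before /home is exported. The POSIX shell script below compares a server's passwd table against a client's and reports the three ways they can disagree. The two passwd tables are constructed sample data, not taken from any real host, and the function names (`uid_mismatches`, `demo`) are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): check that UIDs and user
# names agree between an NFS server and a client before sharing /home.
# NFS checks ownership by numeric UID only, so any disagreement here is a
# problem: either the wrong local user owns the remote files, or the
# right user cannot reach them.

# Constructed sample server-side passwd table (not a real host).
server_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tim:x:500:500:Tim:/home/tim:/bin/bash
ambrogio:x:501:501:Ambrogio:/home/ambrogio:/bin/bash
johndoe:x:502:502:John Doe:/home/johndoe:/bin/bash
EOF
}

# Constructed sample client-side passwd table: the same people were created
# in a different order, and johndoe does not exist at all.
client_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ambrogio:x:500:500:Ambrogio:/home/ambrogio:/bin/bash
tim:x:632:632:Tim:/home/tim:/bin/bash
EOF
}

# uid_mismatches SERVER_PASSWD_FILE CLIENT_PASSWD_FILE
# Prints one line per disagreement, sorted:
#   NAME_MISMATCH <uid> <server_name> <client_name>
#       same UID, different owner: the client user silently owns the
#       server user's exported files (the "user 500 is not Tim" case)
#   UID_MISMATCH <name> <server_uid> <client_uid>
#       same person, different UID: they cannot reach their own home
#   MISSING <name> <server_uid>
#       server user absent on the client: files show up as a bare number
# Each line is tagged S: or C: so one awk pass can read both tables.
uid_mismatches() {
  { sed 's/^/S:/' "$1"; sed 's/^/C:/' "$2"; } | awk -F: '
    $1 == "S" { s_name[$4] = $2; s_uid[$2] = $4; next }
    $1 == "C" { c_name[$4] = $2; c_uid[$2] = $4 }
    END {
      for (uid in s_name) {
        name = s_name[uid]
        if ((uid in c_name) && c_name[uid] != name)
          printf "NAME_MISMATCH %s %s %s\n", uid, name, c_name[uid]
        if ((name in c_uid) && c_uid[name] != uid)
          printf "UID_MISMATCH %s %s %s\n", name, uid, c_uid[name]
        if (!(name in c_uid))
          printf "MISSING %s %s\n", name, uid
      }
    }' | LC_ALL=C sort
}

# Runs the check on the sample tables above; on real hosts you would pass
# the server's /etc/passwd and a copy of each client's /etc/passwd.
demo() {
  s=$(mktemp) && c=$(mktemp) || return 1
  server_passwd > "$s"
  client_passwd > "$c"
  uid_mismatches "$s" "$c"
  rm -f "$s" "$c"
}

demo
```

On the sample data the check reports that UID 500 is tim on the server but ambrogio on the client (so ambrogio's client login would own tim's exported home), that tim and ambrogio each have a different UID on the two hosts, and that johndoe has no client account at all. Any NAME_MISMATCH line is the case Ambrogio describes: a client where "user 500 is not Tim" gets Tim's files as soon as the export is mounted, unless a mapping such as map_static, or a shared account source such as NIS, keeps the tables in step.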