nfs help?

Ambrogio fn050202 at flashnet.it
Mon Jun 12 09:49:41 UTC 2006


On Sun, 11/06/2006 at 17.34 +0930, Tim wrote:

> Tim:
> >>> That's never been my experience.  Firstly, normally only the root user
> >>> can mount something.  Secondly, when mounting a Linux file system over
> >>> NFS, the original ownership is maintained, but numerically:  User 500
> >>> remote is treated as user 500 local, so you better make sure that
> >>> usernames and user IDs match on both sides of the connection.
Correct...
In a big LAN with a lot of clients you must use something other than
/etc/passwd to maintain user access.
It's hard to keep the passwd coherent on every client (NIS, for example,
or others).

> Ambrogio:
> > It is what I said.
> > Firstly, the mount command is also available at user level.
> 
> While you *can* make things user-mountable, it doesn't also mean that
> root mountable things will only be available to the root user.  That
> sort of behaviour depends on the mount.  I would go as far as to say
> that for things like NFS mounts, it's NOT typical to mount them as a
> user, and it's NOT typical that users can't access root user mounted
> mounts.
This is one use.
Another may be that you deliver some login script that mounts NFS only
after login.
So
user 500 mounts server:/home/tim on /home/tim and
user 501 mounts server:/home/ambrogio on /home/ambrogio;
this can be at login level, and the mount is made by the user and not by root.

> > The user level is always treated numerically.
> > When you use ls -la and see a user instead of a number, it is only because ls
> > makes a conversion, but in the ACL we have numbers.
> 
> ls -lan would show numerical mounts (n option does that).
I know, but it was only to explain that everything is based on numbers and not on words.

> Typically, with NFS, user 500 has to be user 500 on both machines, and
> so on.  It doesn't matter if they use the same names on both sides, but
> that helps to make things coherent.
> 
> If I am user 500, username Tim on one box, and export /home to another,
> I really also want to be user 500, on the second box.  Then, I can
> access my files on both PCs.  And, that mount is handled by root.
Well, it is for that reason that NFS is considered insecure.
I can be on your LAN with my PC, on which user 500 is not Tim, and mount
your home.
SURELY, only if /etc/exports permits that.

I read something about NFS v4 being capable of using some more secure
protocol (Kerberos, I think).

> All that's done with just two entries on each machine (NFS must be
> running, already).
> 
> Server's /etc/export file:
> /home *.localdomain(rw,sync)
> 
> This exports part of the file system to my LAN, the /home partition, and
> each user within that file system's home directories get exported as-is
> (Tim's files are Tim's elsewhere, johndoe's files are his elsewhere, and
> so on).
> 
> Client's /etc/fstab file:
> server.localdomain:/home  /mnt/server/home  nfs  auto,intr,noexec,nodev
> 
> This mounts the export on a client machine.  Root is doing the mount,
> but because the individual directories are owned by other people, and
> NFS understands ownership, ownership is maintained on both sides, so
> long as you set up the client machines with the same user IDs on both
> sides.
Thinking like Microsoft does (and a lot of customers do), IT admins
think that exporting the entire home is more insecure than exporting
single directories.
So the exports file is like this:
/home/user1 pc1.localdomain(rw,sync)
/home/user2 pc2.localdomain(rw,sync)

> I seem to recall reading that it is possible to map user IDs between
> different systems using NFS (e.g. on server Tim is 500, but Tim is 632
> on a client, and 2349 on another client).  But not seen anything
> detailing how.
option map_static=/...map_file
in which you can specify the mapping
uid 0-99 - (no mapping for users)
uid 100-150 1000 (add 1000 to users between 100 and 150)

the same for gid.
You can also use map_daemon or map_nis.

Bye
 Ambrogio
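The thread's point that NFS trusts the numeric uid a client presents, so "user 500" on a client box may not be Tim at all, can be checked before an export goes live. The script below is an added example, not code from the thread or from the NFS project: it compares a server's and a client's passwd databases (both constructed samples here) and reports uids that differ for the same name or collide across different names.

```python
# Added example, not from the thread: compare an NFS server's and a client's passwd
# databases, because NFSv3 trusts the numeric uid the client presents.  Constructed samples.
from typing import Dict, List, Tuple

SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tim:x:500:500:Tim:/home/tim:/bin/bash
ambrogio:x:501:501:Ambrogio:/home/ambrogio:/bin/bash
johndoe:x:502:502:John Doe:/home/johndoe:/bin/bash
"""
# On this client "tim" got a different uid, and uid 500 belongs to someone else.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tim:x:632:632:Tim:/home/tim:/bin/bash
mallory:x:500:500:Mallory:/home/mallory:/bin/bash
johndoe:x:502:502:John Doe:/home/johndoe:/bin/bash
"""

def parse_passwd(text: str) -> Dict[str, int]:
    """Return {username: uid} from passwd(5)-format text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        users[fields[0]] = int(fields[2])
    return users

def find_uid_mismatches(server: Dict[str, int], client: Dict[str, int]) -> List[Tuple]:
    """Report ("uid-differs", name, server_uid, client_uid) when one person has two
    numbers, and ("uid-collision", uid, server_name, client_name) when a different
    client user carries a uid the server will treat as its own owner of that number."""
    problems: List[Tuple] = []
    server_by_uid = {uid: name for name, uid in server.items()}
    for name, uid in sorted(client.items()):
        if name in server and server[name] != uid:
            problems.append(("uid-differs", name, server[name], uid))
        owner = server_by_uid.get(uid)
        if owner is not None and owner != name:
            problems.append(("uid-collision", uid, owner, name))
    return problems

if __name__ == "__main__":
    for problem in find_uid_mismatches(parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD)):
        print(*problem)
```

Run it against the real /etc/passwd of each side (or the NIS map) before adding a host to /etc/exports; an empty report means the numeric ownership the thread describes will line up.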




More information about the fedora-list mailing list