FC6 and Samba

Craig White craig at tobyhouse.com
Fri Mar 9 22:36:00 UTC 2007


On Fri, 2007-03-09 at 18:49 +0000, Anne Wilson wrote:
> On Friday 09 March 2007, Craig White wrote:
> >
> > You really shouldn't be using samba/cifs sharing on your LAN since you
> > have all Linux systems but you get away with it because you always run
> > as root and it's clear that your methodology is to remove all security
> > restrictions that are in your way.
> 
> Now that statement really puzzles me.  I run samba for the lan, not only 
> windows to linux to windows, but also linux to linux.  I don't run as root, 
> and I use selinux.
> 
> Would you like to amplify your statement?
----
Sure - a smbfs/cifs mount pretty much discards the concept of POSIX
users and doesn't understand POSIX attributes, has no concept of the
case in file names and finally doesn't permit executables.

If I set up a Linux server and share the same directories via samba (to
Windows systems), netatalk (to Macintosh systems) and NFS (to Linux &
Macintosh systems), all users have native access to their native files
in native formats.

If I use LDAP and mount NFS as 'user', I can have multiple users
accessing an NFS share with their native account information, native
umasks, etc.

Thus on my main server, users' directories are shared in all forms,
either as 
- a share in samba (mounted as sambaHomePath:
   \\srv1\homes /home/storage/users)
- a share in netatalk (mounted as apple-user-homeDirectory:
   /Network/Servers/srv1.tobyhouse.com/NetUsers
   as /home/storage/users)
- an automount for Posix users (homeDirectory: /home/storage/users)

# ldapsearch -x -h localhost -D 'XXXXX,dc=tobyhouse,dc=com' -W \
'(uid=craig)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=craig)
# requesting: ALL
#

# craig, People, tobyhouse.com
dn: uid=craig,ou=People,dc=tobyhouse,dc=com
sambaLMPassword: XXXX
sambaNTPassword: XXXX
shadowLastChange: 13450
sambaLogonScript: logon.bat
sambaProfilePath: \\srv1\profiles\craig
cn: Craig White
uidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-XXXX-XXXX-XXXX-513
sambaAcctFlags: [U          ]
gecos: Craig White
apple-user-homeDirectory: /Network/Servers/srv1.tobyhouse.com/NetUsers/craig
mail: craig at tobyhouse.com
userPassword:: XXXX
uid: craig
sambaHomePath: \\srv1\homes\craig
apple-user-homeurl:: PGhvbWVfZGlyPjx1cmw
+YWZwOi8vc3J2MS50b2J5aG91c2UuY29tL05ld
 FVzZXJzPC91cmw+PHBhdGg+Y3JhaWc8L3BhdGg+PC9ob21lX2Rpcj4=
homeDirectory: /home/storage/users/craig
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: sambaSamAccount
objectClass: calEntry
objectClass: apple-user
description: cwhite at tobyhouse.com
description: c.white at tobyhouse.com
gidNumber: 100
sambaDomainName: TH
givenName: Craig
sambaSID: S-1-5-21-XXXX-XXXX-XXXX-3000
sambaHomeDrive: h:
sn: White
mailLocalAddress: craigwhite at tobyhouse.com
mailLocalAddress: c.white at tobyhouse.com
mailLocalAddress: cwhite at tobyhouse.com
calFBURL: https://srv1.tobyhouse.com/horde/kronolith/fb.php?c=craig
loginShell: /bin/sh

Thus a user's home directory / files follow the user around regardless of
whether he logs into a Macintosh, Windows or Linux system.

Take a Linux system...

touch 'my file.txt'
touch 'My File.txt'

do the same thing on Windows/samba mount

In the final analysis though, if you don't find yourself bothered by the
limitations that you are imposing upon yourself by using Windows network
storage mounts then this doesn't matter. Perhaps that is a testament to
the Samba team for providing enough functionality for users to abandon
the native network methodologies or perhaps some Windows users are
willing to accept fewer capabilities. NFS is brilliant. Samba brings
along the baggage that accompanies Microsoft SMB.

-- 
Craig White <craig at tobyhouse.com>
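
The file-name case point in the message above, as an added example that is not part of the original post: a shell check that lists names differing only by letter case, which a case-insensitive SMB/CIFS view of the same directory cannot keep apart. The function names and the sample listing are constructed for illustration, and awk's tolower() is assumed to approximate the folding done on the Windows side.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists names that differ only by letter case, i.e. names a
# case-insensitive SMB/CIFS view cannot tell apart.

# Read newline-separated paths on stdin and print, grouped together,
# every path whose lower-cased form is shared with another path.
# Assumptions: no newlines or tabs in names; awk's tolower() stands in
# for the case folding done on the Windows side.
case_collisions() {
    awk '
        { key = tolower($0); n[key]++; line[NR] = $0; k[NR] = key }
        END {
            for (i = 1; i <= NR; i++)
                if (n[k[i]] > 1) printf "%s\t%s\n", k[i], line[i]
        }
    ' | LC_ALL=C sort | cut -f2-
}

# Walk a directory on the Linux side (files and directories).
scan_tree() {
    ( cd "$1" && find . ! -path . ) | case_collisions
}

# Constructed sample listing, using the two names from the post.
sample_listing() {
    printf '%s\n' \
        './my file.txt' \
        './My File.txt' \
        './notes.txt' \
        './Docs' \
        './docs' \
        './Docs/readme'
}

# When given a directory argument, scan it.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```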



