Mount Linux to Linux Samba share w/permissions? - SMB


  1. Mount Linux to Linux Samba share w/permissions?

    I've been using Samba for about a decade now quite successfully. However,
    I'm in the process of replacing most (hopefully all) of my windoze desktops
    with SUSE 10.1 desktops. I wish to mount the remote server samba shares on
    these new desktops but retain the ownership and permissions as they
    currently exist on the server. I've tried both "mount" and "smbmount" but
    cannot seem to get my parameters correct for this. Yes - I can mount them,
    see them and access them but I need to be able to create files and have
    them created with the desktop user's name and group.

    Other than forcing a user/group in the smb.conf... can anyone recommend how
    I can achieve this?

    Thanks in advance..

    Bob

  2. Re: Mount Linux to Linux Samba share w/permissions?

    bobmct wrote:
    > I've been using Samba for about a decade now quite successfully. However,
    > I'm in the process of replacing most (hopefully all) of my windoze desktops
    > with SUSE 10.1 desktops. I wish to mount the remote server samba shares on
    > these new desktops but retain the ownership and permissions as they
    > currently exist on the server. I've tried both "mount" and "smbmount" but
    > cannot seem to get my parameters correct for this. Yes - I can mount them,
    > see them and access them but I need to be able to create files and have
    > them created with the desktop user's name and group.
    >
    > Other than forcing a user/group in the smb.conf... can anyone recommend how
    > I can achieve this?
    >
    > Thanks in advance..
    >
    > Bob


    Assuming I understood your requirements (a dangerous assumption) . . .
    The SMB Protocol is for Windows machines. Samba has some extensions
    for use between consenting adults (Unix/Linux machines) but it is a
    Windows protocol. Windows machines do not have the owner/group
    mechanism or the same permission bits as Unix/Linux.

    Client X can mount a share with:

    smbmount //server/share /mountpoint -o username=user%passwd,uid=number,gid=number

    or variations thereof (that %passwd is a security hole, anyone with
    shell access can do a 'ps aux' and see it, but you get the idea). This
    will take care of some of your problems, but my question is: why
    bother?

    NFS is designed for Unix machines. The locking mechanisms are (I
    believe) weaker, but you are using something native to the Unix world
    rather than forcing a Windows solution to do something it was not
    designed for.
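
The `%passwd` exposure mentioned in the reply above can be avoided with the `credentials=` option of mount.cifs, which reads the username and password from a file instead of the command line. The script below is an added example, not part of the original post; the share names, paths, account data and the helper names `inline_smb_passwords`, `cred_file_ok` and `cifs_opts` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. All paths, hosts and account names are constructed.

# List fstab-style entries (type cifs or smbfs) whose options embed a password:
# "password=", "pass=" or the "username=user%secret" form quoted above.
# Prints "<line-number>:<mountpoint>" for each offending entry.
inline_smb_passwords() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "cifs" || $3 == "smbfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^(password|pass)=/ ||
                    opt[i] ~ /^(username|user)=[^%]*%/) {
                    print NR ":" $2
                    break
                }
        }
    ' "$1"
}

# Succeed only for a regular, non-symlink file with no group/other permission
# bits that carries both a username= and a password= line.
cred_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    cf_perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$cf_perms" = "------" ] || return 1
    grep -q '^username=' "$1" && grep -q '^password=' "$1"
}

# Print the -o string for mount.cifs: credentials file plus the local uid/gid
# that should own the mounted files. Refuses a file that others can read.
cifs_opts() {
    if ! cred_file_ok "$1"; then
        echo "refusing $1: need mode 600 with username= and password=" >&2
        return 1
    fi
    printf 'credentials=%s,uid=%s,gid=%s\n' "$1" "$2" "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    ( umask 077
      printf 'username=bob\npassword=constructed-secret\n' > "$d/bob.cred" )
    cat > "$d/fstab" <<'EOF'
//server/share  /mnt/share  cifs  username=bob%hunter2,uid=1000,gid=100  0 0
//server/docs   /mnt/docs   cifs  credentials=/etc/samba/bob.cred,uid=1000  0 0
EOF
    echo "entries with an inline password:"
    inline_smb_passwords "$d/fstab"
    echo "options to pass instead:"
    cifs_opts "$d/bob.cred" 1000 100
    # As root: mount -t cifs //server/share /mnt/share -o "$(cifs_opts FILE UID GID)"
    rm -rf "$d"
}
demo
```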


  3. Re: Mount Linux to Linux Samba share w/permissions?

    On Wed, 07 Jun 2006 22:31:00 -0400, in comp.protocols.smb , bobmct
    wrote:

    >I've been using Samba for about a decade now quite successfully. However,
    >I'm in the process of replacing most (hopefully all) of my windoze desktops
    >with SUSE 10.1 desktops. I wish to mount the remote server samba shares on
    >these new desktops but retain the ownership and permissions as they
    >currently exist on the server. I've tried both "mount" and "smbmount" but
    >cannot seem to get my parameters correct for this. Yes - I can mount them,
    >see them and access them but I need to be able to create files and have
    >them created with the desktop user's name and group.


    why would you want to use Samba to do this? Unix has builtin
    functionality to create mounts between machines.
    --
    Mark McIntyre

  4. Re: Mount Linux to Linux Samba share w/permissions?

    Mark McIntyre wrote:

    > On Wed, 07 Jun 2006 22:31:00 -0400, in comp.protocols.smb , bobmct
    > wrote:
    >
    >>I've been using Samba for about a decade now quite successfully. However,
    >>I'm in the process of replacing most (hopefully all) of my windoze
    >>desktops
    >>with SUSE 10.1 desktops. I wish to mount the remote server samba shares
    >>on these new desktops but retain the ownership and permissions as they
    >>currently exist on the server. I've tried both "mount" and "smbmount" but
    >>cannot seem to get my parameters correct for this. Yes - I can mount
    >>them, see them and access them but I need to be able to create files and
    >>have them created with the desktop user's name and group.

    >
    > why would you want to use Samba to do this? Unix has builtin
    > functionality to create mounts between machines.


    Are you referring to NFS? The reason for Samba is that there are still a
    couple of windoze users that will require access to these shares as well.
    I've been playing with various combinations of parameters of mount
    but while I CAN get things mounted, they still do not retain the original
    username/groupname info.




  5. Re: Mount Linux to Linux Samba share w/permissions?

    bobmct wrote:

    ......
    > Are you referring to NFS? The reason for Samba is that there are still a
    > couple of windoze users that will require access to these shares as well.
    > I've been playing with various combinations of parameters of mount
    > but while I CAN get things mounted, they still do not retain the original
    > username/groupname info.


    Smbmount - the client part - is made with windows filesystems on target,
    whose ownership/group flags either don't exist (fat32) or cannot be
    accessed ("security" hive in registry). So smbfs makes no effort that way.
    Your chance is to use a samba pdc and let all windows boxen authenticate
    against that, so you have a common auth database and at least group
    mappings, but still it doesn't give access to client file/folder acls.

    --
    vista policy violation: Microsoft optical mouse detected penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.16-mm1,Xorg7.0 [LinuxCounter#295241,ICQ#4918962]

  6. Re: Mount Linux to Linux Samba share w/permissions?

    bobmct wrote:
    > Mark McIntyre wrote:
    >
    >> On Wed, 07 Jun 2006 22:31:00 -0400, in comp.protocols.smb , bobmct
    >> wrote:
    >>
    >>> I've been using Samba for about a decade now quite successfully.
    >>> However, I'm in the process of replacing most (hopefully all) of my
    >>> windoze desktops
    >>> with SUSE 10.1 desktops. I wish to mount the remote server samba
    >>> shares on these new desktops but retain the ownership and
    >>> permissions as they currently exist on the server. I've tried both
    >>> "mount" and "smbmount" but cannot seem to get my parameters correct
    >>> for this. Yes - I can mount them, see them and access them but I
    >>> need to be able to create files and have them created with the
    >>> desktop user's name and group.

    >>
    >> why would you want to use Samba to do this? Unix has builtin
    >> functionality to create mounts between machines.

    >
    > Are you referring to NFS? The reason for Samba is that there are
    > still a couple of windoze users that will require access to these
    > shares as well. I've been playing with various combinations
    > of parameters of mount but while I CAN get things mounted, they still
    > do not retain the original username/groupname info.


    NFS also has some fascinating problems with a client crashing and causing
    problems for the server, and vice versa. There's also typically no pretense
    at security for non-root-owned files: any local user who can do an "su"
    command can pretend to be any other user and access all files owned by the
    other user, with no login on the domain or network required.

    I've tried explaining that to VP's who were used to Windows-like
    authentication. They were pretty shocked.



  7. Re: Mount Linux to Linux Samba share w/permissions?

    On Fri, 09 Jun 2006 00:18:06 -0400, in comp.protocols.smb , bobmct
    wrote:

    >Mark McIntyre wrote:
    >
    >> why would you want to use Samba to do this? Unix has builtin
    >> functionality to create mounts between machines.

    >
    >Are you referring to NFS? The reason for Samba is that there are still a
    >couple of windoze users that will require access to these shares as well.


    right, so share to the windows guys with Samba, and the Unix guys with
    nfs.

    >I've been playing with various combinations of parameters of mount
    >but while I CAN get things mounted, they still do not retain the original
    >username/groupname info.


    My experience of samba and windows uid mapping is that it's essentially
    impossible to do without a degree in advanced guruness I'm afraid. The
    best I've been able to manage is to ensure that users' private stuff is
    private, and public stuff is shared.
    --
    Mark McIntyre

  8. Re: Mount Linux to Linux Samba share w/permissions?

    On Fri, 9 Jun 2006 08:49:04 -0400, in comp.protocols.smb , "Nico
    Kadel-Garcia" wrote:

    >NFS also has some fascinating problems with a client crashing and causing
    >problems for the server, and vice versa.


    Indeed, stale nfs mounts are a pest. Answer is not to crash the client
    of course!

    >There's also typically no pretense
    >at security for non-root-owned files: any local user who can do an "su"
    >command can pretend to be any other user and access all files owned by the
    >other user, with no login on the domain or network required.


    Yes but this is generally fairly true under unix - if you can su to
    another user, you can mollock with their files. The fix is to manage
    su properly, and frankly it's no different to windows "runas" facility.
    --
    Mark McIntyre

  9. Re: Mount Linux to Linux Samba share w/permissions?

    Mark McIntyre wrote:
    > On Fri, 9 Jun 2006 08:49:04 -0400, in comp.protocols.smb , "Nico
    > Kadel-Garcia" wrote:
    >
    >> NFS also has some fascinating problems with a client crashing and
    >> causing problems for the server, and vice versa.

    >
    > Indeed, stale nfs mounts are a pest. Answer is not to crash the client
    > of course!
    >
    >> There's also typically no pretense
    >> at security for non-root-owned files: any local user who can do an
    >> "su" command can pretend to be any other user and access all files
    >> owned by the other user, with no login on the domain or network
    >> required.

    >
    > Yes but this is generally fairly true under unix - if you can su to
    > another user, you can mollock with their files. The fix is to manage
    > su properly, and frankly it's no different to windows "runas" facility.


    Well, yes, but in this case the NFS clients can su locally and have full
    privileges of any user on the server for the NFS mounted files, rather than
    merely a user who's been authenticated to the server (the SMB approach).



  10. Re: Mount Linux to Linux Samba share w/permissions?

    On Fri, 9 Jun 2006 18:52:45 -0400, in comp.protocols.smb , "Nico
    Kadel-Garcia" wrote:

    >Well, yes, but in this case the NFS clients can su locally and have full
    >privileges of any user on the server for the NFS mounted files, rather than
    >merely a user who's been authenticated to the server (the SMB approach).


    Not the place to carry on this discussion, but this hasn't been my
    experience and we use NFS extensively in the office. We use a few
    machines to hold binaries etc for our distributed processing across
    both solaris and linux, and a broadly similar environment for
    development and uat. All our user Ids are managed via NIS though, and
    are at domain level.

    --
    Mark McIntyre

  11. Re: Mount Linux to Linux Samba share w/permissions?

    Mark McIntyre wrote:
    > On Fri, 9 Jun 2006 18:52:45 -0400, in comp.protocols.smb , "Nico
    > Kadel-Garcia" wrote:
    >
    >> Well, yes, but in this case the NFS clients can su locally and have
    >> full privileges of any user on the server for the NFS mounted files,
    >> rather than merely a user who's been authenticated to the server
    >> (the SMB approach).

    >
    > Not the place to carry on this discussion, but this hasn't been my
    > experience and we use NFS extensively in the office. We use a few
    > machines to hold binaries etc for our distributed processing across
    > both solaris and linux, and a broadly similar environment for
    > development and uat. All our user Ids are managed via NIS though, and
    > are at domain level.


    You don't see an issue with this?

    1: Person walks in with NFS capable laptop.
    2: Person with laptop becomes local root via su.
    3: Person with laptop becomes different NFS file owner via su.

    I understand you can avoid this sort of issue with NFS/Kerberos interaction,
    but in most cases, the NFS servers have never had such configuration done.
    NIS is no help against this, and in fact makes it easier to abuse since you
    don't even have to look up the usernames or userid's, just use the NIS
    information. If the user's home directory is NFS mounted, it even allows
    adding entries to their .ssh/authorized_keys file.
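
The post above turns on whether the NFS server trusts the uid asserted by the client machine (AUTH_SYS, `sec=sys`) or requires Kerberos. The audit below is an added example, not part of the original post: it reads an exports(5)-format file and lists each export/client pair that still accepts `sec=sys` or `sec=none`. The function name `auth_sys_exports` and the sample exports are constructed, and the parser assumes one export per line with no continuation lines or spaces in paths.

```sh
#!/bin/sh
# Added example. The exports content below is constructed.

# Report every export/client pair for which the server accepts AUTH_SYS
# (sec=sys) or sec=none, i.e. trusts the uid the client machine sends.
# Prints "<path> <client> <flavors>".
auth_sys_exports() {
    awk '
        # Return the sec= flavor list found in a comma-separated option
        # string, or dflt when the string has no sec= option.
        function sec_of(opts, dflt,    n, o, j, f) {
            f = dflt
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) f = substr(o[j], 5)
            return f
        }
        # True when a colon-separated flavor list admits sys or none.
        function weak(flavors,    m, fl, j) {
            m = split(flavors, fl, ":")
            for (j = 1; j <= m; j++)
                if (fl[j] == "sys" || fl[j] == "none") return 1
            return 0
        }
        /^[ \t]*#/ || NF < 2 { next }
        {
            dflt = "sys"                        # exports(5) default without sec=
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "-") {  # "-opts" sets defaults for the line
                    dflt = sec_of(substr($i, 2), dflt)
                    continue
                }
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client == "") client = "*"  # bare "(opts)" means any host
                flavors = sec_of(opts, dflt)
                if (weak(flavors)) print $1, client, flavors
            }
        }
    ' "$1"
}

demo() {
    f=$(mktemp) || return 1
    # root_squash on /home does not help: only uid 0 is remapped.
    cat > "$f" <<'EOF'
/home     192.0.2.0/24(rw,root_squash)
/srv/bin  *(ro,sec=krb5p)
/data     client1.example(rw,sec=sys:krb5) client2.example(rw,sec=krb5i)
EOF
    auth_sys_exports "$f"
    rm -f "$f"
}
demo
```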



  12. Re: Mount Linux to Linux Samba share w/permissions?

    Nico Kadel-Garcia wrote:

    > Mark McIntyre wrote:
    >> On Fri, 9 Jun 2006 18:52:45 -0400, in comp.protocols.smb , "Nico
    >> Kadel-Garcia" wrote:
    >>
    >>> Well, yes, but in this case the NFS clients can su locally and have
    >>> full privileges of any user on the server for the NFS mounted files,
    >>> rather than merely a user who's been authenticated to the server
    >>> (the SMB approach).

    >>
    >> Not the place to carry on this discussion, but this hasn't been my
    >> experience and we use NFS extensively in the office. We use a few
    >> machines to hold binaries etc for our distributed processing across
    >> both solaris and linux, and a broadly similar environment for
    >> development and uat. All our user Ids are managed via NIS though, and
    >> are at domain level.

    >
    > You don't see an issue with this?
    >
    > 1: Person walks in with NFS capable laptop.
    > 2: Person with laptop becomes local root via su.
    > 3: Person with laptop becomes different NFS file owner via su.
    >
    > I understand you can avoid this sort of issue with NFS/Kerberos
    > interaction, but in most cases, the NFS servers have never had such
    > configuration done. NIS is no help against this, and in fact makes it
    > easier to abuse since you don't even have to look up the usernames or
    > userid's, just use the NIS information. If the user's home directory is
    > NFS mounted, it even allows adding entries to their .ssh/authorized_keys
    > file.


    OK - all good points from everyone.

    But HOW can one accomplish this feat?

    That is... be able to create/edit files on a Linux server in the LAN from a
    Linux workstation on the same LAN? The reason is that it is not convenient
    or even always possible to actually sit at the server's console in the
    server room.

    Ideas therefore anyone???


  13. Re: Mount Linux to Linux Samba share w/permissions?

    On Sat, 10 Jun 2006 11:26:51 -0400, in comp.protocols.smb , "Nico
    Kadel-Garcia" wrote:

    >You don't see an issue with this?


    (snip description of potential means of hacking into nfs).

    Of course I'd have an issue with it. If it were possible. But blaming
    a network protocol because your basic security is so rubbish someone
    can plug their own laptop in, is not exactly sensible.

    By the way, which part of "Not the place to carry on this discussion"
    is hard to understand?
    --
    Mark McIntyre

  14. Re: Mount Linux to Linux Samba share w/permissions?

    On Sat, 10 Jun 2006 13:04:33 -0400, in comp.protocols.smb , bobmct
    wrote:

    >That is... be able to create/edit files on a Linux server in the LAN from a
    >Linux workstation on the same LAN?


    Use the protocol built into Unix, instead of an addon.

    >The reason is that it is not convenient
    >or even always possible to actually sit at the server's console in the
    >server room.


    Absolutely. Which is why, for at least a generation, people have done
    what I describe.

    However. If you want to know if the claims made by the other poster
    are true or FUD, and how to configure such a setup, try a unix
    networking group.

    --
    Mark McIntyre

  15. Re: Mount Linux to Linux Samba share w/permissions?

    bobmct wrote:
    > Nico Kadel-Garcia wrote:
    >
    >> Mark McIntyre wrote:
    >>> On Fri, 9 Jun 2006 18:52:45 -0400, in comp.protocols.smb , "Nico
    >>> Kadel-Garcia" wrote:
    >>>
    >>>> Well, yes, but in this case the NFS clients can su locally and have
    >>>> full privileges of any user on the server for the NFS mounted
    >>>> files, rather than merely a user who's been authenticated to the
    >>>> server (the SMB approach).
    >>>
    >>> Not the place to carry on this discussion, but this hasn't been my
    >>> experience and we use NFS extensively in the office. We use a few
    >>> machines to hold binaries etc for our distributed processing across
    >>> both solaris and linux, and a broadly similar environment for
    >>> development and uat. All our user Ids are managed via NIS though,
    >>> and are at domain level.

    >>
    >> You don't see an issue with this?
    >>
    >> 1: Person walks in with NFS capable laptop.
    >> 2: Person with laptop becomes local root via su.
    >> 3: Person with laptop becomes different NFS file owner via su.
    >>
    >> I understand you can avoid this sort of issue with NFS/Kerberos
    >> interaction, but in most cases, the NFS servers have never had such
    >> configuration done. NIS is no help against this, and in fact makes it
    >> easier to abuse since you don't even have to look up the usernames or
    >> userid's, just use the NIS information. If the user's home directory
    >> is NFS mounted, it even allows adding entries to their
    >> .ssh/authorized_keys file.

    >
    > OK - all good points from everyone.
    >
    > But HOW can one accomplish this feat?
    >
    > That is... be able to create/edit files on a Linux server in the LAN
    > from a Linux workstation on the same LAN? The reason is that it is
    > not convenient or even always possible to actually sit at the
    > server's console in the server room.
    >
    > Ideas therefore anyone???


    For Windows access, use SMB. For really easy Linux or UNIX access, use NFS.
    For *secure* remote file access, use OpenAFS with a Kerberized back end.
    OpenAFS is now built into Scientific Linux, and is certainly available for
    other distributions. It's not generally as fast as NFS or SMB, but it has
    much better access models.



  16. Re: Mount Linux to Linux Samba share w/permissions?

    On Wed, 07 Jun 2006 22:31:00 -0400, bobmct wrote:

    > I've been using Samba for about a decade now quite successfully. However,
    > I'm in the process of replacing most (hopefully all) of my windoze
    > desktops with SUSE 10.1 desktops. I wish to mount the remote server samba
    > shares on these new desktops but retain the ownership and permissions as
    > they currently exist on the server. I've tried both "mount" and
    > "smbmount" but cannot seem to get my parameters correct for this. Yes - I
    > can mount them, see them and access them but I need to be able to create
    > files and have them created with the desktop user's name and group.
    >
    > Other than forcing a user/group in the smb.conf... can anyone recommend
    > how I can achieve this?


    Ignore the nay-sayers in this group - this is *exactly* what we're
    hoping people will do with SuSE Linux 10.1 clients and Samba servers.
    Use the CIFSFS client, not the unsupported smbfs client.

    The UNIX to UNIX CIFS modifications are directly designed to do this.
    NFS to the desktop is dead, as you've noticed it has some severe
    deficiencies.

    You firstly need to share uid and gid info between the server and clients,
    until we've finished the UNIXINFO pipe use either NIS or an LDAP backend
    to do this. Ensure the Samba server is modern (3.0.22 or the 3.0.23RC2
    candidates) and make sure the users are added into the passdb backend of
    your choice (LDAP if you're using an LDAP server, tdb if you're using NIS).

    The UNIX extensions in the client and server should mean that the uids
    and gids as seen on the clients are identical to the server, permissions
    too. Check this with ls -l. Once this is correct then the mounted user
    should be able to create files and will be seen as the correct user and
    primary gid. You even get POSIX ACL support (and EA's).

    If you have problems, please log bugs with the SuSE bugzilla. This is
    supported and should work well.

    Jeremy Allison,
    Samba Team.
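
With the UNIX extensions the client sees the server's numeric uids and gids, so the `ls -l` check in the post above only comes out right when both machines map those numbers to the same accounts. The comparison below is an added example, not part of the original post and not Samba code: it takes two passwd-format dumps (for instance `getent passwd` output saved on the server and on a client) and lists the accounts that would show the wrong owner. The function name `id_mismatches`, the sample accounts and the uid cut-off of 1000 are assumptions.

```sh
#!/bin/sh
# Added example. Account data below is constructed.

# Compare two passwd-format dumps and report accounts whose numeric ids would
# make files on the mount appear under the wrong owner.
#   $1 server dump, $2 client dump, $3 lowest uid to check (assumed 1000)
# Output lines (sorted):
#   <user> differs server=<uid:gid> client=<uid:gid>
#   <user> server-only <uid:gid>
#   <user> client-only <uid:gid>
#   <user> uid-reused <uid> server-name=<other user>
id_mismatches() {
    awk -F: -v min="${3:-1000}" '
        # First file: remember the server view.
        FNR == NR {
            if ($3 + 0 >= min + 0) {
                suid[$1] = $3; sgid[$1] = $4; sname[$3] = $1
            }
            next
        }
        # Second file: check each client account against it.
        $3 + 0 >= min + 0 {
            seen[$1] = 1
            if (!($1 in suid))
                print $1, "client-only", $3 ":" $4
            else if (suid[$1] != $3 || sgid[$1] != $4)
                print $1, "differs", "server=" suid[$1] ":" sgid[$1],
                      "client=" $3 ":" $4
            # Same number, different person: the server files of one user
            # are listed (and permission-checked) as the other on this client.
            if (($3 in sname) && sname[$3] != $1)
                print $1, "uid-reused", $3, "server-name=" sname[$3]
        }
        END {
            for (u in suid)
                if (!(u in seen)) print u, "server-only", suid[u] ":" sgid[u]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/server.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
EOF
    cat > "$d/client.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1005:100:Bob:/home/bob:/bin/bash
dave:x:1003:100:Dave:/home/dave:/bin/bash
EOF
    id_mismatches "$d/server.passwd" "$d/client.passwd"
    rm -rf "$d"
}
demo
```

An empty result means the two dumps agree for every account at or above the cut-off.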


  17. Re: Mount Linux to Linux Samba share w/permissions?

    Jeremy Allison wrote:

    > On Wed, 07 Jun 2006 22:31:00 -0400, bobmct wrote:
    >
    >> I've been using Samba for about a decade now quite successfully.
    >> However, I'm in the process of replacing most (hopefully all) of my
    >> windoze
    >> desktops with SUSE 10.1 desktops. I wish to mount the remote server
    >> samba shares on these new desktops but retain the ownership and
    >> permissions as
    >> they currently exist on the server. I've tried both "mount" and
    >> "smbmount" but cannot seem to get my parameters correct for this. Yes -
    >> I can mount them, see them and access them but I need to be able to
    >> create files and have them created with the desktop user's name and
    >> group.
    >>
    >> Other than forcing a user/group in the smb.conf... can anyone recommend
    >> how I can achieve this?

    >
    > Ignore the nay-sayers in this group - this is *exactly* what we're
    > hoping people will do with SuSE Linux 10.1 clients and Samba servers.
    > Use the CIFSFS client, not the unsupported smbfs client.
    >
    > The UNIX to UNIX CIFS modifications are directly designed to do this.
    > NFS to the desktop is dead, as you've noticed it has some severe
    > deficiencies.
    >
    > You firstly need to share uid and gid info between the server and clients,
    > until we've finished the UNIXINFO pipe use either NIS or an LDAP backend
    > to do this. Ensure the Samba server is modern (3.0.22 or the 3.0.23RC2
    > candidates) and make sure the users are added into the passdb backend of
    > your choice (LDAP if you're using an LDAP server, tdb if you're using
    > NIS).
    >
    > The UNIX extensions in the client and server should mean that the uids
    > and gids as seen on the clients are identical to the server, permissions
    > too. Check this with ls -l. Once this is correct then the mounted user
    > should be able to create files and will be seen as the correct user and
    > primary gid. You even get POSIX ACL support (and EA's).
    >
    > If you have problems, please log bugs with the SuSE bugzilla. This is
    > supported and should work well.
    >
    > Jeremy Allison,
    > Samba Team.


    WOW! Great Jeremy;

    I will give this a go and post my results.

    Thanks,

    Bob

  18. Re: Mount Linux to Linux Samba share w/permissions?


    "bobmct" wrote in message
    news:K73kg.7$kH.632@news.ntplx.net...
    > Jeremy Allison wrote:
    >
    >> On Wed, 07 Jun 2006 22:31:00 -0400, bobmct wrote:
    >>
    >>> I've been using Samba for about a decade now quite successfully.
    >>> However, I'm in the process of replacing most (hopefully all) of my
    >>> windoze
    >>> desktops with SUSE 10.1 desktops. I wish to mount the remote server
    >>> samba shares on these new desktops but retain the ownership and
    >>> permissions as
    >>> they currently exist on the server. I've tried both "mount" and
    >>> "smbmount" but cannot seem to get my parameters correct for this. Yes -
    >>> I can mount them, see them and access them but I need to be able to
    >>> create files and have them created with the desktop user's name and
    >>> group.
    >>>
    >>> Other than forcing a user/group in the smb.conf... can anyone recommend
    >>> how I can achieve this?

    >>
    >> Ignore the nay-sayers in this group - this is *exactly* what we're
    >> hoping people will do with SuSE Linux 10.1 clients and Samba servers.
    >> Use the CIFSFS client, not the unsupported smbfs client.
    >>
    >> The UNIX to UNIX CIFS modifications are directly designed to do this.
    >> NFS to the desktop is dead, as you've noticed it has some severe
    >> deficiencies.
    >>
    >> You firstly need to share uid and gid info between the server and
    >> clients,
    >> until we've finished the UNIXINFO pipe use either NIS or an LDAP backend
    >> to do this. Ensure the Samba server is modern (3.0.22 or the 3.0.23RC2
    >> candidates) and make sure the users are added into the passdb backend of
    >> your choice (LDAP if you're using an LDAP server, tdb if you're using
    >> NIS).
    >>
    >> The UNIX extensions in the client and server should mean that the uids
    >> and gids as seen on the clients are identical to the server, permissions
    >> too. Check this with ls -l. Once this is correct then the mounted user
    >> should be able to create files and will be seen as the correct user and
    >> primary gid. You even get POSIX ACL support (and EA's).
    >>
    >> If you have problems, please log bugs with the SuSE bugzilla. This is
    >> supported and should work well.
    >>
    >> Jeremy Allison,
    >> Samba Team.

    >
    > WOW! Great Jeremy;
    >
    > I will give this a go and post my results.


    The note is a keeper: I can point people to some details and help with
    setting up LDAP to integrate Samba with it, but the O'Reilly book is really
    very good, as are some articles in Linux Journal over the last year.

    Please note that 3.0.22 is very recent: Fedora Core 5 is only at 3.0.21b,
    with a published update to 3.0.22 from March 31. For Sun freeware from
    www.sunfreeware.com, RedHat or CentOS 4.x, it's only at 3.0.10, so you'll
    need to roll your own update for those OS's.


