- Join Date
- May 2012
Issues with cross-protocol permissions - NFS/SMB/HTTP all to same spot
I've got some problems making a directory tree
transparently accessible via SMB, NFS, and HTTP all at the same time.
I have a Centos 5.X server (shortly to be 6.5) that I
have a directory on that is essentially _the_ main website/directory structure for the home network.
My home network consists of a mixture of Centos/Ubuntu/XP/Vista/Win7/Android platforms, which all need to access this site, either over SMB, NFS, or HTTP.
I don't have any harsh security requirements in particular, really any family user should be able to fully access any part of the structure and be able to have create/edit/save/delete rights to files.
What's tripping me up is even how to get sane access going for a single username - much less using groups to give the same access.
Writes really don't happen under HTTP, although having some sort of write access for a CMS system would be nice-
I just can't work out what the rights need to be for the Apache user who sees this under DocumentRoot, the various SMB users who access mapped drives on Winders, or
the NFS users who see it as mounted on /mnt.
I know that in NFS, one requirement is that I have matched UID/GID numbers--
I've adjusted that on the Ubuntu workstation, and made sure
the owner/group is the same.
NFS looks OK and appears to work -
now that I've appropriately chown'ed everything to matching usernames across the board.
Odds are, that just borked HTTP viewing of some pages.
And odds are equally good that now some SMB user
cannot save/edit/view files...
I think part of the HTTP problem is that I want it to be transparent to users -- I don't want to force a login to the pages on small children (or non-technical people like SWMBO)
So user apache is trying to access files that are owned/created by other users.
I know in smb.conf I can specify that all files created/edited
should always be a forced user - which would do well to fix the NFS piece, right??
I've tried reading various HOWTOs- but keep running into situations where YMMV - and I suspect it's because the author's experience was with Xenix/FreeBSD, or was on some older version, etc--
And in any case, so much of the time people are thinking
"make NFS work", without considering how to make HTTP also work, and SMB also work...
I know this is long --
Can anyone give cross-protocol basic thoughts??
- Join Date
- Apr 2012
- Virginia, USA
In CentOS / Red Hat, httpd executes as user 'apache'
I suggest adding whatever the other services execute as, as well as apache to a new group.
usermod -a -G mypublicgroup apache
usermod -a -G mypublicgroup <user for samba, etc>
chgrp mypublicgroup /path/to
Make sure you set the necessary permissions for the group.
If you have SELinux up and enforcing, then good luck having all 3 services, you might have to make some custom policies, which will be a real PITA.
- Join Date
- May 2011
1. create a group on the linux server, e.g.:
usermod -a -G family <username>
smbpasswd -a <username>
install -d /data/family -o root -g family -m 0775
4. Configure samba: add these lines to the end of /etc/samba/smb.conf:
[family]
path = /data/family
valid users = @family
writable = yes
don't forget to re-export the NFS filesystem, e.g.:
# family share
Alias /family "/data/family/"
<Directory "/data/family">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
htpasswd -c /etc/httpd/conf/http-users.txt dad
htpasswd /etc/httpd/conf/http-users.txt mom
family: dad mom
AuthUserFile /etc/httpd/conf/http-users.txt
AuthGroupFile /etc/httpd/conf/http-group.txt
AuthName "Enter Password"
AuthType Basic
require user dad mom
service httpd restart
That should be it. I probably forgot something, though.
My tests showed that I could mount the "family" share in Windows, using the Windows username that is also a samba user in the Linux server. I was able to mount the NFS share from another Linux PC. In a browser I was able to access the directory by going to http://<LINUX_PC_IPADDRESS>/family/ and logging in using either "mom" or "dad". In the case of SMB and NFS, I was able to successfully write to the directory.
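An added example, not part of the thread: a small audit of the shared tree set up above that lists entries which would lock out one of the services (wrong group, or missing group permission bits). The function name audit_shared_tree is hypothetical, and the setgid check on directories is an assumption the posts do not mention: with setgid set, files created over SMB or NFS inherit the directory's group instead of the creator's primary group.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree shared over NFS/SMB/HTTP.
# Usage: sh audit.sh /data/family family
#
# Prints one "<reason> <path>" line per problem and returns 1, or prints
# nothing and returns 0 when every entry is usable by the shared group.
audit_shared_tree() {
    dir=$1
    group=$2
    report=$(
        # Entries created with a user's primary group instead of the shared one.
        find "$dir" ! -group "$group" -print | sed 's/^/wrong-group /'
        # Directories the group cannot list, enter and write to.
        find "$dir" -type d ! -perm -0070 -print | sed 's/^/dir-no-group-rwx /'
        # Directories without setgid: new files will not inherit the group
        # (assumption added here; the posts use mode 0775 without setgid).
        find "$dir" -type d ! -perm -2000 -print | sed 's/^/dir-no-setgid /'
        # Files the group cannot read and write.
        find "$dir" -type f ! -perm -0060 -print | sed 's/^/file-no-group-rw /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_shared_tree "$1" "$2"
fi
```

Each reported line maps to a fix with chgrp or chmod (for example chmod g+s on a flagged directory); run it again until it prints nothing.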
- Join Date
- May 2012
It may take me another week, but I'll find another of my 'round tuits' and reconfigure things with groups..
I have discovered that I have to change the UID/GID on my existing Centos installs for my account.
They are numbered less than 1000, and Ubuntu 12.04 doesn't like showing all users available to log in, something about lightdm.conf
doesn't like users with UID less than 1000.
So between that and the NFS (in)sanity of having matching UID/GID to solve permissions problems on that side, it's probably going to be "change all the other UID to be higher than 1000" so I can create those users on the Ubuntu box.
I expect _that_ will break a few things.....