- 05-20-2012 #1 Just Joined!
- Join Date
- May 2012
- Posts
- 2
Issues with cross-protocol permissions - NFS/SMB/HTTP all to same spot
Hi all -
I've got some problems making a directory tree
transparently accessible via SMB, NFS, and HTTP all at the same time.
I have a Centos 5.X server (shortly to be 6.5) that I
have a directory on that is essentially _the_ main website/directory structure for the home network.
My home network consists of a mixture of Centos/Ubuntu/XP/Vista/Win7/Android platforms, which all need to access this site, either over SMB, NFS, or HTTP.
I don't have any harsh security requirements in particular, really any family user should be able to fully access any part of the structure and be able to have create/edit/save/delete rights to files.
What's tripping me up is even how to get sane access going for a single username - much less using groups to give the same access.
Writes really don't happen under HTTP, although having some sort of write access for a CMS system would be nice-
I just can't work out what the rights need to be for the Apache user who sees this under DocumentRoot, the various SMB users who access mapped drives on Winders, or
the NFS users who see it as mounted on /mnt.
I know that in NFS, one requirement is that I have matched UID/GID numbers--
I've adjusted that on the Ubuntu workstation, and made sure
the owner/group is the same.
NFS looks OK and appears to work -
now that I've appropriately chown'ed everything to matching usernames across the board.
Odds are, that just borked HTTP viewing of some pages.
And odds are equally good that now some SMB user
cannot save/edit/view files...
I think part of the HTTP problem is that I want it to be transparent to users -- I don't want to force a login to the pages on small children (or non-technical people like SWMBO)
So user apache is trying to access files that are owned/created by other users.
I know in smb.conf I can specify that all files created/edited
should always be a forced user - which would do well to fix the NFS piece, right??
I've tried reading various HOWTOs- but keep running into situations where YMMV - and I suspect it's because the author's experience was with Xenix/FreeBSD, or was on some older version, etc--
And in any case, so much of the time people are thinking
"make NFS work", without considering how to make HTTP also work, and SMB also work...
I know this is long --
Can anyone give cross-protocol basic thoughts??
thanks...
- 05-21-2012 #2 Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 563
In CentOS / Red Hat, httpd executes as user 'apache'
I suggest adding whatever the other services execute as, as well as apache to a new group.
groupadd mypublicgroup
usermod -a -G mypublicgroup apache
usermod -a -G mypublicgroup <user for samba, etc>
chgrp mypublicgroup /path/to
Make sure you set the necessary permissions for the group.
If you have SELinux up and enforcing, then good luck having all 3 services, you might have to make some custom policies, which will be a real PITA.
- 05-21-2012 #3 Trusted Penguin
- Join Date
- May 2011
- Posts
- 3,696
Hi. This is an interesting problem, one I've thought about doing in my home network. I did a quick, minimal run-thru, and it worked, so I'll post what I did - maybe it will help you.
1. create a group on the linux server, e.g.:
Code:
groupadd family
2. add any users to this group that will be accessing the share via samba, e.g.:
Code:
usermod -a -G family <username>
If you haven't created any samba users before, don't forget to set the passwords using the smbpasswd utility. Use it to add a new user like this:
Code:
smbpasswd -a <username>
3. create a directory structure to be shared by the users:
Code:
install -d /data/family -o root -g family -m 0775
this directory will be owned by root, group owned by "family" and have group write permissions (in Linux, anyway).
4. Configure samba: add these lines to the end of /etc/samba/smb.conf:
Code:
[family]
path = /data/family
valid users = @family
writable = yes
5. Configure nfs: add this line to /etc/exports:
Code:
/data/family 192.168.1.0/24(rw,sync)
obviously, substitute your ip subnet for the one given here.
don't forget to re-export the NFS filesystem, e.g.:
Code:
exportfs -rv
6. Configure apache: add a file to /etc/httpd/conf.d/ and call it "family.conf". In it, put:
Code:
# family share
Alias /family "/data/family/"
<Directory "/data/family">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
7. Configure apache users. The first command will create the file:
Code:
htpasswd -c /etc/httpd/conf/http-users.txt dad
now add "mom":
Code:
htpasswd /etc/httpd/conf/http-users.txt mom
8. Configure apache group. Create a file called "/etc/httpd/conf/http-group.txt", and in it put this line:
Code:
family: dad mom
9. now protect the family directory using an .htaccess file that looks up users/groups in the above files you created. Create a file called ".htaccess" and put it in /data/family/. In the file put:
Code:
AuthUserFile /etc/httpd/conf/http-users.txt
AuthGroupFile /etc/httpd/conf/http-group.txt
AuthName "Enter Password"
AuthType Basic
require user dad mom
Restart the webserver:
Code:
service httpd restart
---
That should be it. I probably forgot something, though.
My tests showed that I could mount the "family" share in Windows, using the Windows username that is also a samba user in the Linux server. I was able to mount the NFS share from another Linux PC. In a browser I was able to access the directory by going to http://<LINUX_PC_IPADDRESS>/family/ and logging in using either "mom" or "dad". In the case of SMB and NFS, I was able to successfully write to the directory.
hth!
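The shared-directory step that posts #2 and #3 both build on, as an added example (this is not code from any post in the thread). It creates the tree the way post #3 does but with the setgid bit on the directory, which is what makes files written over NFS or from a local shell inherit the shared group instead of the writer's primary group, and it adds an audit that lists every entry in the tree that would fail group access. The path /data/family and group name family are assumptions taken from post #3; the group passed to the functions is whatever you choose.

```shell
#!/bin/sh
# Added example, not code from the thread. Creates the shared tree the way
# post #3 does but with the setgid bit, then audits it for entries that
# would break group access over NFS, SMB or HTTP. The /data/family path and
# the "family" group in the usage comment are assumptions from post #3.

# setup_share DIR GROUP
# Mode 2775 = rwxrwsr-x: owner and group can write, everyone can read, and
# the setgid bit ('s') makes new files and subdirectories inherit GROUP
# instead of the creating user's primary group. That is the piece a plain
# 0775 misses once several users write to the same tree over NFS.
setup_share() {
    install -d -m 2775 -g "$2" "$1"
}

# audit_share DIR GROUP
# Prints one line per entry that would fail cross-protocol access:
#   wrong-group:   not group-owned by GROUP, so group bits do not help apache
#                  or the other users
#   not-group-rw:  group lacks read+write (e.g. a 644 file written over NFS
#                  by a client with umask 022)
#   no-setgid:     a directory that will hand new files the creator's
#                  primary group
# Prints nothing when the tree is clean.
audit_share() {
    dir=$1
    grp=$2
    find "$dir" ! -group "$grp"        | sed 's/^/wrong-group: /'
    find "$dir" ! -perm -g+rw          | sed 's/^/not-group-rw: /'
    find "$dir" -type d ! -perm -g+s   | sed 's/^/no-setgid: /'
}

# Typical use on the server (as root), matching post #3's layout:
#   setup_share /data/family family
#   audit_share /data/family family
```

The audit covers the server-side Unix permissions only. Over SMB the mode of a new file comes from Samba's `create mask` / `directory mask` settings (and `force group` pins the group explicitly), and over NFS it comes from the client's umask, so a client running with umask 022 still produces 644 files that the audit flags. For HTTP, making apache a member of the group, as post #2 suggests, gives it the read access it needs to serve pages; it only needs the group write bit if a CMS is expected to write into the tree.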
- 05-31-2012 #4 Just Joined!
- Join Date
- May 2012
- Posts
- 2
Thanks guys!!!
It may take me another week, but I'll find another of my 'round tuits' and reconfigure things with groups..
I have discovered that I have to change the UID/GID on my existing Centos installs for my account.
They are numbered less than 1000, and Ubuntu 12.04 doesn't like showing all users available to log in, something about lightdm.conf
doesn't like users with UID less than 1000.
So between that and the NFS (in)sanity of having matching UID/GID to solve permissions problems on that side, it's probably going to be "change all the other UID to be higher than 1000" so I can create those users on the Ubuntu box.
I expect _that_ will break a few things.....
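The "matching UID/GID" requirement that posts #1 and #4 run into, as an added check (not code from the thread): NFS without ID mapping carries only the numbers, so an account that is 500 on the server and 1000 on the client owns its own files on one side and someone else's on the other. The two passwd excerpts in the block are constructed sample data; the 500 and 1000 thresholds are the old Red Hat/CentOS and the Ubuntu starting UIDs respectively.

```shell
#!/bin/sh
# Added example, not from the thread: the UID/GID consistency check behind
# the NFS "matching UID/GID" requirement discussed in posts #1 and #4.
# The passwd excerpts below are constructed sample data, not real accounts.

# compare_ids SERVER_PASSWD CLIENT_PASSWD
# For every account present in both passwd files, print
#   name server_uid:server_gid client_uid:client_gid
# when the numbers differ. Accounts that exist on only one side are not
# reported; they do not collide, they just need creating.
compare_ids() {
    awk -F: '
        NR == FNR { ids[$1] = $3 ":" $4; next }
        ($1 in ids) && ids[$1] != $3 ":" $4 { print $1, ids[$1], $3 ":" $4 }
    ' "$1" "$2"
}

# low_uids PASSWD MIN
# Print accounts with 500 <= UID < MIN: the "real people" accounts that
# post #4 found hidden by a distribution reserving UIDs below MIN (1000)
# for system accounts. 500 is the old Red Hat/CentOS starting UID.
low_uids() {
    awk -F: -v min="$2" '$3 >= 500 && $3 < min { print $1 ":" $3 }' "$1"
}

# write_samples SERVER_FILE CLIENT_FILE
# Constructed passwd excerpts: a CentOS-style server (UIDs from 500) and an
# Ubuntu-style client (UIDs from 1000) where 'dad' was recreated with a
# new UID but 'mom' was created with the server's numbers.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
dad:x:500:500:Dad:/home/dad:/bin/bash
mom:x:501:501:Mom:/home/mom:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dad:x:1000:1000:Dad:/home/dad:/bin/bash
mom:x:501:501:Mom:/home/mom:/bin/bash
EOF
}

# Real use: copy the client's /etc/passwd to the server and run
#   compare_ids /etc/passwd passwd.client
#   low_uids /etc/passwd 1000
```

Run `compare_ids` before touching any UIDs: every account it prints is one whose files will change apparent owner when the numbers are renumbered, so it doubles as the list of home directories and share contents that need a `chown` afterwards.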