  1. #1
    Just Joined!
    Join Date
    May 2012
    Posts
    2

    Issues with cross-protocol permissions - NFS/SMB/HTTP all to same spot


    Hi all -

    I've got some problems making a directory tree
    transparently accessible via SMB, NFS, and HTTP all at the same time.

    I have a Centos 5.X server (shortly to be 6.5) that I
    have a directory on that is essentially _the_ main website/directory structure for the home network.

    My home network consists of a mixture of Centos/Ubuntu/XP/Vista/Win7/Android platforms, which all need to access this site, either over SMB, NFS, or HTTP.

    I don't have any harsh security requirements in particular, really any family user should be able to fully access any part of the structure and be able to have create/edit/save/delete rights to files.

    What's tripping me up is even how to get sane access going for a single username - much less using groups to give the same access.

    Writes really don't happen under HTTP, although having some sort of write access for a CMS system would be nice-

    I just can't work out what the rights need to be for the Apache user who sees this under DocumentRoot, the various SMB users who access mapped drives on Winders, or
    the NFS users who see it as mounted on /mnt.

    I know that in NFS, one requirement is that I have matched UID/GID numbers--
    I've adjusted that on the Ubuntu workstation, and made sure
    the owner/group is the same.


    NFS looks OK and appears to work -
    now that I've appropriately chown'ed everything to matching usernames across the board.

    Odds are, that just borked HTTP viewing of some pages.
    And odds are equally good that now some SMB user
    cannot save/edit/view files...

    I think part of the HTTP problem is that I want it to be transparent to users -- I don't want to force a login to the pages on small children (or non-technical people like SWMBO)
    So user apache is trying to access files that are owned/created by other users.

    I know in smb.conf I can specify that all files created/edited
    should always be a forced user - which would do well to fix the NFS piece, right??


    I've tried reading various HOWTOs- but keep running into situations where YMMV - and I suspect it's because the author's experience was with Xenix/FreeBSD, or was on some older version, etc--
    And in any case, so much of the time people are thinking
    "make NFS work", without considering how to make HTTP also work, and SMB also work...


    I know this is long --
    Can anyone give cross-protocol basic thoughts??

    thanks...

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    888
    In CentOS / Red Hat, httpd executes as user 'apache'
    I suggest adding whatever the other services execute as, as well as apache to a new group.

    groupadd mypublicgroup
    # -a appends; without it, -G replaces the user's existing supplementary groups
    usermod -a -G mypublicgroup apache
    usermod -a -G mypublicgroup <user for samba, etc>

    chgrp mypublicgroup /path/to

    Make sure you set the necessary permissions for the group.
    If you have SELinux up and enforcing, then good luck having all 3 services, you might have to make some custom policies, which will be a real PITA.

  3. #3
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hi. This is an interesting problem, one I've thought about doing in my home network. I did a quick, minimal run-thru, and it worked, so I'll post what I did - maybe it will help you.

    1. create a group on the linux server, e.g.:

    Code:
    groupadd family
    2. add any users to this group that will be accessing the share via samba, e.g.:
    Code:
    usermod -a -G family <username>
    If you haven't created any samba users before, don't forget to set the passwords using the smbpasswd utility. use it to add a new user like this:
    Code:
    smbpasswd -a <username>
    3. create a directory structure to be shared by the users:

    Code:
    install -d /data/family -o root -g family -m 0775
    this directory will be owned by root, group owned by "family" and have group write permissions (in Linux, anyway).

    4. Configure samba: add these lines to the end of /etc/samba/smb.conf:

    Code:
    [family]
      path = /data/family
      valid users = @family
      writable = yes
    5. Configure nfs: add this line to /etc/exports:
    Code:
    /data/family 192.168.1.0/24(rw,sync)
    obviously, substitute your ip subnet for the one given here.

    don't forget to re-export the NFS filesystem, e.g.:
    Code:
    exportfs -rv
    6. Configure apache: add a file to /etc/httpd/conf.d/ and call it "family.conf". In it, put:
    Code:
    # family share 
    Alias /family "/data/family/"
    <Directory "/data/family">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    7. Configure apache users. the first command will create the file:
    Code:
    htpasswd -c /etc/httpd/conf/http-users.txt dad
    now add "mom":
    Code:
    htpasswd /etc/httpd/conf/http-users.txt mom
    8. Configure apache group. create a file called "/etc/httpd/conf/http-group.txt", and in it put this line:
    Code:
    family: dad mom
    9. now protect the family directory using an .htaccess file that looks up users/groups in the above files you created. create a file called ".htaccess" and put it in /data/family/. In the file put:
    Code:
    AuthUserFile /etc/httpd/conf/http-users.txt
    AuthGroupFile /etc/httpd/conf/http-group.txt
    AuthName "Enter Password"
    AuthType Basic
    
    require user dad mom
    Restart the webserver:
    Code:
    service httpd restart

    ---

    That should be it. I probably forgot something, though.
    My tests showed that I could mount the "family" share in Windows, using the Windows username that is also a samba user in the Linux server. I was able to mount the NFS share from another Linux PC. In a browser I was able to access the directory by going to http://<LINUX_PC_IPADDRESS>/family/ and logging in using either "mom" or "dad". In the case of SMB and NFS, I was able to successfully write to the directory.

    hth!
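
Added example, not part of the original post: a shell audit for a shared tree laid out like the `/data/family` directory and `family` group in the steps above. It reports entries that members of the group cannot edit, and directories without setgid, where files created over NFS or SMB take the creator's primary group instead of the shared one. The function names `audit_share`, `fix_share` and `count_issues` are hypothetical.

```shell
#!/bin/sh
# Added example: audit and repair group access on a shared tree.
# Usage (as root, names taken from the post above):
#   audit_share /data/family family
#   fix_share   /data/family family

# Print one "ISSUE<TAB>PATH" line for every problem found under DIR.
audit_share() {
    dir=$1 grp=$2
    # Wrong group: members of $grp only get the "other" permission bits here.
    find "$dir" ! -group "$grp" -exec printf 'wrong-group\t%s\n' {} \;
    # Directories need group rwx plus setgid so new entries inherit $grp.
    find "$dir" -type d ! -perm -2070 -exec printf 'dir-mode\t%s\n' {} \;
    # Regular files need group read+write for shared editing.
    find "$dir" -type f ! -perm -060 -exec printf 'file-mode\t%s\n' {} \;
    # World-writable entries are broader than the group model intends.
    find "$dir" ! -type l -perm -002 -exec printf 'world-writable\t%s\n' {} \;
}

# Number of problems reported by audit_share.
count_issues() {
    audit_share "$1" "$2" | wc -l | tr -d ' '
}

# Bring an existing tree in line with the group model checked above.
fix_share() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir"                    # one shared group everywhere
    chmod -R g+rwX "$dir"                     # group rw on files, rwx on dirs
    find "$dir" -type d -exec chmod g+s {} +  # new files inherit the group
}
```

Files written later still get their mode from the writer's umask (NFS and local users) or from the Samba share's `create mask` and `directory mask` settings, so re-run the audit after each client type has written to the share.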

  4. #4
    Just Joined!
    Join Date
    May 2012
    Posts
    2
    Thanks guys!!!

    It may take me another week, but I'll find another of my 'round tuits' and reconfigure things with groups..
    I have discovered that I have to change the UID/GID on my existing Centos installs for my account.
    They are numbered less than 1000, and Ubuntu 12.04 doesn't like showing all users available to log in, something about lightdm.conf
    doesn't like users with UID less than 1000.

    So between that and the NFS (in)sanity of having matching UID/GID to solve permissions problems on that side, it's probably going to be "change all the other UID to be higher than 1000" so I can create those users on the Ubuntu box.

    I expect _that_ will break a few things.....
