Re: Ldap authentication and NFS mounts



linuxnewbie1234 wrote:

> Hi all,
> we recently set up a Mac OS X fileserver/ldap-server which should provide
> centralized authentication for all our computers and provide the home
> directories for all the users, so that a user can log in to whatever
> machine and see his own home directory.
>
> We have both Windows and Linux client machines. Windows imports them via
> the domain system / CIFS (I suppose... somebody else is doing this part).
>
> On Linux we were thinking about using NFS to share the homes.
>
> The problem is that in Linux, the root of each machine can just do "su"
> to become whatever other user, and see the home of whatever other user
> from the Mac OS X fileserver mount! This is not what we want.

You also do not want your local users to become root on the desktop
workstations. If really necessary, set up sudo for dedicated tasks.
BTW, thanks to the hopefully set "root_squash" on the homes share, a local
root cannot see much on the mounted /home.

> Is there any way to prevent this? Can we mount the directories via SMB,
> and would this help?

It would indeed be possible to mount the same HOMES share as used with
Windows, upon user login. But then, users would have to store their
passwords in a "credentials" file in plaintext for smbmount authentication.
Other alternatives can be circumvented by a local root just like this one.
That appears pretty stupid then ...

> Note that for now we were only able to do the mount of the homes in
> Linux machines *statically*, that is, with an entry in fstab which
> mounts all the homes together, and not user-by-user at the moment of
> login. Is our vulnerability only caused by this, or would it exist anyway?

Root is root is root, and hacking on a Linux machine may not be what your
employees are paid for. Do not give them a root password, not even local.
For the NFS, you may want to switch to Kerberized versions.

> Thanks for any help.
> We are newbies at this LDAP/Windows-domain and shared homes thing.

--
vista policy violation: Microsoft optical mouse found penguin patterns
on mousepad. Partition scan in progress to remove offending
incompatible products. Reactivate MS software.
Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]
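A small audit script, added here as an example and not part of the thread or of either poster's setup: it reads a Linux-style /etc/exports file and flags home exports that either let a client's root stay root (no_root_squash) or rely on AUTH_SYS (no sec=krb5, krb5i or krb5p). The second case is the one the question is really about: root_squash only remaps UID 0, so a local root that does "su - someuser" arrives at the server as that user's UID and is trusted, whereas with sec=krb5* the server wants a Kerberos ticket for that user, which the local root does not have. The sample export list the script writes is constructed, and the syntax it parses is that of Linux nfsd (exportfs); the Mac OS X server in the thread uses a different exports format, so running this against a Linux export list is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux-style /etc/exports file.
# Assumes Linux nfsd syntax:  /path  host(opt,opt)  host2(opt)
# Flags an export when
#   - it carries no_root_squash (client root is root on the server), or
#   - it has no sec=krb5/krb5i/krb5p, i.e. it uses AUTH_SYS and the server
#     simply trusts the UID the client sends. root_squash does not help
#     there: a local root does "su - someuser" and arrives with that UID.

audit_exports() {
    # Prints one line per weak export: "<path> <host>: <reasons>"
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac   # blank or comment line
        for spec in $clients; do
            host=${spec%%\(*}
            case "$spec" in
                *'('*')') opts=${spec#*\(}; opts=${opts%\)} ;;
                *)        opts='' ;;                      # host with no options
            esac
            reason=''
            case ",$opts," in
                *,no_root_squash,*) reason='no_root_squash: client root is root on the server' ;;
            esac
            case ",$opts," in
                *,sec=krb5*) ;;   # krb5, krb5i or krb5p: identity comes from a Kerberos ticket
                *) reason="${reason:+$reason; }sec=sys (or unset): server trusts client-supplied UIDs" ;;
            esac
            [ -n "$reason" ] && printf '%s %s: %s\n' "$path" "$host" "$reason"
        done
    done < "$1"
    return 0
}

count_weak_exports() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample export list (not a real site's configuration)
write_sample_exports() {
    cat > "$1" <<'EOF'
# weak: client root stays root, and UIDs are taken on trust
/export/home   192.0.2.0/24(rw,sync,no_root_squash)
# root squashed, but a local root can still "su" to any other UID
/export/home2  192.0.2.0/24(rw,sync,root_squash)
# hardened: per-user Kerberos tickets; "su" to another UID yields no ticket
/export/home3  192.0.2.0/24(rw,sync,root_squash,sec=krb5p)
EOF
}

# Stand-alone demo: writes the sample, audits it, cleans up.
demo_exports_audit() {
    f=$(mktemp)
    write_sample_exports "$f"
    audit_exports "$f"
    echo "weak exports: $(count_weak_exports "$f")"
    rm -f "$f"
}
demo_exports_audit
```

Run it as `sh audit_exports.sh` for the demo, or call `audit_exports /etc/exports` on a real export list. On Linux nfsd root_squash is the default, so an export without it is not flagged; only an explicit no_root_squash is. The sec=krb5p line is what the reply's "kerberized versions" suggestion amounts to on the server side: the client must also mount with sec=krb5p and each user needs a ticket (kinit or a PAM module that obtains one at login), which is also what makes the static fstab mount usable, since the mount itself no longer decides who can read which home.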