Re: Help me replace some Windows installations

From: ZnU (znu_at_acedsl.com)
Date: 09/13/04


Date: Mon, 13 Sep 2004 02:24:38 -0400

In article <hs9f12-025.ln1@triangulo.it.uc3m.es>,
 ptb@oboe.it.uc3m.es (P.T. Breuer) wrote:

> ZnU <znu@acedsl.com> wrote:

[snip]

> > I'm not terribly familiar with NFS. But if I just mount the whole /Users
> > hierarchy from the OS X server on the Linux machines via NFS, don't I
> > have to trust the client machines to enforce permissions on it?
>
> Eh? What are these "permissions"? If you gave access to your client
> machines you gave them access as a machine, and it is up to the client
> machines to decide what to do with the access rights you gave them.
> They cannot access more than you gave them "permission" to access.
>
> Are you asking if a user on your machine has a directory that is o-r,
> whether that will be honoured on the client? That's up to the client
> ("none of your business"). You gave read permission to the client, and
> its users (or if it has any, or if it has any concept of user) are
> really not business of yours. If you don't want the client to decide
> how to allocate out access to the access you gave it, then don't give it
> it. The client may remap users any way it likes.
>
> Bottom line - you gave permission to the machine.
>
> You may modify this using kerberos.

Look, I don't understand what the miscommunication is here. Basically,
what I want to do, is let a user log in and have appropriate access to
his home directory, and appropriate lack of access to the home
directories of other users. The way Windows and OS X handle this is by
mounting home directories as share points using the authentication
information for the user logging in on each machine. In other words, if
I log in as 'znu' on Client-1, Client-1 logs into the file server using
the 'znu' account, and the 'Users' share is mounted with the privileges
defined for 'znu' on the server.

With NFS, my understanding is that I'd create a system-wide entry to
mount the 'Users' share at, say, /home. If I did that, I'd have to grant
the client full read-write access on the entire share, because it has to
be able to grant the appropriate access to any user who might sit down
and log in, and that potentially requires being able to read from and
write to any home directory. I then have to trust the client to make
sure that user A doesn't delete files from user B's home directory or
whatever. I can't necessarily trust every client that might be connected
to this network.

> > OpenDirectory is basically OpenLDAP with an Apple schema that provides
> > everything OS X needs. I *think* this schema is a superset of RFC 2307
> > (which is what I'd want for Linux clients, right?), but it's hard to
>
> I have no idea. If you have an ldap server, then linux can use it for
> authentication. It's a question of putting a few entries in the pam.d
> files, and arranging that nsswitch.conf is rigged to refer libc getpwent
> through ldap for the passwords.

See, this is the kind of thing that makes people say Linux is not ready
for prime time.

With OS X clients, this same procedure requires *no* client-side
configuration, aside from clicking a single checkbox to tell the machine
to obtain LDAP server information automatically from DHCP.

With Windows clients, the equivalent procedure involves running a wizard
and filling in a couple of obvious things in its fields.

> > find documentation for this sort of thing. I was hoping someone here had
>
> All the docs are on the ldap site for linux (and presumably in the
> howto).
>
> > done this and could tell me.
> >
> > I've managed to Google up lots of information about using a Linux server
> > with OS X clients, but I've found practically nothing about doing things
> > the other way around.
>
> ???

-- 
"I want to thank my friend, Sen. Bill Frist, for joining us today.... He married
a Texas girl, I want you to know. (Laughter.) Karyn is with us. A West Texas
girl, just like me."
                       -- George W. Bush in Nashville, Tenn., May 27, 2004
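
Added example, not part of the original post: the thread's concern is that an NFS export using the default AUTH_SYS flavor makes the server act on whatever UID the client host asserts, and that Kerberos changes this, so this sketch audits an exports file for entries that still accept sec=sys. It assumes Linux nfs-utils exports(5) syntax (the OS X server in the thread uses a different export format), uses a constructed sample with made-up paths and hosts, and treats sec= as a simple "last one wins" list; parse_exports and audit are hypothetical names.

```python
import re
import shlex

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories
/Users        192.0.2.0/24(rw,sync)
/Users        client-1.example.net(rw,sec=krb5p)
/srv/pub      *(ro,sec=sys:krb5)
/srv/scratch  -sec=krb5i lab-a.example.net(rw) lab-b.example.net(rw,sec=sys,no_root_squash)
"""

def parse_exports(text):
    """Yield (path, client, [options]) for every client on every export line."""
    for line in text.replace("\\\n", " ").splitlines():
        fields = shlex.split(line, comments=True)   # drops '#' comments, honours quotes
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):               # "-opt,opt": defaults for the rest of the line
                defaults = field[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", field)
            if m is None:
                continue                            # malformed entry, skipped
            own = m.group(2).split(",") if m.group(2) else []
            yield path, m.group(1) or "*", defaults + own

def audit(text):
    """Return (path, client, access, root_squashed) where AUTH_SYS is accepted."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors, access, squash = ["sys"], "ro", True   # exports(5) defaults
        for opt in opts:                                # later options override earlier ones
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
            elif opt in ("rw", "ro"):
                access = opt
            elif opt in ("root_squash", "no_root_squash"):
                squash = opt == "root_squash"
        if "sys" in flavors:    # server will act on whatever UID the client host asserts
            findings.append((path, client, access, squash))
    return findings

if __name__ == "__main__":
    for path, client, access, squash in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {access} with sec=sys, root_squash={squash}")
```

Entries that list only krb5, krb5i or krb5p are not reported, because there the server maps an authenticated principal to a user instead of taking the client's word for the UID.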

