Koozali.org: home of the SME Server

NFSv4
« on: February 27, 2009, 04:30:42 PM »
Hi all,

I've just replaced my server and the new one has a "big" 200GB hard drive so I'm looking for a solution to do some serious file sharing (I didn't look too much into it before because my old server had a small 18GB drive). Thanks to the guy who wrote the Affa tutorial by the way, this saved me a lot of time!
I've looked into several solutions, and considering I only have Linux workstations (mostly running OpenSUSE 11.1) it appears NFS would be the best way to go. Not the old NFSv3 as I am aware of its security flaws, so I've been looking into NFSv4.

I've been following this tutorial: http://sme.firewall-services.com/spip.php?article11

I now have NFS running on the server. At first I could only mount the shared folder using NFSv3, but thanks to http://nfsv4.bullopensource.org/doc/NFS3_NFS4_migration.pdf I now have removed my NFSv3 export, replaced it with NFSv4 exports (which are lost upon reboot but that's only a detail I can solve later):

Code:
exportfs -ofsid=0,insecure,no_subtree_check *:/home/e-smith/files
exportfs -orw,nohide,insecure,no_subtree_check *:/home/e-smith/files/users/seb/home

and I can mount it from one of the clients with:

Code:
mount -t nfs4 -o rw,users,rsize=32768,wsize=32768 sme-server-7:/users/seb /home/seb/nfs

The only problem is that the mount is read-only... All the files belong to user 4294967294... And I obviously don't have write permissions. Which, actually, seem to be a good behavior - I am not authenticated, from the server's end I'm nobody...

Now the question is, how can I access that share "normally", i.e. how can I authenticate so the server recognizes me and gives me back the rights on my own files? I've been thinking about NIS but can't find any good tutorial to get it up and running on SME 7.4... All I could find was a tutorial for 6.0 that I won't dare trying. LDAP might also be a solution but I'm completely lost with it.

Any idea is welcome.

Thanks in advance.

Seb.
« Last Edit: February 27, 2009, 04:34:28 PM by Old Lodge Skins »
"How high does the sycamore grows? If you cut it down, you'll never know!" - Vanessa Williams, Pocahontas.

Re: NFSv4
« Reply #1 on: February 27, 2009, 08:13:05 PM »
After further searches, it appears that LDAP would be a better choice than NIS...
But although I do have the LDAP contrib installed, as well as PhpLdapAdmin, I still don't have a clear idea of how to link NFS with LDAP, and get my clients to authenticate.

Re: NFSv4
« Reply #2 on: February 27, 2009, 11:16:54 PM »
Ok, I'm progressing...

* I can now log in from my workstations with a user defined on the LDAP server. At least I can from the command line, as there is no home for this user.
* If I mount the nfs4 share as previously, the ldap authenticated user can browse the share while other users can't. That's good.
* There is still a permissions problem as all the files in the mount point are now owned by nobody:nobody!
« Last Edit: February 27, 2009, 11:18:29 PM by Old Lodge Skins »

Re: NFSv4
« Reply #3 on: February 27, 2009, 11:28:42 PM »
Ok, it was a domain problem in /etc/idmapd.conf on the server... This is now solved, the files do belong to my user (the one authenticated through ldap), but the share is still read-only (that's the message I get while trying to create a folder).

Re: NFSv4
« Reply #4 on: February 28, 2009, 12:54:26 AM »
Finally... Got it working now. The rw option was missing in one of the exports.
So the situation is this:

* A user who has an account on the server, but not on the client, can log in and have his distant /home inside the mount point.
* A user who exists on both the server and the client (same login, same UID, but different passwords) can log in locally (but not on the server as the password is not the same), have his local /home as normal, BUT he can also access the folder in the mount point that belongs to the same user on the server... That's not a desirable behavior, so I'd like to deny the access to any user that hasn't been authenticated through LDAP. Is there a way I can do this?

Thanks.

Seb.

David Harper
Re: NFSv4
« Reply #5 on: February 28, 2009, 01:49:56 AM »
You could disable local logins on the workstations altogether, but this might be overkill.

Re: NFSv4
« Reply #6 on: February 28, 2009, 01:54:32 AM »
Thanks for the idea but no, that'd be too much... The point is, I still want to keep my local homes, while being able to access the distant share... I've made a user with his home on the server just for the fun of it, to see if I could actually do it. And anyway that wouldn't solve the problem - all you'd have to do would be to insert a new workstation in the network or even start on a Knoppix on one of the existing workstations... So that wouldn't really solve the problem anyway.
I believe the only way to go is to make the server deny the access to anyone who isn't identified.
« Last Edit: February 28, 2009, 01:57:35 AM by Old Lodge Skins »
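The behaviour the thread ends on in Reply #4 and Reply #6, a locally created user with the same UID reading that user's files on the server, is how the default NFS security flavour works: with sec=sys (AUTH_SYS) the server believes whatever uid/gid the client sends, so the only way for the server to "deny access to anyone who isn't identified" is an export that requires Kerberos (sec=krb5, krb5i or krb5p), where the client must hold a ticket the server can verify. The following is an added example, not code from the thread or from SME Server: a small linter that reads entries in /etc/exports syntax (the persistent form of the exportfs commands in the first post, which is also what survives the reboot mentioned there), applies the exportfs defaults, and flags the options discussed above: the `*` wildcard, `insecure`, `no_root_squash`, `sec=sys`, and the read-only default that Reply #4 tripped over. The sample entries, including the `/srv/projects` path and the `192.168.1.0/24` subnet, are constructed for the example.

```python
"""Lint NFS export entries written in /etc/exports syntax.

Added example, not code from the thread or from SME Server. It applies the
exportfs defaults (ro, sync, root_squash, secure, sec=sys) to each host clause
and reports the options a reviewer would flag. SAMPLE_EXPORTS is constructed:
the first two entries are the /etc/exports form of the two exportfs commands
posted in the thread, the third is a hardened entry for contrast.
"""
import re

# Options exportfs assumes when an entry does not set them explicitly.
DEFAULTS = frozenset({"ro", "sync", "root_squash", "secure", "sec=sys"})

# Each option that switches off another one.
OPPOSITE = {
    "rw": "ro", "ro": "rw",
    "async": "sync", "sync": "async",
    "no_root_squash": "root_squash", "root_squash": "no_root_squash",
    "insecure": "secure", "secure": "insecure",
}

# host, optionally followed by (comma,separated,options)
CLAUSE_RE = re.compile(r"([^\s(]+)(?:\((.*)\))?")

SAMPLE_EXPORTS = """\
# constructed sample: NFSv4 pseudo-root plus one user home, as in the thread
/home/e-smith/files                 *(fsid=0,insecure,no_subtree_check)
/home/e-smith/files/users/seb/home  *(nohide,insecure,no_subtree_check)
# hardened entry (constructed): one subnet, Kerberos with privacy, rw stated
/srv/projects                       192.168.1.0/24(rw,sec=krb5p,no_subtree_check)
"""


def parse_exports(text):
    """Return (path, host, [options]) for every host clause in the text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clauses = line.split()
        for clause in clauses:
            m = CLAUSE_RE.fullmatch(clause)
            if m is None:
                raise ValueError(f"cannot parse {clause!r} for {path}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, m.group(1), opts))
    return entries


def effective_options(opts):
    """Apply the defaults, letting each explicit option cancel its opposite."""
    eff = set(DEFAULTS)
    for o in opts:
        if o.startswith("sec="):
            eff.discard("sec=sys")      # any explicit sec= replaces the default
        eff.discard(OPPOSITE.get(o, ""))
        eff.add(o)
    return eff


def lint_exports(text):
    """Return (path, host, finding) triples; an empty list means nothing to flag."""
    findings = []
    for path, host, opts in parse_exports(text):
        eff = effective_options(opts)
        flavors = set()
        for o in eff:
            if o.startswith("sec="):
                flavors.update(o[4:].split(":"))   # sec=krb5:sys lists several
        if host == "*":
            findings.append((path, host, "any host may mount this export"))
        if "insecure" in eff:
            findings.append((path, host,
                             "insecure: requests accepted from unprivileged source ports"))
        if "no_root_squash" in eff:
            findings.append((path, host, "no_root_squash: client root is root on the server"))
        if "sys" in flavors:
            # AUTH_SYS: the server believes the uid/gid the client sends,
            # which is the behaviour described in Reply #4.
            findings.append((path, host,
                             "sec=sys: server trusts the uid/gid the client presents"))
        if "rw" not in eff and "fsid=0" not in eff:
            # exportfs defaults to ro; a writable share must say rw (Reply #4's fix)
            findings.append((path, host, "read-only by default: add rw if writes are intended"))
    return findings


if __name__ == "__main__":
    for path, host, finding in lint_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {finding}")
```

Run it against a real /etc/exports by passing the file's contents to lint_exports(); the pseudo-root (fsid=0) entry is exempt from the read-only check because nothing is written there directly. The hardened entry produces no findings because it names a subnet, keeps the `secure` port default, and uses sec=krb5p, which is the export-side half of making the server refuse unauthenticated clients; the client side is a Kerberos principal and a sec=krb5p mount option, not shown here.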