Windows to Linux Migration - File Server Security?
Circuit Breaker asks: "I'm in the slow process of migrating my office from Windows to Linux. The servers have been Linux machines for quite a while now: Samba serves as PDC/BDC (not using Active Directory yet), and the Samba config is mirrored with rsync; all works well. Now, it's time for the workstations, and all is NOT well. User lists are synchronized with NIS, which sort-of works, and will probably work better once we implement LDAP; but it seems that mounting of server directories can only effectively be done with NFS, which is a problem with security because some people really need local root. I've tried using NFS, CIFS and SSHFS, through pam_mount, automount, and independently, but it's not close to the usability of the Windows setup. It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions. How do you set up mounting directories that is easy to use like Windows -- everything automounted, but security settings are still respected for each user, even when local roots are involved?"
Some versions of NFS support Kerberos authentication. Try that.
After all, I am strangely colored.
Recent NFS kernel implementations (for instance, whatever I have installed on my Debian/Sid boxen) have a few options which might be useful.
First, in /etc/exports, you can do per-IP-address UID/GID squashing. 'man 5 exports' considered helpful. For instance (Slashdot will mangle this),
That will make the NFS connection from 10.60.55.20 have all access go via UID/GID 1001, and all accesses from 10.60.55.30 go via UID/GID 1002. This is most applicable when using single-user endpoints/workstations.
Newer kernels (late 2.6.x-series) appear to have support for Kerberos and similar; of course, if you haven't even done LDAP yet (what's your excuse? If you're replacing Windows machines in an NT4 configuration, you should at least be migrating to something LDAP-based), then Kerberos is probably out of your league. Fix that.
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
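Added example, not part of the original thread: a small Python audit of an `/etc/exports` file that reports, for each client entry, how far a local root user on that client is constrained by the squashing and Kerberos options mentioned in the comment above. The export paths, the /24 network and the verdict labels are assumptions; the two host addresses and UIDs are the ones named in the comment.

```python
import re

# Constructed sample /etc/exports. Paths and the /24 network are assumptions;
# the two host addresses and UIDs are the ones named in the comment above.
SAMPLE_EXPORTS = """\
# constructed example
/srv/share 10.60.55.20(rw,all_squash,anonuid=1001,anongid=1001)
/srv/share 10.60.55.30(rw,all_squash,anonuid=1002,anongid=1002)
/srv/home  10.60.55.0/24(rw,sec=krb5p)
/srv/old   10.60.55.0/24(rw,no_root_squash)
/srv/pub   10.60.55.0/24(rw)
"""

ENTRY = re.compile(r"(\S+?)\(([^)]*)\)")  # client(opt,opt,...)

def classify(opts):
    """Say whose identity the server accepts from this client."""
    # exports(5) defaults: sec=sys and root_squash when not stated.
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
    if all(flavor.startswith("krb5") for flavor in sec.split(":")):
        return "kerberos"      # identity comes from a ticket, not a UID claim
    if "all_squash" in opts:
        return "pinned"        # every request is mapped to anonuid/anongid
    if "no_root_squash" in opts:
        return "root-trusted"  # client root acts as root on the server
    return "uid-trusted"       # root is squashed, but client root can su to any UID

def audit(text):
    """Return (path, client, verdict) for each client entry in an exports file."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, rest = parts
        for client, optstr in ENTRY.findall(rest):
            opts = [o.strip() for o in optstr.split(",") if o.strip()]
            results.append((path, client, classify(opts)))
    return results

if __name__ == "__main__":
    for path, client, verdict in audit(SAMPLE_EXPORTS):
        print(f"{path:12} {client:16} {verdict}")
```

Entries reported as `uid-trusted` or `root-trusted` are the ones where a workstation with local root defeats the server-side permissions described in the question.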
Ever got hit with a BSA audit? That alone will convince you of exactly how tyrannical those bastards can be. Beyond that, it may be as simple as they are tired of paying for software licenses for software that leaves them virtually no protection against intrusion and is quite famous for its insecurity and unreliability. (I'm not saying anything is better, just that it's famous for its exploitability and that many working exploits are still unknown to the white-hat security crowd.)
Pick your favorite reason. But ultimately, whatever the reason, I'm sure they have a good one and have decided the pains involved with migrating over are worth moving away from what they are using now.
Ever heard of smbmount?
Yes, it's part of the Samba package.
Yes, it does exactly what it suggests: mounts a Samba share (the same thing you were doing when you were using Windows).
So, point one: you do not need to use NFS.
Now let's go for point two. And I will not extend here. Just a tip: man fstab, then go to the fourth field (options) and look for help on the "user" option.
All your problems fixed.