Windows to Linux Migration - File Server Security?

Circuit Breaker asks: "I'm in the slow process of migrating my office from Windows to Linux. The servers have been Linux machines for quite a while now: Samba serves as PDC/BDC (not using Active Directory yet), and the Samba config is mirrored with rsync; all works well. No, it's time for the workstations, and all is NOT well. User lists are synchronized with NIS, which sort-of works, and will probably work better once we implement LDAP; but it seems that mounting of server directories can only effectively be done with NFS, which is a problem with security because some people really need local root. I've tried using NFS, CIFS and SSHFS, through pam_mount, automount, and independently, but it's not close to the usability of the Windows setup. It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions. How do you set up mounting directories that is easy to use like Windows -- everything automounted, but security settings are still respected for each user, even when local roots are involved?"

Re:NFS with Kerberos

Just a quick note; the use of Kerberos requires a commercial license. Export outside of US, Canada and Poland requires permission from the government due to cypher strength restrictions.

Why are you doing this?

[kiwimate]

As in the whole migration. Seriously. You don't list a reason, so it could be anything from saving money (in which case you've already failed with the amount of time and effort you're expending and the commensurate costs, including lost productivity, not even beginning to think about ongoing support costs, because you know the OS licensing costs saved have already been way exceeded by the migration costs) to idealism.

But everything you've described is "we're trying to find a way to emulate this Windows functionality on Linux, and it's really hard". You're taking huge amounts of time, you can't get anything to work properly, and in the process I imagine you're causing your users a lot of aggravation.

I don't even want to know how big the office is, what sort of packages you're trying to migrate, etcetera, but presumably either you're in charge of a very small office, your manager is a Linux idealist or the majority of your office colleagues are Linux idealists, or you made it sound really appealing to your manager. If the first two reasons, I'd be guessing sheer stubbornness is making you carry this on through. If the last, I'd be guessing your manager will be asking some questions sometime soon.

So why are you doing this? Heck, just read the last few sentences...

I've tried using ...{blah blah blah}... but it's not close to the usability of the Windows setup.

It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions.

How do you set up mounting directories that is easy to use like Windows?

Mate...again, why, precisely, are you doing this? Now I really do want to know out of sheer curiosity...

Re:Why are you doing this?

[Vrejakti]

Why does it matter why he is doing this? I has hoping to read this topic and find a simple solution to implementing NFS on a Local Area Network under Linux.

An organization like Free Shell uses NFS for all user accounts and much of their core orginization.

If I could use NFS, I'd fill an older computer with hard drives so I could have a massive file server. I know Google has the answer, but you have to admit, if someone on slashdot had the answer, it'd be nicer to get it here, then dig through pages and pages of Google results.

Re:Why are you doing this?

[kbielefe]

You're thinking too short term. Presumably, this guy wasn't hired specifically for the Linux migration. If he wasn't spending some time on this, he would be working on the next service pack upgrade or whatever. It sounds like he is doing it right by taking it slow, and I'd be really suprised if he was rolling anything out to users that wasn't fully tested.

You're right -- in the short term this is more trouble than it's worth. There are a lot of things he needs to learn, and the initial setup can be difficult and time consuming when you have never done it before. The payoff only comes in the long run.

Imagine how much your company would have saved in licensing costs if they had migrated to open source software in 1995. Imagine how easy it would be to support Linux if the IT staff and employees had 10 years of solid Linux experience.

This guy's company is going to be in a great position in 2015, and people who couldn't tolerate some short term inconvenience will be even further entrenched in a single-source solution. In fact, I think the Linux migration will more than adequately prove itself financially much sooner -- by the time his friends are in the middle of a Vista migration. (I'll resist the temptation to insert a cheap shot about 2015 here).

As for the original question, I would suggest if he wants something that shares files like Windows, to use Samba. It's not just for interoperability; KDE and Gnome both integrate with Samba very nicely.

What I don't understand

[overshoot]

is the whole "local root user" thing.

Yes, there are advantages to having clued users able to do things on their systems [1] -- which is quite a different thing from having root access to the network stores.

In other words, I don't see the problem unless you've created it.

[1] Example: my system at $WORK. Note that most of the other engineers neither have, nor need, root access and I neither need nor have root access to anything but my own box.

Because someone got bitten by the Linux bug

[Sycraft-fu]

For various reasons, including the lack of per copy cost, the actions of MS in the past, UNIX compatiblity, and so on many orginizations look at Linux. Unfortunately, in some cases it's not a "Well let's see if Linux would be good for us" it's "Windows sucks, we need Linux, make it happen now." There's no thought as to why, other than that it's Linux.

Happened to me at my last job. We needed an Oracle server for a project, had to be Oracle. No problem, we have a site license for it so there's no incrimental cost. We get a server, and then it falls to me to set it up. However I'm told it has to be on Linux. I'm given various reasons, all, none valid. Things like "Well Linux is more secure" though the server will be in private IP space, directly conected to another server. So I start fighting with various LInux distros and Oracle to no end. I finally get fed up with this shit and tell the people demanding Linxu if they want it, they can install it. The UNIX guru comes to try it, fighs with it for like a week and finally calls Oracle since we have support. Their reply? "You need to get a supported OS, until then we can't help you."

See we were trying regular SuSe and Redhat. Part of the whole Linux thing is it's free right? Oracle will have nothing to do with that at all. Supported Linuxes were RHEL, SuSe EL, and UnitedLinux. So we hit a roadbloack. I asked for permission to try Windows XP since that was a supported OS, the system had come with a license and why not. Oracle ended up installing on that fine on the first try and working properly. Then the project was canceled, but that's another story.

Nobody who was demanding Linux there ever gave any thought to if it was the right way to so things, it was just pushing Linux or, I suspect, pushing something not MS.

So I'd bet that's what's going on here. Perhaps the submitter is in a bad situation where management has made an uninformed decision that they must be using Linux, and now he has to try and make it happen, even though it's a problem. Could also be he's a guy who dislikes MS and has used Linux at home, and decided it would be good for work without doing proper research.

AFS

[Borealid]

Why not give OpenAFS from http://www.openafs.org/ a try? It has its own permissions model, and (if you choose to have it so) is completely Kerberos-5 secured. Local root means literally nothing to AFS. It may be a bit beyond your needs, but in terms of scalability and security it beats NFS any day...

Re:If it works now

[Bert64]

Because it's dangerous to use microsoft. The more of their products you start becoming dependant on, the greater the risk of being screwed over.

It is always dangerous to become dependant on a single source for anything. No other vendor produces a windows-compatible OS or other drop in replacements for their products, your always faced with a costly migration. Unlike with x86 hardware (dell, hp, ibm, acer whatever, you can easily drop in replacements) and linux (debian, redhat, suse, easy enough to change) where you always have an easy exit-strategy incase something bad happens. Isn't it better to migrate now rather than waiting until it will be even more expensive and risky?

Aside from that, with microsoft you are reliant on a single source for patches and support etc.

Re:You Are Incorrect!

[ 289 patches, 112 tweaks to services, sixty-eight re-boots, a half-dozen add-on packages -- Norton, AdAware, etc. -- and fourteen hours later... ]

AdAware? Is that how you imagine Windows servers must be run? Why would someone need AdAware, which blocks spyware and cleans up private web browsing information, on a server? Do you flip through all your favorite sites on your production Linux servers?

Norton? Why would someone need Norton (presumably Internet Security for the firewall and AV for virus scanning) on a server? Windows comes with a built-in highly configurable firewall (called Routing and Remote Access, not Windows Firewall) and Symantec has an antivirus product specifically for use on servers called Symantec AntiVirus.

You need to check your information; the default installation of Windows Server 2003 with SP1 and all the updates (which the user is prompted to download immediately post-setup, which are batched together and require four clicks to download and install) is pretty secure and requires very little configuration to make it a file server: create the directory, right-click it and share it.

4 clicks to install all patches, no changes to services, one reboot, zero add-on packages, and a half hour later... I'm no Microsoft apologist, but at least I don't drink the Kool-Aid.