Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows to Linux Migration - File Server Security?

Posted by ryuzaki0 on from the user-level-shares dept.

Circuit Breaker asks: "I'm in the slow process of migrating my office from Windows to Linux. The servers have been Linux machines for quite a while now: Samba serves as PDC/BDC (not using Active Directory yet), and the Samba config is mirrored with rsync; all works well. No, it's time for the workstations, and all is NOT well. User lists are synchronized with NIS, which sort-of works, and will probably work better once we implement LDAP; but it seems that mounting of server directories can only effectively be done with NFS, which is a problem with security because some people really need local root. I've tried using NFS, CIFS and SSHFS, through pam_mount, automount, and independently, but it's not close to the usability of the Windows setup. It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions. How do you set up mounting directories that is easy to use like Windows -- everything automounted, but security settings are still respected for each user, even when local roots are involved?"

7 of 103 comments (clear)

  1. If it works now by mboverload · · Score: 4, Insightful

    If it works, why are you migrating? If it aint broke, don't fix it.

  2. NFS options by dbarclay10 · · Score: 4, Informative

    Recent NFS kernel implementations (for instance, whatever I have installed on my Debian/Sid boxen) have a few options which might be useful.

    First, in /etc/exports, you can do per-IP-address UID/GID squashing. 'man 5 exports' considered helpful. For instance (Slashdot will mangle this),

    /home/devel/fbar 10.60.55.20(rw,all_squash,anonuid=1001,anongid=100 1) 10.60.55.30(rw,all_squash,anonuid=1002,anongid=100 2)

    That will make the NFS connection from 10.60.55.20 have all access go via UID/GID 1001, and all accesses from 10.60.55.30 go via UID/GID 1002. This is most applicable when using single-user endpoints/workstations.

    Newer kernels (late 2.6.x-series) appear to have support for Kerberos and similar; of course, if you haven't even done LDAP yet (what's your excuse? If you're replacing Windows machines in an NT4 configuration, you should at least be migrating to something LDAP-based), then Kerberos is probably out of your league. Fix that.

    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
  3. Re:A good security by picklepuss · · Score: 4, Insightful
    By educating and training the users, there should be a minimum amount of confusion.

    IMHO, this is just asking for trouble. And having daily backups only ensures that you'll spend most of your day restoring backups when things start to get really messed up. Getting a signature doesn't do you squat, unless there is a real policy of enforcement. But once mangaement realizes they're going to have to discipline everyone because your security policy is lame, who do you think is going to get it in the end.

  4. Why are you doing this? by kiwimate · · Score: 4, Interesting

    As in the whole migration. Seriously. You don't list a reason, so it could be anything from saving money (in which case you've already failed with the amount of time and effort you're expending and the commensurate costs, including lost productivity, not even beginning to think about ongoing support costs, because you know the OS licensing costs saved have already been way exceeded by the migration costs) to idealism.

    But everything you've described is "we're trying to find a way to emulate this Windows functionality on Linux, and it's really hard". You're taking huge amounts of time, you can't get anything to work properly, and in the process I imagine you're causing your users a lot of aggravation.

    I don't even want to know how big the office is, what sort of packages you're trying to migrate, etcetera, but presumably either you're in charge of a very small office, your manager is a Linux idealist or the majority of your office colleagues are Linux idealists, or you made it sound really appealing to your manager. If the first two reasons, I'd be guessing sheer stubbornness is making you carry this on through. If the last, I'd be guessing your manager will be asking some questions sometime soon.

    So why are you doing this? Heck, just read the last few sentences...

    I've tried using ...{blah blah blah}... but it's not close to the usability of the Windows setup.

    It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions.

    How do you set up mounting directories that is easy to use like Windows?

    Mate...again, why, precisely, are you doing this? Now I really do want to know out of sheer curiosity...

  5. Because someone got bitten by the Linux bug by Sycraft-fu · · Score: 4, Interesting

    For various reasons, including the lack of per copy cost, the actions of MS in the past, UNIX compatiblity, and so on many orginizations look at Linux. Unfortunately, in some cases it's not a "Well let's see if Linux would be good for us" it's "Windows sucks, we need Linux, make it happen now." There's no thought as to why, other than that it's Linux.

    Happened to me at my last job. We needed an Oracle server for a project, had to be Oracle. No problem, we have a site license for it so there's no incrimental cost. We get a server, and then it falls to me to set it up. However I'm told it has to be on Linux. I'm given various reasons, all, none valid. Things like "Well Linux is more secure" though the server will be in private IP space, directly conected to another server. So I start fighting with various LInux distros and Oracle to no end. I finally get fed up with this shit and tell the people demanding Linxu if they want it, they can install it. The UNIX guru comes to try it, fighs with it for like a week and finally calls Oracle since we have support. Their reply? "You need to get a supported OS, until then we can't help you."

    See we were trying regular SuSe and Redhat. Part of the whole Linux thing is it's free right? Oracle will have nothing to do with that at all. Supported Linuxes were RHEL, SuSe EL, and UnitedLinux. So we hit a roadbloack. I asked for permission to try Windows XP since that was a supported OS, the system had come with a license and why not. Oracle ended up installing on that fine on the first try and working properly. Then the project was canceled, but that's another story.

    Nobody who was demanding Linux there ever gave any thought to if it was the right way to so things, it was just pushing Linux or, I suspect, pushing something not MS.

    So I'd bet that's what's going on here. Perhaps the submitter is in a bad situation where management has made an uninformed decision that they must be using Linux, and now he has to try and make it happen, even though it's a problem. Could also be he's a guy who dislikes MS and has used Linux at home, and decided it would be good for work without doing proper research.

    1. Re:Because someone got bitten by the Linux bug by Sycraft-fu · · Score: 4, Insightful

      You are free to believe what you like, it has no effect on the truth of what happened. Oracle refused to install on normal Linux. I don't know what the problem was, and apparantly neither did our Solaris guy. That's why he called Oracle, to ask them to help make it install, only they wouldn't because it's an unsupported OS. Now I should clarify that the a good part of the week wasn't fighting with Oracle, but with making RAID work, however he tried and failed to install Oracle several times before giving up and calling for support.

      And it sounds like you are another one bitten with the LInux bug, or rather the "anything but MS" bug. Why not Oracle on XP? I would draw your attention to the fact that it's an offically supported OS, as in Oracle themselves have declared "This OS is suitable to use with our database, and we will support installations on it." 10g2 is offically supported on Windows 2000 (Pro and Server), XP (32 and 64-bit) and 2003 Server (32 and 64-bit). While I haven't played with 10, when we did all this with 9, it installed on XP on the first try with no problems.

      So what's your reasoning that XP can't be used? Is there something really backing it up or is it just general "You can't use Windows" mentality?

      I'm not saying I'd recommend using Oracle on XP in most cases, however this is the same, knee-jerk "Linux bug" mentality I'm talking about. A Windows solution works, there's no problems with it, however you get this atitude like it should be Linux just because.

      Change needs to have a reason, at least in the corperate world. That reason can be something as simple as "we are tired of paying for MS licenses" but you need a legit reason. "I hate MS" isnt' a legit reason. Further, the benefits of the switch must outwiegh the costs. If you can switch to Linux with no additonal support costs, then the cost argument is a good one. If switching to Linux is going to require 500 man hours to implement and an additonal 200 per year to support over Windows, it may well be that the money spent on support is more than the savings from licensing.

  6. You Are Correct! by soloport · · Score: 4, Funny

    A properly secured Windows box is more secure than you think.

    [ 289 patches, 112 tweaks to services, sixty-eight re-boots, a half-dozen add-on packages -- Norton, AdAware, etc. -- and fourteen hours later... ]

    See?

    :)