[COLUG] NFS on Windows Unified Data Storage Server 2003
Scott Merrill
skippy at skippy.net
Mon Aug 20 17:02:23 EDT 2007

We have a Windows Unified Data Storage Server 2003 running at $work,
which we would like to use to provide unified home directories to users
in our (upcoming) Active Directory, allowing folks to log on using
either Windows or GNU/Linux (RHEL4 and RHEL5) workstations.

Windows UDS speaks CIFS, NFS2 and NFS3. The file server is a member of
the Active Directory. The workstations with which I am testing are
members of the AD, using Kerberos for login authentication, and LDAP for
nsswitch lookups. From a Linux client, I can do `getent passwd` and
`getent group` to see those user and group accounts which have been
supplied with UNIX credentials within the AD.

I used this tutorial for joining the Linux clients to the AD:
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

I have created NFS shares on the Windows UDS server, and defined two
hosts as having permission to mount them. I have enabled anonymous
connections, using UID and GID of 65534. I have also permitted root
connections.

The first time I mount the share from the Linux client, it is owned by
nfsnobody; so it appears that the Windows UDS server is applying a
root_squash (even though I told it that root was permitted). All of the
files and directories inside the share are also owned by
nfsnobody.nfsnobody.

If I do nothing else, then domain users on the Linux client are unable
to access the contents of the share, regardless of the NTFS permissions
that are applied to that share.

If I chgrp the share to the domainusers group, then my domain users can
access the share, but may not access their home directories inside that
share:

    # su - user.1
    su: warning: cannot change directory to /home/user.1: Permission denied
    -bash: /home/user.1/.bash_profile: Permission denied
    -bash-3.1$ exit
    logout
    -bash: /home/user.1/.bash_logout: Permission denied

After executing from the Linux client (as root)

    # chown user.1 /home/user.1
    # chgrp domainusers /home/user.1

I can successfully `su - user1`, as well as log in via GDM. I see that
user.1 owns /home/user when I do an `ls -lha /home`.

I have examined the resultant NTFS permissions from the above chown and
chgrp commands, and replicated them using the Windows Explorer security
controls to user.2 (using user.2 as the owner of /home/user.2). After
changing ownership and NTFS permissions from Windows, I can `su -
user.2`, for example.

If I leave the Linux client alone for a while (current tests have been a
couple hours -- I haven't gotten more granular than that, yet), then the
permissions on the share and the contents of the share "revert" back to
nfsnobody when I do `ls -la /home`. I _can_ do `su - user.1`, and when
I exit out, `ls -lha /home` shows me that user.1 owns /home/user.1, but
nfsnobody still owns all the other directories. I can repeat the
process for user.2, and see that he now owns /home/user.2, but no other
directories are modified.

I left for the weekend on Friday, leaving the share mounted on the Linux
client. When I came back in this morning, I found that nfsnobody again
owned the share, and the contents of the share. This time, however, I
was unable to `su - user.1`: I got "permission denied" as above. I had
to `chgrp domainusers /home`, and then `chown user.1 /home/user.1`.

Looking to Google for help on this issue is particularly unhelpful.
There's not a lot of non-sales review stuff on Windows UDS yet; and "NFS
permissions" isn't a sufficiently specific term to weed out all the
unrelated hits that Google feeds me.

I'm curious if anyone on the list has any insight that might assist me.
Are there client-side NFS mount options I can try? I'm currently
using these:

    rw,nosuid,nodev,noatime,nodiratime,nfsvers=3,posix,rsize=32768,wsize=32768

I have tried with both nfsvers=2 and nfsvers=3.

Thanks in advance,
Scott
--
GPG 9CFA4B35 | skippy at skippy.net | http://skippy.net/
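
Added example, not part of the original post: a shell audit that records, for each directory under the NFS mount, whether its numeric owner matches the account of the same name or has fallen back to the anonymous UID (65534, shown as nfsnobody above), so timestamped runs can show when ownership changes. It assumes GNU `stat` and that directory names equal account names, as with /home/user.1; the function names `audit_homes` and `expected_uid` are hypothetical.

```shell
#!/bin/sh
# Added example: audit ownership of per-user directories on an NFS mount.
# ANON_UID is the anonymous UID configured on the server in the post.
ANON_UID=${ANON_UID:-65534}

# expected_uid NAME [PASSWD_FILE]
# Prints the UID the name service reports for NAME. With PASSWD_FILE
# (passwd(5) format) the lookup is done there instead of via getent.
expected_uid() {
    if [ -n "${2:-}" ]; then
        awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"
    else
        getent passwd "$1" | cut -d: -f3
    fi
}

# audit_homes MOUNTPOINT [PASSWD_FILE]
# One line per directory: STATUS NAME ACTUAL_UID EXPECTED_UID
#   OK        owner matches the account of the same name
#   SQUASHED  owner is the anonymous UID (what ls shows as nfsnobody)
#   MISMATCH  owner is some other UID
#   UNKNOWN   no account with that name
# Returns 0 if every directory is OK, 1 otherwise.
audit_homes() {
    rc=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        actual=$(stat -c %u "$dir")   # numeric owner, independent of name lookups
        want=$(expected_uid "$name" "${2:-}")
        if [ -z "$want" ]; then status=UNKNOWN
        elif [ "$actual" = "$want" ]; then status=OK
        elif [ "$actual" = "$ANON_UID" ]; then status=SQUASHED
        else status=MISMATCH
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s %s\n' "$status" "$name" "$actual" "${want:--}"
    done
    return $rc
}

# Timestamped snapshot when called with a mount point, e.g. from cron:
#   sh audit_homes.sh /home >> /var/tmp/home-owners.log
if [ -n "${1:-}" ]; then
    date -u '+# %Y-%m-%dT%H:%M:%SZ'
    audit_homes "$1" || true
fi
```

Comparing numeric UIDs separates a server-side anonymous mapping from a client-side name lookup problem, since `ls -l` alone only shows the translated name.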