How can I grant local accounts group-rights access to NIS/NFS mount points?

Posted on 2009-04-20
Last Modified: 2012-05-06
I have exported "home directory" folders using NetWare 6.0 SP5 NFAP/NFS, and successfully automount them using autofs at login time, logging into SLES10 SP2.

NIS master is MS SFU 3.5 (Windows 2003 R2).   (note: not my choice - corporate directive.)

I have the POSIX user and group set, and have POSIX rights of 750 applied on the mount point.  I can successfully write data to the folder as the logged in user.

However, there's a process the user has to run that is owned by a different, local (non-NIS) user.  That application wants to write temp files to the home directory, but is not able to.

If I add that local user to the NIS group that is on the ownership properties of the folder, it still can't write anything.  Presumably, that's because that local user the process belongs to doesn't have permissions to write to that folder on the NFS server.

Making an eDirectory user with the same name as the local user in question, with the same POSIX UID, and making that user a member of the NIS group that "owns" the mount point doesn't seem to help any.

I've read something about using NIS netgroups for conferring permissions across NFS mounts, but am unsure how to go about doing that.  Does anyone know anything about a) NIS/NFS and the use of NIS netgroup and b) whether that could help me in an environment where the NFS server is NetWare 6.0 SP5 NFAP/NFS, or c) is there another way to make this work?
Question by:ShineOn
12 Comments
 
LVL 18

Expert Comment

by:ZENandEmailguy
ID: 24188206
Is the target server straight SLES or is the Novell OESv2 on top of SLES?  If there is OESv2, then you need to LUM (Linux User Management) each eDirectory user that needs access.  This is done through iManager running on the OESv2 via a web browser.  There is an iManager Role called Linux User Management and you LUM-enable users that are already in eDirectory.

You don't actually make an eDirectory user also a local user.  By LUM-enabling an eDirectory user, you grant access to that user, and that access is controlled by the Linux permissions (you mentioned 750) for the directory/file(s).

Hope that helps.

Scott
 
LVL 35

Author Comment

by:ShineOn
ID: 24189939
Straight SLES10 SP2, X86_64 (if it makes any diff) running as a guest on ESX 3.5 update3.  No LUM, no eDir.

App is Progress OpenEdge 10.1C-based.  Character-based client app runs under the user that owns Progress, which is what needs to be given access to the user's home directory so it can write to it.

I didn't want to give world write rights to the user directories, but I may have to.  I suppose if I create a subfolder for the sole purpose of the exported mount point, such that the rest of the home directory isn't part of the export, much less the mount, whether everyone can see and access everyone else's home directory mount point won't matter much, and making it world-writable should take care of the permissions problem.

I'd much rather give the Progress owner permissions via netgroup membership, if the NFAP/NIS/NFS/NSS combo on NetWare will allow netgroup permissions through.

I do need to know what else I need to do to get the netgroup permissions to pass through to the local user, though.  Anything in pam.d or anything special in passwd or in nsswitch or anything else relevant, to ensure that the local user has appropriate access to the mount point at least.  Anything past that, on the NFS server side, would be the NFAP/NIS/NFS/NSS issue.

If that can't be resolved, I may have to fall back to world-writable mounts anyway.

 
LVL 35

Author Comment

by:ShineOn
ID: 24391534
I'm going to do something else altogether - giving up on NIS/NFS.

Now I'm working on changing gears 180 degrees and using LDAP/Kerberos/AD and SMBFS/CIFS.
 
LVL 18

Expert Comment

by:ZENandEmailguy
ID: 24394247
I did a project where we made an OESv1 (SLES9) server into what "looked like" a Windows domain controller using the various SAMBA tools from Novell.  We had a complete trust between a NT4 domain controller and the OESv1 server.  We used a SAMBA tool to transfer the user accounts and group accounts.

In another project, using both ReiserFS and ext3 file systems as cluster resources for GroupWise components, we connected from a variety of XP desktops using SAMBA/CIFS to get to the domain directories to manage GW.

Good luck and enjoy the geeking <g>.
 
LVL 35

Author Comment

by:ShineOn
ID: 24824558
Still working on this... just so you know.

It's not as simple as it sounds.
 
LVL 35

Author Comment

by:ShineOn
ID: 24961360
I'm just going to close this puppy and if I need help on the Kerberos/AD/CIFS process I'll start a fresh Q.  Sorry, ZenAndEmailGuy, but I don't feel right giving you points for your good wishes... ;)
 
LVL 35

Author Comment

by:ShineOn
ID: 24975260
I thought I closed it already.... I wanted it PAQ.   I even had a warning message to any and all attempting to go down the same road...  What's up wit  dat?
 
LVL 18

Expert Comment

by:ZENandEmailguy
ID: 24976192
No worries, mates.  I didn't really offer a clear suggestion or fix.  I don't believe points should be awarded to me for just posting my thoughts.

Scott
 
LVL 35

Author Comment

by:ShineOn
ID: 24984440
In my original close comment, which is now in the bit-bucket in the sky, I said something along the lines of  - there is no "answer" to this.  I wanted it PAQ so it could serve as a warning to any that are planning to integrate Linux with Windows/AD to avoid the MSSFU/NIS/NFS integration path altogether, and to focus on LDAP/Kerberos/CIFS  alternatives.
 

Accepted Solution

by: ee_auto (earned 0 total points)
ID: 25011454
Question PAQ'd, 500 points refunded, and stored in the solution database.
 
LVL 35

Author Closing Comment

by:ShineOn
ID: 31572358
This should serve as a warning for anyone that wants to integrate Linux with Windows/AD.  Don't use NIS / MSSFU.  Go straight for the LDAP/Kerberos/CIFS option.  It will save you a lot of headaches and sleepless nights.
