Default Permissions Unix Client/Windows NFS Server Need to be 777

I am having an issue with a migration I am doing from a 2000 server box to a 2012 server box for some NFS shares I need to create.  I have installed "Services for Unix" and that seems to go fine.  The issue I am having is with the permissions from the Unix side.  When the unix box creates a file or directory, in essence, I need the file created to get 777 permission.  I keep reading that that setting is set from the client side, but I need to see if I can set it up some way from the server side (Server 2012) box.  I am letting unmapped users access the NFS share and they can mount it and see the files in it.  Is what I am trying to do possible and if so, how?  I currently have a 2000 server box running the services for unix and it is working fine and for the life of me I can't see any large differences in the setup.  Any and all help is greatly appreciated.
pitster Asked:

Daniel Helgenberger Commented:
This is client side. There is no way to my knowledge to set any default permissions. You need to change the default umask for processes writing on that share.
Windows (even 2012) does not support NFSv4, where you could work with ACLs solving this problem.

I think it was working because you set the nobody user and group for unmapped users - effectively all files are accessed by this user; so there is no need for 777, you will be fine with unix default umask 0002.
0
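The answer above says the mode of a new file is decided on the client by the writing process's umask. The following added example (not part of the original thread) shows that effect; it runs in a local temporary directory as a constructed stand-in for the NFS mount, and `mode_of` and `created_mode` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: how the client's umask decides the mode of newly created
# files and directories. Uses a local temp directory (constructed stand-in
# for the NFS mount), so it runs offline.

# mode_of PATH -> octal permission bits, e.g. 664
mode_of() {
    # GNU stat takes -c, BSD stat takes -f
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_mode MASK KIND -> mode of a new file (KIND=f) or directory (KIND=d)
# created while MASK is the process umask. Runs in a subshell so the caller's
# umask is left untouched.
created_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        umask "$1"
        if [ "$2" = d ]; then
            mkdir "$tmp/new"      # mkdir requests 0777, minus the umask bits
        else
            : > "$tmp/new"        # a redirect requests 0666, minus the umask bits
        fi
        mode_of "$tmp/new"
    )
}

# Compare a common default, the 0002 mentioned in the answer, and no mask.
for mask in 0022 0002 0000; do
    printf 'umask %s: file %s, dir %s\n' \
        "$mask" "$(created_mode "$mask" f)" "$(created_mode "$mask" d)"
done
```

Even with umask 0000 a plainly created file ends up 666 rather than 777, because the creating program does not request the execute bits; only directories reach 777.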

pitster (Author) Commented:
helge000, thanks for that info.  Can you expand on the nobody user and group for unmapped users, and how that would have been allowing things to work previously?
0
Daniel Helgenberger Commented:
You said you have unmapped users. Normally, POSIX defines a user is ID'ed by User ID (UID Number) and a Group ID (GID Number).
Unmapped means, the user account doing the connection from the client is not known to the NFS server. But, there has to be some UID/GID for the connecting client if you want to allow it. Therefore, you create a dummy user account assigned to unmapped objects. In Unix, this account is generally called 'nobody' and the UID is traditionally 32767 (in ancient times the largest possible value for 15-bit UID/GID numbers).
Now, all unmapped users get the same UID assigned. Since by default a user in Unix has full permissions on the file he creates, you do not have to worry about the POSIX permissions at all.

I hope this did shed some light into the matter?
0

pitster (Author) Commented:
Got it I think.  So once the server is set up on the Windows side and I have allowed the "No Server authentication" option, with the "enable unmapped user access" and "Allow unmapped user Unix access (by UID/GID)" and the permissions are set to all machines that should be it.  Then from the Unix side, we should simply test writing to the directory as the "nobody" user and then see what we see without having to do a umask setting.  We have been testing as a super user so perhaps that is where our plight has been.

I guess I should also ask this.  We have hundreds of Unix users that will need to access the file.  Since the file will sit on the NFS share, will that user just map or talk to the Windows server as "nobody" or will it try to use its own UID?

Again, really appreciate the help.
0
Daniel Helgenberger Commented:
"Then from the Unix side, we should simply test writing to the directory as the "nobody" user and then see what we see without having to do a umask setting."

Not quite right, but basically a good test.
You can connect to the share with any Unix user. ATM I am not sure how to show real Unix permissions on the Windows share; but this test should suffice:
Connect to that share from two hosts. On host A, create a file, on host B try to delete it.

"Since the file will sit on the NFS share, will that user just map or talk to the windows server as "nobody" or will it try to use its own UID?"
It will use the 'nobody' user/group and the file will be owned by 'nobody' (which is, in this case actually somebody :). This is, as I said earlier, intentional in this case.

If you want file system security on NFS, you can have that. But you would need to ensure your Unix users have transparent UID - meaning a user needs to have the same UID on any machine. For instance, you can configure UID and GID numbers centrally in Active Directory which you could then use with something like winbind.
0
pitster (Author) Commented:
Thanks so much!  I will get that test done and report back.  Again, really appreciate all the help.
0
pitster (Author) Commented:
helge000.  Spoke to my boss/Unix admin and he had one question that I wanted to post and I apologize if you already answered it and I didn't catch on.  The question is about the nobody user.  If the old system was using the nobody user, on the new system, what needs to be configured so that also takes effect?  Or another way to ask, we have users like cp05, cp06.  If cp05 writes to the NFS mount, how do we ensure that the file written is written as the "Nobody" account as well as handling how cp06 will be able to read/amend/write to the same file, also as "Nobody"?
0
Daniel Helgenberger Commented:
Is the Windows 2000 server already dead, and you can't look at the config any more? The problem is, I can only suggest a way to do it; this might or might not be how it was done on your server.

I think I may have not been clear either and did mean anonymous access, not unmapped (sorry, long time gone since I set this up on Windows, I just looked at my config here at work).
By using the 'nobody' UID/GID, you have basically only a simple NFS client mount effectively ignoring access permissions on file system level (the same would be true for 777). It is important though that you set up some access permissions per host in this scenario.
You do not need to use this UID, but it is much 'nicer' because it is known on the clients.
Here is the TN on how to set this up:
http://technet.microsoft.com/en-us/library/hh509019(v=ws.10).aspx
And here is a general guide on how unmapped access and SID work:
http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx

In theory, you are working on a DACL capable NTFS file system; and could set default ACLs - but I think they are not honored and POSIX is emulated.

I hope this helps?
0