I am trying to allow a Windows 7 machine to access files on my main computer. Under Linux I just use NFS and all Linux boxes can see all network shares if they have an IP address to start with. No username and password monkey business. With SAMBA this seems impossible. The Windows machine user is presented with a demand for a username and password that have never been created. The SAMBA shared directories are visible from the Windows 7 client but just inaccessible. Is it not possible to not require a user name and password combination?

This is on openSUSE 12.1. There is nothing I can find on the openSUSE Wiki and I see no SAMBA articles when I look for articles at the openSUSE site. NFS just works; SAMBA is non-functional. The stuff I am seeing when I google is just confusing nonsense that isn't openSUSE specific.

Steven

--
____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2012-03-15 05:23, Steven Hess wrote:
are visible from the Windows 7 client but just un-accessible. Is it not possible to not require a user name and password combination?
You may give guest access. By the way, the problem is that NFS does not have passwords, not that samba has them.
This is on openSUSE 12.1. There is nothing I can find on the openSUSE Wiki and I see no SAMBA articles when I look for articles at the openSUSE site.
There is the book, and yast has two modules.

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
To me it is a problem. NFS works without password. I don't want passwords. I am not sharing this stuff on the Internet but on private network of personally owned computers. Windows 7 Pro does not have the ability to do NFS. I want to share my files to a Windows 7 computer. I have to use SAMBA. I can't make it share files.

I am not finding getting information on what to do easy or executing the actually doing things that allows me to share my files to that Windows 7 machine easy. Nothing has worked so far; I keep getting prompted for a password that does not exist. In /etc/samba/smb.conf it says a commented file exists in /usr/share/doc/packages/samba/examples/smb.conf. I am looking there now and I see no place to turn off username / password. In YAST configuration for SAMBA I see no place to turn off username / password. In SWAT I see no place to turn off username / password. Even on the local machine if I try and browse SMB I am prompted for a username / password. So far nothing has worked. All I have gotten is frustrated, and I was ridiculed in an IRC channel because I can't make it work.

Like I said I checked the Wiki and the articles and openSUSE.org and didn't see anything relevant. You shouldn't need a book to make it work. You shouldn't need to be an IT pro or even an advanced hobbyist. Stuff should 'just work' as much as possible.

Steven
On 15/03/12 10:49, Steven Hess wrote:
To me it is a problem.
NFS works without password. I don't want passwords. I am not sharing this stuff on the Internet but on private network of personally owned computers. Windows 7 Pro does not have the ability to do NFS. I want to share my files to a Windows 7 computer. I have to use SAMBA. I can't make it share files.
I am not finding getting information on what to do easy or executing the actually doing things that allows me to share my files to that Windows 7 machine easy. Nothing has worked so far; I keep getting prompted for a password that does not exist. In /etc/samba/smb.conf it says a commented file exists in /usr/share/doc/packages/samba/examples/smb.conf. I am looking there now and I see no place to turn off username / password. In YAST configuration for SAMBA I see no place to turn off username / password. In SWAT I see no place to turn off username / password. Even on the local machine if I try and browse SMB I am prompted for a username / password. So far nothing has worked. All I have gotten is frustrated, and I was ridiculed in an IRC channel because I can't make it work.
Like I said I checked the Wiki and the articles and openSUSE.org and didn't see anything relevant. You shouldn't need a book to make it work. You shouldn't need to be an IT pro or even an advanced hobbyist. Stuff should 'just work' as much as possible.
Steven

Hi
Maybe the directory you are sharing has the wrong permissions? You do not have guest ok = yes in the share? security = share? Without seeing what you have in smb.conf it's very difficult to help.

L x
On 2012-03-15 10:49, Steven Hess wrote:
To me it is a problem.
NFS works without password. I don't want passwords. I am not sharing this stuff on the Internet but on private network of personally owned computers. Windows 7 Pro does not have the ability to do NFS.
Windows does have NFS support. It is hidden, but it is there. Google it! <http://sagehacks.wordpress.com/2009/01/21/howto-mount-nfs-shares-under-windows-7/> <http://support.microsoft.com/kb/324055> <http://support.microsoft.com/kb/324089> <http://en.wikipedia.org/wiki/Windows_Services_for_UNIX>
/usr/share/doc/packages/samba/examples/smb.conf I am looking there now and I see no place to turn off username/ password.
guest access.
Like I said I checked the Wiki and the articles and openSUSE.org and didn't see anything relevant. You shouldn't need a book to make it work. You shouldn't need to be an IT pro or even an advanced hobbyist. Stuff should 'just work' as much as possible.
You didn't look at the book, I see. <http://doc.opensuse.org/documentation/html/openSUSE/opensuse-reference/cha.samba.html> A whole chapter dedicated to samba.

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
To me it is a problem.
NFS works without password. I don't want passwords. I am not sharing this stuff on the Internet but on private network of personally owned computers. Windows 7 Pro does not have the ability to do NFS. I want to share my files to a Windows 7 computer. I have to use SAMBA. I can't make it share files.
I am not finding getting information on what to do easy or executing the actually doing things that allows me to share my files to that Windows 7 machine easy. Nothing has worked so far; I keep getting prompted for a password that does not exist. In /etc/samba/smb.conf it says a commented file exists in /usr/share/doc/packages/samba/examples/smb.conf. I am looking there now and I see no place to turn off username / password. In YAST configuration for SAMBA I see no place to turn off username / password. In SWAT I see no place to turn off username / password. Even on the local machine if I try and browse SMB I am prompted for a username / password. So far nothing has worked. All I have gotten is frustrated, and I was ridiculed in an IRC channel because I can't make it work.
Like I said I checked the Wiki and the articles and openSUSE.org and didn't see anything relevant. You shouldn't need a book to make it work. You shouldn't need to be an IT pro or even an advanced hobbyist. Stuff should 'just work' as much as possible.
Never heard of google, eh? First result: http://amazingrando.wordpress.com/2007/06/03/share-folders-via-samba-without...
--
L. de Braal BraHa Systems NL - Terneuzen T +31 115 649333 F +31 115 649444
In case it helps:

NFS for Windows: Windows Services for UNIX http://en.wikipedia.org/wiki/Microsoft_Windows_Services_for_UNIX - Should work on any Windows.

In case you wanna upgrade to Windows 7 Ultimate or Enterprise.
* http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/...
* http://www.blackviper.com/windows-services/client-for-nfs/

The following mentioned a method to disable security setting on the WINDOWS 7 box. http://blog.t-error.ch/article/1027/mit_windows_7_auf_samba-shares_zugreifen... or search the inet for "lmcompatibilitylevel windows 7 samba "

hth
Hajo
On Thu, 2012-03-15 at 02:49 -0700, Steven Hess wrote:
To me it is a problem. NFS works without password. I don't want passwords. I am not sharing this stuff on the Internet but on private network of personally owned computers. Windows 7 Pro does not have the ability to do NFS. I want to share my files to a Windows 7 computer. I have to use SAMBA. I can't make it share files. I am not finding getting information on what to do easy
Then you are seriously looking in the wrong place. For setting up Samba use the SAMBA PROJECT DOCUMENTATION AND NOTHING ELSE, ABSOLUTELY NOTHING ELSE. There are trainloads of WRONG and obsolete information on the 'net about Samba. The documentation provided by the project is very good and well organized. Especially just the smb.conf manual page [already on your computer] is a good read.

See the section "NOTE ABOUT USERNAME/PASSWORD VALIDATION" in `man smb.conf`. Searching the smb.conf man page immediately turns up: "Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case."

Guest access is a bit confusing. But generally it is

    [share]
    ..
    guest ok = yes
    ...

as long as you have a valid guest user configured and map bad user to guest. Make 110% sure that guest account = indicates a real valid user account; that is the most common mistake for guest account setup. And that user must have permissions to access/modify the underlying folder.
and I see no place to turn off username/ password.
Because it is impossible. You have to map bad user to a valid guest account.
In YAST configuration for SAMBA I see no place to turn off username / password.
Because you can't; you just manage failure to authenticate into a guest state.
In SWAT I see no place to turn off username / password. Even on the local machine if I try and browse SMB I am prompted for a username / password.
Yep.
Like I said I checked the Wiki and the articles and openSUSE.org
See the Samba project documentation. I agree it is confusing; there is no reason for a distribution to have any pages or documentation about Samba; everything should just point the user to samba.org. Setting up Samba, Postfix, Named, ... or whatever service really has nothing to do with openSUSE, Ubuntu, Debian, Slackware, OpenBSD, AIX, HP/UX, Solaris, etc... it is sad that distribution-mindedness has gunked up the search for documentation to such an extent. Other than where a few files might be found the distribution is pretty much irrelevant once whatever the appropriate package manager is has installed the software.
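The guest-access conditions listed in the message above (`guest ok` on the share, a `guest account` that really exists, bad users mapped to guest), turned into a check over a constructed smb.conf. This is an added example, not part of the thread or of Samba; the share names, paths and the `smbguest` account are assumptions, and the last two checks (writable guest shares, guest shares under /home) are hardening checks added here.

```python
# Constructed sample smb.conf (not from the thread). Share names, paths and
# the "smbguest" account are assumptions made for this example.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    security = user
    ; "map to guest" is not set, so Samba's default (Never) applies
    guest account = smbguest

[media]
    path = /srv/media
    guest ok = yes
    read only = yes

[inbox]
    path = /srv/inbox
    public = yes
    writeable = yes

[documents]
    path = /home/user/Documents
    guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}
# Synonyms from smb.conf(5): target parameter, and whether the value is inverted.
SYNONYMS = {"public": ("guestok", False),
            "writeable": ("readonly", True),
            "writable": ("readonly", True)}


def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lower-cased with
    whitespace removed, the way Samba compares them. Backslash line
    continuations are not handled in this sketch."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = "".join(name.lower().split()), value.strip()
        if name in SYNONYMS:
            name, inverted = SYNONYMS[name]
            if inverted:
                value = "no" if value.lower() in TRUE_VALUES else "yes"
        current[name] = value
    return sections


def system_account_exists(name):
    """True if the local system has a UNIX account with this name."""
    import pwd  # Unix-only module, imported lazily
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def audit_guest_shares(text, account_exists=system_account_exists):
    """Return (share, code, message) findings for every guest-enabled share."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    map_to_guest = glob.get("maptoguest", "never").lower()
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        merged = {**glob, **params}  # share settings override global defaults
        if merged.get("guestok", "no").lower() not in TRUE_VALUES:
            continue
        guest = merged.get("guestaccount", "nobody")
        if map_to_guest == "never":
            findings.append((share, "map-to-guest",
                             "map to guest is Never: a client sending an unknown "
                             "username is rejected instead of becoming guest"))
        if not account_exists(guest):
            findings.append((share, "guest-account",
                             f"guest account '{guest}' is not a UNIX account"))
        if merged.get("readonly", "yes").lower() not in TRUE_VALUES:
            findings.append((share, "guest-writable",
                             "anyone on the network can write without a password"))
        if merged.get("path", "").startswith("/home/"):
            findings.append((share, "home-path",
                             "guest share exposes a path under /home"))
    return findings


if __name__ == "__main__":
    for share, code, message in audit_guest_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {code}: {message}")
```

The check does not look at filesystem permissions; whether the guest account can read or modify the underlying folder still has to be verified on the server itself.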
On 03/15/2012 03:28 AM, Adam Tauno Williams wrote:
Other than where a few files might be found the distribution is pretty much irrelevant once whatever the appropriate package manager is has installed the software.
This is quite true. Others replicating the documentation was necessary in the days that distros were all sent on CD, but now we have the net, and as long as you can get there you can find all the stuff you want.

Personally I would never set up sharing with no passwords, even (or especially) on a home network. I refuse to even help others set up such insecure installations. Not on Linux, and Not on Windows. You set this up insecurely and anyone who visits your home with a laptop has access to all your data. The baby sitter with a tablet, your mom, your neighbors. (The same people who use this approach probably don't secure their wifi either).

If you set your windows login and password the same as your Linux log in and password Samba and windows just take care of it automatically. If not you have to set up samba passwords for every user. In the time it takes to ask about setting up an insecure network you could have done it the secure way with yast. But it is the correct way to do it, and there is no reason NOT to learn the correct way, and any effort expended trying to work around linux security is a waste of time. Even if you succeed, you have failed.

--
Explain again the part about rm -rf /
On 2012-03-15 18:39, jsa wrote:
This is quite true. Others replicating the documentation was necessary in the days that distros were all sent on CD, but now we have the net, and as long as you can get there you can find all the stuff you want.
Even today, there are people without internet.
Personally I would never set up sharing with no passwords, even (or especially) on a home network. I refuse to even help others set up such insecure installations. Not on Linux, and Not on Windows.
It depends what you put there. I might give read access to everybody to a music or video collection. I might give free write access to my partners so that they can send me files. I would not export my Documents, not even home.

On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure. You give access to certain users on certain IPs, but IPs can be faked and user ID changed. And the transport is not encrypted. Yet we use it. Theoretically, it is to be used in controlled environments, but is that always true?

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Personally I would never set up sharing with no passwords, even (or especially) on a home network. I refuse to even help others set up such insecure installations. Not on Linux, and Not on Windows.
It depends what you put there. I might give read access to everybody to a music or video collection. I might give free write access to my partners so that they can send me files. I would not export my Documents, not even home.
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure. You give access to certain users on certain IPs, but IPs can be faked and user ID changed. And the transport is not encrypted. Yet we use it. Theoretically, it is to be used in controlled environments, but is that always true?
It used to be insecure but NFS3/4 with Kerberos is pretty good these days. You'd only need to login once per session. Maybe that would suit the op, whilst still being secure.

BTW nfs on m$ don't come cheap. You need a top of the range model.

L x
On 2012-03-15 23:52, lynn wrote:
It used to be insecure but NFS3/4 with Kerberos is pretty good these days. You'd only need to login once per session. Maybe that would suit the op, whilst still being secure.
Which it is unknown. I've never used it, no idea how to set it up. YaST doesn't do it, AFAIK.
BTW nfs on m$ don't come cheap. You need a top of the range model.
Heavy on CPU usage, is it?

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
I think this is hijacking so maybe we should rename the thread. On 16/03/12 00:36, Carlos E. R. wrote:
On 2012-03-15 23:52, lynn wrote:
It used to be insecure but NFS3/4 with Kerberos is pretty good these days. You'd only need to login once per session. Maybe that would suit the op, whilst still being secure.
Which it is unknown. I've never used it, no idea how to set it up. YaST doesn't do it, AFAIK.
Yast does the nfs and Kerberos client stuff OK.
BTW nfs on m$ don't come cheap. You need a top of the range model.
Heavy on CPU usage, is it?
No, capital outlay. You can't use the you-have-to-buy-it-because-this-is-a-monopoly-and-you-have-no-choice windows you get with your supermarket sourced netbook.

salu2
L x
On 2012-03-16 08:05, lynn wrote:
I think this is hijacking so maybe we should rename the thread.
Done
Yast does the nfs and Kerberos client stuff OK.
I did setup an nfs share and it did not offer to setup passwords for me. True, I was not looking for it. I will try again to find out, time permitting.
BTW nfs on m$ don't come cheap. You need a top of the range model.
Heavy on CPU usage, is it?
No, capital outlay. You can't use the you-have-to-buy-it-because-this-is-a-monopoly-and-you-have-no-choice windows you get with your supermarket sourced netbook.
I don't understand. Are you talking of expensive computer models? Or are you saying it needs a top end Windows version, which doesn't come included on the computer you buy on a supermarket?

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
[16.03.2012 12:20] [Carlos E. R.]:
On 2012-03-16 08:05, lynn wrote:
I think this is hijacking so maybe we should rename the thread.
Done
Yast does the nfs and Kerberos client stuff OK.
I did setup an nfs share and it did not offer to setup passwords for me. True, I was not looking for it. I will try again to find out, time permitting.
You do not set up a password per share. You set up Kerberos. NFS is able to use Kerberos then. So the user authenticates against Kerberos, not against NFS.

Regards, Werner
On 2012-03-16 13:53, Werner Flamme wrote:
[16.03.2012 12:20] [Carlos E. R.]:
You do not set up a password per share.
You set up Kerberos. NFS is able to use Kerberos then. So the user authenticates against Kerberos, not against NFS.
Do you know of a howto or easy to follow documentation on this?

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
[16.03.2012 14:57] [Carlos E. R.]:
On 2012-03-16 13:53, Werner Flamme wrote:
[16.03.2012 12:20] [Carlos E. R.]:
You do not set up a password per share.
You set up Kerberos. NFS is able to use Kerberos then. So the user authenticates against Kerberos, not against NFS.
Do you know of a howto or easy to follow documentation on this?
There are bazillions of HOWTO setup Kerberos. I think <http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/> is quite old, but still OK, since there were not too many changes ;-)

And for using NFS4 with and without Kerberos, you might look at <https://help.ubuntu.com/community/NFSv4Howto>. Ubuntu tends to long, descriptive texts because of the experience the users already have ;-) So, the package name may differ, but the rest of the article is OK.

You can even use a search engine (google.com, alltheweb.com, ...) and search for "howto kerberos nfs4 opensuse" and you might find something like <http://www.novell.com/communities/node/3787/configuring-nfsv4-server-and-client-suse-linux-enterprise-server-10> :-) A bit more up to date is <http://www.linuxtopia.org/online_books/opensuse_guides/opensuse11.1_reference_guide/sec_nfs_kerberos.html>, but they propose merely the same ;-)

And to "easy to follow": I read one page (in German, iirc) and did as the author described, it worked fine after I adapted everything to my environment. So I guess you can take about any howto ;-)

Regards, Werner
On 16/03/12 21:02, Werner Flamme wrote:
[16.03.2012 14:57] [Carlos E. R.]:
On 2012-03-16 13:53, Werner Flamme wrote:
[16.03.2012 12:20] [Carlos E. R.]:
You do not set up a password per share.
You set up Kerberos. NFS is able to use Kerberos then. So the user authenticates against Kerberos, not against NFS.
Do you know of a howto or easy to follow documentation on this?
There are bazillions of HOWTO setup Kerberos. I think <http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/> is quite old, but still OK, since there were not too many changes ;-)
And for using NFS4 with and without Kerberos, you might look at <https://help.ubuntu.com/community/NFSv4Howto>. Ubuntu tends to long, descriptive texts because of the experience the users already have ;-) So, the package name may differ, but the rest of the article is OK.
You can even use a search engine (google.com, alltheweb.com, ...) and search for "howto kerberos nfs4 opensuse" and you might find something like <http://www.novell.com/communities/node/3787/configuring-nfsv4-server-and-client-suse-linux-enterprise-server-10> :-) A bit more up to date is <http://www.linuxtopia.org/online_books/opensuse_guides/opensuse11.1_reference_guide/sec_nfs_kerberos.html>, but they propose merely the same ;-)
And to "easy to follow": I read one page (in German, iirc) and did as the author described, it worked fine after I adapted everything to my environment. So I guess you can take about any howto ;-)
Regards, Werner
Hi

Some good links there. An easy way to get an excellent Kerberos server is to install Samba 4: https://wiki.samba.org/index.php/Samba4/HOWTO

We are using that as our KDC for Kerberized NFS for our openSUSE and Ubuntu clients. Our win 7 boxes use the cifs side of it. It's interesting to compare the speeds of the two filesystems. Details here: http://linuxcostablanca.blogspot.com.es/p/samba-4.html

L x
On 16/03/12 12:20, Carlos E. R. wrote:
On 2012-03-16 08:05, lynn wrote:
I think this is hijacking so maybe we should rename the thread.
Done
Yast does the nfs and Kerberos client stuff OK.
I did setup an nfs share and it did not offer to setup passwords for me. True, I was not looking for it. I will try again to find out, time permitting.
Maybe you are thinking of Kerberos. Both nfs3 and 4 can be Kerberized making them pretty bulletproof. _Then_ the mount would be password/keytab/ticket protected.
BTW nfs on m$ don't come cheap. You need a top of the range model.
Heavy on CPU usage, is it?
No, capital outlay. You can't use the you-have-to-buy-it-because-this-is-a-monopoly-and-you-have-no-choice windows you get with your supermarket sourced netbook.
I don't understand. Are you talking of expensive computer models? Or are you saying it needs a top end Windows version, which doesn't come included on the computer you buy on a supermarket?
I think it's called enterprise or ultimate. If you have the basic version, you have to buy a new licence.

L x
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
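Two NFS points from this thread, that without Kerberos the server accepts whatever numeric user ID the client presents, and that a Kerberized export replaces this with authenticated users, can be read off the server's /etc/exports. The following check is an added example, not part of the thread; the export paths and the 192.168.1.0/24 network are assumptions, and the sample file is constructed.

```python
import re

# Constructed sample /etc/exports (paths and network are assumptions).
SAMPLE_EXPORTS = """\
# path         client(options)
/srv/music     *(ro,all_squash)
/srv/home      192.168.1.0/24(rw,sync,no_root_squash)
/srv/projects  192.168.1.0/24(rw,sync,sec=krb5p)
/srv/scratch   192.168.1.0/24(rw,sync,sec=krb5i:sys)   # sys allowed as fallback
"""

ISSUES = {
    "auth_sys": "sec=sys is allowed: the server trusts the uid/gid the client "
                "sends, so uid 1000 on any permitted host is the same user",
    "world": "exported to every host that can reach the server",
    "no_root_squash": "root on the client is root on the export",
    "no_privacy": "Kerberos flavour without encryption: krb5 only authenticates, "
                  "krb5i adds integrity, only krb5p encrypts the traffic",
}

# One client token: optional host part followed by optional "(options)".
TOKEN = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return a list of (path, host, [options]) tuples, one per client entry.
    Quoted paths and '-options' default lines are not handled in this sketch."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            match = TOKEN.match(token)
            if not match:
                continue
            host = match.group(1) or "*"  # "(rw)" with no host means everyone
            options = [o.strip() for o in (match.group(2) or "").split(",")
                       if o.strip()]
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Return (path, host, issue_code) for each weakness found."""
    findings = []
    for path, host, options in parse_exports(text):
        flavors = ["sys"]  # default security flavour when no sec= is given
        for opt in options:
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
        if "sys" in flavors:
            findings.append((path, host, "auth_sys"))
        if host == "*":
            findings.append((path, host, "world"))
        if "no_root_squash" in options:
            findings.append((path, host, "no_root_squash"))
        if any(f in ("krb5", "krb5i") for f in flavors):
            findings.append((path, host, "no_privacy"))
    return findings


if __name__ == "__main__":
    for path, host, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {ISSUES[code]}")
```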
On 16/03/12 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
But surely, no decent admin would allow her network to have id collision. e.g. Yast always chooses a unique uid be it /etc/passwd or ldap.

L x
On 2012-03-16 08:11, lynn wrote:
On 16/03/12 02:18, James Knott wrote:
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
But surely, no decent admin would allow her network to have id collision. e.g. Yast always chooses a unique uid be it /etc/passwd or ldap.
I don't see why, unless it was your initial intention. Yast chooses the same ID, 1000, for different users on different computers. Only if you are doing an organization and have that idea in mind, you are careful.

And... does YaST setup that automatically? It does setup ldap automatically on SLES, but I doubt it does it in openSUSE.

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 16/03/12 12:24, Carlos E. R. wrote:
On 2012-03-16 08:11, lynn wrote:
On 16/03/12 02:18, James Knott wrote:
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
But surely, no decent admin would allow her network to have id collision. e.g. Yast always chooses a unique uid be it /etc/passwd or ldap.
I don't see why, unless it was your initial intention. Yast chooses the same ID, 1000, for different users on different computers. Only if you are doing an organization and have that idea in mind, you are careful.
I don't think we're talking the same language here. On a network, user ID, be it uid/gid or m$ SID _has_ to be done centrally. You could not have more than one master server for the purpose of user and group management. If you did, it would be a race.
And... does YaST setup that automatically? It does setup ldap automatically on SLES, but I doubt it does it in openSUSE.
Yes. There are Yast modules for both Server and Client. You can point and click your way to a LDAP server just as you can with sles. There is even a nice graphical front end called LDAP Browser all without leaving Yast. Ideal for looking up names, addresses, telephone numbers and, if you must, uid's!

L x
On 2012-03-16 15:59, lynn wrote:
On 16/03/12 12:24, Carlos E. R. wrote:
I don't see why, unless it was your initial intention. Yast chooses the same ID, 1000, for different users on different computers. Only if you are doing an organization and have that idea in mind, you are careful.
I don't think we're talking the same language here. On a network, user ID, be it uid/gid or m$ SID _has_ to be done centrally. You could not have more than one master server for the purpose of user and group management. If you did, it would be a race.
It doesn't really have to be done centrally. In fact, none of the Linux setups I have seen in the enterprise were done this way, they were independent machines serving whatever they did.
And... does YaST setup that automatically? It does setup ldap automatically on SLES, but I doubt it does it in openSUSE.
Yes. There are Yast modules for both Server and Client. You can point and click your way to a LDAP server just as you can with sles. There is even a nice graphical front end called LDAP Browser all without leaving Yast. Ideal for looking up names, addresses, telephone numbers and, if you must, uid's!
Yes, but I haven't seen a module to create the LDAP setup for this unless you really know what you are doing.

I tried right now. It says that "CA certificate file does not exist". I press the button to launch the CA Management module. I create a root certificate, and try again, same error.

As said, it is not that simple.

--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 16/03/12 21:38, Carlos E. R. wrote:
On 2012-03-16 15:59, lynn wrote:
On 16/03/12 12:24, Carlos E. R. wrote:
I don't see why, unless it was your initial intention. Yast chooses the same ID, 1000, for different users on different computers. Only if you are doing an organization and have that idea in mind, you are careful.
I don't think we're talking the same language here. On a network, user ID, be it uid/gid or m$ SID _has_ to be done centrally. You could not have more than one master server for the purpose of user and group management. If you did, it would be a race.
It doesn't really have to be done centrally. In fact, none of the Linux setups I have seen in the enterprise were done this way, they were independent machines serving whatever they did.
And... does YaST setup that automatically? It does setup ldap automatically on SLES, but I doubt it does it in openSUSE.
Yes. There are Yast modules for both Server and Client. You can point and click your way to a LDAP server just as you can with sles. There is even a nice graphical front end called LDAP Browser all without leaving Yast. Ideal for looking up names, addresses, telephone numbers and, if you must, uid's!
Yes, but I haven't seen a module to create the LDAP setup for this unless you really know what you are doing.
I tried right now. It says that "CA certificate file does not exist". I press the button to launch the CA Management module. I create a root certificate, and try again, same error.
As said, it is not that simple.
Maybe you missed that the CN of the CA certificate must be the same as the fqdn of your server. There is a howto here: http://digiplan.eu.org/ldap-samba-howto-v4.html HTH L x
On 2012-03-17 10:30, lynn wrote:
Maybe you missed that the CN of the CA certificate must be the same as the fqdn of your server. There is a howto here: http://digiplan.eu.org/ldap-samba-howto-v4.html
Yes, I did miss that. Obviously, if that is necessary and yast knows that I'm setting up LDAP, that field should be already filled. Ok, trying again. No, I can't delete the root certificate to create it again correctly: RuntimeException:-1:Deleting the CA is not allowed. The CA must be expired or never have signed a certificate. But that client certificate I revoked and deleted... Ok, I create another certificate, try again with LDAP creation and... same error, CA certificate file does not exist. Do I need a client certificate too? I don't want to create one and then not being able to delete it. As I said, not that easy. No, reading a ldap-samba documentation made for version 4 is not adequate. I'm supposed to be setting NFS with the same user IDs on several computers (trial, not for real). -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 17/03/12 15:12, Carlos E. R. wrote:
On 2012-03-17 10:30, lynn wrote:
Maybe you missed that the CN of the CA certificate must be the same as the fqdn of your server. There is a howto here: http://digiplan.eu.org/ldap-samba-howto-v4.html
Yes, I did miss that. Obviously, if that is necessary and yast knows that I'm setting up LDAP, that field should be already filled.
You may want the certificate for something else other than LDAP server verification. Anyway, you don't need to have a server certificate if this is just a test lan. Get it working without security first. In Yast LDAP Client, don't check the sssd or tls options.
Ok, trying again.
No, I can't delete the root certificate to create it again correctly:
RuntimeException:-1:Deleting the CA is not allowed. The CA must be expired or never have signed a certificate.
But that client certificate I revoked and deleted...
Ok, I create another certificate, try again with LDAP creation and... same error, CA certificate file does not exist. Do I need a client certificate too? I don't want to create one and then not being able to delete it.
As I said, not that easy.
To be able to start again, you need to get rid of the root-ca. It's in either /var/lib/ca-certificates or /var/lib/CAM. Depending on how far you got, there may also be a server certificate under /etc/openldap. Lose that too. One thing which really helped us was to draw out the tree of what you are trying to put into the database. Make sure that _every_ node is unique. I mean draw it with pen and paper and blu-tak it to your screen. With LDAP, having an aim is essential, otherwise the learning curve is just too steep. e.g. start with just cn, uid, gid and 'phone number. Armed with that you should be able to pinpoint everyone both personally and over NFS. Salu2, L x
On 2012-03-17 16:31, lynn wrote:
On 17/03/12 15:12, Carlos E. R. wrote:
You may want the certificate for something else other than LDAP server verification. Anyway, you don't need to have a server certificate if this is just a test lan. Get it working without security first. In Yast LDAP Client, don't check the sssd or tls options.
Noted. I think that the certificate I had created previously (years ago) I did because dovecot required it. I think it was dovecot, not sure now. So I'll try again to create it correctly (Thunderbird did complain once about incorrect certificate or something).
As I said, not that easy.
To be able to start again, you need to get rid of the root-ca. It's in either /var/lib/ca-certificates or /var/lib/CAM. Depending on how far you got, there may also be a server certificate under /etc/openldap. Lose that too.
I was thinking on those lines. /var/lib/ca-certificates: ca-bundle.pem, gcj-cacerts, java-cacerts, dated sep 15 2011, so they are not the files. /var/lib/CAM: Two directories named as my phony business name, so this is the place. Ok, deleted all that, created new certificate, but ldap module still refused to continue. The files in /etc/ldap are some dated 2005, some 2011, so they are not of interest.
One thing which really helped us was to draw out the tree of what you are trying to put into the database. Make sure that _every_ node is unique. I mean draw it with pen and paper and blu-tak it to your screen. With LDAP, having an aim is essential, otherwise the learning curve is just too steep. e.g. start with just cn, uid, gid and 'phone number. Armed with that you should be able to pinpoint everyone both personally and over NFS.
Understandable... but I have absolutely no idea of what to put on all those fields. I have been trying since 1998 when I started with Linux to put up an Ldap server. My initial intention was simply to store mail addresses of my friends, to be able to import them in any mail browser, because it is the only standard all mail clients understand. This time, for NFS usage, I have absolutely no idea what to put. If Yast does it with me clicking "next", fine, otherwise I quit. I have always abandoned. In all these years I have never put up an LDAP server. Compared with Microsoft Windows Active Directory, which is put up in under an hour (mostly waiting for it to finish with me doing nothing), ldap is terribly difficult. I quit again. This is absurdly difficult. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 17/03/12 22:43, Carlos E. R. wrote:
On 2012-03-17 16:31, lynn wrote:
On 17/03/12 15:12, Carlos E. R. wrote:
You may want the certificate for something else other than LDAP server verification. Anyway, you don't need to have a server certificate if this is just a test lan. Get it working without security first. In Yast LDAP Client, don't check the sssd or tls options.
Noted.
I think that the certificate I had created previously (years ago) I did because dovecot required it. I think it was dovecot, not sure now. So I'll try again to create it correctly (Thunderbird did complain once about incorrect certificate or something).
As I said, not that easy.
To be able to start again, you need to get rid of the root-ca. It's in either /var/lib/ca-certificates or /var/lib/CAM. Depending on how far you got, there may also be a server certificate under /etc/openldap. Lose that too.
I was thinking on those lines.
/var/lib/ca-certificates: ca-bundle.pem, gcj-cacerts, java-cacerts, dated sep 15 2011, so they are not the files.
/var/lib/CAM:
Two directories named as my phony business name, so this is the place.
Ok, deleted all that, created new certificate, but ldap module still refused to continue.
The files in /etc/ldap are some dated 2005, some 2011, so they are not of interest.
One thing which really helped us was to draw out the tree of what you are trying to put into the database. Make sure that _every_ node is unique. I mean draw it with pen and paper and blu-tak it to your screen. With LDAP, having an aim is essential, otherwise the learning curve is just too steep. e.g. start with just cn, uid, gid and 'phone number. Armed with that you should be able to pinpoint everyone both personally and over NFS.
Understandable... but I have absolutely no idea of what to put on all those fields. I have been trying since 1998 when I started with Linux to put up an Ldap server. My initial intention was simply to store mail addresses of my friends, to be able to import them in any mail browser, because it is the only standard all mail clients understand.
This time, for NFS usage, I have absolutely no idea what to put. If Yast does it with me clicking "next", fine, otherwise I quit.
I have always abandoned.
In all these years I have never put up an LDAP server.
Compared with Microsoft Windows Active Directory, which is put up in under an hour (mostly waiting for it to finish with me doing nothing), ldap is terribly difficult.
I quit again.
This is absurdly difficult.
Don't quit. You're nearly there! Just take my advice. For now, _forget about the certificate_. That's the only reason you have not got a database yet. You can always add the security layer just before you go live. The only two objectClasses you need for NFS are posixAccount and posixGroup. These are defined in the rfc2307 schema that you already have if you have installed openldap. I think it's selected as default. If not, you can choose it in the Yast LDAP Server dialogue. You put into it exactly what you have under /etc/passwd, /etc/group and /etc/shadow. Yast User Management will create the users and groups for you. You can choose there if you want them written to /etc or to LDAP. You can then add 'phone numbers, e-mail addresses etc. Once you have LDAP, you wonder how you managed so long without it. It's interesting that you mention AD since we use a script to add Linux users to it. Interesting too that m$ lost the European court case which made them divulge their LDAP AD schema. We have the Samba guys to thank for that. If you want AD under Linux then you have Samba4 but it's a bit over the top for just nfs and 'phone numbers;-) Salu2, L x
I quit again. This is absurdly difficult.
I'd forgotten how fiddly it was with Yast, and there's a bug in the CA management module. I've put together a howto with a workaround: http://linuxcostablanca.blogspot.com.es/2012/03/your-own-lightening-fast-lda... I agree that LDAP servers are not exactly for mac users, but this should get you there. Cheers and HTH, L x
lynn wrote:
On 16/03/12 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
But surely, no decent admin would allow her network to have id collision. e.g. Yast always chooses a unique uid be it /etc/passwd or ldap. L x
That's assuming the admin controlled all the computers on a network. What's to stop someone from bringing in a notebook and plugging it in? At many companies, nothing.
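The UID collision discussed in the messages above, as an added example that is not part of any poster's message: a Python audit that compares passwd(5) data collected from several hosts and reports UIDs held by different names, plus names whose UID differs between hosts. The host names, accounts and the `min_uid=1000` cut-off are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample /etc/passwd contents for three hosts (not from the thread).
PASSWD_BY_HOST = {
    "server": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "james:x:1000:100:James:/home/james:/bin/bash\n"
        "lynn:x:1001:100:Lynn:/home/lynn:/bin/bash\n"
    ),
    "desktop": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "james:x:1000:100:James:/home/james:/bin/bash\n"
        "lynn:x:1002:100:Lynn:/home/lynn:/bin/bash\n"
    ),
    "notebook": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "carlos:x:1000:100:Carlos:/home/carlos:/bin/bash\n"
    ),
}


def parse_passwd(text, min_uid=1000):
    """Return {name: uid} for ordinary (non-system) accounts in passwd(5) text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry or NIS-style "+" line
        uid = int(fields[2])
        # 65534 is the conventional "nobody" account; it is not a real user.
        if uid >= min_uid and uid != 65534:
            accounts[fields[0]] = uid
    return accounts


def audit_uids(passwd_by_host, min_uid=1000):
    """Return (collisions, mismatches).

    collisions: uid  -> {name: [hosts]} where one UID belongs to several names.
                An AUTH_SYS NFS server cannot tell these users apart.
    mismatches: name -> {uid: [hosts]} where one name has several UIDs.
                That user sees files owned by someone else, or by nobody.
    """
    by_uid = defaultdict(lambda: defaultdict(list))
    by_name = defaultdict(lambda: defaultdict(list))
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text, min_uid).items():
            by_uid[uid][name].append(host)
            by_name[name][uid].append(host)
    collisions = {
        uid: {name: sorted(hosts) for name, hosts in names.items()}
        for uid, names in by_uid.items() if len(names) > 1
    }
    mismatches = {
        name: {uid: sorted(hosts) for uid, hosts in uids.items()}
        for name, uids in by_name.items() if len(uids) > 1
    }
    return collisions, mismatches


if __name__ == "__main__":
    collisions, mismatches = audit_uids(PASSWD_BY_HOST)
    for uid, names in sorted(collisions.items()):
        print(f"UID {uid} is shared by different users: {names}")
    for name, uids in sorted(mismatches.items()):
        print(f"user {name} has different UIDs: {uids}")
```
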
On 16/03/12 13:05, James Knott wrote:
lynn wrote:
On 16/03/12 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID. The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
But surely, no decent admin would allow her network to have id collision. e.g. Yast always chooses a unique uid be it /etc/passwd or ldap. L x
That's assuming the admin controlled all the computers on a network. What's to stop someone from bringing in a notebook and plugging it in? At many companies, nothing.
Hi The admin controls _every_ computer on the network. It's one thing plugging in your laptop and a totally different thing to authenticate using it. For us it's easy. Under Kerberos, you'd need to decrypt a machine and a user key in under 8 hours. I don't think it can be done. L x
On 2012-03-16 15:46, lynn wrote:
On 16/03/12 13:05, James Knott wrote:
That's assuming the admin controlled all the computers on a network. What's to stop someone from bringing in a notebook and plugging it in? At many companies, nothing.
The admin controls _every_ computer on the network. It's one thing plugging in your laptop and a totally different thing to authenticate using it. For us it's easy. Under Kerberos, you'd need to decrypt a machine and a user key in under 8 hours. I don't think it can be done.
That is if you are using kerberos, and NFS encryption. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 2012-03-16 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID.
Precisely. And they can be faked.
The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
Absolutely. Users can not be remapped, to my knowledge. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. said the following on 03/16/2012 07:15 AM:
On 2012-03-16 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID.
Precisely. And they can be faked.
The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
Absolutely. Users can not be remapped, to my knowledge.
While I count myself fortunate in that I've always been able to ensure matching user IDs, I thought there was a tool for remapping ... nfsmapid(4) or rpc.idmapd and idmapd.conf(5) http://www.dcache.org/manuals/Book-2.1/config/cf-idmap-fhs.shtml https://wiki.archlinux.org/index.php/NFSv4#ID_mapping There's probably more to it and there's probably a need to experiment, but this isn't a "there isn't a way" situation. Oh, yes, there will be user IDs that don't map, a user that exists on one machine and not the other. Such is real life. -- Leadership is understanding people and involving them to help you do a job. That takes all of the good characteristics, like integrity, dedication of purpose, selflessness, knowledge, skill, implacability, as well as determination not to accept failure. ~ Admiral Arleigh A. Burke
On 2012-03-16 12:44, Anton Aylward wrote:
While I count myself fortunate in that I've always been able to ensure matching user IDs, I thought there was a tool for remapping ... nfsmapid(4) or rpc.idmapd and idmapd.conf(5)
Must be new, I don't have those two manuals in my 11.4
http://www.dcache.org/manuals/Book-2.1/config/cf-idmap-fhs.shtml
Doesn't say much :-?
This one only uses: Nobody-User = nobody Nobody-Group = nobody This is, I think, the generic mapping that was always available, no other user could be remapped.
There's probably more to it and there's probably a need to experiment, but this isn't a "there isn't a way" situation.
Perhaps... -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. said the following on 03/16/2012 07:58 AM:
On 2012-03-16 12:44, Anton Aylward wrote:
While I count myself fortunate in that I've always been able to ensure matching user IDs, I thought there was a tool for remapping ... nfsmapid(4) or rpc.idmapd and idmapd.conf(5)
Must be new, I don't have those two manuals in my 11.4
I do seem to recall seeing something like this back in the 1990s when I first used NFS across an enterprise level network, but as I said, it turned out that it was easy enough to have centralised (YP in those days) UID management.
http://www.dcache.org/manuals/Book-2.1/config/cf-idmap-fhs.shtml
Doesn't say much :-?
This one only uses:
Nobody-User = nobody Nobody-Group = nobody
This is, I think, the generic mapping that was always available, no other user could be remapped.
I think otherwise. I think all users get remapped but the ones that can't (aka don't exist on the 'other' system) need to be dealt with. I think the default is that the two daemons talk to each other and do the remapping. It's only the exceptions that need to appear in the config. Perhaps you missed it, perhaps the references didn't make it clear, but the daemon has to run on both ends. Of course, as Lynn points out, Kerberos and LDAP can come to play as well, but make sure you set up the realms/domains properly www.citi.umich.edu/projects/nfsv4/crossrealm/ASC_NFSv4_WKSHP_X_DOMAIN_N2ID.pdf In that case you are really authenticating against Kerberos so I'm not sure the ID #s are that important. -- Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. -- Gene Spafford
On 16/03/12 12:58, Carlos E. R. wrote:
On 2012-03-16 12:44, Anton Aylward wrote:
While I count myself fortunate in that I've always been able to ensure matching user IDs, I thought there was a tool for remapping ... nfsmapid(4) or rpc.idmapd and idmapd.conf(5)
Must be new, I don't have those two manuals in my 11.4
http://www.dcache.org/manuals/Book-2.1/config/cf-idmap-fhs.shtml
Doesn't say much :-?
https://wiki.archlinux.org/index.php/NFSv4#ID_mapping
This one only uses:
Nobody-User = nobody Nobody-Group = nobody
This is, I think, the generic mapping that was always available, no other user could be remapped.
There's probably more to it and there's probably a need to experiment, but this isn't a "there isn't a way" situation.
Perhaps...
Well, there's always winbind. That's good at remapping id's no?. I'd rather keep the same id both client and server side though. rpc.idmapd does it fine for nfs4 and statd for nfs3. /etc/idmapd.conf only maps the user to nobody if it can't find a matching id at the client end. There is oodles of misinformation out there on nfs4:-( L x
On 2012-03-16 17:25, lynn wrote:
Well, there's always winbind. That's good at remapping id's no?. I'd rather keep the same id both client and server side though. rpc.idmapd does it fine for nfs4 and statd for nfs3. /etc/idmapd.conf only maps the user to nobody if it can't find a matching id at the client end. There is oodles of misinformation out there on nfs4:-(
Well, that is what I have been saying, there is no real user remapping on NFS. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 16/03/12 12:44, Anton Aylward wrote:
Carlos E. R. said the following on 03/16/2012 07:15 AM:
On 2012-03-16 02:18, James Knott wrote:
Carlos E. R. wrote:
On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
I thought NFS access was via user ID.
Precisely. And they can be faked.
The drawback of this is different users could have the same ID on different computers. For example, I could be user 1000 on my computer and you would be 1000 on yours. An NFS file server sharing for ID 1000 couldn't tell the difference between me & you.
Absolutely. Users can not be remapped, to my knowledge.
While I count myself fortunate in that I've always been able to ensure matching user IDs, I thought there was a tool for remapping ... nfsmapid(4) or rpc.idmapd and idmapd.conf(5)
http://www.dcache.org/manuals/Book-2.1/config/cf-idmap-fhs.shtml https://wiki.archlinux.org/index.php/NFSv4#ID_mapping
There's probably more to it and there's probably a need to experiment, but this isn't a "there isn't a way" situation.
Oh, yes, there will be user IDs that don't map, a user that exists on one machine and not the other. Such is real life.
Hi For nfs, the user need (should) only exist at the server end of the connection. If the same user exists on both the client and the server then which set of files does she get and how does she benefit from an nfs mount? The only advantage I could see in that would be if she required two sets of userspace. One for her files on the server and another for her files on the client. You would then mount her server files on a separate mount point on the client so she would have the benefit of both. But surely, the point of nfs is that the client needs only bare bones. The data is mounted on the client. It is as if the user were sitting at the server. Just thinking out loud:-) L x
On Fri, Mar 16, 2012 at 06:07:52PM +0100, lynn wrote: [ 8< ]
For nfs, the user need (should) only exist at the server end of the connection. If the same user exists on both the client and the server then which set of files does she get and how does she benefit from an nfs mount? The only advantage I could see in that would be if she required two sets of userspace. One for her files on the server and another for her files on the client. You would then mount her server files on a separate mount point on the client so she would have the benefit of both. But surely, the point of nfs is that the client needs only bare bones. The data is mounted on the client. It is as if the user were sitting at the server.
But how does a NFS setup handle the disconnected use case? That's the most tricky part. As we're all used to working with more than one system and mobile computing is already post bleeding edge this is the bigger item to me. Even with a system permanently connected to the network a local copy of the current content has a huge advantage. Think of network or server outage situations. It might also reduce the load, pressure to the server. Andreas, one of my friends from the samba.org side, works on http://www.csync.org/ to get this well integrated. The general idea had been to have something like roaming profiles with Linux. We had been faced by this while working on the integration of Linux system into an existing Microsoft Active Directory environment. The goal is to have a mechanism which works independent from the actual authentication target you're using. With the ID mapping as used in Samba's winbindd we're quite flexible. From my very quick check dcache.conf doesn't offer this. But one of you might have some more experience with it. Cheers, Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 16/03/12 18:44, Lars Müller wrote:
On Fri, Mar 16, 2012 at 06:07:52PM +0100, lynn wrote: [ 8< ]
For nfs, the user need (should) only exist at the server end of the connection. If the same user exists on both the client and the server then which set of files does she get and how does she benefit from an nfs mount? The only advantage I could see in that would be if she required two sets of userspace. One for her files on the server and another for her files on the client. You would then mount her server files on a separate mount point on the client so she would have the benefit of both. But surely, the point of nfs is that the client needs only bare bones. The data is mounted on the client. It is as if the user were sitting at the server.
But how does a NFS setup handle the disconnected use case?
That's the most tricky part. As we're all used to working with more than one system and mobile computing is already post bleeding edge this is the bigger item to me.
Even with a system permanently connected to the network a local copy of the current content has a huge advantage. Think of network or server outage situations.
It might also reduce the load, pressure to the server.
Andreas, one of my friends from the samba.org side, works on http://www.csync.org/ to get this well integrated.
The general idea had been to have something like roaming profiles with Linux. We had been faced by this while working on the integration of Linux system into an existing Microsoft Active Directory environment.
The goal is to have a mechanism which works independent from the actual authentication target you're using.
With the ID mapping as used in Samba's winbindd we're quite flexible. From my very quick check dcache.conf doesn't offer this. But one of you might have some more experience with it.
Cheers,
Lars
Hi Lars, Hi everyone
We're using Samba4 AD at the moment, bypassing winbind and serving our Linux clients via kerberized nfs with nss-ldap mapping having added the necessary posix classes and attributes to the S4 ldap. It's all very new but also very stable and really is proving to be a good alternative to winbind and which of course is available now. We have found the nfs throughput to our openSUSE clients to be superior to cifs, especially when the lan is busy. It would be interesting to do some actual timings but the effect is evident when working with e.g. large jpgs. The only real problem we have to get over is the mapping between nt sddl, nfs4 and posix acl xattr's. The Samba gurus tell us that this will fall into place when the s4 fileserver is consolidated but even then, I think we'll be on our own with the acl stuff over nfs4. I don't think there are many openSUSE Samba 4 installations just yet so please step forward if you get any of this. The Debian mob seem to have it stitched up:-( Meanwhile, we have put together a S4/nfs/openSUSE howto here: http://linuxcostablanca.blogspot.com/p/samba-4.html L x
On 2012-03-16 18:07, lynn wrote:
But surely, the point of nfs is that the client needs only bare bones. The data is mounted on the client. It is as if the user were sitting at the server.
That's one use of NFS. I prefer full fledged client machines storing in the server only that what needs to be shared, if at all. And as the majority of users would be using Windows, it would be done via samba. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 2012-03-16 13:10, James Knott wrote:
Carlos E. R. wrote:
Absolutely. Users can not be remapped, to my knowledge.
You can change the user ID in Yast and there's probably a command to do that too.
That's not the meaning Re NFS. You can not map UID 1600 on the client to UID 1999 on the server, and to UID 1700 on another client, all on the same network. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Thu, 2012-03-15 at 23:04 +0100, Carlos E. R. wrote:
On 2012-03-15 18:39, jsa wrote: On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
This isn't true and has not been true for awhile. Recent NFS support Kerberos authentication/authorization. NFS can be very secure.
On 2012-03-16 02:34, Adam Tauno Williams wrote:
On Thu, 2012-03-15 at 23:04 +0100, Carlos E. R. wrote:
On 2012-03-15 18:39, jsa wrote: On the other hand, Linux native filesystem protocol, NFS, has no passwords at all, it is completely insecure.
This isn't true and has not been true for awhile. Recent NFS support Kerberos authentication/authorization. NFS can be very secure.
Then it is unknown. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Hi! Stumbled across this about SAMBA authentication and windows On Thu, Mar 15, 2012 at 7:39 PM, jsa <jsamyth@gmail.com> wrote:
If you set your windows login and password the same as your Linux log in and password Samba and windows just takes care of it automatically. If not you have to set up samba passwords for every user. In the time it takes to ask about setting up an insecure network you could have done it the secure way with yast.
Yes, if you have the same user name as in windows and same password, you will not need to enter them in windows even once I think, as Windows will try those by default. However, what has been nagging me always is why is the SAMBA authentication separate from the general linux authentication (I don't know the correct word, sorry)? Why not have that synced, so that when user changes her password on the linux server, also the samba password changes. And even earlier on, why not have that linked with samba-users group or something, so that the users who are in that group would be able to use samba (same way as ssh)? Yes, I know all this can be done! But it is really, really hard. Ok, I'm still on 11.3 so I'm not sure if this has changed :-) But it has at least been really hard. Why not make this easy for openSUSE home users? This is really the worst parts of setting up a home server. Have user click "Enable Samba" somewhere in YaST and it would do all this. Would be excellent. Any real good reason why not to do this? -- HG.
On 4/7/2012 9:30 AM, HG wrote:
Hi!
Stumbled across this about SAMBA authentication and windows
On Thu, Mar 15, 2012 at 7:39 PM, jsa <jsamyth@gmail.com> wrote:
If you set your windows login and password the same as your Linux log in and password Samba and windows just takes care of it automatically. If not you have to set up samba passwords for every user. In the time it takes to ask about setting up an insecure network you could have done it the secure way with yast.
Yes, if you have the same user name as in windows and same password, you will not need to enter them in windows even once I think, as Windows will try those by default.
However, what has been nagging me always is why is the SAMBA authentication separate from the general linux authentication (I don't know the correct word, sorry)? Why not have that synced, so that when user changes her password on the linux server, also the samba password changes. And even earlier on, why not have that linked with samba-users group or something, so that the users who are in that group would be able to use samba (same way as ssh)? Yes, I know all this can be done! But it is really, really hard. Ok, I'm still on 11.3 so I'm not sure if this has changed :-) But it has at least been really hard. Why not make this easy for openSUSE home users? This is really the worst parts of setting up a home server. Have user click "Enable Samba" somewhere in YaST and it would do all this. Would be excellent. Any real good reason why not to do this?
The reason this isn't automated from the Linux side like you suggest is because that is not the normal use case for Samba. The normal use for Samba is to allow your Linux machine to be a file/print server for windows machines, in many (I dare say most) cases those windows users don't even have an account on the linux machine. They simply use data folders that are shared with other windows users and which are managed by the Samba software. In fact, sharing the same file structures with linux users can be problematic and you have to think about and plan your file-ownership and permissions, because files created by Linux users may not be available for Windows users, if user/group and permissions are not taken into account. So SAMBA approached via the other end. That is, when your users change their Windows Password, you can set up samba to change their samba passwords at the same time, and all you have to do as administrator is make sure there is an entry in the samba password file for each windows user. -- _____________________________________ ---This space for rent---
On 08/04/12 18:48, John Andersen wrote:
On 4/7/2012 9:30 AM, HG wrote: why is the SAMBA
authentication separate from the general linux authentication (I don't know the correct word, sorry)? Why not have that synced, so that when user changes her password on the linux server, also the samba password changes. And even earlier on, why not have that linked with samba-users group or something, so that the users who are in that group would be able to use samba (same way as ssh)? Yes, I know all this can be done! But it is really, really hard.
Hi On the contrary. It's easy. It's also one of the most closely guarded secrets of Yast. Instead of holding your users in flat files, you stick them in LDAP. This gives you single sign on from either Linux or windows. openSUSE includes a schema to enable you to setup a full NT style domain. Join your windows and Linux clients to it and away you go. http://digiplan.eu.org/ldap-samba-howto-v4.html HTH L x
On 4/8/2012 11:00 AM, lynn wrote:
On the contrary. It's easy.
Says the poster who has posted struggle after struggle for 6 or 8 months to get this all working.... ;-) In SLES LDAP is so well integrated that it all just works out of the box, but in OS, it's more than a trivial task to get it all working well, and then tie Windows in on top of it. -- _____________________________________ ---This space for rent---
On 08/04/12 21:48, John Andersen wrote:
On 4/8/2012 11:00 AM, lynn wrote:
On the contrary. It's easy. Says the poster who has posted struggle after struggle for 6 or 8 months to get this all working.... ;-) Please try not to discourage others from having a go. Samba3-LDAP-Windows is covered perfectly well by pointing and clicking in Yast. There are Modules for LDAP Server, LDAP Client, Samba-Server and a front-end to joining Linux clients to the domain.
In SLES LDAP is so well integrated that it all just works out of the box, but in OS, it's more than a trivial task to get it all working well, and then tie Windows in on top of it.
A NT style domain with Samba3-LDAP integration takes around an hour using YAST. I posted a link to a howto. An AD style domain with Samba4-Linux integration takes considerably longer. There are not many of us who have taken the s4-Linux route yet. It will be interesting to see what Yast does with s4 when it is out of alpha. HTH L x
Hi! On Sun, Apr 8, 2012 at 7:48 PM, John Andersen <jsamyth@gmail.com> wrote:
On 4/7/2012 9:30 AM, HG wrote:
Hi!
Stumbled across this about SAMBA authentication and windows
On Thu, Mar 15, 2012 at 7:39 PM, jsa <jsamyth@gmail.com> wrote:
If you set your windows login and password the same as your Linux log in and password Samba and windows just takes care of it automatically. If not you have to set up samba passwords for every user. In the time it takes to ask about setting up an insecure network you could have done it the secure way with yast.
Yes, if you have the same user name as in windows and same password, you will not need to enter them in windows even once I think, as Windows will try those by default.
However, what has been nagging me always is why is the SAMBA authentication separate from the general linux authentication (I don't know the correct word, sorry)? Why not have that synced, so that when user changes her password on the linux server, also the samba password changes. And even earlier on, why not have that linked with samba-users group or something, so that the users who are in that group would be able to use samba (same way as ssh)? Yes, I know all this can be done! But it is really, really hard. Ok, I'm still on 11.3 so I'm not sure if this has changed :-) But it has at least been really hard. Why not make this easy for openSUSE home users? This is really the worst parts of setting up a home server. Have user click "Enable Samba" somewhere in YaST and it would do all this. Would be excellent. Any real good reason why not to do this?
The reason this isn't automated from the Linux side like you suggest is because that is not the normal use case for Samba.
The normal use for Samba is to allow your Linux machine to be a file/print server for windows machines, in many (i dare say Most) case those windows users don't even have an account on the linux machine.
This may have been the situation some day - but I dare to claim that it's not it anymore. In fact, I've never seen such use actually. Small companies, who look for cheaper alternatives, use samba as their file server. Larger companies go with MS and they do not mix. Yes, you can probably give examples of companies that do what you say. I claim that it doesn't even matter that much. What matters, and what I think is the biggest use case, is to make linux act as a server at home! Coolest, would be to enable it to work as private cloud sharing docs securely over the internet! If home server use case is not yet the biggest, it could be made the biggest. The future of openSUSE as desktop only has been very long coming. I'm proposing, let's make it easy for normal home users to get also server functionality, to backup their Windows and Mac laptops to the dependable linux, and make that as one of the biggest selling points. People are buying NAS storage like crazy and you could do so much more with openSUSE .... if it would just work. But from the home users point of view, samba server doesn't work. (As seen even in this thread). And that's why I propose that the linux account would be synced to the samba accounts. It would make the whole system accessible. It does not hurt the print sharing one bit. And why not have the same users (specially at home) on the linux side also? Actually, there is a UI for adding users to linux and most often that is done during the installation. But there is AFAIK no easy way for the dad to add users to samba specially as he doesn't even know he needs to do that. Currently, when you create a linux user and give it a password. Then you create the same user for samba and give it a password. And when user changes the password, he needs to make it twice - probably from different place. I don't believe it needs LDAP. But if it does, fine - as long as it is completely hidden from the user. And no, it definitely does not need a domain. 
Actually, making user join to domain, would be again one more hurdle for the home user to just go about his business of using Linux as it can be used. I know here are lot of guys who are very smart and know how to do this and it would not even be a big project. But do you really not see the opportunity in home servers? Think about it: "Desktop computer that you can use to safely surf the internet, hold all your photos and videos and share them to all your devices inside your home network. Host backups of your laptop. Just install, add the same user accounts you have on your laptops and everything works. Even streams your videos to your TV." Now, that would be more value for home user than Libre Office :-) Yes, Libre Office is cool! But it's time to make the server side easy too. -- HG.
HG said the following on 04/10/2012 02:14 AM:
This may have been the situation some day - but I dare to claim that it's not it anymore. In fact, I've never seen such use actually. Small companies, who look for cheaper alternatives, use samba as their file server. Larger companies go with MS and they do not mix. Yes, you can probably give examples of companies that do what you say. I claim that it doesn't even matter that much.
I don't know about small companies, but my clients, who are international banks and large Telecoms firms use SAMBA. Not on Linux mind; they run it on "Big iron", HP/UX or AIX and it serves 5000 to 20,000 seats. What makes you think that larger companies aren't looking for 'cheaper alternatives' or to get away from MS licensing? Mind you, at one Telecom firm the reason given was "the stability and reliability of SAMBA so exceeds that of Windows servers that its not even worth discussing". Oh, and yes, I know people who use it at home. -- The Internet is not the greatest threat to information security; stupidity is the greatest threat to information security. - Will Spencer <will.spencer@gte.net>
On 4/10/2012 5:07 AM, Anton Aylward wrote:
HG said the following on 04/10/2012 02:14 AM:
This may have been the situation some day - but I dare to claim that it's not it anymore. In fact, I've never seen such use actually. Small companies, who look for cheaper alternatives, use samba as their file server. Larger companies go with MS and they do not mix. Yes, you can probably give examples of companies that do what you say. I claim that it doesn't even matter that much.
I don't know about small companies, but my clients, who are international banks and large Telecoms firms use SAMBA. Not on Linux mind; they run it on "Big iron", HP/UX or AIX and it serves 5000 to 20,000 seats. What makes you think that larger companies aren't looking for 'cheaper alternatives' or to get away from MS licensing?
Mind you, at one Telecom firm the reason given was "the stability and reliability of SAMBA so exceeds that of Windows servers that its not even worth discussing".
Oh, and yes, I know people who use it at home.
Exactly. For every home user there are several hundred corporate workstations connected to SAMBA without the users even knowing about it. The samba team didn't bother to make full MS Domain controller technology work to impress the home enthusiast. And in nearly all of the sites I've worked with that use samba, (mostly at the state government level) none of the users actually had accounts on the Linux machine. The proposal for Linux side management of passwords is already do-able with existing utilities. Just takes a little scripting. -- _____________________________________ ---This space for rent---
Hi! On Tue, Apr 10, 2012 at 7:20 PM, John Andersen <jsamyth@gmail.com> wrote:
The proposal for Linux side management of passwords is already do-able with existing utilities. Just takes a little scripting.
With all due respect... then why not make it easy for home users if it's not even a big thing? Isn't the goal to make openSUSE best and easiest to use distro? -- HG.
Anton Aylward wrote:
I don't know about small companies, but my clients, who are international banks and large Telecoms firms use SAMBA. Not on Linux mind; they run it on "Big iron", HP/UX or AIX and it serves 5000 to 20,000 seats. What makes you think that larger companies aren't looking for 'cheaper alternatives' or to get away from MS licensing?
A few months ago, I set up an IMAP & file server on Linux for a small company. It used both samba and sshfs for file sharing.
On Wed, Mar 14, 2012 at 09:23:21PM -0700, Steven Hess wrote:
I am trying to allow a Windows 7 machine to access files on my main computer. Under Linux I just use NFS and all Linux boxes can see all network shares if they have an IP address to start with. No username and password monkey business. With SAMBA this seems impossible. The Windows machine user is presented with demand for a username and password that have never been created. The SAMBA shared directories are visible from the Windows 7 client but just un-accessible. Is it not possible to not require a user name and password combination? This is on openSUSE 12.1. There is nothing I can find on the openSUSE Wiki and I see no SAMBA articles when I look for articles at the openSUSE site.
NFS just works SAMBA is non functional.
man smb.conf ... guest ok (S) If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account. ... See also ... Come on, you're able to read a man page on your own. :) Also the Samba wiki mentions this option. See https://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access
The stuff I am seeing when I google is just confusing nonsense that isn't openSUSE specific.
Confusion is something we implemented with highest priority! How else can you get a solid and reliable workplace till retirement these days? ;) Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Twenty open browser tabs at once and a large bowl of pop corn and the issue is solved. I am still pretty confused smb.conf but no password is required. Files streamed across the Windows 7 machine to my tablet as a test perfectly. "guest ok = Yes" for each share pretty much took care of the only issue that was stopping it from just working. I had already properly configured the other two changes needed in smb.conf. Steven -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
On Thu, Mar 15, 2012 at 05:19:35AM -0700, Steven Hess wrote:
Twenty open browser tabs at once and a large bowl of pop corn and the issue is solved.
Twenty only? And are you keeping the pop corn for you only? tststs
I am still pretty confused smb.conf but no password is required. Files streamed across the Windows 7 machine to my tablet as a test perfectly.
Bah, all files from /usr/share/samba/templates/ are empty. Bad. Else it would be easy to get a diff. Use mc - GNU Midnight Commander a visual shell for Unix-like systems - to browse into the samba-client RPM from there grab a copy of /etc/samba/smb.conf and then you're able to diff -u If you think we're doing something wrong pass the issue to bugzilla in the wiki we've written a dedicated section labeled with 'Samba bug reporting and advanced debugging information'. See http://en.openSUSE.org/Samba
"guest ok = Yes" for each share pretty much took care of the only issue that was stopping it from just working. I had already properly configured the other two changes needed in smb.conf.
Well, it's very polite to keep these other two secret issues for you. ;) Look, others might later run into the same trouble, find this thread and are faced by issues as well. But the lame dudes of the openSUSE lists kept this secret well hidden. Come on, make the others and all of us happy too! Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Thu, 2012-03-15 at 14:15 +0100, Lars Müller wrote:
I am still pretty confused smb.conf but no password is required.
Confused about what specifically? "map to guest = Bad Password" means that any failed authentication attempt just gets connected as the guest user. "guest ok = yes" for the share means that the guest user has access to the share. The assumption is that : (a) "guest account = somebody" where "somebody" is a valid account. (b) the underlying filesystem permissions allow "somebody" access to the folder indicated by "path" in the share definition.
Bah, all files from /usr/share/samba/templates/ are empty. Bad. Else it would be easy to get a diff.
Eh?
"guest ok = Yes" for each share pretty much took care of the only issue that was stopping it from just working. I had already properly configured the other two changes needed in smb.conf. Well, it's very polite to keep these other two secret issues for you. ;) Look, others might later run into the same trouble, find this thread and are faced by issues as well. But the lame dudes of the openSUSE lists kept this secret well hidden. Come on, make the others and all of us happy too!
I assume those other two changes were the two entries required in [globals]. A working config is -
[global]
security = user
map to guest = Bad Password
[share_definition]
guest ok = yes
- taken directly from the link previously posted to the project documentation. <https://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access> -- System & Network Administrator [ LPI & NCLA ] <http://www.whitemiceconsulting.com> OpenGroupware Developer <http://www.opengroupware.us> Adam Tauno Williams
On Thu, Mar 15, 2012 at 02:40:59PM -0400, Adam Tauno Williams wrote:
On Thu, 2012-03-15 at 14:15 +0100, Lars Müller wrote:
I am still pretty confused smb.conf but no password is required.
Confused about what specifically?
"map to guest = Bad Password" means that any failed authentication attempt just gets connected as the guest user. "guest ok = yes" for the share means that the guest user has access to the share.
The assumption is that : (a) "guest account = somebody" where "somebody" is a valid account. (b) the underlying filesystem permissions allow "somebody" access to the folder indicated by "path" in the share definition.
Bah, all files from /usr/share/samba/templates/ are empty. Bad. Else it would be easy to get a diff.
Eh?
The intention was to place separate views - named section in ini speak - of the default configuration into single files. And it looks like this is broken or even unused. If IIRC we created these snippets for YaST to allow the reset of an individual section to its defaults. I have to check back with the YaST guys.
"guest ok = Yes" for each share pretty much took care of the only issue that was stopping it from just working. I had already properly configured the other two changes needed in smb.conf. Well, it's very polite to keep these other two secret issues for you. ;) Look, others might later run into the same trouble, find this thread and are faced by issues as well. But the lame dudes of the openSUSE lists kept this secret well hidden. Come on, make the others and all of us happy too!
I assume those other two changes were the two entries required in [globals]. A working config is -
[global] security = user
This is the Samba upstream default.
map to guest = Bad Password
This is the default we set in /etc/samba/smb.conf installed with the samba-client package. Therefore no further changes than 'guest ok = yes' as part of the share definition are required. I've tested it and that's even proven by the 3.6.3 code. I also don't see commits to master which might have changed this. IIRC Jiri added a simple tick to allow guest access to a share in the YaST module.
- taken directly from the link previously posted to the project documentation. <https://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access>
Yes. IIRC one quoted this URL earlier in this thread too. Then it must be correct. ;) On Thu, Mar 15, 2012 at 02:42:32PM -0400, Adam Tauno Williams wrote:
On Thu, 2012-03-15 at 14:29 +0100, Lars Müller wrote:
On Thu, Mar 15, 2012 at 05:36:37AM -0700, Steven Hess wrote:
"guest ok = yes" for each share makes it password-less if you have guests enabled and "security = share" set. Setting 'security = share' is not a must requirement to get a public accessible share.
I believe it is also deprecated in the latest Samba releases (???). At least there was talk about doing so on samba-technical.
"security=share" has never actually worked correctly/intuitively anyway.
'security = server' is deprecated. Cheers, Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
This is my smb.conf. It's not pretty, and Adam and Lars have pretty much covered it. I left the printer stuff in as I may have a need to enable it some day. I did not touch the preamble stuff other than "security = share".

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-02-16
[global]
workgroup = kitfox
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
security = share
wins support = No
usershare max shares = 100

## Share disabled by YaST
# [homes]
# comment = Home Directories
# valid users = %S, %D%w%S
# browseable = No
# read only = No
# inherit acls = Yes

## Share disabled by YaST
# [profiles]
# comment = Network Profiles Service
# path = %H
# read only = No
# store dos attributes = Yes
# create mask = 0600
# directory mask = 0700

## Share disabled by me
[users#]
# comment = All users
# path = /home
# read only = Yes
# inherit acls = Yes
# veto files = /aquota.user/groups/shares/

## Share disabled by YaST
# [groups]
# comment = All groups
# path = /home/groups
# read only = No
# inherit acls = Yes

## Share disabled by YaST
# [printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No

## Share disabled by YaST
# [print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775

## Share disabled by YaST
# [netlogon]
# comment = Network Logon Service
# path = /var/lib/samba/netlogon
# write list = root

[Music]
comment = Music
inherit acls = Yes
path = /home/flamebait/Music
guest ok = Yes
read only = Yes

[NewPlace]
comment = NewPlace
inherit acls = Yes
path = /Four/NewPlace
guest ok = Yes
read only = Yes

[ReallyBigPlace]
comment = reallybigplace
inherit acls = Yes
path = /moreAnime/reallybigplace
guest ok =Yes
read only = Yes

[adata]
comment = adata
inherit acls = Yes
path = /data/adata
guest ok = Yes
read only = Yes

[asusAnime]
comment = asusAnime
inherit acls = Yes
path = /home/flamebait/asusAnime
guest ok = Yes
read only = Yes

[mmshare]
comment = mmshare
inherit acls = Yes
path = /mmshare/mmshare
guest ok = Yes
read only = Yes

Steven -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
LOL and I see out of place hash. I was really sleepy. Steven -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
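Added example, not part of any post in this thread and not Samba or openSUSE project code: a small Python audit that reads an smb.conf and reports which shares are served to the guest account, which of those are writable, and whether the [global] settings discussed in this thread (security = share, map to guest = Bad Password) are present. The sample config is constructed and condensed from the one posted above; the [scratch] and [private] shares, the finding codes, and the fallback to "nobody" as guest account (Samba's documented default) are assumptions of the example.

```python
import configparser

# Constructed sample: condensed from the smb.conf posted in this thread.
# [scratch] and [private] are invented here to show the writable and
# non-guest cases; they are not from the thread.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = kitfox
passdb backend = tdbsam
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
security = share

[Music]
path = /home/flamebait/Music
guest ok = Yes
read only = Yes

[adata]
path = /data/adata
guest ok =Yes
read only = Yes

[scratch]
path = /srv/scratch
public = yes
writeable = yes

[private]
path = /srv/private
read only = No
"""

TRUE_VALUES = {"yes", "true", "1"}


def norm(name):
    """Samba ignores case and embedded spaces in parameter names and keywords."""
    return name.replace(" ", "").lower()


def load(text):
    """Parse smb.conf text into {section: {normalized_param: value}}."""
    # RawConfigParser does no % interpolation, so values like \\%L\... are safe.
    parser = configparser.RawConfigParser(
        strict=False, delimiters=("=",), comment_prefixes=("#", ";"))
    parser.read_string(text)
    return {sec: {norm(k): v.strip() for k, v in parser.items(sec)}
            for sec in parser.sections()}


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def lookup(share, glob, names):
    """First match among synonym names; the share section wins over [global]."""
    for scope in (share, glob):
        for name in names:
            if name in scope:
                return name, scope[name]
    return None, None


def guest_allowed(share, glob):
    # "public" is a synonym for "guest ok".
    _, value = lookup(share, glob, ("guestok", "public"))
    return is_true(value)


def read_only(share, glob):
    # "writeable", "writable" and "write ok" are inverted synonyms of "read only".
    name, value = lookup(share, glob,
                         ("readonly", "writeable", "writable", "writeok"))
    if name is None:
        return True  # Samba default: read only = yes
    return is_true(value) if name == "readonly" else not is_true(value)


def audit(text):
    """Return a list of (section, code, detail) findings, in file order."""
    conf = load(text)
    glob = next((p for s, p in conf.items() if s.lower() == "global"), {})
    findings = []
    if glob.get("security", "user").lower() == "share":
        findings.append(("global", "SECURITY_SHARE",
                         "not needed for guest shares; security = user with "
                         "map to guest is enough"))
    if norm(glob.get("maptoguest", "never")) == "badpassword":
        findings.append(("global", "MAP_BAD_PASSWORD",
                         "a mistyped password is silently mapped to guest"))
    guest_account = glob.get("guestaccount", "nobody")
    for section, params in conf.items():
        if section.lower() == "global" or not guest_allowed(params, glob):
            continue
        code = "GUEST_READ" if read_only(params, glob) else "GUEST_WRITE"
        findings.append((section, code, "path=%s served with the rights of "
                         "guest account '%s'" % (params.get("path", "?"),
                                                 guest_account)))
    return findings


if __name__ == "__main__":
    for section, code, detail in audit(SAMPLE_SMB_CONF):
        print("%-10s %-17s %s" % (section, code, detail))
```
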
Steven Hess wrote:
I am trying to allow a Windows 7 machine to access files on my main computer. Under Linux I just use NFS and all Linux boxes can see all network shares if they have an IP address to start with. No username and password monkey business. With SAMBA this seems impossible. The Windows machine user is presented with demand for a username and password that have never been created. The SAMBA shared directories are visible from the Windows 7 client but just un-accessible. Is it not possible to not require a user name and password combination? This is on openSUSE 12.1. There is nothing I can find on the openSUSE Wiki and I see no SAMBA articles when I look for articles at the openSUSE site.
NFS just works SAMBA is non functional.
The stuff I am seeing when I google is just confusing nonsense that isn't openSUSE specific.
Steven
NFS uses the user ID number, IIRC, so you have access control that way. To enable SAMBA access you have to use the smbpasswd command to set a password for an account. I believe it's also possible to set up passwordless shares, but I haven't done so, as I have never had a need to.
"guest ok = yes" for each share makes it password-less if you have guests enabled and "security = share" set. -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
On Thu, Mar 15, 2012 at 05:36:37AM -0700, Steven Hess wrote:
"guest ok = yes" for each share makes it password-less if you have guests enabled and "security = share" set.
Setting 'security = share' is not a must requirement to get a public accessible share.
lmuelle@hip:~> smbget -a smb://hip/ftp/opensuse/distribution/12.1/iso/openSUSE-12.1-Addon-Lang-i586.iso
Using workgroup WORKGROUP, guest user
smb://hip/ftp/opensuse/distribution/12.1/iso/openSUSE-12.1-Addon-Lang-i586.iso
Downloaded 623,48MB in 8 seconds
All I did is adding this share definition to the default smb.conf we use by default as part of the samba-client package:
[ftp]
comment = ftp area
path = /srv/ftp/pub
guest ok = Yes
Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Thu, 2012-03-15 at 14:29 +0100, Lars Müller wrote:
On Thu, Mar 15, 2012 at 05:36:37AM -0700, Steven Hess wrote:
"guest ok = yes" for each share makes it password-less if you have guests enabled and "security = share" set. Setting 'security = share' is not a must requirement to get a public accessible share.
I believe it is also deprecated in the latest Samba releases (???). At least there was talk about doing so on samba-technical. "security=share" has never actually worked correctly/intuitively anyway. -- System & Network Administrator [ LPI & NCLA ] <http://www.whitemiceconsulting.com> OpenGroupware Developer <http://www.opengroupware.us> Adam Tauno Williams
participants (13)
- Adam Tauno Williams
- Anton Aylward
- Carlos E. R.
- Hans-Joachim Ehlers
- HG
- James Knott
- John Andersen
- jsa
- Lars Müller
- Leen de Braal
- lynn
- Steven Hess
- Werner Flamme