Re: [gentoo-user] NFS and user IDs
On 12/06/18 09:44, Joerg Schilling wrote:
> Wols Lists wrote:
>
>> On 11/06/18 09:54, Joerg Schilling wrote:
>>> Well, "Windows ACLs" is the only ACL system that is standardized (as part of
>>> the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
>>> withdrawn in 1997 since the customers did not like it.
>>>
>> Ummm - just because it's standard doesn't mean it's any good :-)
>
> It is a result of a common discussion. At the same time, when Sun introduced
> NFSv4 ACLs, IBM and Apple did the same for their local filesystems.
>
>> This version I'm talking about dates from about 1983. The company making
>> it went bust in 1991.
>
> What are you talking about?

Pr1me. Okay, I don't remember most of the dates accurately, but Pr1mos 19.4 had a working Access Control List setup. I was using that on their Pr1me-2250 machines, at a company I left in 1984. (Wikipedia says the 2250 was released in 1982. I can't find a date for 19.4.)

> IIRC, the first ACLs have been on VMS in the late 1980s.
>
>> I've just had a quick look at the NFS v4 RFC, and almost the first thing
>> I see is DENY entries. These ACLs don't have deny, because it's
>> pointless. And DENY is exactly why I think Posix/Windows ACLs are
>> confusing and hard to use.
>
> Your text looks confusing. You claim DENY entries and no DENY entries in the
> same paragraph without explaining what you are talking about.

The RFC talks about deny entries. Pr1me ACLs didn't have deny, because it doesn't make sense in that context.

> Jörg
Re: [gentoo-user] NFS and user IDs
Wols Lists wrote:
> On 11/06/18 09:54, Joerg Schilling wrote:
>> Well, "Windows ACLs" is the only ACL system that is standardized (as part of
>> the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
>> withdrawn in 1997 since the customers did not like it.
>
> Ummm - just because it's standard doesn't mean it's any good :-)

It is a result of a common discussion. At the same time, when Sun introduced NFSv4 ACLs, IBM and Apple did the same for their local filesystems.

> This version I'm talking about dates from about 1983. The company making
> it went bust in 1991.

What are you talking about?

IIRC, the first ACLs have been on VMS in the late 1980s.

> I've just had a quick look at the NFS v4 RFC, and almost the first thing
> I see is DENY entries. These ACLs don't have deny, because it's
> pointless. And DENY is exactly why I think Posix/Windows ACLs are
> confusing and hard to use.

Your text looks confusing. You claim DENY entries and no DENY entries in the same paragraph without explaining what you are talking about.

Jörg

--
EMail: jo...@schily.net (home) Jörg Schilling D-13353 Berlin
joerg.schill...@fokus.fraunhofer.de (work)
Blog: http://schily.blogspot.com/
URL: http://cdrecord.org/private/ http://sf.net/projects/schilytools/files/
Re: [gentoo-user] NFS and user IDs
On 11/06/18 09:54, Joerg Schilling wrote:
> Wol's lists wrote:
>
>> On 09/06/18 18:09, Rich Freeman wrote:
> ...
>>> downsides as well, in particular it is certainly more complex and at
>>> work we practically forbid any kind of windows ACLs at anything other
>>> than the top mount level because it is so hard to control.
>>
>> Windows is better than POSIX?! That doesn't say much for POSIX then,
>> seeing as I feel Windows ACLs are overly complex and difficult!
>
> Well, "Windows ACLs" is the only ACL system that is standardized (as part of
> the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
> withdrawn in 1997 since the customers did not like it.
>
Ummm - just because it's standard doesn't mean it's any good :-)

This version I'm talking about dates from about 1983. The company making it went bust in 1991.

I've just had a quick look at the NFS v4 RFC, and almost the first thing I see is DENY entries. These ACLs don't have deny, because it's pointless. And DENY is exactly why I think Posix/Windows ACLs are confusing and hard to use.

Cheers,
Wol
Re: [gentoo-user] NFS and user IDs
Wol's lists wrote:
> On 09/06/18 18:09, Rich Freeman wrote:
...
>> downsides as well, in particular it is certainly more complex and at
>> work we practically forbid any kind of windows ACLs at anything other
>> than the top mount level because it is so hard to control.
>
> Windows is better than POSIX?! That doesn't say much for POSIX then,
> seeing as I feel Windows ACLs are overly complex and difficult!

Well, "Windows ACLs" is the only ACL system that is standardized (as part of the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been withdrawn in 1997 since the customers did not like it.

Jörg

--
EMail: jo...@schily.net (home) Jörg Schilling D-13353 Berlin
joerg.schill...@fokus.fraunhofer.de (work)
Blog: http://schily.blogspot.com/
URL: http://cdrecord.org/private/ http://sf.net/projects/schilytools/files/
Re: [gentoo-user] NFS and user IDs
On Sat, Jun 9, 2018 at 4:31 PM Wol's lists wrote:
>
> On 09/06/18 18:09, Rich Freeman wrote:
>> I feel like this is something that Windows natively gets "better" than
>> POSIX. They have a concept of UIDs being specific to a machine or
>> authentication server (or domain as they call it), and this concept is
>> enforced at the host level. That said, I'm sure this approach has its
>> downsides as well, in particular it is certainly more complex and at
>> work we practically forbid any kind of windows ACLs at anything other
>> than the top mount level because it is so hard to control.
>
> Windows is better than POSIX?! That doesn't say much for POSIX then,
> seeing as I feel Windows ACLs are overly complex and difficult!

I wasn't talking about the ACLs (in fact I pointed out the issues with those). I was talking about the UIDs, which in Windows are made of two components so that users on one domain can have access to resources on another domain, without having to replicate the UID databases.

--
Rich
Re: [gentoo-user] NFS and user IDs
On June 9, 2018 1:20:14 PM UTC, Tom H wrote:
> On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on NFS
>> clients and servers?
>
> You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.
>
> I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in
> which you can set up a map but it'd be impractical for more than a few
> users.

No need to add Kerberos to the mix. I use LDAP along with nss_ldap. (Various howtos are available online.) It works fine.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] NFS and user IDs
On 09/06/18 18:09, Rich Freeman wrote:
> I feel like this is something that Windows natively gets "better" than
> POSIX. They have a concept of UIDs being specific to a machine or
> authentication server (or domain as they call it), and this concept is
> enforced at the host level. That said, I'm sure this approach has its
> downsides as well, in particular it is certainly more complex and at
> work we practically forbid any kind of windows ACLs at anything other
> than the top mount level because it is so hard to control.

Windows is better than POSIX?! That doesn't say much for POSIX then, seeing as I feel Windows ACLs are overly complex and difficult!

Okay, ACLs assume a directory structure, which has serious problems with Unix hard links, so I can understand the two features not mapping on to each other very well. In particular, if an object does not have a specific ACL, it's supposed to inherit from its parent, but if you have hard links, which parent does it inherit from?

The system I used which had ACLs, I *think* when you logged in to any machine, you could tell it to authenticate against a different machine, so it must have had some machine/identity pair. Then ACLs were simplicity itself as well, because they were user, group, other. If a user was named, that was what they got. If they weren't named, they got the sum of all the groups they belonged to. And if none of their groups were named, they just got the other permissions. So if you wanted someone to get LESS than the sum of their groups, you just gave them personally what you wanted, and that was that.

Cheers,
Wol
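The evaluation rule Wol describes (named user wins, otherwise the union of named groups, otherwise "other") is easy to model, and putting it next to a simplified order-dependent ALLOW/DENY list shows why the "name them personally" trick needs no deny entry. This is an added example, not code from the thread; the right letters, principal names and the simplified ACE walk are constructed here and are not Pr1mos' real rights names or the RFC 7530 algorithm.

```python
from dataclasses import dataclass, field

# Constructed rights codes for this example: r = read, w = write, d = delete.
ALL = frozenset("rwd")


@dataclass
class NamedAcl:
    """Wol's model: named users, named groups, 'other'. No DENY, no ordering."""
    users: dict = field(default_factory=dict)    # user name  -> rights
    groups: dict = field(default_factory=dict)   # group name -> rights
    other: frozenset = frozenset()

    def effective(self, user, user_groups):
        if user in self.users:                  # named user: exactly what is listed
            return frozenset(self.users[user])
        matched = [self.groups[g] for g in user_groups if g in self.groups]
        if matched:                             # otherwise: union of named groups
            return frozenset().union(*matched)
        return frozenset(self.other)            # otherwise: the 'other' entry


def ordered_ace_effective(aces, user, user_groups):
    """Simplified ALLOW/DENY list: walk in order, the first ACE that matches the
    requester and mentions a right decides that right. Order changes the answer."""
    decided = {}
    for kind, who, rights in aces:
        if who != user and who not in user_groups:
            continue
        for r in rights:
            decided.setdefault(r, kind == "ALLOW")
    return frozenset(r for r, allowed in decided.items() if allowed)


def demo():
    # Constructed principals: alice is in both 'devs' and 'ops'.
    acl = NamedAcl(groups={"devs": set("rw"), "ops": set("rd")}, other=frozenset("r"))
    by_groups = acl.effective("alice", {"devs", "ops"})      # sum of groups: rwd
    acl.users["alice"] = set("r")                            # name her to give LESS
    by_name = acl.effective("alice", {"devs", "ops"})        # exactly r

    # Same intent with ordered ACEs: where the DENY sits decides the outcome.
    deny_first = [("DENY", "alice", "wd"), ("ALLOW", "devs", "rw"), ("ALLOW", "ops", "rd")]
    deny_last = [("ALLOW", "devs", "rw"), ("ALLOW", "ops", "rd"), ("DENY", "alice", "wd")]
    return {
        "named_model_groups": by_groups,
        "named_model_user": by_name,
        "ace_deny_first": ordered_ace_effective(deny_first, "alice", {"devs", "ops"}),
        "ace_deny_last": ordered_ace_effective(deny_last, "alice", {"devs", "ops"}),
    }
```

With the deny entry placed last it is never consulted, so alice keeps everything; in the named model the single user entry gives the same restriction regardless of order.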
Re: [gentoo-user] NFS and user IDs
On Sat, Jun 9, 2018 at 12:34 PM Grant Taylor wrote:
>
> NFS will quite happily work with dissimilar IDs if you're using "other"
> permission to access everything. }:-)
>

There are a few network filesystems with this property. As long as you just mount the whole filesystem with one user/group and umode and don't care that the remote server(s) will just discard any permissions changes you try to apply, they work fine without mapping UIDs. If you're using something like FUSE in a private mount namespace this can be done in a way that is reasonably secure as well (only the user logged into the remote server(s) can see the mountpoint).

I feel like this is something that Windows natively gets "better" than POSIX. They have a concept of UIDs being specific to a machine or authentication server (or domain as they call it), and this concept is enforced at the host level. That said, I'm sure this approach has its downsides as well, in particular it is certainly more complex and at work we practically forbid any kind of windows ACLs at anything other than the top mount level because it is so hard to control.

--
Rich
Re: [gentoo-user] NFS and user IDs
On 06/08/2018 10:42 PM, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

I can argue that the IDs don't have to be synchronized to use NFS. You just end up with unexpected complications from different IDs on different systems.

NFS will quite happily work with dissimilar IDs if you're using "other" permission to access everything. }:-)

I had a friend & colleague that used a feature of (I think) Webmin to synchronize IDs between machines. Purportedly it had an ability to edit the proper files to change IDs for accounts -and- walk the system chowning and chgrping things to reflect the change.

--
Grant. . . .
unix || die
Re: [gentoo-user] NFS and user IDs
On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman wrote:
>
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.

I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in which you can set up a map, but it'd be impractical for more than a few users.
Re: [gentoo-user] NFS and user IDs
On Saturday, June 9, 2018 6:42:56 AM CEST Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

Not to my knowledge. I use OpenLDAP for my users and groups and this has worked perfectly ever since I implemented it.

> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?

I am only familiar with CIFS/SMB and NFS. Not sure if any other shared filesystems handle this. A minimum requirement would be that you need to log in to the fileserver using a username and password.

> This is the main reason I have mostly stayed away from NFS all these
> years. Recently sshfs has been a good enough substitute, but now it's
> proving not reliable enough for long term connections.

I found NFS to be stable for long term (months) connections. When working from mobile machines (laptops), I use SMB/CIFS to access the same files.

--
Joost
Re: [gentoo-user] NFS and user IDs
On 2018-06-09 09:41, Andrew Udvare wrote:
>> On 2018-06-09, at 00:42, Ian Zimmerman wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on NFS
>> clients and servers?
>
> I checked and there is no way. It is recommended UID/GID be synced regularly
> on all client machines.
>
> NFSv4 requires user names and group names be synced. IDs do not have to match,
> which makes syncing easier. You should be controlling IDs/names from a central
> location and syncing as part of a deployment system, and not allowing client
> machine users to make modifications to those files.
>
> Andrew

In fact, you can use the nfsidmap service to supply a mapping. I do not know the specifics of this, but here's the manpage for it: http://man7.org/linux/man-pages/man5/nfsidmap.5.html

Greetings,
Daniel
Re: [gentoo-user] NFS and user IDs
> On 2018-06-09, at 00:42, Ian Zimmerman wrote:
>
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

I checked and there is no way. It is recommended UID/GID be synced regularly on all client machines.

NFSv4 requires user names and group names be synced. IDs do not have to match, which makes syncing easier. You should be controlling IDs/names from a central location and syncing as part of a deployment system, and not allowing client machine users to make modifications to those files.

Andrew
Re: [gentoo-user] NFS and user IDs
On 09/06/18 05:42, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
>
> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?

Which filesystem do you mean? Do you mean SMB/CIFS? Because that is NOT originally an MS product, and unlike many things they stole, they never bought it. Read up on the history. Allison and whoever wrote Samba because they wanted to talk to DEC. Only later did they realise that MS had copied the same protocol.

Cheers,
Wol