* [gentoo-user] NFS and user IDs
From: Ian Zimmerman @ 2018-06-09 4:42 UTC
To: gentoo-user
Is there _any_ way around the need to keep the user IDs matched on NFS
clients and servers?
Or, is there any other remote filesystem (other than the one originally
made by Microsoft) that avoids that chore?
This is the main reason I have mostly stayed away from NFS all these
years. Recently sshfs has been a good enough substitute, but now it's
proving not reliable enough for long term connections.
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
* Re: [gentoo-user] NFS and user IDs
From: Wols Lists @ 2018-06-09 7:27 UTC
To: gentoo-user
On 09/06/18 05:42, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
>
> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?
Which filesystem do you mean? Do you mean SMB/CIFS? Because that is NOT
originally an MS product, and unlike many things they stole, they never
bought it.
Read up on the history. Allison and whoever wrote Samba because they
wanted to talk to DEC. Only later did they realise that MS had copied
the same protocol.
Cheers,
Wol
* Re: [gentoo-user] NFS and user IDs
From: Andrew Udvare @ 2018-06-09 7:41 UTC
To: gentoo-user
> On 2018-06-09, at 00:42, Ian Zimmerman <itz@very.loosely.org> wrote:
>
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
I checked and there is no way. It is recommended UID/GID be synced regularly on all client machines.
NFSv4 requires user names and group names be synced. IDs do not have to match, which makes syncing easier.
You should be controlling IDs/names from a central location and syncing as part of a deployment system, and not allowing client machine users to make modifications to those files.
Andrew
* Re: [gentoo-user] NFS and user IDs
From: dsonck @ 2018-06-09 8:46 UTC
To: gentoo-user
On 2018-06-09 09:41, Andrew Udvare wrote:
>> On 2018-06-09, at 00:42, Ian Zimmerman <itz@very.loosely.org> wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on NFS
>> clients and servers?
>
> I checked and there is no way. It is recommended UID/GID be synced
> regularly on all client machines.
>
> NFSv4 requires user names and group names be synced. IDs do not have
> to match, which makes syncing easier.
>
> You should be controlling IDs/names from a central location and
> syncing as part of a deployment system, and not allowing client
> machine users to make modifications to those files.
>
> Andrew
In fact, you can use the nfsidmap service to supply a mapping. I do not
know the specifics of this but here's the manpage for it
http://man7.org/linux/man-pages/man5/nfsidmap.5.html
Greetings,
Daniel
* Re: [gentoo-user] NFS and user IDs
From: J. Roeleveld @ 2018-06-09 9:16 UTC
To: gentoo-user
On Saturday, June 9, 2018 6:42:56 AM CEST Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
Not to my knowledge.
I use OpenLDAP for my users and groups and this has worked perfectly ever
since I implemented it.
> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?
I am only familiar with CIFS/SMB and NFS. Not sure if any other shared
filesystems handle this. A minimum requirement would be that you need to log in
to the fileserver using a username and password.
> This is the main reason I have mostly stayed away from NFS all these
> years. Recently sshfs has been a good enough substitute, but now it's
> proving not reliable enough for long term connections.
I found NFS to be stable for long term (months) connections. When working from
mobile machines (Laptops), I use SMB/CIFS to access the same files.
--
Joost
* Re: [gentoo-user] NFS and user IDs
From: Tom H @ 2018-06-09 13:20 UTC
To: Gentoo User
On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman <itz@very.loosely.org> wrote:
>
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.
I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in
which you can set up a map but it'd be unpractical for more than a few
users.
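A small audit of the ID-matching chore discussed in Andrew's, Daniel's and Tom's replies, as an added example that is not from the thread: it parses passwd(5)-style data from a server and a client (constructed sample data, not real hosts) and reports the mismatches that matter for NFSv3's numeric IDs and NFSv4's name-based idmapping.

```python
"""Audit UID consistency between an NFS server and one of its clients.

Constructed example (not from the thread). Three kinds of difference matter:
  - same UID, different name: NFSv3 puts numeric IDs on the wire, so the
    client user silently gets the server user's files;
  - same name, different UID: NFSv4 maps by name and copes, but an NFSv3
    export or a wrong idmapd Domain falls back to the numeric ID;
  - name present on only one side: NFSv4 idmapping resolves it to the
    configured "nobody" user.
"""
from __future__ import annotations

# Constructed sample passwd(5) data for two hosts.
SERVER_PASSWD = """
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
backup:x:1002:1002::/srv/backup:/sbin/nologin
"""
CLIENT_PASSWD = """
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
carol:x:1001:1001::/home/carol:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
"""


def parse_passwd(text: str) -> dict[str, int]:
    """Return {name: uid} from passwd(5)-formatted text, skipping junk lines."""
    entries: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        entries[fields[0]] = int(fields[2])
    return entries


def audit(server: dict[str, int], client: dict[str, int]) -> dict[str, list]:
    """Classify the differences between two name->uid maps."""
    report: dict[str, list] = {"uid_collision": [], "uid_mismatch": [],
                               "missing_on_server": [], "missing_on_client": []}
    server_by_uid = {uid: name for name, uid in server.items()}
    for name, uid in client.items():
        if name in server:
            if server[name] != uid:  # same name, different numeric ID
                report["uid_mismatch"].append((name, server[name], uid))
        else:
            report["missing_on_server"].append(name)
        other = server_by_uid.get(uid)
        if other is not None and other != name:  # same UID, different user
            report["uid_collision"].append((uid, other, name))
    report["missing_on_client"] = [n for n in server if n not in client]
    return report


if __name__ == "__main__":
    for kind, items in audit(parse_passwd(SERVER_PASSWD),
                             parse_passwd(CLIENT_PASSWD)).items():
        print(f"{kind}: {items}")
```

The "uid_collision" entries are the ones to fix before relying on an NFSv3 export; the "missing" entries are what shows up as nobody-owned files under NFSv4.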
* Re: [gentoo-user] NFS and user IDs
From: Grant Taylor @ 2018-06-09 16:34 UTC
To: gentoo-user
On 06/08/2018 10:42 PM, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
I can argue that the IDs don't have to be synchronized to use NFS. You
just end up with unexpected complications from different IDs on
different systems.
NFS will quite happily work with dissimilar IDs if you're using "other"
permission to access everything. }:-)
I had a friend & colleague that used a feature of (I think) Webmin to
synchronize IDs between machines. Purportedly it had an ability to edit
the proper files to change IDs for accounts -and- walk the system
chowning and chgrping things to reflect the change.
--
Grant. . . .
unix || die
* Re: [gentoo-user] NFS and user IDs
From: Rich Freeman @ 2018-06-09 17:09 UTC
To: gentoo-user
On Sat, Jun 9, 2018 at 12:34 PM Grant Taylor
<gtaylor@gentoo.tnetconsulting.net> wrote:
>
> NFS will quite happily work with dissimilar IDs if you're using "other"
> permission to access everything. }:-)
>
There are a few network filesystems with this property. As long as
you just mount the whole filesystem with one user/group and umode and
don't care that the remote server(s) will just discard any permissions
changes you try to apply, they work fine without mapping UIDs. If
you're using something like FUSE in a private mount namespace this can
be done in a way that is reasonably secure as well (only the user
logged into the remote server(s) can see the mountpoint).
I feel like this is something that Windows natively gets "better" than
POSIX. They have a concept of UIDs being specific to a machine or
authentication server (or domain as they call it), and this concept is
enforced at the host level. That said, I'm sure this approach has its
downsides as well, in particular it is certainly more complex and at
work we practically forbid any kind of windows ACLs at anything other
than the top mount level because it is so hard to control.
--
Rich
* Re: [gentoo-user] NFS and user IDs
From: Wol's lists @ 2018-06-09 20:31 UTC
To: gentoo-user
On 09/06/18 18:09, Rich Freeman wrote:
> I feel like this is something that Windows natively gets "better" than
> POSIX. They have a concept of UIDs being specific to a machine or
> authentication server (or domain as they call it), and this concept is
> enforced at the host level. That said, I'm sure this approach has its
> downsides as well, in particular it is certainly more complex and at
> work we practically forbid any kind of windows ACLs at anything other
> than the top mount level because it is so hard to control.
Windows is better than POSIX?! That doesn't say much for POSIX then,
seeing as I feel Windows ACLs are overly complex and difficult!
Okay, ACLs assume a directory structure, which have serious problems
with Unix hard links, so I can understand the two features not mapping
on to each other very well. In particular, if an object does not have a
specific acl, it's supposed to inherit from its parent, but if you have
hard links which parent does it inherit from?
The system I used which had ACLs, I *think* when you logged in to any
machine, you could tell it to authenticate against a different machine
so it must have had some machine/identity pair.
Then ACLs were simplicity itself as well, because they were
user,group,other. If a user was named, that was what they got. If they
weren't named, they got the sum of all the groups they belonged to. And
if none of their groups were named, they just got the other permissions.
So if you wanted someone to get LESS than the sum of their groups, you
just gave them personally what you wanted, and that was that.
Cheers,
Wol
* Re: [gentoo-user] NFS and user IDs
From: J. Roeleveld @ 2018-06-09 20:44 UTC
To: gentoo-user
On June 9, 2018 1:20:14 PM UTC, Tom H <tomh0665@gmail.com> wrote:
>On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman <itz@very.loosely.org>
>wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on
>NFS
>> clients and servers?
>
>You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.
>
>I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in
>which you can set up a map but it'd be unpractical for more than a few
>users.
No need to add Kerberos to the mix.
I use LDAP along with nss_ldap. (Various howtos available online)
It works fine.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
* Re: [gentoo-user] NFS and user IDs
From: Rich Freeman @ 2018-06-09 22:09 UTC
To: gentoo-user
On Sat, Jun 9, 2018 at 4:31 PM Wol's lists <antlists@youngman.org.uk> wrote:
>
> On 09/06/18 18:09, Rich Freeman wrote:
> > I feel like this is something that Windows natively gets "better" than
> > POSIX. They have a concept of UIDs being specific to a machine or
> > authentication server (or domain as they call it), and this concept is
> > enforced at the host level. That said, I'm sure this approach has its
> > downsides as well, in particular it is certainly more complex and at
> > work we practically forbid any kind of windows ACLs at anything other
> > than the top mount level because it is so hard to control.
>
> Windows is better than POSIX?! That doesn't say much for POSIX then,
> seeing as I feel Windows ACLs are overly complex and difficult!
I wasn't talking about the ACLs (in fact I pointed out the issues with
those). I was talking about the UIDs, which in windows are made of
two components so that users on one domain can have access to
resources on another domain, without having to replicate the UID
databases.
--
Rich
* Re: [gentoo-user] NFS and user IDs
From: Joerg Schilling @ 2018-06-11 8:54 UTC
To: gentoo-user
Wol's lists <antlists@youngman.org.uk> wrote:
> On 09/06/18 18:09, Rich Freeman wrote:
...
> > downsides as well, in particular it is certainly more complex and at
> > work we practically forbid any kind of windows ACLs at anything other
> > than the top mount level because it is so hard to control.
>
> Windows is better than POSIX?! That doesn't say much for POSIX then,
> seeing as I feel Windows ACLs are overly complex and difficult!
Well, "Windows ACLs" is the only ACL system that is standardized (as part of
the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
withdrawn in 1997 since the customers did not like it.
Jörg
--
EMail:joerg@schily.net (home) Jörg Schilling D-13353 Berlin
joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.org/private/ http://sf.net/projects/schilytools/files/'
* Re: [gentoo-user] NFS and user IDs
From: Wols Lists @ 2018-06-11 17:33 UTC
To: gentoo-user
On 11/06/18 09:54, Joerg Schilling wrote:
> Wol's lists <antlists@youngman.org.uk> wrote:
>
>> On 09/06/18 18:09, Rich Freeman wrote:
> ...
>>> downsides as well, in particular it is certainly more complex and at
>>> work we practically forbid any kind of windows ACLs at anything other
>>> than the top mount level because it is so hard to control.
>>
>> Windows is better than POSIX?! That doesn't say much for POSIX then,
>> seeing as I feel Windows ACLs are overly complex and difficult!
>
> Well, "Windows ACLs" is the only ACL system that is standardized (as part of
> the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
> withdrawn in 1997 since the customers did not like it.
>
Ummm - just because it's standard doesn't mean it's any good :-)
This version I'm talking about dates from about 1983. The company making
it went bust in 1991.
I've just had a quick look at the NFS v4 RFC, and almost the first thing
I see is DENY entries. These ACLs don't have deny, because it's
pointless. And DENY is exactly why I think Posix/Windows ACLs are
confusing and hard to use.
Cheers,
Wol
* Re: [gentoo-user] NFS and user IDs
From: Joerg Schilling @ 2018-06-12 8:44 UTC
To: gentoo-user
Wols Lists <antlists@youngman.org.uk> wrote:
> On 11/06/18 09:54, Joerg Schilling wrote:
> > Well, "Windows ACLs" is the only ACL system that is standardized (as part of
> > the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
> > withdrawn in 1997 since the customers did not like it.
> >
> Ummm - just because it's standard doesn't mean it's any good :-)
It is a result of a common discussion. At the same time, when Sun introduced
NFSv4 ACLs, IBM and Apple did the same for their local filesystems.
> This version I'm talking about dates from about 1983. The company making
> it went bust in 1991.
What are you talking about?
IIRC, the first ACLs have been on VMS in the late 1980s.
> I've just had a quick look at the NFS v4 RFC, and almost the first thing
> I see is DENY entries. These ACLs don't have deny, because it's
> pointless. And DENY is exactly why I think Posix/Windows ACLs are
> confusing and hard to use.
Your text looks confusing. You claim DENY entries and no DENY entries in the
same paragraph without explaining what you are talking about.
Jörg
--
EMail:joerg@schily.net (home) Jörg Schilling D-13353 Berlin
joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.org/private/ http://sf.net/projects/schilytools/files/'
* Re: [gentoo-user] NFS and user IDs
From: Wols Lists @ 2018-06-12 11:12 UTC
To: gentoo-user
On 12/06/18 09:44, Joerg Schilling wrote:
> Wols Lists <antlists@youngman.org.uk> wrote:
>
>> On 11/06/18 09:54, Joerg Schilling wrote:
>>> Well, "Windows ACLs" is the only ACL system that is standardized (as part of
>>> the NFSv4 standard). The old proposal in POSIX.1e from 1993 from Sun has been
>>> withdrawn in 1997 since the customers did not like it.
>>>
>> Ummm - just because it's standard doesn't mean it's any good :-)
>
> It is a result of a common discussion. At the same time, when Sun introduced
> NFSv4 ACLs, IBM and Apple did the same for their local filesystems.
>
>> This version I'm talking about dates from about 1983. The company making
>> it went bust in 1991.
>
> What are you talking about?
Pr1me. Okay, I don't remember most of the dates accurately, but Pr1mos
19.4 had a working Access Control List setup. I was using that on their
Pr1me-2250 machines, at a company I left in 1984. (Wikipedia says the
2250 was released in 1982. I can't find a date for 19.4.)
>
> IIRC, the first ACLs have been on VMS in the late 1980s.
>
>> I've just had a quick look at the NFS v4 RFC, and almost the first thing
>> I see is DENY entries. These ACLs don't have deny, because it's
>> pointless. And DENY is exactly why I think Posix/Windows ACLs are
>> confusing and hard to use.
>
> Your text looks confusing. You claim DENY entries and no DENY entries in the
> same paragraph without explaining what you are talking about.
The RFC talks about deny entries.
Pr1me ACLs didn't have deny, because it doesn't make sense in that context.
>
> Jörg
>