CIFS with NFS-like permissions?

matt_garman
Posts: 40
Joined: 2006/10/18 14:14:21

CIFS with NFS-like permissions?

Post by matt_garman » 2009/08/24 20:52:49

We have several servers that share files and directories among each other using NFS.

We are trying to be a bit more secure, and would basically like to disable the ability for anyone to mount our NFS shares. Ideally, we'd like a username/password authentication mechanism for NFS. As far as I can tell NFS doesn't offer a "require password for mounting" option. (I know you can restrict mounting to IP addresses, but that's not too hard to defeat.)

So I started looking at CIFS, i.e. sharing via Samba. CIFS allows username/password authentication, but its permission model doesn't appear to be the same as NFS. I've only dabbled a bit so far, but it appears that the following is true:
- Samba server sharing files on machine S
- Client server C mounts share, with username="Cifs"
- User "Matt" on server C creates a file on the mounted share
- The created file is owned by "Cifs", instead of "Matt"

What I would prefer is that the created file is owned by "Matt", or at least, created with the UID of Matt on machine C (i.e. just like NFS would do).

Is there a way for me to set up a Samba share in such a way that its permission policies are like NFS (i.e. UID/GID-based)?

Or, alternatively, is there a way to secure NFS mounting via password or certificate?

Thanks!
Matt

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

CIFS with NFS-like permissions?

Post by gerald_clark » 2009/08/24 21:20:03

A user cannot access an NFS share unless that user has permissions on the server.
You must set up the user and group numbers to be the same on both machines.

matt_garman
Posts: 40
Joined: 2006/10/18 14:14:21

Re: CIFS with NFS-like permissions?

Post by matt_garman » 2009/08/25 20:32:21

[quote]
gerald_clark wrote:
A user cannot access an NFS share unless that user has permissions on the server.
You must set up the user and group numbers to be the same on both machines.[/quote]

Right, that is what we have. (Sorry I wasn't explicit.)

So, given that we have machines with sync'ed /etc/group and /etc/passwd files, how can I prevent an NFS share from being mounted without a username/password or certificate? As far as I can tell, this requires NFSv4 + Kerberos.

Or, is there a way to have "NFS-like" UID/GID-based permissions with CIFS?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: CIFS with NFS-like permissions?

Post by gerald_clark » 2009/08/26 14:06:53

If the NFS share is mounted, but the user has no permissions on the underlying directories and files, what is the problem?

pjwelsh
Posts: 2598
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: CIFS with NFS-like permissions?

Post by pjwelsh » 2009/08/27 15:51:25

I think the general issue is that the /etc/exports specifies hosts/IPs and that I can unplug some other allowed PC, change my address and have correct UID/GID mappings and get data. There are non-CIFS ways to help mitigate this, but they get more complicated, like RADIUS, arpwatch + iptables, etc.

matt_garman
Posts: 40
Joined: 2006/10/18 14:14:21

Re: CIFS with NFS-like permissions?

Post by matt_garman » 2009/09/01 20:19:53

[quote]
pjwelsh wrote:
I think the general issue is that the /etc/exports specifies hosts/IPs and that I can unplug some other allowed PC, change my address and have correct UID/GID mappings and get data. There are non-CIFS ways to help mitigate this, but they get more complicated, like RADIUS, arpwatch + iptables, etc.[/quote]

Exactly. That's even easier to do with virtual machines.

I think I'm going to try to get NFSv4 to work. Anyone have any experience with NFSv4 + Kerberos authentication on CentOS 4.x?

PS pjwelsh - I noticed your info said you're in Central Illinois... whereabouts? I'm in Chicago now, but originally from Peoria. Planning to move back eventually.
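Added example, not part of the original thread: a small audit of an exports(5) file that flags every export still reachable with AUTH_SYS, the address-plus-UID trust discussed above, as opposed to the `sec=krb5*` flavors the Kerberos route relies on. The sample file, its paths and hosts, and the function name `audit_exports` are constructed for illustration; quoted paths containing spaces are assumed not to occur.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

# Constructed sample exports(5) file; paths and hosts are made up for this example.
SAMPLE = """\
/srv/projects 192.168.10.0/24(rw,sync)
/srv/home     *.example.com(rw,sync,sec=krb5p)
/srv/scratch  *(rw,no_root_squash)
/srv/mixed    10.0.0.5(rw,sec=krb5:sys)
"""

def audit_exports(text):
    """Return sorted (path, client, issue) findings for an exports(5) file."""
    findings = set()
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        fields = raw.split("#", 1)[0].split()             # drop comments
        if not fields:
            continue
        path, specs, defaults = fields[0], fields[1:] or ["*"], []
        for spec in specs:
            if spec.startswith("-"):       # "-opt,opt" sets defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = CLIENT_RE.match(spec)
            if not m:
                findings.add((path, spec, "unparsed"))
                continue
            client = m.group(1) or "*"     # "(opts)" with no host means every host
            opts = defaults + [o for o in (m.group(2) or "").split(",") if o]
            flavors = set()
            for o in opts:
                if o.startswith("sec="):   # several sec= options may appear; union them
                    flavors.update(o[4:].split(":"))
            if client.startswith("gss/"):  # older "gss/krb5" client form
                flavors.add(client[4:])
            if not flavors or not flavors <= KRB_FLAVORS:
                # AUTH_SYS: server trusts the source address and the UID the client sends
                findings.add((path, client, "auth_sys"))
            if client == "*":
                findings.add((path, client, "any_host"))
            if "no_root_squash" in opts:
                findings.add((path, client, "no_root_squash"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(f"{path}\t{client}\t{issue}")
```

An export that lists `sys` alongside a Kerberos flavor is still flagged, because a client can pick the weaker flavor at mount time.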
