Old 05-19-2011, 07:36 AM   #1
petervroegop
LQ Newbie
 
Registered: Apr 2011
Location: Gouda, The Netherlands
Distribution: Ubuntu, Suse, RHEL, Centos
Posts: 14

Rep: Reputation: 1
Fileserver on centos 4.8


Hi,

I'm setting up a Linux (CentOS 4.8) file server.
My users are administrated in Win 2003 AD.
I created the users' home directories and set the authentication to AD with winbind.
So the users can access their home directories without any problems.
With a login script the users create a mapping to their home directory.

I also created a group directory.
This directory is also available. The users can also map to this directory.
The problem I have is the visibility of the group directories. The users see all group directories, including those for which they have no permission. They cannot access those directories; however, in the old (Windows) situation the users see only those directories they can access.

Is there a way to create this in my linux fileserver also?

With regards,

Peter Vroegop

Last edited by petervroegop; 05-20-2011 at 01:57 AM.
 
Old 05-20-2011, 03:59 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,623

Rep: Reputation: 2651
just off hand why 4.8 ?
4.8 cent is not supported -- 4.9 is
Also is there a hardware or software problem that you cannot use the current version of Cent 5.6


for this
Quote:
My users are administrated in Win 2003 AD.
PAY for red hat RHEL 6.1

or better yet use SLES 11 from Novell
SUSE has great support for Active Directory (support FROM Microsoft)
 
0 members found this post helpful.
Old 05-20-2011, 09:11 PM   #3
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
Scientific Linux 6 is based off RHEL and is available in x86 & x86_64, unless you need the support.


I am going to run SL6 x86_64 on my workstation and my laptop getting away from Fedora. I like Fedora but it is hard to keep up with all of the updates and it is hard to reload my 'work' box and laptops frequently.


Last edited by rhbegin; 05-20-2011 at 09:13 PM.
 
0 members found this post helpful.
Old 05-21-2011, 07:27 AM   #4
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
What you haven't mentioned is how you are doing the mapping from a Windows group to a Linux group, if you are doing it at all. With the winbind setup are users able to login to the server? What are the permissions set on the actual directories? How are they shared out in Samba?

The root of your problem will be in the different ways Linux and Windows handle user identity. Linux uses UID and GID, Windows does not. When mapping to the drives on the server are they prompted to enter a password again? Are the directories owned by Windows groups, or did you create Linux groups?

You might want to check out Centrify, they have some free tools for integrating Linux and Windows in a mixed environment and a customized version of Samba as well.
 
0 members found this post helpful.
Old 05-23-2011, 01:43 AM   #5
petervroegop
LQ Newbie
 
Registered: Apr 2011
Location: Gouda, The Netherlands
Distribution: Ubuntu, Suse, RHEL, Centos
Posts: 14

Original Poster
Rep: Reputation: 1
Hi,

The version of the OS is not a discussion here.
We use CentOS 4.8 because we use a custom-made application which can't handle a newer OS.
We are working on an upgrade, but for the time being we want to keep our OSes the same.

@ComputerErik:
The permissions are not a problem.
Every user can map every share; every user can map their home directory directly without any additional password.
Mapping the group directory is also no problem.

The issue is that every user sees all the directories stored in the share groups.
They have access only to the directories which they are authorized for, but they also see those for which they are not authorized.
On the production file server (Windows) they are used to seeing only those directories they are authorized for.
If possible I want to reproduce this on the Linux file server as well.

With regards,

Peter
 
Old 05-23-2011, 10:25 AM   #6
jlcasado
LQ Newbie
 
Registered: Oct 2010
Location: Madrid - Spain
Distribution: RHEL
Posts: 26

Rep: Reputation: Disabled
Hi peter,

How does the setup of the group directory look? I guess you are using Samba, and a look at the configuration you are using for the share could help us.

best regards
jose
 
Old 05-24-2011, 05:15 AM   #7
petervroegop
LQ Newbie
 
Registered: Apr 2011
Location: Gouda, The Netherlands
Distribution: Ubuntu, Suse, RHEL, Centos
Posts: 14

Original Poster
Rep: Reputation: 1
Hi JLcasado, and others of course,

The complete configuration, this will be a great post, but if it helps to fix the "problem" here it is.

SMB.config:

[global]
log file = /var/log/samba/%m.log
load printers = yes
idmap gid = 16777216-33554431
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
realm = compaxo.local
winbind use default domain = yes
template shell = /bin/bash
dns proxy = no
server string = Linux02
idmap uid = 16777216-33554431
password server = srvmgt01.compaxo.local srvdc01.compaxo.local
workgroup = compaxo-ad
printcap name = /etc/printcap
security = ads
max log size = 50

[homes]
force create mode = 0660
browseable = no
comment = Home Directories
writeable = yes
path = /home/COMPAXO-AD/%s
force directory mode = 0770

[groep]
browsable = yes
comment = Group directories
writeable = yes
path = /home/groups

-------
ls -la from /home/groups:
total 56
drwxrwsrwt+ 7 root terminalserver_gebruikers 4096 May 24 08:41 .
drwxr-xr-x 5 root ict 4096 May 18 14:49 ..
drwxrws---+ 2 root cleaner 4096 May 18 12:27 cleaner
drwxrws---+ 2 root crediadm 4096 May 18 12:25 crediadm
drwxrws---+ 2 root debiadm 4096 May 18 12:33 debiadm
drwxrws---+ 2 root ict 4096 May 18 15:35 ICT
drwxrwsrwt+ 3 root terminalserver_gebruikers 4096 May 12 14:26 publiek

The groups shown are Win 2003 groups.
-----
the acl of cleaner

[root@linux02 groups]# getfacl cleaner
# file: cleaner
# owner: root
# group: cleaner
user::rwx
group::rwx
group:ict:rwx
other::---
default:user::rwx
default:group::rwx
default:group:ict:rwx
default:mask::rwx
default:other::---

ICT must have access to the directory for support
----

The ACL of crediadm

[root@linux02 groups]# getfacl crediadm
# file: crediadm
# owner: root
# group: crediadm
user::rwx
group::rwx
group:ict:rwx
other::---
default:user::rwx
default:group::rwx
default:group:ict:rwx
default:mask::rwx
default:other::---

------

The problem:

User1 is member of terminalserver_gebruikers
User2 is member of terminalserver_gebruikers and ict
User3 is member of terminalserver_gebruikers and crediadm

Every user creates, at login in Windows, a mapping H: to \\linux\username
So they have full access to their own directory without seeing the directories of other users

Every user also creates, at Windows login, a mapping G: to \\linux\group

When the user opens Windows Explorer the access is as follows:
User1 has access only to the publiek directory
User2 has access to all directories
User3 has access to the directories publiek and crediadm

This is exactly the way it has to be, however
all users see all other directories in G: and get an access denied message when they try to access a directory without the right permissions

In the old situation (with the Windows file server) the users saw only those directories they had access to.

For example:
- user1 saw only g:\publiek
- user2 saw all directories
- user3 saw the directories publiek and crediadm.

I hope this is enough config stuff.
If u need more pls let me know.

regards Peter

Last edited by petervroegop; 05-25-2011 at 01:06 AM.
 
Old 05-25-2011, 01:26 AM   #8
petervroegop
LQ Newbie
 
Registered: Apr 2011
Location: Gouda, The Netherlands
Distribution: Ubuntu, Suse, RHEL, Centos
Posts: 14

Original Poster
Rep: Reputation: 1

I found the solution when I searched the internet for the Windows function for my question: "access-based enumeration linux".
One hit told me to add two lines to the SMB.config file.

I show the solution below.

Quote:
Originally Posted by petervroegop
Hi JLcasado, and others of course,

The complete configuration, this will be a great post, but if it helps to fix the "problem" here it is.

SMB.config:

[global]
log file = /var/log/samba/%m.log
load printers = yes
idmap gid = 16777216-33554431
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
realm = compaxo.local
winbind use default domain = yes
template shell = /bin/bash
dns proxy = no
server string = Linux02
idmap uid = 16777216-33554431
password server = srvmgt01.compaxo.local srvdc01.compaxo.local
workgroup = compaxo-ad
printcap name = /etc/printcap
security = ads
max log size = 50

[homes]
force create mode = 0660
browseable = no
comment = Home Directories
writeable = yes
path = /home/COMPAXO-AD/%s
force directory mode = 0770

[groep]
hide unreadable = true
hide unwriteable files = true

browsable = yes
comment = Group directories
writeable = yes
path = /home/groups

-------
ls -la from /home/groups:
total 56
drwxrwsrwt+ 7 root terminalserver_gebruikers 4096 May 24 08:41 .
drwxr-xr-x 5 root ict 4096 May 18 14:49 ..
drwxrws---+ 2 root cleaner 4096 May 18 12:27 cleaner
drwxrws---+ 2 root crediadm 4096 May 18 12:25 crediadm
drwxrws---+ 2 root debiadm 4096 May 18 12:33 debiadm
drwxrws---+ 2 root ict 4096 May 18 15:35 ICT
drwxrwsrwt+ 3 root terminalserver_gebruikers 4096 May 12 14:26 publiek

The groups shown are Win 2003 groups.
-----
the acl of cleaner

[root@linux02 groups]# getfacl cleaner
# file: cleaner
# owner: root
# group: cleaner
user::rwx
group::rwx
group:ict:rwx # I forgot this line in the last post
other::---
default:user::rwx
default:group::rwx
default:group:ict:rwx
default:mask::rwx
default:other::---

ICT must have access to the directory for support
----

The ACL of crediadm

[root@linux02 groups]# getfacl crediadm
# file: crediadm
# owner: root
# group: crediadm
user::rwx
group::rwx
group:ict:rwx # I forgot this line in the last post
other::---
default:user::rwx
default:group::rwx
default:group:ict:rwx
default:mask::rwx
default:other::---

------

The problem:

User1 is member of terminalserver_gebruikers
User2 is member of terminalserver_gebruikers and ict
User3 is member of terminalserver_gebruikers and crediadm

Every user creates, at login in Windows, a mapping H: to \\linux\username
So they have full access to their own directory without seeing the directories of other users

Every user also creates, at Windows login, a mapping G: to \\linux\group

When the user opens Windows Explorer the access is as follows:
User1 has access only to the publiek directory
User2 has access to all directories
User3 has access to the directories publiek and crediadm

This is exactly the way it has to be, however
all users see all other directories in G: and get an access denied message when they try to access a directory without the right permissions

In the old situation (with the Windows file server) the users saw only those directories they had access to.

For example:
- user1 saw only g:\publiek
- user2 saw all directories
- user3 saw the directories publiek and crediadm.

I hope this is enough config stuff.
If u need more pls let me know.

regards Peter
So another question is solved.

Peter

Last edited by petervroegop; 05-25-2011 at 01:48 AM.
 
1 members found this post helpful.
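
The effect of the `hide unreadable` line from post #8, modelled as an added example (not code from the thread or from Samba): it parses the getfacl output posted for cleaner and crediadm and applies the POSIX ACL read check for each user to predict which directories stay listed. The user names and the simplified model (the share root is traversable, no root bypass) are assumptions.

```python
import re

# Access ACLs for cleaner and crediadm, as posted in the thread (getfacl output).
ACLS = """\
# file: cleaner
# owner: root
# group: cleaner
user::rwx
group::rwx
group:ict:rwx
other::---
# file: crediadm
# owner: root
# group: crediadm
user::rwx
group::rwx
group:ict:rwx
other::---
"""

def parse_getfacl(text):
    acls, cur = {}, None
    for raw in text.splitlines():
        head = re.match(r"# (file|owner|group): (.+)", raw)
        entry = raw.split("#")[0].strip()   # drop trailing "# ..." comments
        if head and head[1] == "file":
            cur = acls[head[2]] = {"entries": []}
        elif head:
            cur[head[1]] = head[2]
        elif cur and entry and not entry.startswith("default:"):
            cur["entries"].append(tuple(entry.split(":")))
    return acls

def can_read(acl, user, groups):
    """POSIX ACL read check: owner, named user, group class, then other."""
    def find(tag, qual):
        return next((p for t, q, p in acl["entries"] if (t, q) == (tag, qual)), None)
    mask = find("mask", "") or "rwx"        # no mask entry: nothing is masked
    if user == acl["owner"]:
        return "r" in (find("user", "") or "")
    if find("user", user) is not None:
        return "r" in find("user", user) and "r" in mask
    hits = [p for t, q, p in acl["entries"] if t == "group" and (q or acl["group"]) in groups]
    if hits:                                # in a listed group: "other" never applies
        return "r" in mask and any("r" in p for p in hits)
    return "r" in (find("other", "") or "")

def visible(acls, user, groups):
    """Directories a client still lists with 'hide unreadable = yes'."""
    return sorted(n for n, a in acls.items() if can_read(a, user, groups))
```

The thread's second setting, `hide unwriteable files`, applies the same kind of filter for write permission to files; unwriteable directories are still listed.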
  

