On Sun, 11/06/2006 at 17.34 +0930, Tim wrote:

> Tim:
> >>> That's never been my experience. Firstly, normally only the root user
> >>> can mount something. Secondly, when mounting a Linux file system over
> >>> NFS, the original ownership is maintained, but numerically: User 500
> >>> remote is treated as user 500 local, so you better make sure that
> >>> usernames and user IDs match on both sides of the connection.

Correct... In a big LAN with a lot of clients you must use something other than /etc/passwd to maintain user access. It's hard to keep a coherent passwd on every client (NIS, for example, or others).

> Ambrogio:
> > It is what I said.
> > First, the mount command is also available at user level.
>
> While you *can* make things user-mountable, it doesn't also mean that
> root mountable things will only be available to the root user. That
> sort of behaviour depends on the mount. I would go as far as to say
> that for things like NFS mounts, it's NOT typical to mount them as a
> user, and it's NOT typical that users can't access root user mounted
> mounts.

This is one of the uses. Another may be that you deliver some login script that mounts NFS only after login. So user 500 mounts server:/home/tim on /home/tim and user 501 mounts server:/home/ambrogio on /home/ambrogio. This can be done at login level, and the mount is made by the user and not by root.

> > The user level is always treated numerically.
> > When you use ls -la and see a user instead of a number, it is only because ls
> > makes a conversion, but in the ACL we have numbers.
>
> ls -lan would show numerical mounts (n option does that).

I know, but it was only to explain that everything is based on numbers and not on names.

> Typically, with NFS, user 500 has to be user 500 on both machines, and
> so on. It doesn't matter if they use the same names on both sides, but
> that helps to make things coherent.
> If I am user 500, username Tim on one box, and export /home to another,
> I really also want to be user 500, on the second box. Then, I can
> access my files on both PCs. And, that mount is handled by root.

Well, that is why NFS is considered insecure. I can be on your LAN with my PC, on which user 500 is not Tim, and mount your home. SURELY, only if /etc/exports permits that. I read something about NFS v4 being capable of using some more secure protocol (Kerberos, I think).

> All that's done with just two entries on each machine (NFS must be
> running, already).
>
> Server's /etc/export file:
> /home *.localdomain(rw,sync)
>
> This exports part of the file system to my LAN, the /home partition, and
> each user within that file system's home directories get exported as-is
> (Tim's files are Tim's elsewhere, johndoe's files are his elsewhere, and
> so on).
>
> Client's /etc/fstab file:
> server.localdomain:/home /mnt/server/home nfs auto,intr,noexec,nodev
>
> This mounts the export on a client machine. Root is doing the mount,
> but because the individual directories are owned by other people, and
> NFS understands ownership, ownership is maintained on both sides, so
> long as you set up the client machines with the same user IDs on both
> sides.

Thinking like Microsoft does (and a lot of customers do), IT admins think that exporting the entire home is more insecure than exporting single directories. So the exports look like this:

    /home/user1 pc1.localdomain(rw,sync)
    /home/user2 pc2.localdomain(rw,sync)

> I seem to recall reading that it is possible to map user IDs between
> different systems using NFS (e.g. on server Tim is 500, but Tim is 632
> on a client, and 2349 on another client). But not seen anything
> detailing how.

The option map_static=/...map_file, in which you can specify the mapping:

    uid 0-99 -        (no mapping for users)
    uid 100-150 1000  (add 1000 to users between 100 and 150)

The same for gid. You can also use map_daemon or map_nis.

Bye
Ambrogio
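Tim's point that NFS (without Kerberos or ID mapping) matches users purely by number, and Ambrogio's remark that keeping /etc/passwd coherent across many clients is hard, suggest a check an admin would run before exporting /home. The following is an added example and not code from the thread; the two passwd snippets are constructed sample data, and the function names are my own.

```python
# Added example (not from the thread): compare user names and numeric UIDs
# between an NFS server and a client, because ownership over NFS is carried
# by number alone. Both passwd snippets are constructed sample data.

from typing import Dict, List

SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tim:x:500:500:Tim:/home/tim:/bin/bash
ambrogio:x:501:501:Ambrogio:/home/ambrogio:/bin/bash
johndoe:x:502:502:John Doe:/home/johndoe:/bin/bash
"""

# Constructed client where tim got a different UID and 500 belongs to ambrogio.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ambrogio:x:500:500:Ambrogio:/home/ambrogio:/bin/bash
tim:x:632:632:Tim:/home/tim:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> numeric UID from passwd(5)-formatted text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def uid_mismatches(server: Dict[str, int], client: Dict[str, int]) -> List[str]:
    """Findings where file ownership would not line up across the NFS mount."""
    findings: List[str] = []
    client_by_uid = {uid: name for name, uid in client.items()}
    for name, uid in sorted(server.items(), key=lambda kv: kv[1]):
        if name not in client:
            findings.append(f"{name} (uid {uid}) missing on client")
        elif client[name] != uid:
            findings.append(f"{name} is uid {uid} on server but {client[name]} on client")
        # A different client user holding the same number would own these files.
        other = client_by_uid.get(uid)
        if other is not None and other != name:
            findings.append(f"uid {uid} is {name} on server but {other} on client")
    return findings


if __name__ == "__main__":
    for finding in uid_mismatches(parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD)):
        print(finding)
```

In the constructed data the check reports that uid 500 is tim on the server but ambrogio on the client, which is exactly the case where one user would see another's exported home as their own.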