On Fri, 2007-03-09 at 18:49 +0000, Anne Wilson wrote:
> On Friday 09 March 2007, Craig White wrote:
> >
> > You really shouldn't be using samba/cifs sharing on your LAN since you
> > have all Linux systems but you get away with it because you always run
> > as root and it's clear that your methodology is to remove all security
> > restrictions that are in your way.
>
> Now that statement really puzzles me. I run samba for the lan, not only
> windows to linux to windows, but also linux to linux. I don't run as root,
> and I use selinux.
>
> Would you like to amplify your statement?
----
sure - a smbfs/cifs mount pretty much discards the concept of posix
users and doesn't understand Posix attributes, has no concept of the
case in file names and finally doesn't permit executables.

If I set up a Linux server and share the same directories via samba (to
Windows systems), netatalk (to Macintosh systems) and NFS (to Linux &
Macintosh systems), all users have native access to their native files
in native formats.

If I use LDAP and mount NFS as 'user', I can have multiple users
accessing an NFS share with their native account information, native
umasks, etc.

Thus on my main server, users' directories are shared in all forms,
either as
- a share in samba (mounted as sambaHomePath: \\srv1\homes
/home/storage/users)
- a share in netatalk (mounted as apple-user-homeDirectory:
/Network/Servers/srv1.tobyhouse.com/NetUsers as /home/storage/users)
- an automount for Posix users (homeDirectory: /home/storage/users)

# ldapsearch -x -h localhost -D 'XXXXX,dc=tobyhouse,dc=com' -W \
'(uid=craig)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=craig)
# requesting: ALL
#

# craig, People, tobyhouse.com
dn: uid=craig,ou=People,dc=tobyhouse,dc=com
sambaLMPassword: XXXX
sambaNTPassword: XXXX
shadowLastChange: 13450
sambaLogonScript: logon.bat
sambaProfilePath: \\srv1\profiles\craig
cn: Craig White
uidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-XXXX-XXXX-XXXX-513
sambaAcctFlags: [U ]
gecos: Craig White
apple-user-homeDirectory: /Network/Servers/srv1.tobyhouse.com/NetUsers/craig
mail: craig@xxxxxxxxxxxxx
userPassword:: XXXX
uid: craig
sambaHomePath: \\srv1\homes\craig
apple-user-homeurl:: PGhvbWVfZGlyPjx1cmw
 +YWZwOi8vc3J2MS50b2J5aG91c2UuY29tL05ld
 FVzZXJzPC91cmw+PHBhdGg+Y3JhaWc8L3BhdGg+PC9ob21lX2Rpcj4=
homeDirectory: /home/storage/users/craig
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: sambaSamAccount
objectClass: calEntry
objectClass: apple-user
description: cwhite@xxxxxxxxxxxxx
description: c.white@xxxxxxxxxxxxx
gidNumber: 100
sambaDomainName: TH
givenName: Craig
sambaSID: S-1-5-21-XXXX-XXXX-XXXX-3000
sambaHomeDrive: h:
sn: White
mailLocalAddress: craigwhite@xxxxxxxxxxxxx
mailLocalAddress: c.white@xxxxxxxxxxxxx
mailLocalAddress: cwhite@xxxxxxxxxxxxx
calFBURL: https://srv1.tobyhouse.com/horde/kronolith/fb.php?c=craig
loginShell: /bin/sh

Thus a user's home directory / files follow the user around regardless
of whether he logs into a Macintosh, Windows or Linux system.

Take a Linux system...

touch 'my file.txt'
touch 'My File.txt'

do the same thing on Windows/samba mount

In the final analysis though, if you don't find yourself bothered by the
limitations that you are imposing upon yourself by using Windows network
storage mounts then this doesn't matter. Perhaps that is a testament to
the Samba team for providing enough functionality for users to abandon
the native network methodologies or perhaps some Windows users are
willing to accept fewer capabilities.

NFS is brilliant. Samba brings along the baggage that accompanies
Microsoft SMB.

-- 
Craig White <craig@xxxxxxxxxxxxx>
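
Added example, not part of the original message and not the poster's code: a POSIX shell probe that reports how a given directory (for instance an NFS or CIFS mount point) handles the three behaviours the message lists, namely file-name case, POSIX mode bits and direct execution. The function names and the dot-prefixed probe file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report how a directory (e.g. a mount point) treats
# file-name case, chmod mode bits and execution of files stored on it.
# Function and probe-file names are hypothetical, chosen for this example.

# Prints "case-sensitive" if the two names from the message stay distinct.
probe_case() {
    d=$1/.probe_case.$$
    mkdir "$d" || return 2
    touch "$d/my file.txt" "$d/My File.txt"
    set -- "$d"/*               # a single entry means the names collided
    n=$#
    rm -rf "$d"
    if [ "$n" -eq 2 ]; then echo case-sensitive; else echo case-insensitive; fi
}

# Prints "mode-kept" if chmod 0750 is visible afterwards, else the mode seen.
probe_mode() {
    f=$1/.probe_mode.$$
    : > "$f" || return 2
    chmod 0750 "$f" 2>/dev/null || :    # some mounts reject or ignore chmod
    m=$(ls -ld "$f" | cut -c1-10)       # first 10 chars: type + rwx bits
    rm -f "$f"
    if [ "$m" = "-rwxr-x---" ]; then echo mode-kept; else echo "mode-ignored:$m"; fi
}

# Prints "exec-ok" if a script created in the directory can be run directly.
probe_exec() {
    f=$1/.probe_exec.$$
    printf '#!/bin/sh\nexit 0\n' > "$f" || return 2
    chmod 0700 "$f" 2>/dev/null || :
    if "$f" >/dev/null 2>&1; then r=exec-ok; else r=exec-denied; fi
    rm -f "$f"
    echo "$r"
}

# One summary line per directory.
probe_all() {
    echo "$1: $(probe_case "$1") $(probe_mode "$1") $(probe_exec "$1")"
}

# Run as: sh probe.sh /path/to/mountpoint   (the directory must be writable)
if [ $# -gt 0 ]; then probe_all "$1"; fi
```

Running it against the same export mounted once over NFS and once over CIFS shows which of the mode and case guarantees each mount actually preserves with the options in use.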