LDAP, SMB/NFS and AutoFS

Hello guys,
I've got the following issue and I think that someone may have faced it in the past.
SETUP:
I've got a few workstations (Ubuntu/BSD/OSX/...) and a server that runs LDAP.
We'd like to configure all of it in such a way that if a user logs in on a workstation, he has his $HOME mounted from the server.
I've tried the NFS + AutoFS tandem, but since all users have root access to all of the workstations, running:
# su - user1
gives any other user access to the files of user1.
QUESTION:
One idea is to install Samba, integrate it with LDAP and mount the $HOME directories using - for example - pam-mount.
There is a drawback though - SMB does not allow special files, which means KDE/GNOME (and probably other WMs) cannot be used.
Another idea is to use Samba only for authentication purposes, but I don't know if that's possible at all.
Has anyone of you faced that problem? If so, how did you manage to make it work?
Thanks in advance for your reply.

On the server running NFS, you could play with the squash parameters in /etc/exports (see man exports).
There's a parameter "root_squash" which will map all requests from uid/gid 0 (the root user) to the guest account. Another parameter is "all_squash", which will map the requests of EVERY USER to the guest account. You can then use "anonuid" and "anongid" to specify which guest account the requests should be squashed to. Look at the following example:
/etc/exports:
/home workstation1(rw,subtree_check,sync,all_squash,anonuid=1001,anongid=1001) workstation2(rw,subtree_check,sync,all_squash,anonuid=1002,anongid=1002) workstation3(rw,subtree_check,sync,all_squash,anonuid=1003,anongid=1003)
Assume that workstation1, workstation2 and workstation3 are your clients; you could use the clients' IP addresses instead if you wish. I assume that your server has a /home directory with 3 user folders in it: dave, gerald and roy. The owners and groups of those user folders are respectively dave for /home/dave, gerald for /home/gerald and roy for /home/roy. Assume that those users exist in the passwd file on your server, user dave with uid 1001, user gerald with uid 1002 and user roy with uid 1003.
With the /etc/exports example above, you make sure that workstation1 with user dave can mount /home, where all requests are processed as if they came from the user with uid 1001 and gid 1001, which would be the user dave. The same goes for the users gerald on workstation2 and roy on workstation3.
There's one downside: you have to list each client that should be able to mount /home in /etc/exports, and specify the uid and gid to which requests from that client should be mapped.
Last edited by jealma (2009-02-25 20:30:44)
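As an added illustration of the squash rules in jealma's reply (this is not code from the thread; the sample /etc/exports below is constructed to mirror the three-workstation layout, plus one deliberately weak /srv/lab entry for contrast), the Python below parses an exports file, works out the uid the server will act under for a request from a given client, and flags the entries a reviewer would question. The exports(5) parsing is simplified: comments and backslash continuations are handled, quoted paths containing spaces are not. One caveat that is not stated in the thread: with the default AUTH_SYS security flavour the NFS server never verifies the uid a client sends, it only squashes it. root_squash alone therefore does nothing against `su - user1` on a client (uid 1001 arrives as uid 1001 and is honoured); per-client all_squash pins every request from that client to one server uid, which is why the reply needs one workstation per user. Server-verified identity needs NFSv4 with sec=krb5/krb5i/krb5p, which is outside what this thread covers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports (not taken from any real server). The /home
# lines mirror the one-workstation-per-user layout from the reply; /srv/lab is
# a deliberately weak entry included for contrast.
SAMPLE_EXPORTS = """\
# home directories, one workstation per user
/home workstation1(rw,subtree_check,sync,all_squash,anonuid=1001,anongid=1001) \\
      workstation2(rw,subtree_check,sync,all_squash,anonuid=1002,anongid=1002)
/home workstation3(rw,subtree_check,sync,all_squash,anonuid=1003,anongid=1003)
# lab box exported the lazy way: client root is server root on lab1
/srv/lab lab1(rw,no_root_squash) lab2(rw)
"""

NOBODY = 65534  # default anonuid/anongid chosen by exportfs when none is given


@dataclass
class Export:
    path: str
    client: str
    options: list = field(default_factory=list)

    def has(self, opt):
        return opt in self.options

    def anon(self, key, default=NOBODY):
        """Value of anonuid=/anongid= if present, else the exportfs default."""
        for opt in self.options:
            if opt.startswith(key + "="):
                return int(opt.split("=", 1)[1])
        return default


def parse_exports(text):
    """Parse exports(5) text into one Export per (path, client) pair.
    Handles '#' comments and backslash line continuations; does not handle
    quoted paths containing spaces (assumption: simplified grammar)."""
    joined = text.replace("\\\n", " ")
    exports = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]+)(?:\(([^)]*)\))?", spec)
            if not m:
                raise ValueError(f"bad client spec: {spec!r}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, m.group(1), opts))
    return exports


def effective_uid(export, request_uid):
    """uid the server acts under for a request that arrives claiming
    request_uid. With AUTH_SYS the claim is never verified, only squashed:
    all_squash maps everyone to anonuid; root_squash (the default unless
    no_root_squash is given) maps only uid 0; anything else passes through."""
    if export.has("all_squash"):
        return export.anon("anonuid")
    if request_uid == 0 and not export.has("no_root_squash"):
        return export.anon("anonuid")
    return request_uid


def audit(exports):
    """Findings a reviewer would raise for the shared-/home use case."""
    findings = []
    for e in exports:
        if e.has("no_root_squash"):
            findings.append(f"{e.path} {e.client}: no_root_squash, client root is server root")
        elif not e.has("all_squash"):
            findings.append(f"{e.path} {e.client}: root squashed only, any other client uid is trusted as sent")
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for e in exports:
        # what root (uid 0) and a 'su - gerald' (uid 1002) on each client become
        print(f"{e.path:9} {e.client:13} root->{effective_uid(e, 0):6} uid1002->{effective_uid(e, 1002)}")
    for f in audit(exports):
        print("FINDING:", f)
```

To run it against a real server, feed it parse_exports(open("/etc/exports").read()). The audit function encodes what I would flag for this particular use case, it is not a substitute for exportfs -v on the server, which prints the options the kernel actually applied, including the implicit root_squash and anonuid defaults.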

Similar Messages

  • NFS and  LDAP on different servers: Problems with location of home director

    Dear Apple Experts.
    We are using an LDAP server for user authentication
    and an NFS server for home directories.
    Both are dedicated servers on different machines.
    On the NFS server there are directories
    /home/urpi
    for staff's home directories
    and
    /home/students
    for students' home directories.
    Both are mounted on the Mac minis in the
    /Users directory,
    so
    /Users/urpi
    contains home directories for staff and
    /Users/students
    contains home directories for students.
    Authentication works well and permissions are set as needed,
    but OS X shows missing home directories for LDAP-authenticated users
    and the terminal shows a missing home directory;
    for me it is
    /home/urpi/fodrek
    I tried to mount the NFS share on /home, but it is not allowed.
    May I ask if there is any setting to add directories where home directories are placed, please?
    I look forward to hearing from you.
    Yours faithfully
    Peter Fodrek

    So none of these machines are Snow Leopard servers?
    What exactly do you mean when you say you tried to mount the NFS share to home? Can you copy and paste the command and error?
    It sounds as though you don't actually have the NFS shares mounted. Assuming this is so, you might want to investigate how the automount command works so that your Mac minis mount the NFS shares on boot.
    If your NFS/LDAP server is an OS X 10.6 server, set the shares to be automounted as user/group directories. Make sure your LDAP server is providing correct information on the home directory location. If it is local, I think the home directories need to be in /Users. If your mounts are indeed working but you cannot login, you might consider making links from /Users to /home/urpi or /home/students on an account-by-account basis (could be done with a quick shell script).

  • While playing games like NFS and CounterStrike, my MacBook Pro connects to the hotspot created by any device, e.g. a Windows laptop, but doesn't show or connect to the LAN server created by the Windows player, and nothing connects to the server that I created

    While playing games like NFS and CounterStrike, my MacBook Pro does connect to the hotspot created by any device, e.g. a Windows laptop, but doesn't show or connect to the LAN server created by the Windows player. Or, no other device connects to the LAN server that I created in the game.
    Could anyone help me please?

    Please do not post more than about 50 lines of console logs or output from an Application crash at a time. No one can make it through those.
    If you had a kernel panic, those are full of good information and should be posted in their entirety. They are stored, and can be read back and posted using this article:
    How to log a kernel panic

  • Incorrect file sizes shown in Finder over NFS and permissions issues

    Hi there
    This is a problem that existed for me in Leopard and has not been resolved in Snow Leopard.
    I have an Xsan with a Leopard server sharing over NFS and AFP. When I connect from a Leopard or Snow Leopard client over NFS, the file sizes in Finder are displayed incorrectly. My Tiger clients work perfectly.
    Also, although it says I have read/write access to the files over NFS, I cannot save over an existing file when I make changes to it; I instead have to create a new version of it and remove the old one.
    Check the link for a grab of one of the folders in question; the upper window is what NFS shows me, the lower AFP. If you Get Info on the files over either connection, the byte count is identical.
    http://www.the-9000.com/images/finder_anomaly.tiff
    Any info would be greatly appreciated.

    This is a problem that existed for me in Leopard and has not been resolved in Snow Leopard.
    Have you filed a bug report with Apple?
    http://developer.apple.com/bugreporter/
    If not, there's less of a chance they'll know about it and help fix it for you.
    Do things look OK from the command line in Terminal?
    It would probably be useful to use a tool like Wireshark to check out what each protocol is sending over the wire. That could at least narrow it down to being a client or server issue.
    Thanks
    --macko

  • Ldap test tool and auth failing after upgrade to 11gR2

    Hi All,
    We have recently upgraded our APEX database from 10.2.0.3.0 to 11.2.0.2.0 using APEX 3.2. We have been able to confirm that all APEX applications work as expected apart from the APEX LDAP utility. The tool returns "Authentication failed!" even though the LDAP server port and DN string have not changed from before. We can confirm that the LDAP bind works, as does using the SQL directly through the database.
    Has anyone come across any problems with something similar?
    Thanks in advance,
    Brett

    Got it resolved. Since we are using a custom LDAP application we had to run the script not only for the DB account APEX_030200 but also the DB Account that is associated with the workspace containing the custom application or package.

  • Using Dynamic Groups in Ldap for Accounts and Roles

    Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in LDAP (we are using OID, Oracle Internet Directory 10.1.2.0); ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation, so I'm asking myself if it is supported .....

    Thanks tim ... will check, but Oracle are saying :
    Oracle Universal Content Management - Version: 7.5.1
    Information in this document applies to any platform.
    Product: Content Server
    Version: 6.0
    Goal
    Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
    Solution
    The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
    to which I have replied: you support 3rd-party LDAPs, but not your own? Shurely shome mishtake ..... if ldapsearch works in a seamless way, surely the provider should too ....
    Billy, you may well be right, just got a cashflow problem over here !

  • LDAP Direct Mode And DNS

    Hello.
    I was looking for this in the docs and I can't find anything.
    If I have a server with IMS 5.2 in LDAP Direct Mode called host.domain.com, and another machine with another mail system called, for example, host2.domain.com, but in my DNS server I have an MX record for host2 with priority 5 (high) and an MX record for host with priority 10 (low): if I send a message to [email protected] using host.domain.com as my SMTP server, does IMS first ask the DNS server for the MX records and priorities and send it to host.domain.com, or does it look in its own system for the user and deliver it locally?
    I want to have some users from @domain.com on one machine (another mail system) and other users from @domain.com on the other machine (iMS 5.2).
    There is no user with accounts on two machines (for example user1 is on host and user2 is on host2; user1 will never be on host2).
    Thanks.

    When a message arrives at the MTA, an ldap query is made to see if:
    1. The domain is local.
    2. The user is local.
    If both are true, the message is delivered locally.
    If the domain is local, and the user is found in LDAP, but the user's "mailhost" is external, then the mail is forwarded to the system at "mailhost" for delivery.

  • SMB Drag and Drop in Win 98

    We are setting up iFS to enable SMB drag-and-drop to upload multiple files in a Windows 98 environment. Windows 98 does not accept an IP address when mapping a network drive, it takes a computer name only. How do you resolve this issue?

    Yes it does.
    Open an MS-DOS prompt and enter:
    'net use /?'
    You should be able to map a drive using an IP address like this:
    net use d: \\ip\resource
    d: = any available (not in use) drive letter
    ip = IP address or name of the server holding the resource
    resource = name of the resource.
    If you have admin rights to the server in question you may use c$ (meaning C: on the server). There are such built-in admin share names for all local drives on the server.
    If you don't have admin rights to the server

  • Fault Tolerance of NFS and iSCSI

    Hello,
    I'm currently designing a new datacenter core environment. In this case there are also Nexus 5548s with FEXs involved. On these FEXs there are some servers which speak NFS and iSCSI.
    While changing the core component there will be a disruption between the servers.
    What is the maximum timeout the NFS or iSCSI protocol can handle while changing the components? Maybe there will be a disruption of at most 1 second.
    Regards
    Udo
    Sent from Cisco Technical Support iPad App

    JDW1:  In case you haven't received the ISO document yet, the relevant section of the cited ISO 11898-2:2003 you want to look at is section 7.6 "Bus failure management", and specifically Table 12 - "Bus failure detection" and Figure 19 - "Possible failures of bus lines".

  • LDAP-Server configuration and using

    Hi,
    can anyone tell me how the LDAP server works in Adobe LiveCycle ES?
    What do I have to do? And how can I get the user data of the logged-in user via LDAP?
    Thank

    LiveCycle ES has an administrative console you can get at http://localhost:8080/adminui. You can log in with administrator/password.
    Under the Settings section, you can go to User Management and then Domain Management.
    In there you can define a new Enterprise Domain and create a new Authorization and Directory for that new domain.
    In the Authorization, you can select LDAP. Under the Directory, you'll be taken through a wizard that will help you configure the LDAP connection to get the list of users and groups.
    Then go back to Domain Management and select "Synch Now". You can set that synchronization to occur periodically.
    Once you can connect to the LDAP server properly and get the list of users, you should be able to log in to the different interfaces using users from the LDAP system.
    You might need to give them LiveCycle roles to access some of the interfaces like adminui, workspace, etc. You can add roles under Settings/User Management/Role Management.
    Jasmin

  • SMB Shares and aliases break

    Hi
    I have installed Snow Leopard. We have several machines running 10.5 (Leopard). They have access to a Windows server for some file sharing. There are aliases (created with the Macs) on the server for easy access via SMB.
    However it turns out that SnowLeopard thinks the aliases are unix files. If I create an alias with snow leopard then original leopard (10.5) does not recognize it as an alias. It would appear that the two leopard versions treat aliases differently, at least over networks.

    Snow Leopard is apparently having issues with SMB shares and login reliability. Seems to require a fresh login/restart as an example otherwise.

  • How do you turn on NFS and RPC error logging?

    I'm trying to find NFS and RPC errors. Do I need to turn error logging on for those calls? Where would/should they show up?

    This is what I use;
    log4j.logger.com.businessobjects = DEBUG, stdoutAppender
    log4j.logger.com.businessobjects12 = DEBUG, stdoutAppender
    log4j.logger.com.crystalreports = DEBUG, stdoutAppender
    log4j.logger.com.crystaldecisions12 = DEBUG,  stdoutAppender
    log4j.logger.com.crystaldecisions = DEBUG,  stdoutAppender
    You will of course need to adjust to the log4j appender you have declared
    Steve

  • How to use DS 5.2 to create LDAP user ID and password to Login to Sun ONE I

    Hi all,
    I have just installed Sun One Web Server 6.1, Sun One Directory 5.2 and Sun One Instant Messaging 6.1 together on Win2K Advanced Server. And I have successfully launched Sun ONE Instant Messenger.
    But I cannot figure out how to create an LDAP user ID and password to log in to Sun ONE Instant Messenger.
    Could anyone help me to solve this problem?
    I'm looking forward to receiving your reply soon.
    Thanks

    Hi Tuo,
    I think you better ask this in the forum where the ACS experts are, since this does not seem to be a problem on the ASA side.
    hth
    Herbert

  • LDAPSYNC Reconn Job: LDAP User Create and Update Reconciliation

    OIM 11.1.1.5.4 (BP4), libOVD, trusted data source OID 11.1.1.5.0
    I have the recon job "LDAP User Create and Update FULL Reconciliation" working,
    but the incremental job "LDAP User Create and Update Reconciliation" is not working.
    No errors found in the OIM server logs;
    the only message found is the one indicating the execution of the job.
    Has anyone been successful with the job "LDAP User Create and Update Reconciliation"?
    [2012-10-21T08:09:03.922-04:00] [oim_server1] [NOTIFICATION] [IAM-1020005] [oracle.iam.scheduler.impl.quartz] [tid: OIMQuartzScheduler_Worker-2] [userId: oiminternal] [ecid: 0000Je3Cacy3n3WjLxuHOA1GWyFa000002,0] [APP: oim#11.1.1.3.0] Job Listener, Job was executed QuartzJobListener.jobWasExecuted Description null FullName DEFAULT.LDAP User Create and Update Reconciliation Name LDAP User Create and Update Reconciliation
    TIA
    gadba

    Has anyone had that work, for the incremental job of LDAPsync recon?

  • NFS and ISCSI using ip hash load balance policy

    As I know, all these days the best practice for iSCSI has been to use a single NIC and one standby with "route based on port ID". But I have seen in a client place that NFS and iSCSI are configured to use "route based on IP hash" with multiple NICs, and it has been working all these days. I cannot see that iSCSI does multipath there. I was told by the sysadmin that it is OK to use that since both protocols are configured on the same storage and it does not make sense to separate them; his explanation was that if we want separate policies then we should use separate storage, one for NFS and the other for iSCSI. I do not buy that, but I might be wrong. He pointed to the link below saying that you can use IP hash. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalI.... Is it OK to use "route based on IP hash" for iSCSI as in the link?
    This topic first appeared in the Spiceworks Community

    When you create your uplink port profile you simply use the auto channel command in your config:
    channel-group auto mode on
    This will create a static etherchannel when two or more ports are added to the uplink port profile from the same host.  Assuming your upstream switch config is still set to "mode on" for the etherchannel config, there's nothing to change.
    Regards,
    Robert
