path: root/misc/slackbook/html/network-configuration-nfs.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Network File Systems</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Network Configuration" href="network-configuration.html" />
<link rel="PREVIOUS" title="Wireless" href="network-configuration-wireless.html" />
<link rel="NEXT" title="X Configuration" href="x-window-system.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a
href="network-configuration-wireless.html" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 5 Network Configuration</td>
<td width="10%" align="right" valign="bottom"><a href="x-window-system.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-CONFIGURATION-NFS" name="NETWORK-CONFIGURATION-NFS">5.6
Network File Systems</a></h1>

<p>At this point, you should have a working TCP/IP connection to your network. You should
be able to ping other computers on your internal network and, if you have configured an
appropriate gateway, you should also be able to ping computers on the Internet itself. As
we know, the whole point in bringing a computer onto a network is to access information.
While some people might bring a computer up on a network just for the fun of it, most
people wish to be able to share files and printers. They wish to be able to access
documents on the Internet or play an online game. Having TCP/IP installed and functional
on your new Slackware system is a means to that end, but with just TCP/IP installed,
functionality will be very rudimentary. To share files, we will have to transfer them
back and forth using either FTP or SCP. We cannot browse files on our new Slackware
computer from the Network Neighborhood or My Network Places icons on Windows computers.
We'd like to be able to access files on other Unix machines seamlessly.</p>

<p>Ideally, we'd like to be able to use a <span class="emphasis"><i
class="EMPHASIS">network file system</i></span> to allow us transparent access to our
files on other computers. The programs that we use to interact with information stored on
our computers really do not need to know on what computer a given file is stored; they
just need to know that it exists and how to get to it. It is then the responsibility of
the operating system to manage access to that file through the available file systems and
network file systems. The two most commonly used network file systems are SMB (as
implemented by Samba) and NFS.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-CONFIGURATION-NSF-SMB"
name="NETWORK-CONFIGURATION-NSF-SMB">5.6.1 SMB/Samba/CIFS</a></h2>

<p>SMB (for Server Message Block) is a descendant of the older NetBIOS protocol that was
initially used by IBM in their LAN Manager product. Microsoft has always been fairly
interested in NetBIOS and its successors (NetBEUI, SMB and CIFS). The Samba project has
existed since 1991, when it was originally written to link an IBM PC running NetBIOS with
a Unix server. These days, SMB is the preferred method for sharing file and print
services over a network for virtually the entire civilized world because Windows supports
it.</p>

<p>Samba's configuration file is <tt class="FILENAME">/etc/samba/smb.conf</tt>, one of
the best-commented and best-documented configuration files you will find anywhere. Sample
shares have been set up for you to view and modify for your needs. If you need even
tighter control, the man page for smb.conf is indispensable. Since Samba is documented so
well in the places I've mentioned above, we will not rewrite the documentation here. We
will, however, quickly cover the basics.</p>

<p><tt class="FILENAME">smb.conf</tt> is broken down into multiple sections: one section
per share, and a global section for setting options that are to be used everywhere. Some
options are only valid in the global section; some are only valid outside the global
section. Remember that the global section can be overridden by any other section. Refer
to the man pages for more information.</p>

<p>You will most likely wish to edit your <tt class="FILENAME">smb.conf</tt> file to
reflect the network settings in your LAN. I would suggest modifying the items listed
below:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = MYGROUP
</pre>
</td>
</tr>
</table>

<p>Change the workgroup name to reflect the workgroup or domain name that you are using
locally.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# server string is the equivalent of the NT Description field
server string = Samba Server
</pre>
</td>
</tr>
</table>

<p>This will be the name of your Slackware computer displayed in the Network Neighborhood
(or My Network Places) folder.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# Security mode. Most people will want user level security. See
# security_level.txt for details. NOTE: To get the behaviour of
# Samba-1.9.18, you'll need to use "security = share".
security = user
</pre>
</td>
</tr>
</table>

<p>You'll almost certainly wish to implement user level security on your Slackware
system.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba
# documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
</pre>
</td>
</tr>
</table>

<p>If encrypt passwords is not enabled, you will not be able to use Samba with NT4.0,
Win2k, WinXP, and Win2003. Earlier Windows operating systems did not require encryption
to share files.</p>

<p>SMB is an authenticated protocol, meaning you must supply a correct username and
password in order to use this service. We tell the Samba server what usernames and
passwords are valid with the <tt class="COMMAND">smbpasswd</tt> command. <tt
class="COMMAND">smbpasswd</tt> takes a couple of common switches to tell it to either add
traditional users, or add machine users (SMB requires that you add the computers' NETBIOS
names as machine users, restricting what computers one can authenticate from).</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
Adding a user to the <tt class="FILENAME">/etc/samba/private/smbpasswd</tt> file.
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">smbpasswd -a user</kbd>
Adding a machine name to the /etc/samba/private/smbpasswd file.
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">smbpasswd -a -m machine</kbd>
</pre>
</td>
</tr>
</table>

<p>It's important to note that a given username or machine name must already exist in the
<tt class="FILENAME">/etc/passwd</tt> file. You can accomplish this simply with the <tt
class="COMMAND">adduser</tt> command. Note that when using the <tt
class="COMMAND">adduser</tt> command to add a machine name one must append a dollar sign
(&#8220;<var class="LITERAL">$</var>&#8221;) to the machine name. This should <span
class="emphasis"><i class="EMPHASIS">not</i></span> however, be done with <tt
class="COMMAND">smbpasswd</tt>. <tt class="COMMAND">smbpasswd</tt> appends the dollar
sign on its own. Failing to mangle the machine name this way with <tt
class="COMMAND">adduser</tt> will result in an error when adding the machine name to
samba.</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">adduser machine$</kbd>
</pre>
</td>
</tr>
</table>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-CONFIGURATION-NFS-NFS"
name="NETWORK-CONFIGURATION-NFS-NFS">5.6.2 Network File System (NFS)</a></h2>

<p>NFS (or Network File System) was originally written by Sun for their Solaris
implementation of Unix. While it is significantly easier to get up and running when
compared to SMB, it is also significantly less secure. The primary insecurity in NFS is
that it is easy to spoof user and group IDs from one machine to another. NFS is an
unauthenticated protocol. Future versions of the NFS protocol are being devised that
enhance security, but these are not common at the time of this writing.</p>

<p>NFS configuration is governed by the <tt class="FILENAME">/etc/exports</tt> file. When
you load the default <tt class="FILENAME">/etc/exports</tt> file into an editor, you'll
see a blank file with a two-line comment on top. We'll need to add a line to the exports
file for each directory that we wish to export, with a listing of client workstations
that will be allowed to access that directory. For instance, if we wished to export directory
<tt class="FILENAME">/home/foo</tt> to workstation Bar, we would simply add the line:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
/home/foo Bar(rw)
</pre>
</td>
</tr>
</table>

<p>to our <tt class="FILENAME">/etc/exports</tt>. Below, you'll find the example from the
man page for the <tt class="FILENAME">exports</tt> file:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# sample /etc/exports file
/               master(rw) trusty(rw,no_root_squash)
/projects       proj*.local.domain(rw)
/usr            *.local.domain(ro) @trusted(rw)
/home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
/pub            (ro,insecure,all_squash)
</pre>
</td>
</tr>
</table>

<p>As you can see, there are various options available, but most should be fairly clear
from this example.</p>

<p>NFS works under the assumption that a given user on one machine in a network has the
same user ID on all machines across the network. When an attempt is made to read or write
from an NFS client to an NFS server, a UID is passed as part of the read/write request.
This UID is treated the same as if the read/write request originated on the local
machine. As you can see, if one could arbitrarily specify a given UID when accessing
resources on a remote system, Bad Things (tm) could and would happen. As a partial hedge
against this, each directory is exported with the <var class="OPTION">root_squash</var>
option. This maps the UID for any user claiming to be root to a different UID, thus
preventing root access to the files or folders in the exported directory. <var
class="OPTION">root_squash</var> seems to be enabled by default as a security measure,
but the authors recommend specifying it anyway in your <tt
class="FILENAME">/etc/exports</tt> file.</p>
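<p>As an added example (not from the Slackware book), the following Python script parses
<tt class="FILENAME">/etc/exports</tt> lines in the format shown above and flags the
exposures this section warns about: clients left unspecified or matched by a wildcard,
<var class="OPTION">no_root_squash</var>, <var class="OPTION">insecure</var>, and exports
that do not state <var class="OPTION">root_squash</var> explicitly. The input is the
man-page example quoted above; the names <tt class="COMMAND">parse_exports</tt> and
<tt class="COMMAND">audit_exports</tt> are chosen here, not taken from any tool.</p>

```python
"""Audit /etc/exports lines for the risks the page discusses (added example)."""
import re

# The man-page example quoted on the page, used here as constructed input.
SAMPLE_EXPORTS = """\
# sample /etc/exports file
/               master(rw) trusty(rw,no_root_squash)
/projects       proj*.local.domain(rw)
/usr            *.local.domain(ro) @trusted(rw)
/home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
/pub            (ro,insecure,all_squash)
"""

# A client spec is HOST(OPTS), a bare HOST, or bare (OPTS) meaning "any host".
CLIENT_RE = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...], one tuple per export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:  # malformed spec such as an unbalanced parenthesis
                continue
            host, opts = m.group(1), m.group(2) or ""
            parsed.append((host, [o for o in opts.split(",") if o]))
        exports.append((path, parsed))
    return exports

def audit_exports(text):
    """Flag anonymous/wildcard clients, no_root_squash, insecure and implicit root_squash."""
    findings = []
    for path, clients in parse_exports(text):
        for host, options in clients:
            label = f"{path} -> {host or '<any host>'}"
            if host == "":
                findings.append(f"{label}: exported to every client")
            elif "*" in host or "?" in host:
                findings.append(f"{label}: wildcard client match")
            if "no_root_squash" in options:
                findings.append(f"{label}: no_root_squash, remote root is root here")
            if "insecure" in options:
                findings.append(f"{label}: insecure, non-privileged source ports allowed")
            if not {"root_squash", "no_root_squash"} & set(options):
                findings.append(f"{label}: root_squash not stated explicitly")
    return findings
```

Run <tt class="COMMAND">audit_exports</tt> over the real file's contents to get one finding per client entry that deserves a second look.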

<p>You can also export a directory directly from the command line on the server by using
the <tt class="COMMAND">exportfs</tt> command as follows:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">exportfs -o rw,no_root_squash Bar:/home/foo</kbd>
</pre>
</td>
</tr>
</table>

<p>This line exports the <tt class="FILENAME">/home/foo</tt> directory to the computer
&#8220;<tt class="HOSTID">Bar</tt>&#8221; and grants <tt class="HOSTID">Bar</tt>
read/write access. Additionally, the NFS server will not invoke <var
class="OPTION">root_squash</var>, which means any user on Bar with a UID of
&#8220;0&#8221; (root's UID) will have the same privileges as root on the server. The
syntax does look strange (usually when a directory is specified in <var
class="LITERAL">computer:/directory/file</var> syntax, you are referring to a file in a
directory on a given computer).</p>

<p>You'll find more information on the man page for the exports file.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-configuration-wireless.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="x-window-system.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Wireless</td>
<td width="34%" align="center" valign="top"><a href="network-configuration.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">X Configuration</td>
</tr>
</table>
</div>
</body>
</html>