Author Topic: ldap, nfs4 shares and permissions

biyover

ldap, nfs4 shares and permissions
« on: March 20, 2012, 04:07:22 pm »
hi...

I have set up my Zentyal box to share home folders (for "fat clients"). I have also set up some users/groups in the LDAP module. I've got the clients authenticating with the server through LDAP and their home folders mounting as expected (I'm not mounting per user, I just mount /home).

All ok up to here.

Since this setup is for use in a school, I need some permissions on the home folders so as to permit-deny "looking" into others home folders.

I know you can set this through chown and chmod, but... when I check the folders' permissions they ALL belong to the "__USERS__" group!!! I understand that this is because they are LDAP users, but this is no good for me. I need to be able to control who sees what.

Apparently Zentyal manages LDAP users and regular users (system users) separately, so I'm kind of stuck at the moment. I tried looking for a tool that will let me modify the LDAP directory (ldapmodify?) but I'm not aware of how to use it yet.

It could also be that I'm using nfs4 without Kerberos. I have been reading that nfs4 does not play well with LDAP. Should I revert to nfs3? Should I dump LDAP and go with NIS instead? It does not seem very difficult to set up and would guarantee the right permissions on the clients as well as fitting in nicely with standard permission tools.

Does anyone know of a fix/workaround/alternative? Is anyone on this same setup?

EDIT: I forgot to mention, the folders' permissions belong to the "__USERS__" group on the server, not just when they show up on the clients.
« Last Edit: March 20, 2012, 04:14:43 pm by biyover »

biyover

Re: ldap, nfs4 shares and permissions
« Reply #1 on: March 20, 2012, 05:30:45 pm »
I seem to have moved forward a little.

Using an external editor for LDAP, I have changed the primary group for a couple of users and chowned their home folders to the same group. It shows up on the shares. I haven't tested actual permissions yet, but it should work.

Now... 1st, why on earth do the folders get set this way? And 2nd, how would I go about changing the users/folders that I already have set up (not many, but still...)? I'm guessing a script, but that's a bit out of my range at the moment. Not only would it have to set the new primary group in the LDAP file, but also change the owner of the home folder!!!

biyover

Re: ldap, nfs4 shares and permissions
« Reply #2 on: March 22, 2012, 06:46:17 pm »
Anyone have any info on the "__Users__" group thing?

Ohh... and I see that if I drop LDAP for NIS, I will lose functionality in other modules, most significantly the HTTP proxy (Squid) :-(

ichat

Re: ldap, nfs4 shares and permissions
« Reply #3 on: March 23, 2012, 09:24:31 am »
biyover

I'm sorry to have to ask this, but did you even read the manual?

Just a few 'things' about Zentyal...

It uses LDAP for its user management; changing to NIS would be going away from Zentyal and using Ubuntu instead, maybe with Webmin for example.
Mind you: Zentyal is NOT a software tool, but a software solution consisting of a set of tools. It's not like Webmin, where you can mix it with just about anything and have to make it work yourself afterwards.

Zentyal uses ACLs for controlling access to shares. Did you try to change permissions (even from the GUI)? I had no problem with Samba (yes, I use Samba with Linux clients since NFS is not (yet) supported with Zentyal).

Other than that, you could also just mount a user's home directory rather than the entire /home.

Also, if you check the roadmap for Zentyal 3 you'll notice it will support Kerberos, so all the work spent now may be obsolete in a few months from now...


All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

biyover

Re: ldap, nfs4 shares and permissions
« Reply #4 on: March 23, 2012, 01:13:11 pm »
Yes, I have read the manual extensively, iChat, and I'm very well aware of how (the idea, that is, not the implementation) Zentyal manages users.

If you read my initial post, I am using my Zentyal install to serve "fat clients", so, unless you know of a way to use a Samba share as root, then I would be most grateful for the info.

As I have yet to find anyone with this setup, I have been using the usual nfs-root-nfs-boot method. Not to mention that all of the server clients are Linux machines, so why would I go with Samba?

As a side note, I haven't seen anything in the documentation about ALL the users being part of the "__Users__" group. I think I get the idea: group most non-local (from the server's point of view) users like this and append them to other specific groups. It's just that it does not seem to mix well with NFS shares.

Also, I understand the principal function of Zentyal, but as a community offering/effort, I believe that every Zentyal user is free to try and adapt their install to their circumstances. If I get it to work how I like and need, then great. If not, I will keep trying or set up something myself.

christian

Re: ldap, nfs4 shares and permissions
« Reply #5 on: March 23, 2012, 02:49:34 pm »
As a Zentyal component, LDAP is primarily used to manage Zentyal users, meaning users accessing Zentyal services (like HTTP proxy, mail...).
Second point worth adding here: I suppose because of the large Microsoft deployment all over the world, Zentyal targets such clients a bit more (when the client OS matters, i.e. Samba to replace a Windows domain, Zarafa to emulate Exchange).

Efforts toward the "full Linux" world are maybe seen with lower priority (well, this is my own personal opinion ;) )

So what? Does it mean you have to give up??? No ;)
If I understand well what you are trying to achieve, this can be done with NSS_LDAP and PAM_LDAP enabled client side.
PAM_LDAP, I believe you did already, because you already authenticate against the Zentyal LDAP server.
NSS_LDAP is the right way to go instead of NIS ::)
You have to configure, client side, NSS so that users and groups are read from LDAP.

What the Zentyal web interface will not provide (but you already found how to manually modify LDAP content) is the capability to customize LDAP entries.
Another aspect that may not be obvious is the RFC2307 (non-bis) implementation. An easy NSS_LDAP implementation assumes that groups contain members (made of DNs), while the current Zentyal implementation is based on memberUid :-[

That said (trying to make this post not too long and boring), PAM and NSS LDAP is the right way to go; this is feasible but not out-of-the-box if you target a state-of-the-art (RFC2307bis) design.

biyover

Re: ldap, nfs4 shares and permissions
« Reply #6 on: March 23, 2012, 03:22:57 pm »
Great! Although I think I had this running already, I'm having difficulties tracking error messages. Thanks for the info anyway.

At the moment I have switched to NFS v3 (I didn't find any great advantage in v4, if you don't consider authentication, which at the moment I don't need). One great disadvantage of v3, though, is that if you have a good firewall setup you must pin down ALL the related services, i.e. lockd, portmap, etc. A bit tricky finding out how to do it, I might add.

The authentication part seems to be working ok (no apparent errors yet), and the NFS mounts too.

I'm in a bit of a mess at the moment; there are several issues going on. Some might be related, others not, so I'm trying to isolate them and go one at a time.

christian

Re: ldap, nfs4 shares and permissions
« Reply #7 on: March 23, 2012, 03:45:41 pm »
Well, authentication works well because this is not LDAP dependent, if I can say so ;D I mean that once PAM_LDAP is enabled, then authenticating against LDAP works.
NSS is a bit trickier because it really depends on the schema on the LDAP side.

mgiammarco

Re: ldap, nfs4 shares and permissions
« Reply #8 on: January 18, 2013, 11:41:42 am »
> Anyone have any info on the "__Users__" group thing?
>
> Ohh... and I see that if I drop LDAP for NIS, I will lose functionality in other modules, most significantly the HTTP proxy (Squid) :-(

You are looking at Unix permissions. And in this case they are not useful, because to support Samba Zentyal must use "extended ACLs", which are supported by the ext4 filesystem. But you can modify them only with getfacl and setfacl.
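As an added example (not code from the thread, from Zentyal, or from any of the posters), the script below does the job Reply #1 asks about and uses the POSIX ACL mechanism Reply #8 points at: every home under a root loses group and other access, so members of a shared primary group such as __USERS__ can no longer look into each other's folders, while an optional staff group (the name "teachers" is a hypothetical placeholder) keeps read access through a named-group ACL rather than through the Unix group bits. It assumes GNU coreutils, that each home directory is named after its user, and, for the ownership step, that it runs as root and a per-user group of the same name already exists in LDAP.

```shell
#!/bin/sh
# Added example: restrict NFS-exported home directories whose Unix group is a
# shared LDAP group (e.g. __USERS__). Not part of Zentyal.

# Lock down one home directory. Arguments: path, optional staff group name.
lockdown_home() {
    home="$1"
    staff_group="${2:-}"          # hypothetical, e.g. "teachers"
    user=$(basename "$home")      # assumption: directory name == login name

    # Owner keeps full access; group and others lose everything (0700).
    chmod 0700 "$home" || return 1

    # Ownership step from Reply #1: only possible as root, and only if a
    # per-user group with the same name exists in LDAP. Skipped otherwise.
    if [ "$(id -u)" = "0" ]; then
        chown "$user:$user" "$home" 2>/dev/null || true
    fi

    # Extended ACL (getfacl/setfacl, as in Reply #8): let a staff group
    # read and traverse without widening the group bits for everyone.
    if [ -n "$staff_group" ] && command -v setfacl >/dev/null 2>&1; then
        setfacl -m "g:${staff_group}:rx" "$home" 2>/dev/null || true
    fi
    return 0
}

# Apply lockdown_home to every directory under a root; prints the count.
lockdown_all() {
    root="$1"
    staff_group="${2:-}"
    count=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        lockdown_home "${d%/}" "$staff_group" && count=$((count + 1))
    done
    echo "$count"
}

# Octal mode of a directory, for checking the result (GNU stat).
home_mode() {
    stat -c '%a' "$1"
}
```

Run it against a constructed tree first (e.g. a copy of /home under a scratch directory) and compare `getfacl` output before and after, since the ACL step is silently skipped where setfacl or ACL support is absent.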