Author Topic: file system permissions and the __USERS__ group [SOLVED]  (Read 3364 times)

c4

file system permissions and the __USERS__ group [SOLVED]
« on: February 02, 2012, 03:08:18 pm »
Hello!

could someone please enlighten me on the __USERS__ group?

scenario:
installed zentyal server
tested everything and works just fine (thank you developers for the masterpiece :)
took the harddisk with all my shared folders on it out of my old fileserver and put it into the zentyal machine
mounted the harddisk via fstab to /media. the entry looks like this:    /dev/sdb1 /media/2TB ext4 errors=remount-ro,usrquota,grpquota,acl  0 1
chowned everything to the admin user (the one you have to choose during installation): chown -R c4:users /media/2TB

is this the way to do it?
when i create a share in the web interface it always belongs to ebox:__USERS__
should i do the same and chown everything to ebox:__USERS__?
why is the __USERS__ group not listed in /etc/group? is there something special to it?
« Last Edit: February 03, 2012, 12:56:41 am by c4 »

christian

  • Guest
Re: file system permissions and the __USERS__ group
« Reply #1 on: February 02, 2012, 04:28:24 pm »
Quote
why is the __USERS__ group not listed in /etc/group? is there something special to it?

Just because this group is an LDAP group  8) like most users are, or at least should be, LDAP users instead of entries in /etc/passwd  ;)

c4

Re: file system permissions and the __USERS__ group
« Reply #2 on: February 02, 2012, 07:53:14 pm »
christian:
thanks for your reply.
I'm quite surprised. can files really belong to users that do not exist as linux users? wow, didn't know that.
ldap was never my friend. I'm so happy that zentyal takes care of it and i don't need to know any of it.
so should i chown the files then to the ldap user:group which needs to access them?

maybe you can answer another question. i can't find how to edit ldap settings. the dc=hostname,dc=domain stuff. my domain has changed and it still uses the old domain. how can i get rid of it? i even tried to edit ldap.conf manually. it always changes back.

christian

  • Guest
Re: file system permissions and the __USERS__ group
« Reply #3 on: February 02, 2012, 08:10:47 pm »
If LDAP is not your friend, I would (strongly  ::) ) suggest you do not try to manually edit its content  :o  Trust me  ;)
LDAP DIT doesn't matter that much, meaning even if your domain changed, changing your LDAP content is not 100% mandatory.
This said, would you need or want, for whatever reason, to change it, the easiest and safest way is to reinstall the "users & groups" Zentyal component. Well, if you have a lot of users or shared files or mailboxes, this can be tricky too.

One aspect you may have to understand: since a while, Unix/Linux relies on NSS in order to determine where to find various services. The most current source for this is "file" but this also could be "NIS" or "LDAP" and stacking multiple sources is feasible, reason why you can have users in both LDAP and /etc/passwd/.

c4

Re: file system permissions and the __USERS__ group
« Reply #4 on: February 03, 2012, 12:55:23 am »
christian:
thanks again, you're helping me very much.
it works! I chowned everything to admin:__USERS__ and permissions work as expected.

Quote
One aspect you may have to understand: since a while, Unix/Linux relies on NSS in order to determine where to find various services. The most current source for this is "file" but this also could be "NIS" or "LDAP" and stacking multiple sources is feasible, reason why you can have users in both LDAP and /etc/passwd/.

ok, i must have missed something there. can you recommend something to read up on that topic?
believe it or not, I'm not new to linux, using it over ten years by now. came from gentoo, was happy for many years with ubuntu (until they came up with gnome3, brrr), now on debian sid happy again, xfce was the cure for me. I'm a programmer and have some knowledge on networks.

christian

  • Guest
Re: file system permissions and the __USERS__ group [SOLVED]
« Reply #5 on: February 03, 2012, 07:51:54 am »
I fully share that gnome3....  :'( :'(  :-X

My previous comment was related to your point about this:
Quote
I'm quite surprised. can files really belong to users that do not exist as linux users? wow, didn't know that.

This is because with a default installation, NSS is configured to use "files" and therefore "/etc/passwd" and "/etc/groups".
My comment aimed at explaining that thanks to NSS, LDAP (like some years ago NIS) can be seen as "part of Linux" and therefore accounts defined in LDAP are seen almost as "local accounts" (kind of). Does it clarify the matter?

Thus I will recommend  8) that you have a look at NSS concept. I don't know where because I know it already thus don't have any useful link available but I'm sure Google or whatever search engine can help.

One additional point I would like to highlight here because this is often confusing for some Unix/Linux admins and leads to wrong implementation when it comes to integrated LDAP in Unix/Linux landscape: NSS aims at defining where and how to access containers for various services. It doesn't handle authentication. This point is covered thanks to PAM. One totally wrong approach would be not to use PAM_LDAP while accounts are stored in LDAP but to attempt to "read" the password attribute in LDAP as if it was stored in "/etc/shadow". Do not take me the wrong way: any other authentication mechanism could be used (kerberos, radius...) but do NOT "read" the LDAP password attribute  ::)

I hope this helps.
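
The NSS behaviour discussed in this thread, as an added example that is not part of the original posts: it reports whether a group name such as __USERS__ comes from /etc/group or from another source listed on the `group:` line of /etc/nsswitch.conf. The function names, the `lookup` parameter and the sample file contents are constructed for illustration.

```python
import grp
import re

# Constructed sample inputs, not copied from a real Zentyal host.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files [NOTFOUND=continue] ldap
shadow: files
"""
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
www-data:x:33:
"""

def parse_nsswitch(text):
    """Map each NSS database to its ordered list of source names."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep the sources.
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def local_groups(etc_group_text):
    """Names of the groups defined in the flat file."""
    lines = (l.strip() for l in etc_group_text.splitlines())
    return {l.split(":", 1)[0] for l in lines if l and not l.startswith("#")}

def classify_group(name, nsswitch_text, etc_group_text, lookup=grp.getgrnam):
    """Return 'files', 'nss:<other sources>' or 'unresolved' for a group name."""
    if name in local_groups(etc_group_text):
        return "files"
    try:
        lookup(name)  # the real lookup walks every source listed for 'group'
    except KeyError:
        return "unresolved"
    others = [s for s in parse_nsswitch(nsswitch_text).get("group", []) if s != "files"]
    return "nss:" + ",".join(others)

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as f, open("/etc/group") as g:
        conf, groups = f.read(), g.read()
    for name in ("users", "__USERS__"):
        print(name, "->", classify_group(name, conf, groups))
```

A group reported as `nss:ldap` can own files and be used with chown even though grepping /etc/group finds nothing, because the filesystem stores only the numeric gid and NSS supplies the name.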

thorsten

  • Guest
Re: file system permissions and the __USERS__ group [SOLVED]
« Reply #6 on: September 10, 2013, 10:51:23 am »
Hi

... I hope you can help me on the following idea / problem:

I installed owncloud and it utilizes the Zentyal LDAP user database as a backend for user management - this was quite simple and runs straightforward. Now, Owncloud allows to assign local directories to a specific user, but as Owncloud is a web based php application it requires the correct user right to read local files. My first idea was to add the user www-data to the zentyal group "__USERS__" but this group is not present on the system.

Do you have any idea how to circumvent this?

THX & Best regards
Thorsten