Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-12-27 09:59:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/slackbook/html/network-configuration-nfs.html
Patrick J Volkerding 75a4a592e5 Slackware 13.37 
Mon Apr 25 13:37:00 UTC 2011
Slackware 13.37 x86_64 stable is released!

Thanks to everyone who pitched in on this release: the Slackware team,
the folks producing upstream code, and linuxquestions.org for providing
a great forum for collaboration and testing.

The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD.  Please consider supporting the Slackware
project by picking up a copy from store.slackware.com.  We're taking
pre-orders now, and offer a discount if you sign up for a subscription.

As always, thanks to the Slackware community for testing, suggestions,
and feedback.  :-)

Have fun!
2018-05-31 22:45:18 +02:00

308 lines
13 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Network File Systems</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Network Configuration" href="network-configuration.html" />
<link rel="PREVIOUS" title="Wireless" href="network-configuration-wireless.html" />
<link rel="NEXT" title="X Configuration" href="x-window-system.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a
href="network-configuration-wireless.html" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 5 Network Configuration</td>
<td width="10%" align="right" valign="bottom"><a href="x-window-system.html"
accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-CONFIGURATION-NFS" name="NETWORK-CONFIGURATION-NFS">5.6
Network File Systems</a></h1>
<p>At this point, you should have a working TCP/IP connection to your network. You should
be able to ping other computers on your internal network and, if you have configured an
appropriate gateway, you should also be able to ping computers on the Internet itself. As
we know, the whole point in bringing a computer onto a network is to access information.
While some people might bring a computer up on a network just for the fun of it, most
people wish to be able to share files and printers. They wish to be able to access
documents on the Internet or play an online game. Having TCP/IP installed and functional
on your new Slackware system is a means to that end, but with just TCP/IP installed,
functionality will be very rudimentary. To share files, we will have to transfer them
back and forth using either FTP or SCP. We cannot browse files on our new Slackware
computer from the Network Neighborhood or My Network Places icons on Windows computers.
We'd like to be able to access files on other Unix machines seamlessly.</p>
<p>Ideally, we'd like to be able to use a <span class="emphasis"><i
class="EMPHASIS">network file system</i></span> to allow us transparent access to our
files on other computers. The programs that we use to interact with information stored on
our computers really do not need to know on what computer a given file is stored; they
just need to know that it exists and how to get to it. It is then the responsibility of
the operating system to manage access to that file through the available file systems and
network file systems. The two most commonly used network file systems are SMB (as
implemented by Samba) and NFS.</p>
<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-CONFIGURATION-NSF-SMB"
name="NETWORK-CONFIGURATION-NSF-SMB">5.6.1 SMB/Samba/CIFS</a></h2>
<p>SMB (for Server Message Block) is a descendant of the older NetBIOS protocol that was
initially used by IBM in their LAN Manager product. Microsoft has always been fairly
interested in NetBIOS and it's successors (NetBEUI, SMB and CIFS). The Samba project has
existed since 1991, when it was originally written to link an IBM PC running NetBIOS with
a Unix server. These days, SMB is the preferred method for sharing file and print
services over a network for virtually the entire civilized world because Windows supports
it.</p>
<p>Samba's configuration file is <tt class="FILENAME">/etc/samba/smb.conf</tt>; one of
the most well commented and documented configuration files you will find anywhere. Sample
shares have been setup for you to view and modify for your needs. If you need even
tighter control the man page for smb.conf is indispensable. Since Samba is documented so
well in the places I've mentioned above, we will not rewrite the documentation here. We
will, however, quickly cover the basics.</p>
<p><tt class="FILENAME">smb.conf</tt> is broken down into multiple sections: one section
per share, and a global section for setting options that are to be used everywhere. Some
options are only valid in the global section; some are only valid outside the global
section. Remember that the global section can be over-ridden by any other section. Refer
to the man pages for more information.</p>
<p>You will most likely wish to edit your <tt class="FILENAME">smb.conf</tt> file to
reflect the network settings in your LAN. I would suggest modifying the items listed
below:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = MYGROUP
</pre>
</td>
</tr>
</table>
<p>Change the workgroup name to reflect the workgroup or domain name that you are using
locally.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# server string is the equivalent of the NT Description field
server string = Samba Server
</pre>
</td>
</tr>
</table>
<p>This will be the name of your Slackware computer displayed in the Network Neighborhood
(or My Network Places) folder.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# Security mode. Most people will want user level security. See
# security_level.txt for details. NOTE: To get the behaviour of
# Samba-1.9.18, you'll need to use "security = share".
security = user
</pre>
</td>
</tr>
</table>
<p>You'll almost certainly wish to implement user level security on your Slackware
system.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba
# documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
</pre>
</td>
</tr>
</table>
<p>If encrypt passwords is not enabled, you will not be able to use Samba with NT4.0,
Win2k, WinXP, and Win2003. Earlier Windows operating systems did not require encryption
to share files.</p>
<p>SMB is an authenticated protocol, meaning you must supply a correct username and
password in order to use this service. We tell the samba server what usernames and
passwords are valid with the <tt class="COMMAND">smbpasswd</tt> command. <tt
class="COMMAND">smbpasswd</tt> takes a couple of common switches to tell it to either add
traditional users, or add machine users (SMB requires that you add the computers' NETBIOS
names as machine users, restricting what computers one can authenticate from).</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
Adding a user to the <tt class="FILENAME">/etc/samba/private/smbpasswd</tt> file.
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">smbpasswd -a user</kbd>
Adding a machine name to the /etc/samba/private/smbpasswd file.
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">smbpasswd -a -m machine</kbd>
</pre>
</td>
</tr>
</table>
<p>It's important to note that a given username or machine name must already exist in the
<tt class="FILENAME">/etc/passwd</tt> file. You can accomplish this simply with the <tt
class="COMMAND">adduser</tt> command. Note that when using the <tt
class="COMMAND">adduser</tt> command to add a machine name one must append a dollar sign
(&#8220;<var class="LITERAL">$</var>&#8221;) to the machine name. This should <span
class="emphasis"><i class="EMPHASIS">not</i></span> however, be done with <tt
class="COMMAND">smbpasswd</tt>. <tt class="COMMAND">smbpasswd</tt> appends the dollar
sign on its own. Failing to mangle the machine name this way with <tt
class="COMMAND">adduser</tt> will result in an error when adding the machine name to
samba.</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">adduser machine$</kbd>
</pre>
</td>
</tr>
</table>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="NETWORK-CONFIGURATION-NFS-NFS"
name="NETWORK-CONFIGURATION-NFS-NFS">5.6.2 Network File System (NFS)</a></h2>
<p>NFS (or Network File System) was originally written by Sun for their Solaris
implementation of Unix. While it is significantly easier to get up and running when
compared to SMB, it is also significantly less secure. The primary insecurity in NFS is
that it is easy to spoof user and group id's from one machine to another. NFS is an
unauthenticated protocol. Future versions of the NFS protocol are being devised that
enhance security, but these are not common at the time of this writing.</p>
<p>NFS configuration is governed by the <tt class="FILENAME">/etc/exports</tt> file. When
you load the default <tt class="FILENAME">/etc/exports</tt> file into an editor, you'll
see a blank file with a two line comment on top. We'll need to add a line to the exports
file for each directory that we wish to export, with a listing of client workstations
that will be allowed to access that file. For instance, if we wished to export directory
<tt class="FILENAME">/home/foo</tt> to workstation Bar, we would simply add the line:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
/home/foo Bar(rw)
</pre>
</td>
</tr>
</table>
<p>to our <tt class="FILENAME">/etc/exports</tt>. Below, you'll find the example from the
man page for the <tt class="FILENAME">exports</tt> file:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# sample /etc/exports file
/ master(rw) trusty(rw,no_root_squash)
/projects proj*.local.domain(rw)
/usr *.local.domain(ro) @trusted(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
</pre>
</td>
</tr>
</table>
<p>As you can see, there are various options available, but most should be fairly clear
from this example.</p>
<p>NFS works under the assumption that a given user on one machine in a network has the
same user ID on all machines across the network. When an attempt is made to read or write
from a NFS client to an NFS server, a UID is passed as part of the read/write request.
This UID is treated the same as if the read/write request originated on the local
machine. As you can see, if one could arbitrarily specify a given UID when accessing
resources on a remote system, Bad Things (tm) could and would happen. As a partial hedge
against this, each directory is mounted with the <var class="OPTION">root_squash</var>
option. This maps the UID for any user claiming to be root to a different UID, thus
preventing root access to the files or folders in the exported directory. <var
class="OPTION">root_squash</var> seems to be enabled by default as a security measure,
but the authors recommend specifying it anyway in your <tt
class="FILENAME">/etc/exports</tt> file.</p>
<p>You can also export a directory directly from the command line on the server by using
the <tt class="COMMAND">exportfs</tt> command as follows:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">exportfs -o rw,no_root_squash Bar:/home/foo</kbd>
</pre>
</td>
</tr>
</table>
<p>This line exports the <tt class="FILENAME">/home/foo</tt> directory to the computer
&#8220;<tt class="HOSTID">Bar</tt>&#8221; and grants <tt class="HOSTID">Bar</tt>
read/write access. Additionally, the NFS server will not invoke <var
class="OPTION">root_squash</var>, which means any user on Bar with a UID of
&#8220;0&#8221; (root's UID) will have the same privileges as root on the server. The
syntax does look strange (usually when a directory is specified in <var
class="LITERAL">computer:/directory/file</var> syntax, you are referring to a file in a
directory on a given computer).</p>
<p>You'll find more information on the man page for the exports file.</p>
</div>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-configuration-wireless.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="x-window-system.html"
accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">Wireless</td>
<td width="34%" align="center" valign="top"><a href="network-configuration.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">X Configuration</td>
</tr>
</table>
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink