Files, ACL, security
getfacl file1 # read permissions
setfacl -m u:andy:rw file1 # -m = modify: give (a secondary user) named andy read/write access to file1
setfacl -m g:admin:rw file1 # g for secondary group, here a group named admin, get rw access
setfacl -x u:andy file1 # -x = remove permissions
directory can have default acl set so that all files within it will inherit such acl automatically. use "d" to specify it as default settings. eg
setfacl -m d:g:admin:rw dir1
So, not only DOS has attributes for files! Linux does too! It is another layer over what chmod provides!
These attributes are supported starting from ext2.
getattr /path/to/file # list file attributes
chattr =i /path/to/file # change, ie set, file attributes to immutable
sudo chattr -i /path/to/file # only CAP_LINUX_IMMUTABLE user can remove the immutable flag!
select the new attributes for the files:
append only (a),
no dump (d),
extent format (e),
data journalling (j),
secure deletion (s),
no tail-merging (t),
no atime updates (A),
synchronous directory updates (D),
synchronous updates (S),
top of directory hierarchy (T).
The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr:
huge file (h),
compression error (E),
indexed directory (I),
compression raw access (X),
compressed dirty file (Z).
# this file will contain all commands in relation to filesystem manipulations.
# eg mount, fsck, etc.
# some originally from cmd.admin.ref
# need to do some clean up and splitting...
amq show currently automounted drv (from amd suit)
mount show mouted partitions (root mount new ones too)
mount -t nfs server:/path /mnt/point #linux
mount -F nfs server:/path /mnt/point #solaris
mount -o remount,suid /mnt/point # "remount" a fs, so as to set new mount options
# should be able to remount ro fs as rw
/etc/dfs/dfstab Solaris, eg:
share -F nfs -o ro -d "tin-sun /mnt/cdrom" /mnt/cdrom
share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/cdrom0
#share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/sol_10_305_sparc # don't work for OS cd
share -F nfs -o ro -d "tin-sun vold /cdrom s0" /cdrom/sol_10_305_sparc/s0 # need to export each slide separately
share -F nfs -o ro -d "tin-sun vold /cdrom s1" /cdrom/sol_10_305_sparc/s1 # as they are mounted separately.
mount -F servername:/exportName /mount/point
cdrom : hsfs /dev/rdsk/c0t6d0s0 /cdrom
dos : pcfs
If not using vold to manage cdrom, add entry like this to the vfstab:
/dev/dsk/c0t6d0s0 - /mnt/cdrom hsfs - no -
showmount -e : display the devices shared by a remote host that can be mounted
showmount -a : list remote system that has mounted a export
solaris loopback fs, sample entry in vfstab, as per man page on mount:
/export/test - /opt/test lofs - yes -
removable media management - vold
in sol up to 9, vold is very buggy, and tend to cause problem,
especially after hitting eject button on cdrom drive w/o using soft "eject cdrom"
if it goes bad, stop,start don't seems to help. need reboot.
in sol 10, seems to be better, at least volmgt stop,start clear things up.
sol 10 handles usb dev mounting pretty good.
mounting them correctly and showing icon on desktop.
Files can be access in /rmdisk/...
- usb floppy drive from apple
- usb cd/dvd/burner from iomega
- usb memory storage (lexar jumpdrive)
usb devices are hot plug detected by kernel since solaris (8?).
usb hard drive should work since solaris 8.
see gmail ref for more info.
/dev/usb/... is driver, and sym link created into /dev/[r]dsk/
though somehow format did not see the disk.
other vold paths:
/vol/... (/vol/dev/[r]dsk, /vol/dsk, ...)
some maybe used as raw path for floppy dd when vold is running.
mount -t vfat -o loop=/dev/loop0 /tmp/floppy.dd.img /mnt/loopbackmount
: use loopback to mount a dd-ed image of a dos floppy, fully writable.
mount -t iso9660 -o loop,ro /tmp/cdrom.dd.img /mnt/loopbackmount
: same as above, mounting imaged created from cdrom
# NFS export cannot see loopback devices (at least in linux, solaris)
# and loopback from a file based off NFS won't work either
# Typically, supports only 8 loopback "devices" unless edit loop.c and recompile kernel
dd if=/dev/cdrom of=/tmp/cdrom.dd.img : create dd image out of cdrom, using raw dev.
mount -t smbfs -o username=tin,password=foobar //n2k/c$ /mnt/n2k/c$ (trying in rh7.1 jaba)
mount -t smbfs -o 'username=administrator,password=bar,workgroup=ntdom2' //10.0.71.231/cifs /mnt/smbfs
fuser : which user holding up what file, useful when mounting, etc
fuser -cu : -cu show user and resolved user name using a particular mount point
mount -t ...
cdrom is iso9660
Making ext2 floppy
create primarty partition of type Linux (ext2)
mount -t ext2 /dev/fd0 /mnt/floppy
or mount /mnt/floppy (auto determine fs type should work).
linux sample /etc/fstab:
/dev/hda1 / ext2 defaults 1 1
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/hda6 /var ext2 defaults 1 2
/dev/hda7 /work ext2 defaults 1 2
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/hda5 swap swap defaults 0 0
# external mounts
//10.0.1.245/c$ /mnt/tin-nt/c$ smbfs noauto,username=tin 0 0
192.168.71.30:/ /mnt/test nfs noauto 1 1
#/tmp/diag.floppy.dd /mnt/loopbackmount vfat user,exec,noauto,loop=/dev/loop0
/tmp/diag.ext2.dd /mnt/loopbackmount ext2 user,exec,noauto,loop=/dev/loop0,ro
/img/rhel-3-cd1.iso /mnt/rhel-3-cd1 iso9660 loop,ro # cd iso img from rhn ftp
# mount option user will default to noexec
# sometime loopback mount will complain with strange message if image is not on a local fs
linux sample /etc/exports:
# Either use
# (1) space delimit multiple machines of the same export dir
# each machine options must be given immediately,
# colon (or comma) CANNOT be used to group multiple machines with same option as in Solaris
# (2) each machine has its own line, with mount point repeated.
# Then run exportfs -a to export everything
# (eg 1)
/mnt/usbdrv tin-sun(rw,no_root_squash,async) chong-sun(rw,no_root_squash,async)
# (eg 2)
# be very careful about NOT to have a space after hostname.
# tin-sun (rw)
# would mean tin-sun has default option
# and all hosts (*) would have (rw) !!
# other export options
# all_squash means everyone will get remapped, in this case to UID=0, GID=0. but could be mapped to other UID...
### smb.conf and related stuff
security = domain,
smbpasswd -j ntdom1 -r '10.0.72.15' -UAdministrator%password
USB hard drive on linux.
Hot plug ok.
Tested on RH AS 3.0 (ges-dfm).
Typically made available as /dev/sda1.
doc found by peter, fwd by emily about basic of cifs file operation.
cifs common internet file system
used by windows, and also has stuff like network browsing,
print services, authentication (NT). aka smb
Commonly a layer 7/6 (app/presentation) protocol, and usually
run over NTB.
smb server message block
samba unix open source implementation of some of cifs.
NTB NetBIOS over TCP
NetBEUI NetBIOS Enhanced User Interface (NetBios + precursor of CIFS)
SNIA Storage Network Industry Association
Coming up with CIFS 1.0 protocol w/ IETF.
Subset of current M$ CIFS, try to document it better,
and maintain for future.
WINS M$ refer this as the NetBIOS name server implementation.
Same function of DNS, but implemented totally differently.
Use lot of broadcast!
Run over NetBIOS (on top of whatever network protocol).
Linux fstab eg
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
/dev/emcpowerc /mnt/emcpowerc ext3 defaults 0 0
nfsserver:/unixhome /nfshome nfs rw,soft,intr,tcp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0 # cambridge eg
nfsserver:/unixhome /nfshome nfs bg,rw,hard,intr,udp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0
agami01:/export/agami /nfsbackup/agami nfs rw,nfsvers=3,rsize=32768,wsize=32768,tcp,intr,soft # RHEL 4.5
/net/pollo/local/LINUX/SUSE/SUSE-10.0-CD-i386-GM-CD1.iso /mnt/loopback/SUSE-10.0-CD-i386-GM-CD1 iso9660 loop,ro,noauto
/export/repo/iso/RHEL4-U5-i386-WS-disc1.iso /mnt/loopback/RHEL4-U5-i386-WS-disc1 iso9660 loop,ro,noauto
Solaris vfstab eg
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
fd - /dev/fd fd - no -
/proc - /proc proc - no -
/dev/md/dsk/d10 /dev/md/rdsk/d10 / ufs 1 no logging
/dev/md/dsk/d20 - - swap - no logging
swap - /tmp tmpfs - yes -
nfsserver:/unixhome - /nfshome nfs 2 yes rw,vers=3,rsize=32768,wsize=32768,proto=tcp,intr,soft
Sync write persistence
Distributed file locking
* Stateful (!) personality
- Not same kind of statefulness as CIFS
- session is at app layer, not TCP layer.
- locks state are in controller memory, not persistent. Client can re-check on lock and ensure no disruption during HA event.
* UDP no longer supported
* GSS-API: Generic Security Services API (RPCSEC_GSS)
- LIPPKEY - Low Infrastructure Public Key Mechanism
- Simple PUblic Key Mechanism (SPKM-3)
* Kerberos 5
- Symetric key
- Encrypted tickets and sesions keys from KDC
- Unix use MIT
- Windows use 2008R2 AD
- Support for Kerberos attribute is REQUIRED on client and server,
but run time can opt to leave this blank;
whence Kerberos is not a must to have NFSv4 client talkign to NFSv4 server.
* ACL is much closer and interoperable with CIFS
- based on NTFS model
- array of ACE (Access Control Entries)
- support allowed and denied permissions, flags
- UID/GID are string based (eg user@domain) instead of 32-bit integers used in NFSv3. (!!)
+ vserver nfs show -vserver nas1 -fields v4-numeric-ids :
make netapp respond with numeric UID for client that cannot understand string,
this would generally make things easier (eg for transition period) [TR-4072 page 46]
- NFSv4 ACL, no support for POSIX ACL (migration from 3rd party must manually set NFSv4 ACL)
- nfs4_setfacl -e
* At least on netapp OnTap 9.x
- traditional bits permisisons seems to be kept in parallel to NFSv4 ACL on the file object
- chmod in NFSv3 by default will change NFSv4 ACL, unless such trigger is set not to happen
* Pseudo FS (in dedicated namespace)
- entry point at /
- junction path
* Client need /etc/idmapd.conf
- if not set, use `domainname`
- TR-4067: Clustered Data ONTAP NFS Implementation and Best Practice Guide(2017.07). Page 81 discuss about NFSv4.1 and numeric id (instead of default string-based id)
- TR-4073 (2017) - NFSv4.x LDAP, etc security mappings.
- TR-3580: NetApp NFSv4 Best Practices Guide(2016.02)
[cache] - covers more details and background of NFSv3 vs NFSv4, ACL, etc.
- Can operate without a Domain/Kerberos server. set NEED_SVCGSSD=no, and NFSv4 can rely on client side authentication as in NFSv3, albeit this isn't all that secure.
- Use with Kerberos (MIT or Heimdal) + KDC (Key Distribution Center) provides much better security.
- NFS exports works differently. On the server side, it has a root export where everything else falls under.
- Typically default to proto=tcp,port=2049
- /etc/idmapd.cfg, nfsidmap, map user with different UID b/w NFSv4 server and client.
- http://www.enterprisenetworkingplanet.com/netos/article.php/3644471/Implement-NFSv4-Domains-and-Authentication.htm (from 2006!):
- NFSv4 introduce concept of Domain. Many would rely on DNS domain for client and server to match. Solaris allow for setting an explicit NFS domain.
- In addition to UID/GID needing to batch b/w client and server, Domain must match as well.
- Could use DNS RR or TXT record to specify domain.
- Eisler's NFS blog describe how to use Active Directory with NFSv4. From 2005! Long solved problem, how many use it?
samba 3 uses NT domain logins to serve account information, and
samba 4 is compatible with active directory.
samba 2 use smbpasswd. samba 3 use pdbedit (and no more smbpasswd?)
smbpasswd -j -r -Uuser%password
then start samba.
nmblookup -U -R
samba 3.0 use the "net" command:
net [method] [-d dbgLevelNum] join member -Uadministrator%password -S tileg-bdc1
member = add host as member host (not as pdc/bdc)
-S = target (window) server to use
[method] can be blank, it will auto detect
ads = XP style
rpc = nt4 style
ads = win95 style ?
-d 0-10 specify debug level info (spill to console), 0=none, 5=a lot, 10=unreadable. Try 3.
check whether domain participation is still valid
# no longer avail???
strace -o /tmp/output smbpasswd ...
to see what file it opens, has tendendy to open wrong smb.conf
list all doamin user
check that smb.conf is correct.
smbclient //10.0.71.231/cifs -W ntdom1 -Uadministrator%password
ftp like client to connect to nt-style share
smbclient -L 10.0.71.231 -N
list shares available from the given server
-N = force no ask password
update 2004/06/23, for samba 3.0, in tileg/hybridauto
create /usr/local/samba/lib/smb.conf file (see eg here for core elements).
add member host in PDC via server manager.
net join -Uadmin -S PDC-server # for security=server
sbin/smbd -D -s lib/smb.conf
# parameters are really default, but just in case samba have its own mind.
# show version
If using security=user, then may need to use smbpasswd -a to add user
Although it seems to authenticate via NIS if no smbpasswd entry.
quick and dirty config w/o domain fuss,
in smb.conf, set to use user level security mode (ie local list of samba user) :
security = user
add users to smbpasswd file as (user must be recognized os level user):
smbpasswd -a USERNAME
change existing user password:
Samba 3 use pdbedit.
pdbedit -L -v # list samba users, verbose
# samba local db stored in /var/lib/samba/private/private.tdb
location specified by smb.conf, typically /usr/local/samba/var
log.IP = NetBIOS ip to name resolution log, per each client machine connecting to the server.
log.HOSTNAME = smbd log for each connecting client after netbios name resolution.
log.nmbd = nmbd server process/status log
log.smbd = smbd server process/status log. level determined by smb.conf
; Wcry-like exploit
; security fix as per http://thehackernews.com/2017/05/samba-rce-exploit.html?m=1
nt pipe support = no
# log level = 3 passdb:5 auth:10 winbind:2
# log level = 0 (default)
log level = 2
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = TILEG # NT4
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
#security = user # user = local passwd/smbpasswd file
security = server # need to join machine to nt domain
#security = domain # probably never used this.
# whether to use encrypted password
#encrypt passwords = yes # default = yes
#encrypt passwords = no
load printers = yes
log file = /usr/local/samba/var/log.%m
password server = tileg-bdc1
# this was needed as somehow my machine could not determin
# who was PDC, probably no broadcast on this vlan.
wins support = no
wins server = 10.215.2.21
# set it so that samba is not wins server,
# and have it use wins on BRIO-BDC1
# otherwise, lot of browse by \\hostname will get bad
# unresolvable hostname :(
socket options = TCP_NODELAY
dns proxy = no
#============================ Share Definitions ==============================
### custom settings here
comment = test dir
browsable = yes
read only = no
create mode = 755
path = /export/tmp/test
user = tho
#============================ Share Definitions ==============================
### this and other were smb.conf.default settings.
comment = Home Directories
browseable = no
writable = yes
in smb.conf, there is a clause like
username map = /etc/samba/smbusers
which by default is
nobody=guest pcguest smbg
This file can be updated to map user whose login name differ between unix and windows.
SID to UID/GID mapping
the ID numbers is what the computer use.
winbind has to provide unix UID/GID numbers. If a username is not resolvable to unix UID number, it will generate a number and use it.
The number generated is in a range defined in smb.conf.
This number is stored in "idmap" and there is a "net idmap" command to do dump and restore (edit is by hand edit this file and reimport?).
pdbedit is the samba user database. User of samba need to have account added here.
The UID number assigned here may differ from what winbind (wbinfo) may return.
OS calls such as getent and id would honor the UID# assigned in pdbedit (when winbind is used in nsswitch.conf).
Not sure what order of precedence wbinfo works on.
It does "do the right thing" in that id would look at places where one can manipulate UID# using pdbedit (?)
pdbedit — manage the SAM database (Database of Samba Users)
pdbedit entry can overwrite UID# winbindd returns
getent passwd USERNAME will return UID# specified in pdbedit (nsswitch.conf passwd use "files winbind")
pdbedit -L -w -d0 # -L = list all entries (ie a dump).
# -w = smbpasswd format
# -d0= debug level 0 (may still get warning messages in output)
pdbedit -a sn # add user sn. user must exist as unix (passwd) or windows (AD) user.
pdbedit -x -u sn # deleting a user that has a uid randomly assigned
# and readding it after it exist in passwd
# may set it to have the right UID#
wbinfo # query winbind for info
wbinfo -u | wc # list all --domain-users
wbinfo -n ateran # --name-to-sid
wbinfo --user-sidinfo SID # return passwd-like string with UID# for a given SID
wbinfo -S S-1-5-21-1224182940-43089146-691797619-2275 # --sid-to-uid eg: 781
wbinfo -s S-1-5-21-1224182940-43089146-691797619-4805 # --sid-to-name
wbinfo --sid-to-fullname SID # conver to DOMAIN\username
wbinfo --user-sids SID # list group SID a given SID belongs to
wbinfo --user-domgroups SID # list domaingroup a given SID belongs to
wbinfo --sid-aliases S-1-5-21-1224182940-43089146-691797619-2275 # sid has aliases!!
wbinfo -i bofh # login to uid#
wbinfo -r bofh # get unix secondary gid for named user
wbinfo --uid-info 781 # return passwd-like string for given uid#
samba doc on wbinfo
winbindd perform SID to UID# mapping.
info stored in a db.
NAME AND ID RESOLUTION section of winbindd samba doc
UID# are often generated for user w/o unix passwd entry. Thus, if have multiple machine running winbindd, would be good to
setup cronjob to keep the winbid db in sync (idmap)
net cache flush
idmap does mapping between SID and UID#/GID#.
When the file is dumped, it can be (carefully) edited and (re)-imported (by different hosts).
# syncing IDs between different winbind machines
net idmap dump /var/lib/samba/winbindd_idmap.tdb > dumpfile.txt
net idmap restore /var/lib/samba/winbindd_idmap.tdb < dumpfile.txt
net idmap dump winbindd_idmap.tdb > /dev/null 2>&1 | ssh slave.samba.net 'net idmap restore' > /dev/null 2>&1
Samba3 :: Chapter 12. Remote and Local Management: The Net Command :: Managing IDMAP UID/SID Mappings (at the end)
wbinfo -m # list --trusted-domains
wbinfo --own-domain # what domain this smb server is on
wbinfo -p # --ping winbindd to ensure connection still good
wbinfo -P # --ping-dc to ensure connection still good
wbinfo -t # --check-secret of workstation to AD still good
# ie determine if secret used to join ntdomain is still good (security=server)
To interact with AD, the DOS net commands are available.
net rpc info
the net idmap command operates locally and is covered in the UID to SID mapping section above