NFS4permissions: Difference between revisions

From MDWiki

Revision as of 02:13, 11 August 2009

NFS v4 Permissions

In NFS4, file permissions are based on a text user/owner name.

The NFS4 server converts the local file uid/gid numbers into names using the local password system. Files owned by root, and those for which no name can be determined, are given the owner "nobody" (configurable). The NFS server then appends a domain (configurable) so that the outgoing ownership is of the form "owner@domain".

The NFS4 client receives the files with ownership in the form "owner@domain" and must map that back to uid/gid numbers to enforce local Unix permissions. The NFS4 client requests the mapping from the server using the rpc.idmapd service. Thus the NFS4 server and client must have access to a common username database (LDAP etc).
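As an added illustration of the two-step mapping just described (example code written for this page, not taken from the wiki or from any NFS implementation): a small Python model of the server-side uid-to-"owner@domain" step and the client-side reverse lookup. The passwd tables, the uids and the nobody uid 60001 are constructed sample values; a missing name on the client or a domain mismatch shows the usual "everything is owned by nobody" symptom.

```python
"""Model of NFSv4 owner-name mapping (added example, not from the wiki page).
passwd tables, uids and the nobody uid are constructed sample data."""

NOBODY_NAME = "nobody"


def uid_to_owner(uid, passwd_db, domain, nobody=NOBODY_NAME):
    """Server side: turn a local uid into the wire form 'owner@domain'.
    Root (uid 0) and uids with no name are sent as the nobody owner,
    as the text above states."""
    name = passwd_db.get(uid)
    if uid == 0 or name is None:
        name = nobody
    return f"{name}@{domain}"


def owner_to_uid(owner, passwd_db, local_domain, nobody_uid):
    """Client side: map 'owner@domain' back to a uid with the client's own
    name database. An unknown name or a domain mismatch collapses to nobody."""
    name, sep, domain = owner.partition("@")
    if not sep or domain.lower() != local_domain.lower():
        return nobody_uid  # domain mismatch: classic 'all files show as nobody'
    by_name = {n: u for u, n in passwd_db.items()}
    return by_name.get(name, nobody_uid)


def round_trip(uid, server_db, client_db, server_domain, client_domain,
               nobody_uid=60001):
    """Simulate one file's ownership crossing the wire and report the wire
    form, the uid the client ends up with, and whether they agree."""
    wire = uid_to_owner(uid, server_db, server_domain)
    got = owner_to_uid(wire, client_db, client_domain, nobody_uid)
    return wire, got, got == uid


if __name__ == "__main__":
    # Constructed sample databases: the client is missing 'bob'.
    server_db = {0: "root", 1001: "alice", 1002: "bob"}
    client_db = {0: "root", 1001: "alice"}
    dom = "md.smms.uq.edu.au"
    for uid in (1001, 1002, 0):
        print(uid, round_trip(uid, server_db, client_db, dom, dom))
    # Same database on both sides but the client's domain is wrong.
    print(1001, round_trip(1001, server_db, server_db, dom, "other.example"))
```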

Configuring Solaris LDAP (Melon)

The Solaris LDAP client is configured using the commands below.


 /usr/lib/ldap/idsconfig
 It is strongly recommended that you BACKUP the directory server
 before running idsconfig.
 .
 Hit Ctrl-C at any time before the final confirmation to exit.
 .
 Do you wish to continue with server setup (y/n/h)? [n] y
 Enter the JES Directory Server's  hostname to setup: lychee.md.smms.uq.edu.au
 Enter the port number for iDS (h=help): [389] 
 Enter the directory manager DN: [cn=Directory Manager] 
 Enter passwd for cn=Directory Manager : 
 Enter the domainname to be served (h=help): [md.smms.uq.edu.au] 
 Enter LDAP Base DN (h=help): [dc=md,dc=smms,dc=uq,dc=edu,dc=au] 
   Checking LDAP Base DN ...
   Validating LDAP Base DN and Suffix ...
   sasl/GSSAPI is not supported by this LDAP server
 Enter the profile name (h=help): [default] 
 Are you sure you want to overwire profile cn=default? 
 Please enter y or n.
 Are you sure you want to overwire profile cn=default? y
 Default server list (h=help): [152.98.195.188] 
 Preferred server list (h=help): 
 Choose desired search scope (one, sub, h=help):  [one] 
 The following are the supported credential levels:
   1  anonymous
   2  proxy
   3  proxy anonymous
   4  self
   5  self proxy
   6  self proxy anonymous
 Choose Credential level [h=help]: [1] 2
 Choose Credential level [h=help]: [1] 
 Do you want the clients to follow referrals (y/n/h)? [n] 
 Do you want to modify the server timelimit value (y/n/h)? [n] 
 Do you want to modify the server sizelimit value (y/n/h)? [n] 
 Do you want to store passwords in "crypt" format (y/n/h)? [n] 
 Do you want to setup a Service Authentication Methods (y/n/h)? [n] 
 Client search time limit in seconds (h=help): [30] 
 Profile Time To Live in seconds (h=help): [43200] 
 Bind time limit in seconds (h=help): [10] 
 Do you wish to setup Service Search Descriptors (y/n/h)? [n] 


 ldapclient manual \
 -a domainName=md.smms.uq.edu.au \
 -a authenticationMethod=simple -a credentialLevel=proxy \
 -a defaultSearchBase='dc=md,dc=smms,dc=uq,dc=edu,dc=au' \
 -a proxyDN=cn=proxyagent,ou=profile,dc=md,dc=smms,dc=uq,dc=edu,dc=au \
 -a serviceSearchDescriptor='passwd:dc=md,dc=smms,dc=uq,dc=edu,dc=au?sub' \
 -a  serviceSearchDescriptor='group:ou=Groups,dc=md,dc=smms,dc=uq,dc=edu,dc=au?one' \
 -a proxyPassword='############' 152.98.195.188