Very Computer

Is there a way to do this with NFS?  With some other protocol?
With SMB on a Linux workstation, the user must authenticate to
the file server in order to do the mount, even though root is required
to issue the mount command.  This is close to what we need.  Is there
anything similar available for Solaris?

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

HTH,
Carsten

--
| Carsten Schulz-Key   | Wilhelm-Schickard-Institut |   Technische Informatik |
| Universit?t Tbingen |                            | Sand 13, 72076 Tbingen |
| Tel +49 7071 29-78977| Fax +49 7071 29-5062       |                 Germany |
+----------------------+----------------------------+-------------------------+
| PGP Fingerprint:           D5 F2 F6 8C FA 98 62 AB  E9 1D 3D 63 68 4B F6 FC |

Quote:>We are looking for a way to share home directories from our file
>server in such a way that the user on a Solaris or Linux workstation
>must authenticate to the server in order to mount her home directory
>there.

  1. support for NIS+ on linux, which I know exists
  2. support for the "secure-nfs" extension on linux, which I'm not
     sure exists.

I believe this gets you the following:

1. only NIS+ registered machines will be able to mount the filesystem
2. only NIS+ regisred users will be able to write to their own home
  directory, depending on whether they did something stupid like
  chmod 0777 $HOME

Note that the "secure" part is only about access. it does no encryption of
the actual file data flowing across the network.

--
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]

The word of the day is mispergitude

Quote:> We are looking for a way to share home directories from our file
> server in such a way that the user on a Solaris or Linux workstation
> must authenticate to the server in order to mount her home directory
> there.  Our current configuration has about a dozen home directory
> filesystems exported from our NFS fileserver, with several hundred
> home directories on each filesystem.  This means that the fileserver
> must trust root on the workstation, and that root does the mount after
> the user has authenticated locally.  This scheme is not secure if the
> user has root access on the workstation.

But as for a use authenticating before they can moutn their home directory:
what if I log in as rich, and then say ls ~fred, where fred hasn't logged
in yet?  From what I can tell, you don't want this to work, even though
it's a prefectly reasonable thing to want to do...

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

run this command to see the files.

ls /etc/auto*

Quote:>I'm not sure I completely follow, but try using AUTH_DH; at least that way
>(if I understand things correctly), you can trust the client computer.
>An attacker would need root acces to your server to mess around with the
>keys.  Directories can be shared in a manner that says that client root
>users are untrusted, and therefor have no privilege - in fact, it's the
>default!

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

Quote:> What I'm hoping to do is to duplicate the way that a Windows 95/98
> workstation can mount user's home directories from our samba server,
> except that I'd like to use Solaris or Linux workstations instead.
> That way, we could provide central file services to people who have
> a Unix desktop computer, and who have root access to their computer.
> We can't do this with NFS unless we take away root access on the
> workstation and do all of the software installation ourselves.

        share -F nfs -o rw=client2:client2:etc,root=trusted_client -d "Home directories" /export/home

With this, the root user on the machine "trusted_client" will have
root privileges on the shared file system.

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

Quote:>Are you saying that you want remote root users to be able to read/write
>(some of) your shared file systems?  If that's the case, you can share
>the file systems with an option that allows this, on a per host basis.

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-