0

I've just started working for a small company that has a globally shared folder run from an Ubuntu file server (Raid 5, etc) shared by Samba.
The workstations (Centos) are all fstab setup to mount this samba share in their root file system -> /Data/.

The client fstab configs :

//10.1.1.3/DATA01 /DATA01 cifs  username=username,password=password 0 0

The samba configuration for the share :

[DATA01]
path = /DATA01
writeable = yes

Before I started the boss had decided he'd had enough of unix permissions and user mismatch "problems", so every workstation and server has the same user and group name (the current project name) - we'll call this project. He'd also made sure that the User UID on every machine was identical - i'm not sure how important this is at a practical level.

So in short, a ls -l /Data results in items that are chowned by project : project.

This is what I've just walked into. My job here is to administer all of this, but i'll add i'm a windows programmer by experience so my Linux sysadmin knowledge is more theoretical than practical (I took the job to learn their industry as i'm attempting a career pivot).

So the setup works to an extent, as Bob and Mary can add/edit files etc under /Data and no "you do not have permission" errors happen, which I believe was the Boss' main boggle. So it seems weird to me as security is totally out the window, but it practically works.

But this makes me terrified of when project finishes and project2 starts. This is 3 months away and i'm not sure how to handle this. I know he'll say "just chown -R project2:project2 /Data, reimage all machines to have that user, and move on", but i'm sure there's a better solution.

So i'm wondering from this setup how can I have unique users manage /Data without causing "you do not have permission" errors?

Additionally I'm wondering is there a kind of linux equivalent of "Active Directory" that can be setup to administrate users and groups (for projects) in the company? I've no idea how this problem is usually managed in the linux world.

And anything else I should consider?

Sorry if this is Linux 101 stuff but i'm not sure how it's typically managed and practically pulled off.

Spiffeah
  • 101
  • 2

1 Answers1

0

As it happens, the latest release of Samba can indeed provide a full Active Directory domain controller service, however it seems to me that your boss just doesn't want to deal with any account type restrictions, so this probably isn't going to work well.

It would be useful to see the stanza in the current Samba config that defines the /Data share, and the mount options on the client systems, to understand how it's working for you now.

EDIT: From the info provided, it looks like all the remote users get mapped to the user on the server, It means that anyone can trash all the data there (accidentally or otherwise), and it most certainly isn't the best approach -- but it has the virtue of being brutally simple.

In terms of "best practice", first of all put the credentials for the mount in a file that's only readable by root, then specify it in the mount as credentials=filename.

Also, if you can arrange to have the server and the clients having the same uid and gids for the users, using the setuid option will ensure that files show up properly owned by their creators on the share, and you can apply standard unix group permissions to who can modify what file.

Uditha Desilva
  • 141
  • 5
  • Added the samba and fstab configs. – Spiffeah Jan 28 '16 at 01:15
  • Looks like all the remote users get mapped to the user on the server, It means that anyone can trash all the data there (accidentally or otherwise), and it most certainly isn't the best approach -- but it has the virtue of being brutally simple. – Uditha Desilva Feb 11 '16 at 20:32