NFS shared directory permission (rhel6)

[夜神 岩男]

On 08/02/2011 01:09 AM, Mike Wright wrote:
> On 08/01/2011 07:41 AM, 夜神　岩男 wrote:
>> I have really been meaning to collect my notes about small/medium office
>> Kerberos/LDAP/NFSv4 setup and write a small series on how to do this
>> without giving up, settling for less (ie. logically unauthenticated
>> Samba or using just LDAP as if it were actually an authentication
>> service and a directory), or jumping off of a bridge.
>>
>> If you run into bad spots, keep asking. If I actually write a how-to
>> about this I'll send you a link. Beware that most of the how-tos out
>> there are pretty out of date, don't take SELinux into account or make
>> other assumptions that don't line up with RPM-based systems (or do
>> boneheaded things like say "Step 1, turn off SELinux").
>>
>
> Thanks for your efforts, Iwao.
>
> Sign me up, too. A link would be *great*.
>
> One of my biggest plaints is that much of the documentation out there
> lacks date and/or version info.
>
> Now that I've got Xen up and going and have more than a few virtual
> machines running it's becoming difficult/awkward to keep track of
> users/passwords, dealing with uid/gid being different for the same users
> on different machines, and especially nfs. Some vms will happily mount
> from one nfs server while others to the same server give me errors, all
> with the same version of the same o/s.

Great need plants great seed, doesn't it? (Whoa! That sort of sounds 
like old wisdom! English is fun!)

> (Unfortunately, in order to debug my setup I've resorted to "Step 1",
> which sometimes helps and other times not so much.)

I supposed Step 2 should always be set to "revert Step 1"!

I will put my notes together and make a series out of it -- looking 
around the web and in books this sort of thing really *doesn't* seem to 
be documented well and stumps a huge number of people who just give up 
and assume that good Linux setups are just too hard to bother with. This 
is because:

1. The cn=config style of OpenLDAP is undocumented and very confusing 
for newcomers

(Initial setup for the first time reliably produces feelings between 
simmering-rage-type frustration or the breaking-things-in-the-office 
point. Some things the OpenLDAP manual should have in it under 
configuration just aren't there, and it makes the manual *feel* 
inaccurate though it doesn't actually state anything that is wrong... 
which is worse, because it makes it believable *and* wrong instead of 
clearly, igorably wrong...)

2. Kerberos seems scary at first and though quite simple to understand 
after playing with it a bit, the documentation goes to such length to 
"make a hard subject easy" that the reader defaults to the assumption 
that it *is* hard -- which is not as true as it may feel.

(...and the part when you decide that you're actually going to switch 
authentication over is a little nerve-wracking so some admins just don't 
go through with it -- its like the first time you decided to actually 
turn SSH password authentication off on a really remote system, but 
multiplied by however many systems your servicing raised to the power of 
however much your contract is worth)

3. Our users have been trained to expect such shit tech from whatever 
contact they had with bad Windows administration in the past that we can 
get away with being lazy and not doing things correctly. ("Put it on the 
shared drive" comes to mind...)

(The Post-Windows Crutch -- where we continue to not let users 
experience seamless networking to the natural degree, where they don't 
even realize what terminal they are using because everything is the same 
from every station -- because its all the same system if things are 
working the way they were originally designed)

4. The interactions between the little team of necessary daemons is so 
scantily explained that most admins that get to the point of an actually 
complete configuration fail because unthought-of-yet-critical daemons 
aren't started. Two of the biggest culprits on Fedora are nscd and nslcd.

(The last sentence above is today's hint -- discovered after seeing what 
would happen if a working SL6 setup was pushed directly to a Fedora 14 
system. nscd, nslcd weren't even installed with the dependencies for the 
setup, and sssd was present in the system but no scripts that require it 
(like authconfig-tui) called "chkconfig sssd on" for some reason... Of 
course none of these problems produced remotely accurate error messages 
any place that the uninitiated would think to look (or at all)...)

5. CA and signed-certificate creation is a fun subject full of myth and 
wildly inaccurate or out of date tutorials (or tutorials specific to, 
say, FreeBSD or Darwin/OSX, but don't clearly state that). Its confusing 
and ill-treated enough that some people give up and just shell out money 
for them, even if the certification is strictly internal.

6. NFSv4 and OpenAFS are great tools, but suffer from a lack of accurate 
documentation in a similar way to the CA subject. Why is sort of beyond 
me, because they are both widely deployed, but only by people who either 
paid to learn the magical secrets (and after climbing the learning curve 
myself, I have to say this is probably a worthwhile option) or were 
burned about the time they understood everything and were too worn out 
thinking on the subject to post their notes (I think most of us can 
appreciate that feeling after certain experiences).

Blah blah blah. Yes, an in-depth tutorial is sorely needed (really this 
calls for another O'Reilly book in my opinion, but you'll have to settle 
for whatever I've got spare time for + outdated web resources and... 
man/info pages -- haha!).

-Iwao

PS: I've got to finish a magazine article that Akemi Yagi and I are 
writing for a Japanese journal out here (she's the main author, not me, 
but its hard doing English/Japanese, so this is more time consuming than 
usual for me) -- so this will have to wait just a little. I'll post to 
the list when I'm done, though, or at least send you folks a private 
notice. Not sure that it really applies to everyone here so much as to 
warrant plugging my tutorial on-list...