
enterprise-ubuntu team mailing list archive

Re: Questions: Rights management on shares - Windows vs. Linux


> Hello,
>
> good that you took the challenge, because I hoped that there are Linux solutions which can compete with Microsoft's rights management.
>
> I am not a Linux expert, but to compare what file/folder rights are possible on Linux and Windows, I found for Linux:
> - read, write and execute rights for a specific user, group and all others
> - with NFSv3 ACLs, additional users can be configured to get "rwx" rights, set with "setfacl" (which are listed as "+" if you do "ls -l")
> - NFSv4 can maybe have more possibilities, but as you also wrote, it is not used because of the incompatibility and complexity of available solutions

You might have misunderstood me. I know of a couple of broken NFSv4 server code in NAS devices. If you have need for NFSv4, just make sure you either have an up-to-date Linux OS on the NFSv4 server or a well-implemented NAS device.

> On Windows NTFS we have the following 13 rights (http://technet.microsoft.com/en-us/library/cc787794%28v=ws.10%29.aspx): Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, Synchronize

It's not about the amount of ACLs. How often did you need to use those special attributes like "Traverse Folder" or "Read Permissions"? If you are interested in all-cool ACL entries, have a look at Novell's filesystem and its network transport mechanism. It has 18 (!) rights. Note these were created already for NetWare 4, released in 1993. I'd say Windows is still behind that, so it seems they are behind like... 20 years. See:
http://www.novell.com/documentation/oes/stor_filesys/?page=/documentation/oes/stor_filesys/data/bs3fkbm.html

Actually Novell did this right back then and even their NDS (now called eDirectory) released in 1993 was long before Microsoft decided to get there with their Active Directory, that only started shipping with Windows 2000 server. I believe Microsoft's win in this market was only due to its workstation monopoly.

> and most of them can be accomplished with rights on Linux also, but for us functionalities like
> - rights inheritance on different levels

You have inheritance on POSIX ACLs. See the --default option to setfacl.

> - authentication on access (NFSv3 only checks IP/hostname, but e.g. no Kerberos token)

Well, this basically crosses out NFSv3.

> - right to create or delete subfolder

I don't think I get it. Create and remove your own/somebody else's subdirectory while not having read or write access to the files in that directory? My gut feeling is that you need something to just let the owner modify his own file, something that's commonly used in the /tmp directory with the +t flag.

What's your use case for that?

> I could not find this in existing (besides scripting) solutions for Linux file shares and rights management. So in a company with Windows and Linux clients and an Active Directory, which Linux-based file share rights management could do most access rights as a Windows NTFS system can?

First, you need a Kerberos setup to cope with the authentication part. You have Active Directory, so you are set with the server-side implementation. Thank God Microsoft decided to use standard LDAP+Kerberos for their AD. Oh, you will also need to have Unix attributes in AD for most of the filesystems.

Secondly, you need your Linux clients to talk Kerberos too. You need LDAP for NSS and Kerberos for authentication, see former discussions and SSSD. Unless you just have a couple of Linux clients, I would advise you to add some "Group policy"-like automation for Linux. We are using CFEngine with custom add-ons that read AD data.

Thirdly, you need a Kerberos-aware network sharing filesystem. Your options are NFSv4, CIFS and AFS. NFSv4 is the most obvious Unix/Linux choice; CIFS is Windows file sharing, but if you host the files on Linux, your Unix attributes should be pretty much correct. I haven't used AFS much, but this is an option too.

Cheers,
Ballock
