
enterprise-ubuntu team mailing list archive

Re: Questions: Rights management on shares - Windows vs. Linux


Hello Ballock,
Hello Timo,

thanks for your replies. I could convince my colleague that "Windows is 5 
years ahead in rights management" is not true. But on the other hand, I 
learned from our discussion that
        NFSv3           is not secure
        NFSv4           needs a simple implementation, feasible to set up 
                        and use from Linux and Windows systems
        CIFS/SMB        file rights cannot be changed from Linux (tested 
                        on a Netapp filer)
        AFS             seems not to have enterprise support 

So I will wait until NFSv4 is fully integrated and usable out-of-the-box.

regards,
Florian

From:   Bolesław Tokarski <boleslaw.tokarski@xxxxxxxxx>
To:     <florian.bieber@xxxxxxxx>
Cc:     "enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx" 
<enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx>
Date:   14.05.2013 19:48
Subject:        Re: [Enterprise-ubuntu] Questions: Rights management on 
shares - Windows vs. Linux

> Hello,
> good that you took the challenge, because I hoped that there are Linux 
> solutions which can compete with Microsoft's rights management. 
>
> I am not a Linux expert, but to compare what file/folder rights are 
> possible on Linux and Windows, I found for Linux: 
>         - read, write and execute rights for a specific user, group and for 
> all others 
>         - with NFSv3 ACLs additional users can be configured to get 
> "rwx" rights, set with "setfacl" (which are listed as "+" if you do "ls 
> -l") 
>         - NFSv4 can maybe have more possibilities, but as you also wrote, 
> it is not used, because of incompatibility and complexity of available 
> solutions 
You might have misunderstood me. I know of a couple of NAS devices with 
broken NFSv4 server code. If you need NFSv4, just make sure you either 
have an up-to-date Linux OS on the NFSv4 server or a well-implemented NAS 
device.

> on Windows NTFS we have the following 13 rights (
> http://technet.microsoft.com/en-us/library/cc787794%28v=ws.10%29.aspx) 
>         - Traverse Folder/Execute File, List Folder/Read Data, Read 
> Attributes, Read Extended Attributes, Create Files/Write Data, Create 
> Folders/Append Data, Write Attributes, Write Extended Attributes, Delete 
> Subfolders and Files, Delete, Read Permissions, Change Permissions, Take 
> Ownership, Synchronize

It's not about the amount of ACLs. How often did you need to use those 
special attributes like "Traverse Folder" or "Read Permissions"? If you 
are interested in all-cool ACL entries, have a look at Novell's filesystem 
and its network transport mechanism. It has 18 (!) rights. Note these were 
created already for NetWare 4, released in 1993. I'd say Windows is still 
behind that, so it seems they are behind like... 20 years. See: 
http://www.novell.com/documentation/oes/stor_filesys/?page=/documentation/oes/stor_filesys/data/bs3fkbm.html


Actually Novell did this right back then and even their NDS (now called 
eDirectory) released in 1993 was long before Microsoft decided to get 
there with their Active Directory, that only started shipping with Windows 
2000 server. I believe Microsoft's win in this market was only due to its 
workstation monopoly.
> and most of them can be accomplished with rights on Linux also, but for us 
> functionalities like 
>         - rights inheritance on different levels 
You have inheritance on POSIX ACLs. See the --default option to setfacl.
>         - authentication on access (NFSv3 only checks IP/hostname, but 
> e.g. no Kerberos token)
Well, this basically crosses out NFSv3.
>         - right to create or delete subfolder 
I don't think I get it. Create and remove your own/somebody else's 
subdirectory while not having read or write access to the files in that 
directory? My gut feeling is that you need something to just let the owner 
modify his own file, something that's commonly used in the /tmp directory 
with the +t flag.
What's your use case for that?
> I could not find this in existing (besides scripting) solutions for Linux 
> file shares and rights management. 
> So in a company with Windows and Linux clients and an Active Directory, 
> which Linux-based file share rights management could do most access rights 
> as a Windows NTFS system can?

First, you need a Kerberos setup to cope with the authentication part. You 
have Active Directory, so you are set with the server-side implementation. 
Thank God Microsoft decided to use standard LDAP+Kerberos for their AD. 
Oh, you will also need to have Unix attributes in AD for most of the 
filesystems.
Secondly, you need your Linux clients to talk Kerberos too. You need LDAP 
for NSS and Kerberos for authentication; see former discussions and SSSD. 
Unless you just have a couple of Linux clients, I would advise you to add 
some "Group Policy"-like automation for Linux. We are using CFEngine with 
custom add-ons that read AD data.

Thirdly, you need a Kerberos-aware network sharing filesystem. Your 
options are NFSv4, CIFS and AFS. NFSv4 is the most obvious Unix/Linux 
choice; although CIFS is Windows file sharing, if you host files on Linux 
your Unix attributes should be pretty much correct. I haven't used AFS 
much, but this is an option too.

Cheers, Ballock
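The two Linux mechanisms Ballock points at in the message above, rights inheritance through a directory's default ACL (the `--default`/`-d` option of `setfacl`) and the sticky bit (`+t`) used on /tmp-style directories, as an added shell example that is not part of this thread. It assumes a Linux host with the `acl` user-space tools and a filesystem mounted with POSIX ACL support; the UID 12345 is a constructed placeholder standing in for a domain user that SSSD would resolve from AD, so the check keeps IDs numeric and does not need a passwd entry.

```shell
#!/bin/sh
# Added example (not from the thread): POSIX ACL inheritance via a default ACL
# and the sticky bit for shared scratch directories.
# Assumptions: Linux, setfacl/getfacl installed, ACL-capable filesystem
# (ext4, xfs, tmpfs). UID 12345 is a constructed placeholder for an AD user.

ACL_UID=12345

# Returns 0 when the ACL tools exist and the scratch filesystem accepts ACLs,
# 1 otherwise (acl package missing, or a mount without ACL support, which is
# the usual reason setfacl fails with "Operation not supported").
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "${TMPDIR:-/tmp}/aclprobe.XXXXXX") || return 1
    setfacl -m "u:${ACL_UID}:r" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return $rc
}

# Create a share root, grant $ACL_UID rwx on it, and record the same entry in
# the directory's default ACL so every child created beneath inherits it.
# Prints the share path on success.
make_share() {
    share=$(mktemp -d "${TMPDIR:-/tmp}/share.XXXXXX") || return 1
    setfacl -m "u:${ACL_UID}:rwx" "$share" || return 1      # access ACL: the root itself
    setfacl -d -m "u:${ACL_UID}:rwx" "$share" || return 1   # default ACL: inherited by new children
    printf '%s\n' "$share"
}

# Returns 0 when the named-user entry was inherited by a nested directory and
# by a file inside it. getfacl -n keeps UIDs numeric, so the check does not
# depend on name lookups.
check_inheritance() {
    share=$1
    mkdir -p "$share/projects/q2" || return 1
    : > "$share/projects/q2/report.txt" || return 1
    # Subdirectories inherit both the access entry and the default entry,
    # so inheritance continues one level further down.
    getfacl -n -p "$share/projects/q2" 2>/dev/null | grep -q "^user:${ACL_UID}:rwx" || return 1
    getfacl -n -p "$share/projects/q2" 2>/dev/null | grep -q "^default:user:${ACL_UID}:rwx" || return 1
    # Files only get an access ACL; the mask derived from the create mode may
    # cap the effective rights (getfacl then prints "#effective:rw-").
    getfacl -n -p "$share/projects/q2/report.txt" 2>/dev/null | grep -q "^user:${ACL_UID}:" || return 1
    return 0
}

# A /tmp-style scratch directory: world-writable, but with the sticky bit so a
# user can only delete or rename entries they own. Returns 0 when the mode
# string shows "t" in the "other" execute position.
make_sticky_scratch() {
    scratch="$1/scratch"
    mkdir -p "$scratch" || return 1
    chmod 1777 "$scratch" || return 1          # same as chmod a+rwx,+t
    ls -ld "$scratch" | cut -c10 | grep -q '^t$'
}

# Stand-alone run: show the resulting ACLs (note the trailing "+" in ls -l
# output on entries that carry an ACL) and clean up.
if acl_supported; then
    S=$(make_share) && check_inheritance "$S" && make_sticky_scratch "$S" \
        && ls -ld "$S" "$S/projects/q2" "$S/scratch" \
        && getfacl -n -p -R "$S" && rm -rf "$S"
else
    echo "POSIX ACLs not usable here (acl tools missing or filesystem without ACL support)"
fi
```

The default ACL is what gives the "inheritance on different levels" from Florian's list: it is copied into every directory created below the share root, so nothing has to be re-applied as the tree grows. Checking with `getfacl -n` rather than by name matters on AD-joined hosts, where a lookup failure in SSSD would otherwise look like a missing ACL entry.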
