I would like to be able to have /home mapped to a different location on network rather than on local disk. I have set up my share on the server that I want items to be stored to and have created the credential file that allows me connection to the server. I can mount the share successfully but I need to be able to have the ownership of the /homes to be the usernames rather than root. Here are my configuration files below.
You can see where the /data share is. This is where I want to have the /home moved to but when I go to do a directory listing for the data that is there this is what I get.
Above you can see that the user's folder for user central is owned by root rather than central, thus that user cannot use their home folder. If I do a chown -R central.central /data/central I get the following.
Code:
chown -R central.central /data/central/
chown: changing ownership of `/data/central/.bash_profile': Operation not permitted
chown: changing ownership of `/data/central/': Operation not permitted
If I change the fstab to include uid= and gid= then it is the same result as above, just with control by different credentials. Please let me know if this makes any sense.
Basically I want all the data and user folders to be on a SAN. Since I don't have direct access to SAN with Linux system (i.e. No HBA device) I need to have data be stored on SAN using a shared folder on the SAN and then having a map to this folder via SMBFS. There will be no local home folders on the local system. The systems that are attached to SAN is a Server 2003 windows system.
The only thing the profile and users that will have this setup are the ones that are using SFTP. This server is basically an SFTP server to the outside world. I don't even want to bother with SFTP for Windows. Easier just to set up Linux to do the SFTP portion... Unless there is a way to create "virtual" sftp users, that way the users don't require a local account on the system. I am not moving the /home dir to the remote smb, only the /home folder of certain user accounts. Currently there are local user accounts on the system and if someone needs to transfer data to us, they use the sftp account and they are locked into the home dir of that account.
Quote:
Originally Posted by Stéphane Ascoët
I'm not sure that sharing /home via SMB is a good idea. POSIX systems need to use POSIX fs for important usage.
Who said anything about POSIX FS? I don't understand what you mean. I had this set up like the way I am trying to explain at one time but then things got messed up and had to move account to local system.
Last edited by richinsc; 03-12-2008 at 11:47 AM.
Reason: Who said quote
Does anyone have any solutions? All I want to do is have data that would normally be stored under user home folder be stored elsewhere over an SMB file share. I don't want to have any data reside on the Linux system itself. This is a company server, not my personal server. If it were mine I would have set it up in a rack with a 3.0TB file system with a RAID 5 configuration. I could create symbolic links, yes, but I would prefer if at all possible to prevent from doing this. The only issue that is causing my problem is that the uid=username,gid=users takes over ownership of all files and folders rather than letting me specify.
Can't anyone help me? I have gotten it to work where I can now access the files after changing chmod to 777. But I need to be able to have the /home be mounted on a remote server. The server in question is a Windows box (job's decision, not mine), but I want all the /home directories on the Linux box to be stored on the share that is served from the Windows box. I don't want any local /home directories on the Linux box itself. Any help would be greatly appreciated.
If there are any moderators reading this, if you feel that thread would get better exposure elsewhere please move appropriately.
Quote:
Originally Posted by richinsc
Can't anyone help me? I have gotten it to work where I can now access the files after changing chmod to 777. But I need to be able to have the /home be mounted on a remote server. The server in question is a Windows box
I've already told you that it isn't possible, since window$ isn't POSIX compliant (probably the last OS in this case, but since bosses still find it to be a good OS, why should m$ change their habits?). Install a POSIX OS in a virtual machine in the server.
I don't know for sure, but you may have better luck using the CIFS filesystem if the service is on a Linux server.
However, it would be better to mount user directories on NFS shares.
I mounted a CIFS share on my laptop, of the home directory of my laptop, and was able to change permissions and even use setfacl. Make sure that the server where the actual users' home directories are located has a Linux filesystem with the ownership and permissions the same as you would on the server where the mount points are located. The users need to have the same uids on both computers.
I don't expect this to work at all if it isn't between two Samba machines. However the SAN may be running Linux or may support CIFS.
Beginning to think that it would be a better option just to set up an ftp server and wrap it in SSL or set up an actual sftp server with virtual users so that no account actually exists on the server. This server is only being used for SFTP but all logins are done through ssh rather than a vsftp daemon or other. What do you think? Think I would be better suited to install a daemon and have virtual accounts, then I could store home folders anywhere. I would think I would be able to anyway.
To get a better understanding of what I am going through, read the following post - /Home storage over network.
My current question is, which is a better way to do secure ftp? Wrap ftp in an ssl certificate or install an actual secure ftp daemon? Basically I use the server in question as a secure ftp server. But I don't want any data to actually be stored on the ftp server itself. Instead I only want it to seem like it is being stored there when it is really being stored elsewhere. The other thing is, currently I have actual ssh user accounts created on the system, would it be better to make them virtual?
Just trying to make this as easy as possible and obscure to the end user logging in to ftp server. Any help or suggestions are greatly appreciated.
After doing some reading on my own I have determined that it would be best for me to change up my configuration and use a vsftp daemon to do what I want rather than trying to make it so hard by using system accounts residing on the server.
richinsc,
I am a bit confused as to what you are trying to accomplish. I have a few questions:
1. You are trying to have 2 boxes, one being "visible FTP server" and other one being "Actual FTP server"?
2. What security issues are you concerned about?
3. Are these boxes going to be located inside or outside a firewall (if one inside and one outside, are you going to want to create a tunnel?)?
4. How do you want users to authenticate to the FTP server?
From there I think I can direct you in the right direction.
Okay, I have an ftp server that is set up behind a firewall with NAT. On that server I have several shell accounts. Currently all data is stored on the ftp server. I have to meet federal requirements for this server and as such this server is only a temporary until I have a server that is an actual server that I can install Debian on. Currently the server in question is a desktop computer acting as a server. My requirements that I have to meet are rooted in redundancy. Currently all this data is stored on one HDD with no RAID whatsoever. I want the data to be stored on a server that does have access to our SAN.
That being said, I am trying to figure out the best way to have data transferred to the server and have all the transmission of that data be encrypted. Then rather than having the data stored locally on the server, I want to have all data stored on the SAN that is connected to a Windows box via samba mount. When a user logs in to upload data, the data will be stored on the SAN via Samba without the user knowing, thinking that they are just uploading data to a regular secure ftp server. All the data and passwords must be encrypted at all times. So please let me know if this gives you a better idea of my situation.
Edit: And by federal guidelines I mean I work for the Government and *bleep* needs to be secure.
Last edited by richinsc; 03-14-2008 at 11:41 AM.
Reason: Federal Guidelines
After reading CESA-2008-002 I am somewhat concerned in using ssl with vsftp, especially since it says and I quote.
Quote:
Originally Posted by VSFTPD Homepage
I've even been quite lazy with vsftpd in this area; only in the recent v2.0.6 release did I implement client cert support. Again, no-one (users or FTP clients) seem to really care, and I'm good at being lazy given half an excuse. vsftpd 2.0.6 offers independent options to insist the client sends a cert, and to validate the cert is valid and signed by a recognized authority.
He also says:
Quote:
Originally Posted by VSFTPD Homepage
It is worth noting that both FTP clients and FTP servers are to blame. Perhaps no-one cares. Certainly, not many people are using FTP over SSL
And I highly doubt this, who wouldn't want to encrypt their data transfers? So which is the best way to encrypt data if one wants to use an ftp server?
Server2 is going to be bound to domain, and have mounted smb share from Server1 with automount support. This way all this activity can be monitored, logged, and secure.
Server2 will have mounted smb share set as ftp home directory, inside will have folders for all ftp users or ftp directories.
Each login will be chrooted into their desired directory.
Anon access will be disabled for everything.
SSL will be enabled and SSL logins for FTP to Server2 only.
Server 2 will be setup with iptables and only allow FTP and SSH connections.
SSH connections will be denied for Root login, only specified users can log in.
Optional - fail2ban, to block and ban IP addresses that meet X security criteria (e.g. excessive failed logins)
Server2 will log all activity including file transfer, logins, etc..
This setup should allow you to have full control and users will not be aware that they are actually uploading files to Server1.
P.S Make sure you have logrotate, to rotate all logs.
Optional-> Use Logwatch to send you an email daily with a report about what is going on.
I hope this example suits your needs, please let me know if you have any questions.
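The vsftpd items of the checklist above (anonymous access off, chrooted logins, SSL on and required, transfer logging), as an added example that is not part of the original thread: a Python check that parses a vsftpd.conf and reports which items are unmet. The option names and defaults are those of the vsftpd.conf man page; the sample config and the function names are constructed for illustration.

```python
# Added example: audit a vsftpd.conf against the checklist in the post above.
# (checklist item, vsftpd option, compiled-in default per the man page, wanted)
CHECKS = [
    ("anonymous access disabled", "anonymous_enable", "YES", "NO"),
    ("each login chrooted", "chroot_local_user", "NO", "YES"),
    ("SSL enabled", "ssl_enable", "NO", "YES"),
    ("logins only over SSL", "force_local_logins_ssl", "YES", "YES"),
    ("data only over SSL", "force_local_data_ssl", "YES", "YES"),
    ("transfers logged", "xferlog_enable", "NO", "YES"),
]


def parse_vsftpd_conf(text):
    """Return (settings, malformed line numbers).

    vsftpd treats any space between option, '=' and value as an error,
    so such lines are reported instead of being silently accepted.
    """
    settings, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            malformed.append(lineno)
            continue
        settings[key] = value
    return settings, malformed


def audit(text):
    """Return (unmet checklist items, malformed line numbers)."""
    settings, malformed = parse_vsftpd_conf(text)
    unmet = [item for item, opt, default, want in CHECKS
             if settings.get(opt, default).upper() != want]
    return unmet, malformed


# Constructed sample: chroot is never set and the logging line has spaces
# around '=', so it does not count and the default (NO) applies.
SAMPLE = """\
# constructed sample vsftpd.conf
anonymous_enable=NO
ssl_enable=YES
xferlog_enable = YES
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An option missing from the file is judged by its compiled-in default, which is why an empty config fails on anonymous access, chroot, SSL and logging but not on the two force_local_*_ssl items.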