[aklug] Re: group environment configuration?

From: James Zuelow <James_Zuelow@ci.juneau.ak.us>
Date: Thu Mar 11 2010 - 13:09:37 AKST

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
> On Behalf Of Marc Grober
> Sent: Thursday, 11 March, 2010 12:15
> To: aklug@aklug.org
> Subject: [aklug] Re: group environment configuration?
>
> We are mixing several issues up....
> For those who may not know, all *ix provide the ability to create groups and
> populate same with users. Unfortunately, this is pretty crude and typically
> amounts to population of one flat file (while there are lots of web resources on
> this, here's a simple one:
> http://www.cyberciti.biz/faq/understanding-etcgroup-file/)
> Some unix also provide extended acl tools (acl being the acronym for access
> control list). See e.g.
> http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
>

Ouch. Fedora Core 2 was a LONG time ago.

> *ix typically do not provide much in the way of GUI tools to manage group access
> to resources comparable to MMC and MS-Active Directory. There are lots of reasons
> to explain this, but they are really only germane here in that this is an area
> that has been getting more attention as Windows users look at linux admin tools.

Maybe I'm missing the point of what you guys are trying to accomplish. I don't know how to pop up a dialog based on group membership in Windows either. But I do use nested group membership to control access to Linux file systems, Apache web content, our Squid server...

On the local level, as far as file system access goes I can't see anything I can do on a Windows server that I can't do in KDE as far as ACLs go.

1) Make sure your file system is mounted with ACL support, and if they're not installed by default install the acl tools (apt-get install acl).

2) Find file or directory in KDE (Konqueror for 3.5, Dolphin for 4.x)

3) Right click, choose properties, choose permissions, click on advanced permissions.

4) Add groups/individuals to your heart's content. (Whether or not you see LDAP/AD users and groups here in the GUI would depend on your nsswitch.conf and in the case of Samba whether or not you have winbind enum users/winbind enum groups turned on.)

You can go back and check the acls with getfacl and see the results match the GUI.

The only thing different from Windows is that when you click on the security tab in Windows Explorer you're in the same place as KDE's advanced tab. Clicking on the advanced tab in Windows brings up a myriad of settings that I have rarely ever needed to delve into. I would guess that 95% of Windows sysadmins never use the advanced tab unless they're following instructions from Technet (myself included).

We're a small shop so we don't have any of the commercial central file system management tools. We just use the native Microsoft tools and rdp to a server and change the security settings for a folder (or rarely a specific file). Occasionally we'll script something to make wholesale changes, but really that would be just as simple on a Linux system.

Windows users and groups being managed in AD is nice, and "Linux" doesn't really have a ubiquitous project to handle that sort of thing. You need to go looking for what you want instead of getting it in the default install.

There are some interesting projects out there -- the old Novell NDS server is now reincarnated as 389 Directory Server, complete with multi-master replication and all sorts of other sexy bells and whistles. I don't have a lot of experience with LDAP since we're a Windows shop so I tend to have my Linux servers integrated into AD with Samba. So I haven't used LDAP in production. The tools I've looked at seem to work well for playing around, but managing a couple hundred users and groups is something I find hard to model.

James
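[Editor's note, added example; this is not code from the thread or from James.] The "check the acls with getfacl" step above hides one trap worth scripting around: on a POSIX ACL the `mask::` entry caps every named user, named group and the owning group, so an entry the GUI shows as `rwx` may only grant `r-x`. getfacl flags this with a trailing `#effective:` comment. The script below parses getfacl's long-form output, applies the mask the way the kernel does, and lists the entries that are being cut down. The path, user and group names and the sample output are constructed for the example, not taken from any real system.

```python
"""Parse getfacl output and work out what a user or group can really do once
the ACL mask is applied. Added example, not code from the original post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample (hypothetical path, users and groups): what
# `getfacl /srv/share/finance` could print after groups were added in the KDE
# dialog and the mask was then tightened with `setfacl -m m::r-x PATH`.
# getfacl strips the leading "/" in the "# file:" header and appends an
# "#effective:" comment to any entry the mask cuts down.
SAMPLE_GETFACL = """\
# file: srv/share/finance
# owner: root
# group: finance
user::rwx
user:alice:rwx\t\t\t#effective:r-x
group::r-x
group:finance:rwx\t\t\t#effective:r-x
group:auditors:r-x
mask::r-x
other::---
"""


def perms_to_bits(s: str) -> int:
    """'rwx'-style string -> 3-bit int (r=4, w=2, x=1); '-' means unset."""
    return (4 if "r" in s else 0) | (2 if "w" in s else 0) | (1 if "x" in s else 0)


def bits_to_perms(b: int) -> str:
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")


@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""            # owning group name
    owner_perms: int = 0       # user::
    group_perms: int = 0       # group:: (owning group)
    other_perms: int = 0       # other::
    mask: Optional[int] = None # mask:: (absent on a plain mode-only file)
    users: Dict[str, int] = field(default_factory=dict)   # named users, as written
    groups: Dict[str, int] = field(default_factory=dict)  # named groups, as written


def parse_getfacl(text: str) -> Acl:
    """Parse one file's block of `getfacl` output (no -d / numeric output)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines: "# file: x", "# owner: x", "# group: x", "# flags: ..."
            key, _, val = line[1:].partition(":")
            key, val = key.strip(), val.strip()
            if key == "file":
                acl.path = val
            elif key == "owner":
                acl.owner = val
            elif key == "group":
                acl.group = val
            continue
        # Entry lines may carry a trailing "#effective:..." comment; drop it,
        # we recompute effective rights ourselves from the mask.
        parts = line.split("#", 1)[0].strip().split(":")
        if parts[0] == "default":
            continue  # default ACL: inherited by new children, not this file's access ACL
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        bits = perms_to_bits(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.owner_perms = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_perms = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other_perms = bits
        else:
            raise ValueError(f"unknown ACL tag in {raw!r}")
    return acl


def _masked(acl: Acl, bits: int) -> str:
    return bits_to_perms(bits & acl.mask if acl.mask is not None else bits)


def effective_user_perms(acl: Acl, user: str) -> Optional[str]:
    """Rights from the owner or a named-user entry. Owner is never masked;
    named users are. None if no entry names the user (group/other would apply)."""
    if user == acl.owner:
        return bits_to_perms(acl.owner_perms)
    if user in acl.users:
        return _masked(acl, acl.users[user])
    return None


def effective_group_perms(acl: Acl, group: str) -> Optional[str]:
    """Rights a member of `group` gets; both the owning group and named groups
    are subject to the mask. None if the group appears nowhere in the ACL."""
    if group in acl.groups:
        return _masked(acl, acl.groups[group])
    if group == acl.group:
        return _masked(acl, acl.group_perms)
    return None


def masked_entries(acl: Acl) -> List[Tuple[str, str]]:
    """Entries whose written rights exceed the mask, i.e. what the GUI shows
    but the kernel will not grant. ("group", "") is the owning group."""
    if acl.mask is None:
        return []
    out: List[Tuple[str, str]] = []
    out += [("user", u) for u, b in acl.users.items() if b & ~acl.mask]
    if acl.group_perms & ~acl.mask:
        out.append(("group", ""))
    out += [("group", g) for g, b in acl.groups.items() if b & ~acl.mask]
    return out


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(f"{acl.path}: mask={bits_to_perms(acl.mask)}")
    for name in ("finance", "auditors"):
        print(f"  group {name}: effective {effective_group_perms(acl, name)}")
    print("  entries cut down by the mask:", masked_entries(acl))
```

To run it against a real tree, pipe `getfacl` into it one file at a time (`getfacl -p PATH` keeps the leading slash in the header). The fix for a cut-down entry is `setfacl -m m::rwx PATH`, or simply omitting the `-n` flag so setfacl recalculates the mask, after which the `#effective:` comments disappear.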
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Mar 11 13:09:50 2010

This archive was generated by hypermail 2.1.8 : Thu Mar 11 2010 - 13:09:50 AKST