How to set up an NFS share for users with write permissions
I found a simple workaround in this article.
If we use a separate primary group for each user, we can use umask = 002. Then the group permissions will not be cut off by the umask, and we can set permissions using setgid or ACLs.
But the proposed solution complicates management of users, namely creation and deletion. As the LDAP administrator, you need to create a primary group for every LDAP user, and delete the user's primary group when deleting a user who is no longer needed.
In addition, I would note that:
Due to the migration from Zentyal to OpenLDAP, I use the same core group (USERS) for all newly created users.
On the one hand, it simplifies the management of users; on the other hand, it does not solve the problem with a shared folder for them.
vskubriev
Updated on September 18, 2022
vskubriev over 1 year
We used Ubuntu Linux on desktops with LDAP authentication. Both on the server and on the clients we have identical users and groups.
I've set up an NFS server with a public share, which should be available to all users with write permissions. E.g. one user creates a file, and another should be able to remove this file by default.
I have the following requirements:
- I do not want to change the default umask (0022) on client machines.
- I do not want to use inotify to change permissions when files change on the server, because it slows down network access to the NFS share and does not work stably.
How to reproduce:
I create the initial folder with default ACLs, with the following permissions for the folder 'directory' owned by group inoffice:
$ setfacl -m default:g:inoffice:rwx directory/
$ setfacl -m g:inoffice:rwx directory/
$ getfacl directory/
# file: directory/
# owner: root
# group: root
user::rwx
group::r-x
group:inoffice:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x
In theory:
1. This directory must be writeable for users in group inoffice.
2. All new files and dirs inherit group:inoffice:rwx permissions.
Suppose we have two users (clients):
- user1 with primary group __USERS__ and supplementary group inoffice
- user2 with primary group __USERS__ and supplementary group inoffice
Suppose user1 went into the NFS folder 'directory' on their own machine and created a folder named 'folder_user1':
$ getfacl folder_user1
# file: folder_user1
# owner: user1
# group: user1_group
user::rwx
group::r-x
group:inoffice:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x
Then user2 can delete this folder because of the default:group:inoffice:rwx permissions.
But if user1 copies a directory (instead of creating one) into 'directory', the resulting permissions will be:
$ getfacl folder_copied_by_user1
# file: folder_copied_by_user1
# owner: user1
# group: user1_group
user::rwx
group::r-x
group:inoffice:rwx    #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:inoffice:rwx
default:mask::rwx
default:other::r-x
I know about the difference in the open calls when we copy and create files in Linux. Also I know about umask, which is applied after the file create operation.
I can't find a solution for sharing files on the network with the NFS protocol in my case.
Help me to find a workaround.
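The two getfacl listings in the question follow from how a default ACL is inherited: when the parent carries a default ACL, the umask is ignored and the new object's owner, mask and other entries are ANDed with the mode bits the creating call requested. This Python model is an added example (not part of the question or any answer); it assumes mkdir asks for mode 0777 and that the copied directory carried mode 0755, and reproduces both listings.

```python
"""Model of POSIX.1e default-ACL inheritance (added example)."""

# Constructed from the default: entries set on directory/ in the question.
DEFAULT_ACL = {
    "user::": 0o7,            # rwx
    "group::": 0o5,           # r-x
    "group:inoffice:": 0o7,   # rwx
    "mask::": 0o7,            # rwx
    "other::": 0o5,           # r-x
}

def perm_str(bits):
    """Render three permission bits in rwx notation."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def inherit_acl(default_acl, mode):
    """Access ACL a new object receives when created with `mode` inside a
    directory carrying `default_acl`. The umask is not applied; instead the
    owner, mask and other entries are ANDed with the matching bits of `mode`."""
    acl = dict(default_acl)
    acl["user::"] &= (mode >> 6) & 0o7
    acl["mask::"] &= (mode >> 3) & 0o7   # mask takes the group bits of mode
    acl["other::"] &= mode & 0o7
    return acl

def effective(acl, entry):
    """Permissions that really apply: named entries and group:: pass through the mask."""
    if entry in ("user::", "other::", "mask::"):
        return acl[entry]
    return acl[entry] & acl["mask::"]

def render(acl):
    """getfacl-style lines, adding '#effective:' where the mask clips an entry."""
    lines = []
    for entry, bits in acl.items():
        line = f"{entry}{perm_str(bits)}"
        if effective(acl, entry) != bits:
            line += f"\t#effective:{perm_str(effective(acl, entry))}"
        lines.append(line)
    return lines

# mkdir from a shell requests 0777 (assumption); umask 022 is ignored because the
# parent has a default ACL, so the mask stays rwx and inoffice keeps rwx.
CREATED = inherit_acl(DEFAULT_ACL, 0o777)
# The copy is created with the source's 0755 (assumption): the mask becomes r-x
# and group:inoffice is clipped to an effective r-x, exactly as in the question.
COPIED = inherit_acl(DEFAULT_ACL, 0o755)

if __name__ == "__main__":
    print("\n".join(render(CREATED)), "---", "\n".join(render(COPIED)), sep="\n")
```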