Files, ACL, security


getfacl file1                           # read permissions
setfacl -m u:andy:rw  file1             # -m = modify: give (a secondary user) named andy read/write access to file1
setfacl -m g:admin:rw file1             # g for secondary group, here a group named admin, get rw access
setfacl -x u:andy     file1             # -x = remove permissions

a directory can have a default acl set so that all files created within it inherit that acl automatically.  use "d" (or "default:") to mark an entry as a default entry.  eg

setfacl -m d:g:admin:rw  dir1


So, not only DOS has attributes for files! Linux does too! It is another layer over what chmod provides! These attributes are supported starting from ext2.
lsattr  	/path/to/file			# list file attributes (lsattr, not getattr)
chattr  =i 	/path/to/file			# change, ie set, file attributes to exactly "immutable" ("+i" adds the flag and keeps the others)
sudo chattr -i 	/path/to/file			# only a process with CAP_LINUX_IMMUTABLE (ie root) can remove the immutable flag!

        select the new attributes for the files:
        append only (a),
        compressed (c),
        no dump (d),
        extent format (e),
        immutable (i),
        data journalling (j),
        secure deletion (s),
        no tail-merging (t),
        undeletable (u),
        no atime updates (A),
        synchronous directory updates (D),
        synchronous updates (S),
        top of directory hierarchy (T).

        The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr:
        huge file (h),
        compression error (E),
        indexed directory (I),
        compression raw access (X),
        compressed dirty file (Z).


# cmd.mount.ref
# this file will contain all commands in relation to filesystem manipulations.
# eg mount, fsck, etc.

# some originally from cmd.admin.ref
# need to do some clean up and splitting...

amq			show currently automounted drv (from amd suite)
mount		show mounted partitions (root mounts new ones too)

mount	-t nfs server:/path	/mnt/point		#linux
mount 	-F nfs server:/path	/mnt/point		#solaris

mount 	-o remount,suid 	/mnt/point		# "remount" a fs, so as to set new mount options
							# should be able to remount ro fs as rw


/etc/dfs/dfstab		Solaris, eg:

share -F nfs -o ro -d "tin-sun /mnt/cdrom" /mnt/cdrom
share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/cdrom0
#share -F nfs -o ro -d "tin-sun vold /cdrom" /cdrom/sol_10_305_sparc      # doesn't work for an OS cd
share -F nfs -o ro -d "tin-sun vold /cdrom s0" /cdrom/sol_10_305_sparc/s0 # need to export each slice separately
share -F nfs -o ro -d "tin-sun vold /cdrom s1" /cdrom/sol_10_305_sparc/s1 # as they are mounted separately.

solaris :
mount -F nfs servername:/exportName  /mount/point
	 in solaris
	cdrom 	: hsfs	/dev/rdsk/c0t6d0s0 /cdrom
	dos   	: pcfs

If not using vold to manage cdrom, add entry like this to the vfstab:
/dev/dsk/c0t6d0s0       -     /mnt/cdrom    hsfs    -       no      -

showmount -e 		: display the directories (exports) shared by a remote host that can be mounted

showmount -a			: list remote systems that have mounted an export

solaris loopback fs, sample entry in vfstab, as per man page on mount:

	/export/test - /opt/test lofs - yes -

removable media management - vold

/etc/init.d/volmgt start|stop
in sol up to 9, vold is very buggy and tends to cause problems,
especially after hitting the eject button on the cdrom drive w/o using the soft "eject cdrom".
if it goes bad, stop/start doesn't seem to help.  need reboot.
in sol 10, it seems to be better; at least volmgt stop/start clears things up.

usb devices:
sol 10 handles usb dev mounting pretty well,
mounting them correctly and showing an icon on the desktop.
Files can be accessed in /rmdisk/...
- usb floppy drive from apple
- usb cd/dvd/burner from iomega
- usb memory storage (lexar jumpdrive)

usb devices are hot-plug detected by the kernel since solaris (8?).
usb hard drive should work since solaris 8.
see gmail ref for more info.
/dev/usb/... is the driver, and a sym link is created into /dev/[r]dsk/
though somehow format did not see the disk.

other vold paths:
/vol/...  (/vol/dev/[r]dsk, /vol/dsk, ...)
some may be used as the raw path for floppy dd when vold is running.

linux :

mount -t vfat -o loop=/dev/loop0 /tmp/floppy.dd.img /mnt/loopbackmount
	: use loopback to mount a dd-ed image of a dos floppy, fully writable.

mount -t iso9660 -o loop,ro /tmp/cdrom.dd.img /mnt/loopbackmount
	: same as above, mounting an image created from a cdrom
	# NFS export cannot see loopback devices (at least in linux, solaris)
	# and loopback from a file based off NFS won't work either
	# Typically, supports only 8 loopback "devices" unless you edit loop.c and recompile the kernel

dd if=/dev/cdrom of=/tmp/cdrom.dd.img  : create a dd image of a cdrom, using the raw dev.

smbmount -V
mount -t smbfs -o username=tin,password=foobar //n2k/c$ /mnt/n2k/c$	(trying in rh7.1 jaba)
mount -t smbfs -o 'username=administrator,password=bar,workgroup=ntdom2' // /mnt/smbfs

fuser 	: which user is holding up what file, useful when a mount point is busy, etc
fuser -cu	: -cu show user and resolved user name using a particular mount point

mount -t   ... 
	cdrom is iso9660

Making ext2 floppy
	fdisk /dev/fd0
		create a primary partition of type Linux (ext2)
	mke2fs /dev/fd0
	mount -t ext2 /dev/fd0 /mnt/floppy
	or mount /mnt/floppy (auto determine fs type should work).

linux sample /etc/fstab:

/dev/hda1               /                       ext2    defaults        1 1
/dev/cdrom              /mnt/cdrom              iso9660 noauto,owner,ro 0 0
/dev/hda6               /var                    ext2    defaults        1 2
/dev/hda7               /work                   ext2    defaults        1 2
/dev/fd0                /mnt/floppy             auto    noauto,owner    0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/pts                devpts  gid=5,mode=620  0 0
/dev/hda5               swap                    swap    defaults        0 0
  # external mounts
//$                     /mnt/tin-nt/c$          smbfs   noauto,username=tin 0 0
                        /mnt/test               nfs     noauto          1 1
#/tmp/diag.floppy.dd    /mnt/loopbackmount      vfat    user,exec,noauto,loop=/dev/loop0
/tmp/diag.ext2.dd       /mnt/loopbackmount      ext2    user,exec,noauto,loop=/dev/loop0,ro
/img/rhel-3-cd1.iso     /mnt/rhel-3-cd1         iso9660 loop,ro		# cd iso img from rhn ftp

  #  mount option "user" defaults to noexec (and nosuid, nodev); an "exec" given after it overrides that, as above
  #  sometimes a loopback mount will complain with a strange message if the image is not on a local fs
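Added example (not from the original notes): a small fstab checker that applies the mount(8) rule above, "user"/"users" imply noexec,nosuid,nodev and "owner"/"group" imply nosuid,nodev unless a later option on the same line overrides them, and then flags loop images, removable media and network mounts that still allow setuid or executable files. The fstab text is constructed from the entries above; the function and set names are my own.

```python
# mount(8): "user"/"users" imply noexec,nosuid,nodev; "owner"/"group" imply
# nosuid,nodev; a LATER option on the same line overrides them (e.g. user,exec).
IMPLIED = {"user": ("noexec", "nosuid", "nodev"), "users": ("noexec", "nosuid", "nodev"),
           "owner": ("nosuid", "nodev"), "group": ("nosuid", "nodev")}
PAIRS = {"exec": "noexec", "suid": "nosuid", "dev": "nodev", "rw": "ro"}
OPPOSITE = {**PAIRS, **{v: k for k, v in PAIRS.items()}}

def effective_options(optstr):
    """Resolve an fstab option string into the options that actually apply."""
    eff = ["rw", "exec", "suid", "dev"]           # the relevant part of mount's defaults
    def apply(opt):
        if OPPOSITE.get(opt) in eff:              # an option cancels its opposite
            eff.remove(OPPOSITE[opt])
        if opt not in eff:
            eff.append(opt)
    for opt in optstr.split(","):
        opt = "loop" if opt.startswith("loop=") else opt.strip()   # loop=/dev/loop0 is a loop mount
        if not opt or opt == "defaults":
            continue
        for implied in IMPLIED.get(opt, ()):      # implied restrictions come first ...
            apply(implied)
        apply(opt)                                # ... so later explicit options win
    return eff

def parse_fstab(text):
    """Return (device, mountpoint, fstype, effective options); dump/pass fields are optional."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4:
            entries.append((f[0], f[1], f[2], effective_options(f[3])))
    return entries

REMOVABLE_FS = {"vfat", "msdos", "iso9660", "udf", "auto"}
NETWORK_FS = {"nfs", "nfs4", "smbfs", "cifs"}

def audit_fstab(text):
    """Flag mounts whose content local root does not control but which may supply setuid or executable files."""
    findings = []
    for dev, mnt, fstype, opts in parse_fstab(text):
        untrusted_media = "loop" in opts or fstype in REMOVABLE_FS
        if (untrusted_media or fstype in NETWORK_FS) and "suid" in opts:
            findings.append((mnt, "suid allowed"))
        if untrusted_media and "exec" in opts:
            findings.append((mnt, "exec allowed"))
    return findings

SAMPLE_FSTAB = """\
# constructed sample based on the entries in the notes above
/dev/cdrom              /mnt/cdrom         iso9660 noauto,owner,ro 0 0
/tmp/diag.ext2.dd       /mnt/loopbackmount ext2    user,exec,noauto,loop=/dev/loop0,ro
/img/rhel-3-cd1.iso     /mnt/rhel-3-cd1    iso9660 loop,ro
nfsserver:/unixhome     /nfshome           nfs     rw,soft,intr,tcp 0 0
"""
```

Calling `audit_fstab(SAMPLE_FSTAB)` lists the RHEL iso loop mount as allowing both suid and exec, and the nfs home mount as allowing suid, which is the kind of entry to tighten with nosuid,nodev.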

linux sample /etc/exports:
# Either use
# (1) space-delimited multiple machines for the same export dir;
# each machine's options must follow it immediately, with no space;
# colon (or comma) CANNOT be used to group multiple machines with the same option as in Solaris
# (2) each machine on its own line, with the mount point repeated.
# Then run exportfs -a to export everything
# (eg 1)
/mnt/usbdrv tin-sun(rw,no_root_squash,async) chong-sun(rw,no_root_squash,async)
# (eg 2)
/export  tin-sun(rw,no_root_squash,sync)
/export  chong-sun(rw,no_root_squash,sync)
/export2 *(async)

# be very careful NOT to have a space after the hostname.
# tin-sun (rw)
# would mean tin-sun gets the default options (ro)
# and all hosts (*) would get (rw) !!

# other export options
# eg
# all_squash means everyone will get remapped, in this case to UID=0, GID=0.  but could be mapped to other UID...
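Added example (my code, not from the notes): a parser for /etc/exports that expands each line into (path, client, options) pairs exactly the way the space-after-hostname pitfall above plays out, then reports world exports and no_root_squash entries. The exports text is constructed from the examples above; `Export`, `parse_exports` and `audit_exports` are my names.

```python
import re
from collections import namedtuple

Export = namedtuple("Export", "path client options")

# A client spec is  host(opt,opt)  with NO space before the "(".  A bare "(opts)"
# token (the space-after-hostname mistake) matches with an empty host.
_SPEC = re.compile(r"(\S*?)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Expand /etc/exports text into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        if not specs:                                 # no client at all = every host
            exports.append(Export(path, "*", ()))
        for spec in specs:
            host, opts = _SPEC.fullmatch(spec).groups()
            if host == "":                            # "(rw)" standing alone applies to all hosts
                host = "*"
            options = tuple(o.strip() for o in opts.split(",") if o.strip()) if opts is not None else ()
            exports.append(Export(path, host, options))
    return exports

def audit_exports(text):
    """Return (path, client, reason) findings a reviewer would want to see."""
    findings = []
    for e in parse_exports(text):
        if e.client == "*":
            # exports(5) defaults to ro, so "rw" only counts when written explicitly
            kind = "world-writable export" if "rw" in e.options else "world-readable export"
            findings.append((e.path, e.client, kind))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "no_root_squash: remote root is root on this fs"))
    return findings

SAMPLE_EXPORTS = """\
# constructed sample, mirroring the patterns in the notes above
/mnt/usbdrv tin-sun(rw,no_root_squash,async) chong-sun(rw,no_root_squash,async)
/export  tin-sun(rw,no_root_squash,sync)
/export  chong-sun(rw,no_root_squash,sync)
/export2 *(async)
/export3 tin-sun (rw)
"""

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-10s %s" % (path, client, reason))
```

The last sample line is the pitfall: it parses as tin-sun with default options plus a separate `*` client with rw, and is reported as a world-writable export.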

### smb.conf and related stuff

security = domain, 
then use
smbpasswd -j ntdom1 -r '' -UAdministrator%password

USB hard drive on linux.
Hot plug ok.
Tested on RH AS 3.0 (ges-dfm).
Typically made available as /dev/sda1.


doc found by peter, fwd by emily about the basics of cifs file operation.

cifs		common internet file system
			used by windows, and also has stuff like network browsing,
			print services, authentication (NT).  aka smb
			Commonly a layer 7/6 (app/presentation) protocol, and usually
			runs over NTB.

smb			server message block

samba		unix open source implementation of some of cifs.

NTB			NetBIOS over TCP
NetBEUI		NetBIOS Enhanced User Interface (NetBios + precursor of CIFS)

SNIA	Storage Network Industry Association
		Coming up with a CIFS 1.0 protocol w/ IETF.
		Subset of current M$ CIFS, trying to document it better,
		and maintain it for the future.

WINS	M$ refers to this as the NetBIOS name server implementation.
		Same function as DNS, but implemented totally differently.
		Uses lots of broadcast!
		Runs over NetBIOS (on top of whatever network protocol).

Linux fstab eg

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /dev/shm                tmpfs   defaults        0 0
none                    /proc                   proc    defaults        0 0
none                    /sys                    sysfs   defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

/dev/emcpowerc          /mnt/emcpowerc          ext3    defaults        0 0
nfsserver:/unixhome       /nfshome              nfs    rw,soft,intr,tcp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0	# cambridge eg
nfsserver:/unixhome       /nfshome              nfs bg,rw,hard,intr,udp,rsize=32768,wsize=32768,vers=3,timeo=4,retrans=9 0 0
agami01:/export/agami  /nfsbackup/agami         nfs    rw,nfsvers=3,rsize=32768,wsize=32768,tcp,intr,soft			# RHEL 4.5

/net/pollo/local/LINUX/SUSE/SUSE-10.0-CD-i386-GM-CD1.iso       /mnt/loopback/SUSE-10.0-CD-i386-GM-CD1   iso9660 loop,ro,noauto
/export/repo/iso/RHEL4-U5-i386-WS-disc1.iso     /mnt/loopback/RHEL4-U5-i386-WS-disc1    iso9660 loop,ro,noauto

Solaris vfstab eg

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/md/dsk/d10 /dev/md/rdsk/d10        /       ufs     1       no      logging
/dev/md/dsk/d20 -       	-       swap    -       no      logging
swap    -       /tmp    tmpfs   -       yes     -
nfsserver:/unixhome                          -  /nfshome    nfs 2 yes rw,vers=3,rsize=32768,wsize=32768,proto=tcp,intr,soft




samba 3 uses NT domain logins to serve account information, and
samba 4 is compatible with active directory.

samba 2 uses smbpasswd. samba 3 uses pdbedit (and no more smbpasswd?)

samba 2.x
smbpasswd -j  -r  -Uuser%password
run winbindd
then start samba.

nmblookup -U  -R 


samba 3.0 uses the "net" command:
net [method] [-d dbgLevelNum] join member -Uadministrator%password -S tileg-bdc1
	member = add host as member host (not as pdc/bdc)
	-S = target (Windows) server to use
	[method] can be blank, it will auto detect
		 ads = XP  style
		 rpc = nt4 style
		 rap = win95 style ?

	-d 0-10	specify debug level info (spilled to console), 0=none, 5=a lot, 10=unreadable.  Try 3.

net testjoin
	check whether domain participation is still valid
	# no longer avail???

net help 
	show help


strace -o /tmp/output smbpasswd ...
to see what file it opens; it has a tendency to open the wrong smb.conf

wbinfo -u
list all domain users

bin/testparm lib/smb.conf
	check that smb.conf is correct.

smbclient  // -W ntdom1 -Uadministrator%password
	ftp like client to connect to nt-style share

smbclient -L -N
	list shares available from the given server
 	-N = force no ask password


update 2004/06/23, for samba 3.0, in tileg/hybridauto

config procedure
create /usr/local/samba/lib/smb.conf file (see eg here for core elements).
bin/testparm lib/smb.conf

add member host in PDC via server manager.
net join -Uadmin -S PDC-server		# for security=server

sbin/smbd -D -s lib/smb.conf
	# parameters are really the defaults, but just in case samba has its own mind.
sbin/smbd --version	
	# show version

If using security=user, then may need to use smbpasswd -a to add user 
Although it seems to authenticate via NIS if no smbpasswd entry.


quick and dirty config w/o domain fuss,
in smb.conf, set to use user level security mode (ie local list of samba users) :
   security = user

add users to the smbpasswd file as follows (user must be recognized as an os level user):
smbpasswd -a USERNAME
change existing user password:
smbpasswd USERNAME

Samba 3 uses pdbedit.

pdbedit -L -v 		# list samba users, verbose
			# samba local db stored in /var/lib/samba/private/private.tdb

location specified by smb.conf, typically /usr/local/samba/var

log.IP		= NetBIOS ip to name resolution log, per each client machine connecting to the server.
log.HOSTNAME	= smbd log for each connecting client after netbios name resolution.

log.nmbd	= nmbd server process/status log
log.smbd	= smbd server process/status log.  level determined by smb.conf



; Wcry-like exploit
; security fix as per
nt pipe support = no

# log level = 3 passdb:5 auth:10 winbind:2
# log level = 0 (default)
log level = 2

# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
# TILEG is the NT4 domain.  smb.conf only treats whole lines starting with # or ; as comments,
# so a note after a value becomes part of the value; keep notes on their own lines.
   workgroup = TILEG

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
# user   = local passwd/smbpasswd file
# server = need to join machine to nt domain
# domain = probably never used this.
   #security = user
   security = server
   #security = domain

# whether to use encrypted password
#encrypt passwords = yes        # default = yes
#encrypt passwords = no

   load printers = yes
   log file = /usr/local/samba/var/log.%m

    password server = tileg-bdc1
	# this was needed as somehow my machine could not determin
	# who was PDC, probably no broadcast on this vlan.

   wins support = no
   wins server =
	# set it so that samba is not wins server, 
	# and have it use wins on BRIO-BDC1
	# otherwise, lot of browse by \\hostname will get bad
	# unresolvable hostname :(

   socket options = TCP_NODELAY
   dns proxy = no

#============================ Share Definitions ==============================
### custom settings here
   comment = test dir
   browsable = yes
   read only = no
   create mode = 755
   path = /export/tmp/test
   user = tho

#============================ Share Definitions ==============================
### this and other were smb.conf.default settings.
   comment = Home Directories
   browseable = no
   writable = yes

username mapping

in smb.conf, there is a clause like
        username map = /etc/samba/smbusers
which by default is
root=administrator admin
nobody=guest pcguest smbg
This file can be updated to map users whose login names differ between unix and windows.

SID to UID/GID mapping

the ID numbers are what the computer uses. winbind has to provide unix UID/GID numbers. If a username is not resolvable to a unix UID number, it will generate a number and use it. The number generated is in a range defined in smb.conf. This number is stored in "idmap" and there is a "net idmap" command to dump and restore it (editing is by hand-editing the dump and reimporting it?).
pdbedit is the samba user database. Users of samba need to have an account added here. The UID number assigned here may differ from what winbind (wbinfo) may return. OS calls such as getent and id would honor the UID# assigned in pdbedit (when winbind is used in nsswitch.conf).
Not sure what order of precedence wbinfo works on. It does "do the right thing" in that id would look at places where one can manipulate UID# using pdbedit (?)

pdbedit — manage the SAM database (Database of Samba Users)
        pdbedit entry can overwrite UID# winbindd returns
        getent passwd USERNAME  will return UID# specified in pdbedit (nsswitch.conf passwd use "files winbind")

pdbedit -L -w -d0       # -L = list all entries (ie a dump).
                        # -w = smbpasswd format
                        # -d0= debug level 0 (may still get warning messages in output)

pdbedit --modify

pdbedit -a sn           # add user sn.  user must exist as unix (passwd) or windows (AD) user.

pdbedit -x -u sn        # deleting a user that has a uid randomly assigned
                        # and readding it after it exist in passwd
                        # may set it to have the right UID#

wbinfo  # query winbind for info

wbinfo -u | wc          # list all --domain-users

wbinfo -n ateran                                        # --name-to-sid
wbinfo --user-sidinfo SID                               # return passwd-like string with UID# for a given SID
wbinfo -S S-1-5-21-1224182940-43089146-691797619-2275   # --sid-to-uid    eg: 781 
wbinfo -s S-1-5-21-1224182940-43089146-691797619-4805   # --sid-to-name
wbinfo --sid-to-fullname SID    			# convert to DOMAIN\username
wbinfo --user-sids SID          			# list group SID   a given SID belongs to
wbinfo --user-domgroups  SID    			# list domaingroup a given SID belongs to
wbinfo --sid-aliases S-1-5-21-1224182940-43089146-691797619-2275  # sid has aliases!!

wbinfo -i bofh          # login to uid#
wbinfo -r bofh          # get unix secondary gid for named user

wbinfo --uid-info 781   # return passwd-like string for given uid#

ref: samba doc on wbinfo


winbindd performs SID to UID# mapping. info stored in a db.
ref: NAME AND ID RESOLUTION section of winbindd samba doc
UID# are often generated for users w/o a unix passwd entry. Thus, if multiple machines run winbindd, it would be good to set up a cronjob to keep the winbind db in sync (idmap)
net cache flush
idmap does mapping between SID and UID#/GID#. When the file is dumped, it can be (carefully) edited and (re)-imported (by different hosts).
# syncing IDs between different winbind machines
net idmap dump    /var/lib/samba/winbindd_idmap.tdb > dumpfile.txt
net idmap restore /var/lib/samba/winbindd_idmap.tdb < dumpfile.txt

# one-liner: pipe the dump straight into the other host's restore.  OTHERHOST is a placeholder for the other winbind machine;
# stdout must not be sent to /dev/null before the pipe, or nothing reaches ssh.
net idmap dump /var/lib/samba/winbindd_idmap.tdb 2>/dev/null | ssh OTHERHOST 'net idmap restore /var/lib/samba/winbindd_idmap.tdb'
ref: Samba3 :: Chapter 12. Remote and Local Management: The Net Command :: Managing IDMAP UID/SID Mappings (at the end)
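Added example (my code, not Samba's and not from the notes) for the idmap syncing described above: it parses two `net idmap dump` outputs, assuming the `UID n SID` / `GID n SID` / `USER HWM n` / `GROUP HWM n` line format, and reports the two kinds of disagreement that must be fixed by hand before a dump from one host is restored on another, namely one SID mapped to two different numbers, and one number handed to two different SIDs (which would make files owned by one domain user readable by another). The two dumps are constructed; only the -2275 -> 781 mapping comes from the wbinfo notes above.

```python
import re

# net idmap dump prints one line per mapping, "UID 781 S-1-5-21-..." or
# "GID 10000 S-1-5-...", plus the allocation high-water marks "USER HWM n" / "GROUP HWM n".
_LINE = re.compile(r"^(UID|GID) (\d+) (S-1-\S+)$|^(USER|GROUP) HWM (\d+)$")

def parse_idmap_dump(text):
    """Return ({(kind, sid): number}, {'USER': hwm, 'GROUP': hwm}) from dump output."""
    mapping, hwm = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised idmap dump line: %r" % line)
        if m.group(1):
            mapping[(m.group(1), m.group(3))] = int(m.group(2))
        else:
            hwm[m.group(4)] = int(m.group(5))
    return mapping, hwm

def idmap_conflicts(a, b):
    """Mappings that cannot be merged: same SID with two numbers, or one number given to two SIDs."""
    conflicts = []
    for key in a.keys() & b.keys():                       # (1) same SID, different UID/GID
        if a[key] != b[key]:
            conflicts.append(("sid", key[1], a[key], b[key]))
    number_to_sid = {(kind, num): sid for (kind, sid), num in a.items()}
    for (kind, sid), num in b.items():                    # (2) same number, different SID
        other = number_to_sid.get((kind, num))
        if other is not None and other != sid:
            conflicts.append(("number", kind, num, other, sid))
    return conflicts

# constructed dumps from two winbind hosts (the -5100 user was allocated independently on each)
HOST_A = """\
USER HWM 10003
GROUP HWM 10001
UID 781 S-1-5-21-1224182940-43089146-691797619-2275
UID 10001 S-1-5-21-1224182940-43089146-691797619-4805
UID 10002 S-1-5-21-1224182940-43089146-691797619-5100
GID 10000 S-1-5-21-1224182940-43089146-691797619-513
"""
HOST_B = """\
USER HWM 10002
GROUP HWM 10001
UID 781 S-1-5-21-1224182940-43089146-691797619-2275
UID 10001 S-1-5-21-1224182940-43089146-691797619-5100
GID 10000 S-1-5-21-1224182940-43089146-691797619-513
"""
```

Running `idmap_conflicts(*[parse_idmap_dump(d)[0] for d in (HOST_A, HOST_B)])` shows both problems at once: the -5100 SID is 10002 on one host and 10001 on the other, and UID 10001 belongs to -4805 on host A but to -5100 on host B.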

wbinfo -m               # list --trusted-domains
wbinfo --own-domain     # what domain this smb server is on
wbinfo -p               # --ping winbindd to ensure connection still good
wbinfo -P               # --ping-dc       to ensure connection still good
wbinfo -t               # --check-secret  of workstation to AD still good
			# ie determine if secret used to join ntdomain is still good (security=server)

net cmd

To interact with AD, Samba's net command (modelled on the Windows/DOS net commands) is available.
net rpc info

the net idmap command operates locally and is covered in the SID to UID/GID mapping section above

[Doc URL:]
(cc) Tin Ho. See main page for copyright info.