cifs/smbfs Machine Account

[User3204]

I use this Automatic backup to a Windows share |*CensorNet which allows me to connect to a SAMBA share on boot.

Basically:

Code:

//adserver/Public /mnt/win smbfs defaults,user,auto,username=joe,password=password123 0 0

in the fstab file.

The trouble is, you're not supposed to use smbfs and smbclient anymore, dunno why, but Ubuntu tells me off.

[apeo]

@Geoff: Interesting.. messed around, created a Windows Server 2008 R2 NFS server and it looks like I can create an NFS share to allow only a specified host to connect. Then granting Everyone access in ntfs acl to grant access to unmapped unix users because I dont want to configure user mapping. Still not really using machine account as a means to authenticate but its close as im going to get to it i guess...?

[Geoff]

Yeah that'll do. Just watch out for issues with the permission and user/group ownership translation when writing files back to the NFS share.

[apeo]

Right, I'll do a few tests and see how the permissions translate. BTW what are the security implications if i enable root access? It says Not Recommended in brackets. I know that when unmapped users access the nfs share it maps to Anonymous but if you enable root access, it maps root to Administrator. Can I assume that its only the nfs share that root has access to and nothing else i.e. there's no way for root to access any other part of of the computer or even the network as Administrator? Can I also assume that if the nfs share is on a DC then root will map to AD Administrator? so what are the issues with this?

[Geoff]

The default for NFS (at least on Linux) is for root to be mapped to guest. That way nothing bad happens when you mount an NFS share from a server you do not entirely trust or do not know where all its files came from. If you don't care about security then yes, allow root access.

[apeo]

The default for NFS (at least on Linux) is for root to be mapped to guest. That way nothing bad happens when you mount an NFS share from a server you do not entirely trust or do not know where all its files came from. If you don't care about security then yes, allow root access.

It seems that with Windows NFS, root gets mapped to Administrator and if you dont allow root access, then it does exactly that (stop root access). Sorry for all the questions, can I just clarify what would be the Security issue with enabling root? I assume its something to do with the fact that it gets mapped to Administrator but if it only has access to the nfs share only then I dont see how thats different from granting Everyone full permissions to the folder.

[Geoff]

Assume Bob and John both use the same NFS server for a shared project. Assume their client machines both mount the same NFS share with root access intacted. Now assume there is some script or program contained within this NFS share that needs root access to do its job. Bob alters this script/program and introduces an error that causes it to corrupt filesystem data. Bob doesn't test this change but John does. Bob just hosed Johns machine via NFS. The system administrator investigates and also runs the program without the protection of a chroot jail. Bob just broke the server too.