Rafiu Fakunle wrote:
>
>>
>> I did some more experimenting and looking at your apache config file
>> and found some odd things.
>>
>> First my share setup:
>> /mnt/data/users/jschewe is what I'm trying to access.
>> That share is set to be RO by the users group and RW by the NULL group
>> The NULL group is set as primary group.
>> The user "jschewe" has the primary group of "users" and no one is in
>> the NULL group.
>>
>> I have this setup because I don't want anyone to have write
>> access to the home directories, so I've created this NULL group that
>> no one is in. I could create a group per person, however that's a bit
>> of a pain. Or is that the expected usage?
>>
>> Looking at the apache config it seems that to access the share
>> "jschewe" the user needs to be both in the "NULL" group AND in the
>> "users" group, even though using standard unix permissions only the
>> "users" group is required.
>>
>> Is there a way to set up permissions through the UI for users rather
>> than just groups? What I'd really like is for /mnt/data/users/jschewe
>> to be owned by "jschewe" and the group "NULL" and allow the group
>> "users" RO access. I would like "jschewe" to only be in the group
>> "users". I would like "jschewe" to be able to RW to
>> /mnt/data/users/jschewe through all protocols, CIFS, NFS, WebDAV. Is
>> it possible to do this just through the UI or do I need to go in
>> through the console? Are there better suggestions for using Openfiler
>> for home directories?
>
>
> OK, I played around with this for a bit to see whether what you're
> advocating is possible specifically for WebDAV (all other protocols
> already support home dirs with the current config parameters).
>
> Create your "users" subfolder, click the subfolder name then click
> "Make Homes Folder" in the popup dialog.
>
> Select the export protocols for the individual networks that will be
> accessing the share then submit the form.
>
> Next edit /etc/httpd/conf.d/openfiler-shares.conf and enter the
> following parameters in the Directory context for the users share:
>
> AuthType Basic
> AuthBasicAuthoritative off
> AuthUserFile    /dev/null
> AuthPAM_Enabled on
> AuthPAM_FallThrough on
> AuthName Homes
> Require valid-user
>
> Add a "*" after the path attribute of the Directory context:
>
> eg.
>
> <Directory "/mnt/data/users/*">
>
> Restart httpd (service httpd restart)
>
> Log in to the share using an SMB client (this should automatically
> create the user's home directory in /mnt/data/users)
>
> Disable world access to the user's home directory:
>
> setfacl  -R  -m  o::---,default:o::--- /mnt/data/users/jschewe
>
> Connect via WebDAV.
>
> Try with a second user to verify that it's secure.
>
>
> Let me know if this works for you.
>
>
Won't that get stomped each time I change things in the UI though?

Also can I have multiple shares marked as home shares? I'm pretty sure
not, so I ended up doing this.
1) Create volume named data
2) Create volume group named lv_users
3) Create subdirectory users
4) Make users a share with PG admins and give the users group RO access
5) From the commandline create the directory in users for the specified
user and make the directory be owned by the user's uid and set the gid
to be NULL. This allows us to make sure that we can still use a umask
that permits group write over NFS for our project directories, but
doesn't allow others to write to our home directories.

This works fine for NFS. I tried it with webdav and I can read my home
directory, but can't seem to write. I do see the following errors in the
httpd/ssl_error_log when I access it from my Mac using the finder and
when trying to create directories, however the errors don't show up when
accessing it via Firefox.

[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] The locks
could not be queried for verification against a possible "If:" header. 
[500, #0]
[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] Could not
open the lock database.  [500, #400]
[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] (2)No such
file or directory: Could not open property database.  [500, #1]
[Mon Aug 18 14:21:58 2008] [error] [client 128.33.251.128] The locks
could not be queried for verification against a possible "If:" header. 
[500, #0]
[Mon Aug 18 14:21:58 2008] [error] [client 128.33.251.128] Could not
open the lock database.  [500, #400]
[Mon Aug 18 14:21:58 2008] [error] [client 128.33.251.128] (2)No such
file or directory: Could not open property database.  [500, #1]



-- 
Jon Schewe
Research Scientist
BBN Technologies
5775 Wayzata Blvd.
Suite 630
St. Louis Park, MN 55416
952-545-5720 - Office
952-545-5727 - Fax
www.bbn.com

_______________________________________________
Openfiler-users mailing list
[email protected]
https://lists.openfiler.com/mailman/listinfo/openfiler-users
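The ssl_error_log lines quoted in the message above are the three mod_dav storage failures that show up together when the httpd process can write neither its lock database nor the per-directory property store. The following is an added example, not code from the thread or from the Openfiler project: a small Python parser for Apache 2.2-style error_log lines that counts those signatures per client and maps each to the usual cause. The sample lines are constructed to match the quoted format, and the diagnosis strings assume the standard mod_dav_fs layout (the `DavLockDB` file for locks, a `.DAV/` subdirectory inside the share for properties), which is an assumption about the reader's setup rather than something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Apache 2.2 error_log format quoted in the thread.
SAMPLE_LOG = """\
[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] The locks could not be queried for verification against a possible "If:" header.  [500, #0]
[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] Could not open the lock database.  [500, #400]
[Mon Aug 18 14:21:48 2008] [error] [client 128.33.251.128] (2)No such file or directory: Could not open property database.  [500, #1]
[Mon Aug 18 14:22:05 2008] [notice] caught SIGTERM, shutting down
[Mon Aug 18 14:22:07 2008] [error] [client 10.0.0.7] File does not exist: /mnt/data/users/nobody
"""

# "[timestamp] [level] [client a.b.c.d] message" ; the client part is optional
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)

# Substrings of the three messages quoted in the thread, keyed by what they point at.
DAV_SIGNATURES = {
    "lock database": "Could not open the lock database",
    "property database": "Could not open property database",
    "if-header": 'could not be queried for verification against a possible "If:" header',
}


def parse_line(line):
    """Split one error_log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # mod_dav appends "[<http status>, #<dav error>]" to its messages; pull that out.
    code = re.search(r'\[(\d{3}), #(\d+)\]\s*$', rec["msg"])
    rec["http_status"] = int(code.group(1)) if code else None
    rec["dav_errno"] = int(code.group(2)) if code else None
    return rec


def find_dav_failures(text):
    """Return {client: {signature: count}} for error-level mod_dav storage failures."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["level"] != "error":
            continue
        for name, needle in DAV_SIGNATURES.items():
            if needle in rec["msg"]:
                counts[rec["client"]][name] += 1
    return {client: dict(kinds) for client, kinds in counts.items()}


def diagnose(failures):
    """Map each failure class to the filesystem condition an admin should check."""
    hints = []
    for client, kinds in failures.items():
        if "lock database" in kinds:
            # Assumption: locks live in the file named by DavLockDB; httpd's user must own/write it.
            hints.append(f"{client}: DavLockDB path missing or not writable by the httpd user")
        if "property database" in kinds:
            # Assumption: mod_dav_fs keeps dead properties in .DAV/ inside the target directory.
            hints.append(f"{client}: httpd user cannot create .DAV/ inside the target directory")
    return hints


if __name__ == "__main__":
    failures = find_dav_failures(SAMPLE_LOG)
    for client, kinds in failures.items():
        print(client, kinds)
    for hint in diagnose(failures):
        print(hint)
```

The point of keeping the per-client breakdown is that the thread's symptom (reads work, writes fail, and only from a locking client such as the Finder) is exactly what an unwritable lock or property store looks like; Firefox never issues LOCK/PROPPATCH, so it never trips these lines. The `http_status`/`dav_errno` fields are parsed so the same parser can be pointed at a real log and grouped on status rather than on the message text.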