3.2 Compatibility Issues for Trustee Rights on Linux

This section discusses the following issues for controlling access to files on Linux:

3.2.1 Enforcing Trustee Rights on Linux

File and directory access rights are enforced on Linux systems in different ways, depending on the following:

  • User identity, such as eDirectory users, Linux-enabled eDirectory users, and local-only users

  • Access method, such as NCP Server, other protocols, or core Linux utilities

  • File system access control, such as NSS file and directory attributes

See the following sections for an overview of these issues:

eDirectory Users

The following table describes how file system access rights are enforced on Linux systems for eDirectory users:

| File System | Access via NCP Server for Linux | Access via Linux Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | NCP and NSS enforce access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| NCP volumes on Linux POSIX file systems | NCP enforces access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| Linux POSIX file systems | eDirectory users have no access to files via NCP. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |

Local-Only Users

The following table describes how file system access rights are enforced on Linux systems for locally defined users, based on the access method:

| File System | NCP Server for Linux | Other Protocols (such as NFS or Samba) | Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| NCP volumes on Linux POSIX | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| Linux POSIX file systems | Local users have no access to files via NCP. Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |

Core Linux Utilities

Core Linux utilities are standard file services used to access files. They include:

  • Shell login

  • Samba server

  • File transfer protocol (ftp)

  • Secure shell (ssh)

  • Substitute user (su), which runs a shell as root (or superuser)

  • Remote shell (rsh)

  • Remote login (rlogin)

  • X display manager (xdm)

  • Small Footprint CIM Broker (SFCB)

IMPORTANT: To enable users of NSS volumes and NCP volumes to use the core Linux utilities, you must PAM-enable the utility with Linux User Management (LUM) and Linux-enable the users with LUM. For information, see OES 11 SP2: Novell Linux User Management Administration Guide.

3.2.2 Assigning Trustee Rights on Linux

The following table identifies the management tools to use to assign Novell trustee rights on the NSS file system for Linux:

IMPORTANT: Only eDirectory users are eligible for file-system trustee rights.

NSS File System on Linux

| Management Tool | NCP | NFS or Samba | Core Linux Utilities |
|---|---|---|---|
| NSS rights utility | Yes | Yes | Yes |
| Files and Folders plug-in to iManager | Yes | No | No |
| Novell NetStorage | Yes | Yes | Yes, for NetStorage with SSH support |
| Novell Client for Windows XP/2003, Vista, 7, and 8 | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable |

The following table identifies the management tools to use to assign Novell trustee rights on Linux POSIX file systems:

Linux POSIX File Systems

| Management Tool | NCP | NFS or Samba | Core Linux Utilities |
|---|---|---|---|
| NSS rights utility | Yes | Not applicable | Not applicable |
| Files and Folders plug-in to iManager | Yes | No | No |
| Novell NetStorage | Not supported by NetStorage | Not applicable | Not applicable |
| Novell Client for Windows XP/2003, Vista, 7, and 8 | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable |

3.2.3 Key Considerations

If you use core Linux utilities—with, or instead of, NCP Server for Linux—to control file access for eDirectory users on Linux:

  • Ensure that the core Linux utilities are PAM-enabled during Linux User Management (LUM) configuration.

  • eDirectory users must be Linux-enabled to use the core Linux utilities. A Linux-enabled user is defined as a local user and as an eDirectory user. (Linux-enabled is also referred to as LUM-enabled.)
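Both considerations above can be checked from the server's PAM and name-service configuration. The following is an added example, not part of the original guide: it assumes that LUM's PAM module is pam_nam.so and that its name-service source is nam, and it runs against a constructed sample tree rather than the live /etc.

```shell
#!/bin/sh
# Added example. Assumptions: pam_nam.so is the LUM PAM module, "nam" is its
# nsswitch source, and PAM service files are named after the utility.

# Print active PAM lines for a service, following include/substack directives.
pam_active_lines() (
    dir=$1 svc=$2 depth=${3:-0}
    [ -f "$dir/$svc" ] && [ "$depth" -le 4 ] || exit 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$dir/$svc" |
    while read -r type control rest; do
        case $control in
            include|substack)
                pam_active_lines "$dir" "${rest%% *}" $((depth + 1)) ;;
            *)  printf '%s %s %s\n' "$type" "$control" "$rest" ;;
        esac
    done
)

# Report enabled / missing / no-file for one service in a pam.d directory.
lum_pam_status() {
    if [ ! -f "$1/$2" ]; then echo no-file
    elif pam_active_lines "$1" "$2" | grep 'pam_nam\.so' >/dev/null; then echo enabled
    else echo missing
    fi
}

# Succeed if database $2 (passwd or group) in nsswitch file $1 lists "nam".
nss_has_nam() {
    sed 's/#.*//' "$1" |
        grep -E "^[[:space:]]*$2:(.*[[:space:]])?nam([[:space:]]|\$)" >/dev/null
}

# Constructed sample tree (not taken from a real server).
build_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    printf 'auth sufficient pam_nam.so\nauth include common-auth\n' >"$d/pam.d/sshd"
    printf 'auth include common-auth\n' >"$d/pam.d/su"
    printf '#auth sufficient pam_nam.so\nauth required pam_unix.so\n' >"$d/pam.d/common-auth"
    printf 'auth substack lum-stack\n' >"$d/pam.d/login"
    printf 'auth sufficient pam_nam.so\n' >"$d/pam.d/lum-stack"
    printf 'passwd: compat nam\ngroup: compat\n' >"$d/nsswitch.conf"
    echo "$d"
}

sample=$(build_sample)
for svc in sshd su login ftp; do
    echo "$svc: $(lum_pam_status "$sample/pam.d" "$svc")"
done
nss_has_nam "$sample/nsswitch.conf" passwd && echo "passwd: nam configured"
rm -rf "$sample"
```

A service reported as missing or no-file is one through which Linux-enabled eDirectory users cannot authenticate. A commented-out module line counts as missing.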

Although NCP and NSS keep trustee rights information separately, the information is synchronized between them.