* multiuser access and group membership(s)
@ 2021-04-13 19:13 L Walsh
2021-04-14 9:19 ` Aurélien Aptel
0 siblings, 1 reply; 2+ messages in thread
From: L Walsh @ 2021-04-13 19:13 UTC (permalink / raw)
To: linux-cifs
I tried the multiuser mount using domain-creds.
Surprises:
* Files owned by local accounts appeared to be owned
by 'root:root'.
* Files in well-known-groups, seemed to
resolve ok, but didn't recognize my domain login as
being in one of those groups.
* Files with group ownership of Administrators allowed access
regardless of permission bits (though I am in Administrators group).
-However, files owned (showing in UID) field AdministratorsGroup
showed up as being owned by 'root' from the linux machine and
didn't enable access (though some other rule might).
=== Interesting direction.
I have some disappointment in that the remote Windows machine doesn't
recognize membership in domain groups (or local groups) when
mount options use a domain account (and cifscreds contain a domain
account).
Ex.: (w/Bliss or BLISS being my local NT4-style domain
hosted on the linux box).
local group "lawgroup" on Win machine, contains
BLISS\Domain Admins
Bliss\law
BLISS\lawgroup
law (local account)
yet to 'Bliss/law' on linux, it appears to be
owned by 'root' and doesn't enable access.
Shouldn't the smb server on the win-machine be
able to enable access via domain group membership?
Maybe I just don't have it configured correctly...?
Also noting that unix extensions don't seem to be getting
negotiated. From mount, listed options are:
//Athenae/C/ on /athenae type cifs
(rw,nosuid,nodev,noexec,relatime,vers=2.1,cache=strict,username=law,
domain=BLISS,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.3.12,
file_mode=0755,dir_mode=0755,nocase,soft,resilienthandles,nounix,
setuids,serverino,mapchars,cifsacl,rsize=1048576,wsize=1048576,
bsize=1048576,echo_interval=60,max_credits=60000,actimeo=1,user)
Q: Is it possible to get the Win server to recognize group memberships?
I note that Privileges in the domain aren't acknowledged on
the win-file-system, though the win-user using a samba-mount
will have privs recognized.
Thanks!
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: multiuser access and group membership(s)
2021-04-13 19:13 multiuser access and group membership(s) L Walsh
@ 2021-04-14 9:19 ` Aurélien Aptel
0 siblings, 0 replies; 2+ messages in thread
From: Aurélien Aptel @ 2021-04-14 9:19 UTC (permalink / raw)
To: L Walsh, linux-cifs
Hi,
> Surprises:
>
> * Files owned by local accounts appeared to be owned
> by 'root:root'.
When cifs.ko fails to resolve sid<=>uid/gid mapping it defaults to
root:root.
> * Files in well-known-groups, seemed to
> resolve ok, but didn't recognize my domain login as
> being in one of those groups.
Make sure you have cifsacl along with multiuser. In my testing
(multiuser with kerberos) I can see domain accounts resolve fine. Not
sure about local accounts.
Keep in mind cifs.ko is delegating the work of resolving to winbind. So
I would suggest trying resolving the things that don't seem to work
directly with the wbinfo utility (see --sid-to-uid, --sid-to-fullname
etc). My guess is it won't work either but it could be easier to debug
from that end.
> * Files with group ownership of Administrators allowed access
> regardless of permission bits (though I am in Administrators group).
> -However, files owned (showing in UID) field AdministratorsGroup
> showed up as being owned by 'root' from the linux machine and
> didn't enable access (though some other rule might).
cifsacl mount option will also enable mapping mode bits to ACL but in a
best-effort manner as a 1:1 mapping is unfortunately impossible. It is
not very reliable and we also have no tests to check those mappings :(
I think Shyam worked on this recently, maybe he can comment.
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-14 9:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-13 19:13 multiuser access and group membership(s) L Walsh
2021-04-14 9:19 ` Aurélien Aptel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).