linux-cifs.vger.kernel.org archive mirror
* multiuser access and group membership(s)
@ 2021-04-13 19:13 L Walsh
From: L Walsh @ 2021-04-13 19:13 UTC
  To: linux-cifs

I tried the multiuser mount using domain-creds.

Surprises:

* Files owned by local accounts appeared to be owned
by 'root:root'. 

* Files in well-known-groups, seemed to
resolve ok, but didn't recognize my domain login as
being in one of those groups.

* Files with group ownership of Administrators allowed access
  regardless of permission bits (though I am in Administrators group).
 -However, files owned (showing in UID) field AdministratorsGroup
  showed up as being owned by 'root' from the linux machine  and
  didn't enable access (though some other rule might).

=== Interesting direction.

I have some disappointment in that the remote Windows machine doesn't
recognize membership in domain groups (or local groups) when
mount options use a domain account (and cifscreds contain a domain
account).

Ex.: (w/Bliss or BLISS being my local NT4-style domain
hosted on the linux box).
local group "lawgroup" on Win machine, contains

BLISS\Domain Admins
Bliss\law
BLISS\lawgroup
law  (local account)

yet to 'Bliss/law' on linux, it appears to be
owned by 'root' and doesn't enable access.

Shouldn't the smb server on the win-machine be
able to enable access via domain group membership?
Maybe I just don't have it configured correctly...?

Also noting that unix extensions don't seem to be getting
negotiated.  From mount, listed options are:
//Athenae/C/ on /athenae type cifs 
(rw,nosuid,nodev,noexec,relatime,vers=2.1,cache=strict,username=law,
domain=BLISS,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.3.12,
file_mode=0755,dir_mode=0755,nocase,soft,resilienthandles,nounix,
setuids,serverino,mapchars,cifsacl,rsize=1048576,wsize=1048576,
bsize=1048576,echo_interval=60,max_credits=60000,actimeo=1,user)

Q: Is it possible to get the Win server to recognize group memberships?

I note that Privileges in the domain aren't acknowledged on
the win-file-system, though the win-user using a samba-mount
will have privs recognized.

Thanks!


* Re: multiuser access and group membership(s)
From: Aurélien Aptel @ 2021-04-14  9:19 UTC
  To: L Walsh, linux-cifs

Hi,

> Surprises:
>
> * Files owned by local accounts appeared to be owned
> by 'root:root'. 

When cifs.ko fails to resolve sid<=>uid/gid mapping it defaults to
root:root.

> * Files in well-known-groups, seemed to
> resolve ok, but didn't recognize my domain login as
> being in one of those groups.

Make sure you have cifsacl along with multiuser. In my testing
(multiuser with kerberos) I can see domain accounts resolve fine. Not
sure about local accounts. 

Keep in mind cifs.ko is delegating the work of resolving to winbind. So
I would suggest trying to resolve the things that don't seem to work
directly with the wbinfo utility (see --sid-to-uid, --sid-to-fullname
etc). My guess is it won't work either but it could be easier to debug
from that end.

> * Files with group ownership of Administrators allowed access
>   regardless of permission bits (though I am in Administrators group).
>  -However, files owned (showing in UID) field AdministratorsGroup
>   showed up as being owned by 'root' from the linux machine  and
>   didn't enable access (though some other rule might).

cifsacl mount option will also enable mapping mode bits to ACL but in a
best-effort manner as a 1:1 mapping is unfortunately impossible. It is
not very reliable and we also have no tests to check those mappings :(

I think Shyam worked on this recently, maybe he can comment.

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
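
The two checks suggested in the reply above, as an added shell example that is not part of either message: confirm the mount carries both multiuser and cifsacl, then ask winbind directly whether a SID maps to a local uid or gid. The function names are hypothetical, and the option string is abbreviated from the mount output quoted in the first message.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cifs_opts OPTS: print each option missing for SID-based ownership
# mapping on a multiuser mount; the return status is the number missing.
check_cifs_opts() {
    problems=0
    for want in multiuser cifsacl; do
        if ! has_opt "$1" "$want"; then
            echo "missing: $want"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# resolve_sid SID: query winbind for the SID's name and its uid or gid.
# A SID with no mapping is the case the reply says ends up as root:root.
resolve_sid() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    name=$(wbinfo --sid-to-name "$1" 2>/dev/null) || name="(unresolved)"
    if id=$(wbinfo --sid-to-uid "$1" 2>/dev/null); then
        echo "$1 $name uid=$id"
    elif id=$(wbinfo --sid-to-gid "$1" 2>/dev/null); then
        echo "$1 $name gid=$id"
    else
        echo "$1 $name no uid/gid mapping"
        return 1
    fi
}

# Options abbreviated from the mount output in the first message.
POSTED_OPTS='rw,nosuid,nodev,noexec,relatime,vers=2.1,username=law,domain=BLISS,uid=0,gid=0,nounix,setuids,serverino,cifsacl,user'

# When SIDs are given as arguments, resolve each one through winbind.
if [ "$#" -gt 0 ]; then
    for sid in "$@"; do resolve_sid "$sid" || true; done
fi
```

On a live system, pass the fourth field of the relevant /proc/mounts line to check_cifs_opts instead of the sample string.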

