linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Steve French <smfrench@gmail.com>
To: Jacob Shivers <jshivers@redhat.com>
Cc: CIFS <linux-cifs@vger.kernel.org>,
	samba-technical <samba-technical@lists.samba.org>
Subject: Re: cruid+multiuser mount options
Date: Fri, 17 Jan 2020 00:28:16 -0600	[thread overview]
Message-ID: <CAH2r5mvJZ07D1+UtGJP-r-V3E2x4mxYkgP5PO530Lew7jDeW2Q@mail.gmail.com> (raw)
In-Reply-To: <CALe0_75KJMBOMMAtSWNH=GkHv-vzvYQxOVuj8Eht6jfVfoYCcA@mail.gmail.com>

This is a really good question and I think they should be allowed
together.   looking at cifs_sb_tlink in some detail, and also thinking
about common scenarios and how to make them less confusing to the user
I think they need to be supported together (optionally).  As an
example:

Imagine a scenario in which two users access the same Linux client
machine, and the machine is joined to the domain (and they login via
sssd or winbind to Active Directory or equivalent).   These users
would want to be able access the server with the correct permissions
for the particular user they are running as at the moment in a
particular app, a particular process, on Linux.   So as an example:

ssh in to the client as kerberos admin_user@domain
su root
mount -t cifs //server/share /mnt -o
sec=krb5,mfsymlinks,noperm,mutliuser,cruid=admin_user
<any access to the mount as either root or the admin_user on the Linux
client gets the expected permissions of "admin_user@domain")

then in different session ssh in to the client as kerberos
some_non_admin_user@domain
<any access to the user from processes running as
"some_non_admin_user" gets the expected permissions because with
multiuser we automatically setup a session for him>

If we didn't support cruid and mutliuser together then the user would
have had to do an extra step, he would have to do a confusing kinit
before doing the mount (which was unneeded since he could specify
cruid on mount)



On Thu, Jan 16, 2020 at 11:57 AM Jacob Shivers <jshivers@redhat.com> wrote:
>
> When mounting a Kerberized SMB share with both cruid and multiuser,
> the multiuser mount option is negated. This is not documented as
> explicit behavior. The question is whether this intended behavior or
> if it is unexpected.
>
> Does anyone have any existing thoughts on this?
>


-- 
Thanks,

Steve

      parent reply	other threads:[~2020-01-17  6:28 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 17:56 cruid+multiuser mount options Jacob Shivers
2020-01-16 19:20 ` ronnie sahlberg
2020-01-17  6:28 ` Steve French [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAH2r5mvJZ07D1+UtGJP-r-V3E2x4mxYkgP5PO530Lew7jDeW2Q@mail.gmail.com \
    --to=smfrench@gmail.com \
    --cc=jshivers@redhat.com \
    --cc=linux-cifs@vger.kernel.org \
    --cc=samba-technical@lists.samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).