cruid+multiuser mount options

cruid+multiuser mount options

[Jacob Shivers]

When mounting a Kerberized SMB share with both cruid and multiuser,
the multiuser mount option is negated. This is not documented as
explicit behavior. The question is whether this intended behavior or
if it is unexpected.

Does anyone have any existing thoughts on this?

Re: cruid+multiuser mount options

[ronnie sahlberg]

On Fri, Jan 17, 2020 at 3:57 AM Jacob Shivers <jshivers@redhat.com> wrote:
>
> When mounting a Kerberized SMB share with both cruid and multiuser,
> the multiuser mount option is negated. This is not documented as
> explicit behavior. The question is whether this intended behavior or
> if it is unexpected.
>
> Does anyone have any existing thoughts on this?

To me it does not make sense to allow cruid and multiuser at the same time.
I think we should
1, document they are mutually exclusive
2, check for this and fail the mount with a log message if both
options are used concurrently.

>

Re: cruid+multiuser mount options

[Steve French]

This is a really good question and I think they should be allowed
together.   looking at cifs_sb_tlink in some detail, and also thinking
about common scenarios and how to make them less confusing to the user
I think they need to be supported together (optionally).  As an
example:

Imagine a scenario in which two users access the same Linux client
machine, and the machine is joined to the domain (and they login via
sssd or winbind to Active Directory or equivalent).   These users
would want to be able access the server with the correct permissions
for the particular user they are running as at the moment in a
particular app, a particular process, on Linux.   So as an example:

ssh in to the client as kerberos admin_user@domain
su root
mount -t cifs //server/share /mnt -o
sec=krb5,mfsymlinks,noperm,mutliuser,cruid=admin_user
<any access to the mount as either root or the admin_user on the Linux
client gets the expected permissions of "admin_user@domain")

then in different session ssh in to the client as kerberos
some_non_admin_user@domain
<any access to the user from processes running as
"some_non_admin_user" gets the expected permissions because with
multiuser we automatically setup a session for him>

If we didn't support cruid and mutliuser together then the user would
have had to do an extra step, he would have to do a confusing kinit
before doing the mount (which was unneeded since he could specify
cruid on mount)



On Thu, Jan 16, 2020 at 11:57 AM Jacob Shivers <jshivers@redhat.com> wrote:
>
> When mounting a Kerberized SMB share with both cruid and multiuser,
> the multiuser mount option is negated. This is not documented as
> explicit behavior. The question is whether this intended behavior or
> if it is unexpected.
>
> Does anyone have any existing thoughts on this?
>


-- 
Thanks,

Steve