[linux-cifs-client] [RFC PATCH] CIFS posix acl permission checking

simo idra at samba.org
Fri Mar 12 05:58:03 MST 2010


On Fri, 2010-03-12 at 13:50 +0100, Volker Lendecke wrote:
> On Fri, Mar 12, 2010 at 07:35:42AM -0500, simo wrote:
> > > Ok, then we rule out batch machines where there are no user
> > > credentials. NFS does this fine. I know this is REALLY ugly,
> > > but I have customers who need this. If you have a good
> > > solution for that problem, I would really be happy to hear
> > > this. Something like constrained delegation in Kerberos to
> > > me sounds pretty much like the exact same hack in a
> > > different place.
> > 
> > The solution in those cases is probably S4U2PROXY, or NFS.
> 
> The reason why my customer wants to get away from NFS is the
> 16 groups limit. Different question: Why is s4u2proxy more
> secure than allowing "su - <user>" over cifs?

Because you can control at the KDC level which tickets the server is
allowed to get. And without giving out user credentials or even root
credentials. And because this way you don't change the security model.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


