Problem related to ID_TYPE_BOTH -Need suggestion

Stefan (metze) Metzmacher metze at samba.org
Mon Jul 15 07:15:52 MDT 2013 

Hi Abhidnya,

> I've encountered an architectural problem related to id mapping and acls 
> and I would like to collect some ideas how to solve it.
> 
> Problem Description: 
> Windows client connects to Samba4. Win client tries to add ACLs on file 
> for some AD user. The ACL put is successful but the user gets set as 
> group. 
> I tried this with acl_xattr on ext4 and also with nfs4_acl + gpfs on gpfs. 
> On both user gets set as group. idmap backend used is autorid which 
> supports ID_TYPE_BOTH
> 
> Analysis: 
> Samba logs with acl_xattr and ext4:
> 
>  print_canon_ace_list: file ace - return
>   canon_ace index 0. Type = allow SID = 
> S-1-5-21-4161253050-953922356-4292765330-513 gid 13000513 (VIRTUAL1\domain 
> users) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
>   canon_ace index 1. Type = allow SID = 
> S-1-5-21-4161253050-953922356-4292765330-1110 gid 13001110 
> (VIRTUAL1\testuser1) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
>   canon_ace index 2. Type = allow SID = 
> S-1-5-21-4161253050-953922356-4292765330-500 uid 13000500 
> (VIRTUAL1\administrator) SMB_ACL_USER_OBJ ace_flags = 0x10 perms rwx
>   canon_ace index 3. Type = allow SID = 
> S-1-5-21-4161253050-953922356-4292765330-500 gid 13000500 
> (VIRTUAL1\administrator) SMB_ACL_GROUP ace_flags = 0x10 perms rwx
>   canon_ace index 4. Type = allow SID = 
> S-1-5-21-4161253050-953922356-4292765330-513 gid 13000513 (VIRTUAL1\domain 
> users) SMB_ACL_GROUP_OBJ ace_flags = 0x10 perms r-x
>   canon_ace index 5. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER 
> ace_flags = 0x10 perms r-x
> [2013/07/10 08:08:44.092872, 10, pid=1896592, effective(13000500, 
> 13000513), real(13000500, 0), class=acls] 
> smbd/posix_acls.c:847(print_canon_ace_list)
> 
> Here testuser1 is user and set as group.
> For GPFS, Samba log file shows success for sid_to_gid call before setting 
> ACL via gpfs_putacl call. This sid_to_gid is called while filling up ACL 
> structure via smbacl4_fill_ace4 (nfs4_acls.c). Here note that idmap 
> backend used is autorid. Autorid supports ID_TYPE_BOTH. Thus sid_to_gid 
> call succeeds and smbacl4_fill_ace4 sets gid. Thus GPFS understands this 
> user as group. If autorid stops support for ID_TYPE_BOTH, things work fine 
> where user gets recognized as user only. The problem here at least in case 
> of nfs4_acls is the combination of sid_to_gid call first and support for 
> ID_TYPE_BOTH by idmap backend. Any views on this?

This explains how it should work.
I don't see what your real problem is?

Note: with IDMAP_TYPE_BOTH smbd passes the gid values for the users
to the kernel as 'gid'.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130715/44975405/attachment.pgp>

More information about the samba-technical mailing list