Problem related to ID_TYPE_BOTH -Need suggestion

[Abhidnya S Joshi]

Hi Stefan,

I think that still wont solve issue during NFS access. Also even though 
Samba works fine with a user being treated as group while putting ACLs, 
with this every user will always be treated as group. I think this looks 
little odd.

Thanks and Regards
Abhidnya





From:   "Stefan (metze) Metzmacher" <metze at samba.org>
To:     Abhidnya S Joshi/India/IBM at IBMIN, 
Cc:     samba-technical at samba.org
Date:   07/18/2013 05:51 PM
Subject:        Re: Problem related to ID_TYPE_BOTH  -Need suggestion



Hi Abhidnya,

> With this change, where user is getting set as group, file access 
through 
> Samba works fine. But If we want to export same share with NFS then it 
> gives access denied for user testuser1 (This I tried on GPFS). This is 
> because while evaluating access, GPFS gets no ACE with user testuser1 
and 
> its neither part of group testuser1 (as it was set by Samba). Also when 
I 
> try to access file locally on GPFS as testuser1, it gets access denied. 
> The ACLs on file in GPFS look like
> 
> group:VIRTUAL1\administrator:rwxc:allow
>  (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL 
> (X)READ_ATTR  (X)READ_NAMED
>  (-)DELETE    (-)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL 
> (X)WRITE_ATTR (X)WRITE_NAMED
> 
> group:VIRTUAL1\testuser1:rwxc:allow
>  (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL 
> (X)READ_ATTR  (X)READ_NAMED
>  (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL 
> (X)WRITE_ATTR (X)WRITE_NAMED
> 
> Thus I think ID_TYPE_BOTH support + sid_to_gid() call first will cause 
> problem with multi protocol environment.

I guess we need to fix pam_winbind or nss_winbind, so that the user gets
the correct
unix token also on the command line or via nss.

metze

[attachment "signature.asc" deleted by Abhidnya S Joshi/India/IBM]