Problem related to ID_TYPE_BOTH -Need suggestion
Abhidnya S Joshi
achirmul at in.ibm.com
Fri Jul 19 02:18:22 MDT 2013
Hi Stefan,
I think that still wont solve issue during NFS access. Also even though
Samba works fine with a user being treated as group while putting ACLs,
with this every user will always be treated as group. I think this looks
little odd.
Thanks and Regards
Abhidnya
From: "Stefan (metze) Metzmacher" <metze at samba.org>
To: Abhidnya S Joshi/India/IBM at IBMIN,
Cc: samba-technical at samba.org
Date: 07/18/2013 05:51 PM
Subject: Re: Problem related to ID_TYPE_BOTH -Need suggestion
Hi Abhidnya,
> With this change, where user is getting set as group, file access
through
> Samba works fine. But If we want to export same share with NFS then it
> gives access denied for user testuser1 (This I tried on GPFS). This is
> because while evaluating access, GPFS gets no ACE with user testuser1
and
> its neither part of group testuser1 (as it was set by Samba). Also when
I
> try to access file locally on GPFS as testuser1, it gets access denied.
> The ACLs on file in GPFS look like
>
> group:VIRTUAL1\administrator:rwxc:allow
> (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL
> (X)READ_ATTR (X)READ_NAMED
> (-)DELETE (-)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL
> (X)WRITE_ATTR (X)WRITE_NAMED
>
> group:VIRTUAL1\testuser1:rwxc:allow
> (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL
> (X)READ_ATTR (X)READ_NAMED
> (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL
> (X)WRITE_ATTR (X)WRITE_NAMED
>
> Thus I think ID_TYPE_BOTH support + sid_to_gid() call first will cause
> problem with multi protocol environment.
I guess we need to fix pam_winbind or nss_winbind, so that the user gets
the correct
unix token also on the command line or via nss.
metze
[attachment "signature.asc" deleted by Abhidnya S Joshi/India/IBM]
More information about the samba-technical
mailing list