[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Andrew Bartlett abartlet at samba.org
Fri Sep 7 05:31:54 UTC 2018

On Fri, 2018-09-07 at 05:27 +0000, Sandeep Nashikkar wrote:
> On Mon, Sept 3, 2018 at 4:47 PM IST Sandeep Nashikkar via samba-technical wrote:
> > > On Mon, 2018-09-03 at 02:18 PM IST Andrew Bartlett via samba-technical wrote:
> > > > On Mon, 2018-09-03 at 08:33 +0000, Sandeep Nashikkar via samba-technical wrote:
> > > > Hi Jeremy,
> > > > 
> > > > Can we move the patch for next review? Let me know if there are any 
> > > > more suggestions.
> > > > BTW, I have another fix for smbacl4_fill_ace4() in 
> > > > "source3/modules/nfs4_acls.c"
> > > > When we convert SID to uid/gid, we do not check if the type of SID 
> > > > is SID_NAME_DOM_GRP.
> > > > If the sid_to_uid as well as sid_to_gid return success, we end up 
> > > > wrongly setting SMB_ACE4_IDENTIFIER_GROUP in the SMB_ACE4PROP_T 
> > > > Please let me know if I need to submit separate patch for this fix 
> > > > or shall I update the same ACL plugin patch for that fix?
> > > 
> > > This is deliberate, to cope with SIDs that map to both a UID and GID 
> > > (IDMAP_TYPE_BOTH), which in turn is trying to eventually support sidHistory entries properly, as well as trusted domains and other things where telling if a SID is exactly a user or group is difficult/impossible.
> > > 
> > > Andrew Bartlett
> > Hi Andrew,
> > 
> > The NFS ACL which gets converted without the fix has a "g" bit set for a domain user id, indicating that it is a group entity, and the access control fails to work the way it is expected. So a particular domain user cannot be given allow/deny access with this plugin.
> > Can you please suggest some other solution if checking the SID type is not the way to go? Is Winbind mapping providing the same uid/gid for a given SID normal? If sid_to_gid fails for the SID corresponding to a domain user, this problem will not occur; otherwise there needs to be some distinguishing factor.
> @Andrew
> Please guide if we can find any other way to distinguish between
> group SID and individual user SID to get the access control right
> with NFS4 ACL plugin. Without this, the plugin is not practically
> usable in AD environment. Can we tweak winbind configuration to
> return different uid and gid?

You need to assume that a SID can be both a user and a group, if
winbind says so.  In that case the user component 'owns' the file (if
it is the owner) and the gid is given group rights.

This also happens in particular for domain admins, which often owns
files but is of course a group, for group policy in sysvol.

As folks would like to put GPOs on ZFS with NFSv4 ACLs, we need this to
work right. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
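The two approaches discussed in this thread, as an added example that is not Samba's code: a constructed idmap table in which some SIDs map to both a uid and a gid (IDMAP_TYPE_BOTH) and one SID has an unknown type (the sidHistory/trusted-domain case), a converter that decides user-vs-group from the SID type as proposed, a converter that trusts the idmap result and gives the gid the group rights as the reply above suggests, the owner mapping that uses the uid component, and a first-match NFSv4 ACL evaluation to show what the resulting ACEs actually grant. The SIDs, ids, the idmap table, the sid_type enum and the simplified access check are all assumptions made for this example; they are not Samba's or winbind's internals.

```c
/* Added example (not Samba code): models SID-to-NFSv4-ACE conversion when
 * the idmap backend may map one SID to both a uid and a gid, and evaluates
 * the resulting ACL. SIDs, ids and the idmap table are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ACE4_ACCESS_ALLOWED_ACE_TYPE 0x0
#define ACE4_ACCESS_DENIED_ACE_TYPE  0x1
#define ACE4_IDENTIFIER_GROUP        0x40  /* RFC 3530 ACE flag: "who" is a group */
#define ACE4_READ_DATA  0x1
#define ACE4_WRITE_DATA 0x2

enum idmap_type { MAP_NONE, MAP_UID, MAP_GID, MAP_BOTH };
enum sid_type   { SID_USER, SID_DOM_GRP, SID_UNKNOWN }; /* assumed lookup result */

struct idmap_entry {
    const char *sid;
    enum sid_type stype;   /* unknown for sidHistory / trusted-domain SIDs */
    enum idmap_type type;
    uint32_t uid, gid;
};

/* Constructed table: an algorithmic backend may hand back the same number
 * as uid and gid (MAP_BOTH) whatever the object type is. */
static const struct idmap_entry idmap[] = {
    { "S-1-5-21-1-2-3-1105", SID_USER,    MAP_BOTH, 10001, 10001 }, /* domain user   */
    { "S-1-5-21-1-2-3-512",  SID_DOM_GRP, MAP_BOTH, 10512, 10512 }, /* Domain Admins */
    { "S-1-5-21-9-9-9-4711", SID_UNKNOWN, MAP_BOTH, 20711, 20711 }, /* type unknown  */
    { "S-1-5-21-1-2-3-513",  SID_DOM_GRP, MAP_GID,  0,     10513 }, /* Domain Users  */
};

static const struct idmap_entry *idmap_lookup(const char *sid)
{
    for (size_t i = 0; i < sizeof(idmap) / sizeof(idmap[0]); i++)
        if (strcmp(idmap[i].sid, sid) == 0)
            return &idmap[i];
    return NULL;
}

struct nfs4_ace { uint32_t type, flags, mask, who; };

/* Proposed approach: decide user vs group from the SID type.
 * Cannot produce an ACE when the type is not known. */
static bool fill_ace4_by_sid_type(const char *sid, uint32_t type, uint32_t mask,
                                  struct nfs4_ace *out)
{
    const struct idmap_entry *e = idmap_lookup(sid);
    if (e == NULL || e->type == MAP_NONE || e->stype == SID_UNKNOWN)
        return false;
    *out = (struct nfs4_ace){ .type = type, .mask = mask };
    if (e->stype == SID_DOM_GRP) {
        if (e->type == MAP_UID) return false;
        out->who = e->gid; out->flags = ACE4_IDENTIFIER_GROUP;
    } else {
        if (e->type == MAP_GID) return false;
        out->who = e->uid;
    }
    return true;
}

/* Approach argued for in the reply: trust the idmap result. Any SID that
 * maps to a gid (MAP_BOTH included) becomes a group ACE carrying the rights. */
static bool fill_ace4_from_idmap(const char *sid, uint32_t type, uint32_t mask,
                                 struct nfs4_ace *out)
{
    const struct idmap_entry *e = idmap_lookup(sid);
    if (e == NULL || e->type == MAP_NONE) return false;
    *out = (struct nfs4_ace){ .type = type, .mask = mask };
    if (e->type == MAP_UID) { out->who = e->uid; }
    else { out->who = e->gid; out->flags = ACE4_IDENTIFIER_GROUP; }
    return true;
}

/* The file owner takes the uid component, even for a MAP_BOTH SID. */
static bool owner_uid_from_sid(const char *sid, uint32_t *uid)
{
    const struct idmap_entry *e = idmap_lookup(sid);
    if (e == NULL || e->type == MAP_NONE || e->type == MAP_GID) return false;
    *uid = e->uid;
    return true;
}

/* Simplified first-match NFSv4 ACL evaluation: walk ACEs in order; a user
 * ACE applies when who == uid, a group ACE when who is in the caller's gid
 * list; each requested bit is settled by the first applicable ACE naming
 * it; access requires every requested bit to end up allowed. */
static bool nfs4_access_check(const struct nfs4_ace *acl, size_t n,
                              uint32_t uid, const uint32_t *gids, size_t ngids,
                              uint32_t wanted)
{
    uint32_t allowed = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        bool applies = false;
        if (acl[i].flags & ACE4_IDENTIFIER_GROUP) {
            for (size_t g = 0; g < ngids; g++)
                if (gids[g] == acl[i].who) { applies = true; break; }
        } else {
            applies = (acl[i].who == uid);
        }
        if (!applies) continue;
        uint32_t bits = acl[i].mask & wanted & ~(allowed | denied);
        if (acl[i].type == ACE4_ACCESS_ALLOWED_ACE_TYPE) allowed |= bits;
        else denied |= bits;
    }
    return allowed == wanted;
}
```

The access check makes the consequence visible: an ACE for a MAP_BOTH user SID ends up as a group ACE on the user's own gid, so whether that user gets the rights depends on that gid being present in the caller's group list at access time, which in turn is a property of the idmap configuration and not of the ACL conversion itself.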
