[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Jeremy Allison jra at samba.org
Tue Sep 11 22:07:22 UTC 2018

On Fri, Sep 07, 2018 at 05:27:17AM +0000, Sandeep Nashikkar wrote:
> On Mon, Sept 3, 2018 at 4:47 PM IST Sandeep Nashikkar via samba-technical wrote:
> > > On Mon, 2018-09-03 at 02:18 PM IST Andrew Bartlett via samba-technical wrote:
> > > > On Mon, 2018-09-03 at 08:33 +0000, Sandeep Nashikkar via samba-technical wrote:
> > > > Hi Jeremy,
> > > > 
> > > > Can we move the patch for next review? Let me know if there are any 
> > > > more suggestions.
> > > > BTW, I have another fix for smbacl4_fill_ace4() in 
> > > > "source3/modules/nfs4_acls.c"
> > > > When we convert SID to uid/gid, we do not check if the type of SID 
> > > > is SID_NAME_DOM_GRP.
> > > > If the sid_to_uid as well as sid_to_gid return success, we end up 
> > > > wrongly setting SMB_ACE4_IDENTIFIER_GROUP in the SMB_ACE4PROP_T.
> > > > Please let me know if I need to submit a separate patch for this fix
> > > > or shall I update the same ACL plugin patch for that fix?
> > > 
> > > This is deliberate, to cope with SIDs that map to both a UID and GID
> > > (IDMAP_TYPE_BOTH), which in turn is trying to eventually support sidHistory entries properly, as well as trusted domains and other things where telling if a SID is exactly a user or group is difficult/impossible.
> > >
> > > Andrew Bartlett
> > Hi Andrew,
> > 
> > The NFS ACL which gets converted without the fix has a "g" bit set for a domain user id, indicating that it is a group entity, and the access control fails to work the way it is expected. So a particular domain user cannot be given allow/deny access with this plugin.
> > Can you please suggest some other solution if checking SID type is not the way to go? Is Winbind mapping providing the same uid/gid for a given SID normal? If sid_to_gid fails for a SID corresponding to a domain user, this problem will not occur, or else there needs to be some distinguishing factor.
> @Andrew
> Please guide if we can find any other way to distinguish between a group SID and an individual user SID to get the access control right with the NFS4 ACL plugin. Without this, the plugin is not practically usable in an AD environment. Can we tweak the winbind configuration to return different uid and gid?
> @Jeremy and other reviewers,
> Can we please move the last submitted patch if there are no further comments? Are we waiting for another reviewer? Can we please expedite a little?

This is blocked on Ralph's time at the moment.

I'm meeting him up at Redmond next week for
the Interop event, so I'll bug him face-to-face
there :-).
