cruid+multiuser mount options

Steve French smfrench at gmail.com
Fri Jan 17 06:28:16 UTC 2020


This is a really good question and I think they should be allowed
together. Looking at cifs_sb_tlink in some detail, and also thinking
about common scenarios and how to make them less confusing to the user,
I think they need to be supported together (optionally). As an
example:

Imagine a scenario in which two users access the same Linux client
machine, and the machine is joined to the domain (and they login via
sssd or winbind to Active Directory or equivalent). These users
would want to be able to access the server with the correct permissions
for the particular user they are running as at the moment in a
particular app, a particular process, on Linux. So as an example:

ssh in to the client as kerberos admin_user at domain
su root
mount -t cifs //server/share /mnt -o sec=krb5,mfsymlinks,noperm,multiuser,cruid=admin_user
<any access to the mount as either root or the admin_user on the Linux
client gets the expected permissions of "admin_user at domain">

then in different session ssh in to the client as kerberos
some_non_admin_user at domain
<any access to the user from processes running as
"some_non_admin_user" gets the expected permissions because with
multiuser we automatically setup a session for him>

If we didn't support cruid and multiuser together then the user would
have had to do an extra step: he would have to do a confusing kinit
before doing the mount (which was unneeded since he could specify
cruid on mount).



On Thu, Jan 16, 2020 at 11:57 AM Jacob Shivers <jshivers at redhat.com> wrote:
>
> When mounting a Kerberized SMB share with both cruid and multiuser,
> the multiuser mount option is negated. This is not documented as
> explicit behavior. The question is whether this is intended behavior or
> if it is unexpected.
>
> Does anyone have any existing thoughts on this?
>


-- 
Thanks,

Steve
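
Added example, not part of the original message or of the cifs code: a shell check for the condition raised in the quoted question, where an option requested at mount time (such as multiuser) is missing from what the kernel reports for the mount. The mounts table below is constructed and the function names are hypothetical; only option names are compared, on the assumption that values may be reported differently from how they were typed (for example cruid as a numeric uid).

```shell
# Constructed /proc/mounts-style lines (not output from a real system).
# /mnt  : multiuser took effect.
# /mnt2 : multiuser was dropped; every local user would use one session.
SAMPLE_MOUNTS='//server/share /mnt cifs rw,relatime,sec=krb5,cruid=1000,multiuser,noperm,mfsymlinks 0 0
//server/share /mnt2 cifs rw,relatime,sec=krb5,cruid=1000,username=admin_user,noperm,mfsymlinks 0 0'

# Print the option field of the cifs mount at mountpoint $1.
# $2 is the text of a mounts table; defaults to the live /proc/mounts.
cifs_effective_opts() {
    table=${2-$(cat /proc/mounts)}
    # If the mountpoint appears more than once, the last (topmost) mount wins.
    printf '%s\n' "$table" |
        awk -v mp="$1" '$2 == mp && $3 == "cifs" { o = $4 } END { print o }'
}

# Print, comma-separated, the option names requested in $1 that do not
# appear in the effective option list $2. Values after "=" are ignored.
missing_opts() {
    missing=
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        name=${opt%%=*}
        found=no
        for eff in $2; do
            if [ "${eff%%=*}" = "$name" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then missing="${missing:+$missing,}$name"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

# $1 mountpoint, $2 option string passed to mount -o, $3 optional table text.
# Empty output means every requested option is present on the mount.
check_cifs_mount() {
    missing_opts "$2" "$(cifs_effective_opts "$1" ${3+"$3"})"
}
```

Run as `check_cifs_mount /mnt sec=krb5,mfsymlinks,noperm,multiuser,cruid=admin_user` against the live system; any name it prints was requested but is not in effect.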



More information about the samba-technical mailing list