Problem related to ID_TYPE_BOTH - Need suggestion

Abhidnya S Joshi achirmul at in.ibm.com
Sat Jul 13 04:03:52 MDT 2013


Hi list,
I've encountered an architectural problem related to ID mapping and ACLs,
and I would like to collect some ideas on how to solve it.

Problem Description:
A Windows client connects to Samba4. The Windows client tries to add ACLs
on a file for some AD user. The ACL put is successful, but the user gets
set as a group.
I tried this with acl_xattr on ext4 and also with nfs4_acl + gpfs on GPFS.
On both, the user gets set as a group. The idmap backend used is autorid,
which supports ID_TYPE_BOTH.

Analysis: 
Samba logs with acl_xattr and ext4:

 print_canon_ace_list: file ace - return
  canon_ace index 0. Type = allow SID = 
S-1-5-21-4161253050-953922356-4292765330-513 gid 13000513 (VIRTUAL1\domain 
users) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
  canon_ace index 1. Type = allow SID = 
S-1-5-21-4161253050-953922356-4292765330-1110 gid 13001110 
(VIRTUAL1\testuser1) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = 
S-1-5-21-4161253050-953922356-4292765330-500 uid 13000500 
(VIRTUAL1\administrator) SMB_ACL_USER_OBJ ace_flags = 0x10 perms rwx
  canon_ace index 3. Type = allow SID = 
S-1-5-21-4161253050-953922356-4292765330-500 gid 13000500 
(VIRTUAL1\administrator) SMB_ACL_GROUP ace_flags = 0x10 perms rwx
  canon_ace index 4. Type = allow SID = 
S-1-5-21-4161253050-953922356-4292765330-513 gid 13000513 (VIRTUAL1\domain 
users) SMB_ACL_GROUP_OBJ ace_flags = 0x10 perms r-x
  canon_ace index 5. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER 
ace_flags = 0x10 perms r-x
[2013/07/10 08:08:44.092872, 10, pid=1896592, effective(13000500, 
13000513), real(13000500, 0), class=acls] 
smbd/posix_acls.c:847(print_canon_ace_list)

Here testuser1 is a user and is set as a group.
For GPFS, the Samba log file shows success for the sid_to_gid call before
the ACL is set via the gpfs_putacl call. This sid_to_gid is called while
filling up the ACL structure via smbacl4_fill_ace4 (nfs4_acls.c). Note here
that the idmap backend used is autorid. Autorid supports ID_TYPE_BOTH. Thus
the sid_to_gid call succeeds and smbacl4_fill_ace4 sets the gid. Thus GPFS
understands this user as a group. If autorid stops supporting ID_TYPE_BOTH,
things work fine and the user gets recognized as a user only. The problem
here, at least in the case of nfs4_acls, is the combination of the
sid_to_gid call coming first and support for ID_TYPE_BOTH by the idmap
backend. Any views on this?

Thanks and Regards
Abhidnya
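
The lookup order described in the message above, as an added example that is not part of the original post and is not Samba source: a simplified C model in which the gid lookup is tried first, run against a backend that answers ID_TYPE_BOTH and one that does not. The helper names, the two tables and the uid fallback are assumptions; the SIDs and unix ids are taken from the log in the post.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the lookup order in the post; not Samba source. */
enum id_type { ID_TYPE_UID, ID_TYPE_GID, ID_TYPE_BOTH };
enum ace_who { ACE_UNMAPPED, ACE_USER, ACE_GROUP };
struct map_entry { const char *sid; unsigned id; enum id_type type; };

#define DOM "S-1-5-21-4161253050-953922356-4292765330"
#define USER_SID  DOM "-1110"  /* VIRTUAL1\testuser1 in the log */
#define GROUP_SID DOM "-513"   /* VIRTUAL1\domain users in the log */

/* Constructed tables: a backend answering ID_TYPE_BOTH, and one that does not. */
static const struct map_entry both_backend[] = {
    { USER_SID, 13001110, ID_TYPE_BOTH }, { GROUP_SID, 13000513, ID_TYPE_BOTH },
    { NULL, 0, ID_TYPE_UID } };
static const struct map_entry typed_backend[] = {
    { USER_SID, 13001110, ID_TYPE_UID }, { GROUP_SID, 13000513, ID_TYPE_GID },
    { NULL, 0, ID_TYPE_UID } };

/* Hypothetical helper: map a SID to a unix id if the entry may serve as `want`. */
static int model_sid_to_id(const struct map_entry *t, const char *sid,
                           enum id_type want, unsigned *id)
{
    for (; t->sid != NULL; t++) {
        if (strcmp(t->sid, sid) != 0) continue;
        if (t->type != want && t->type != ID_TYPE_BOTH) return 0;
        *id = t->id;
        return 1;
    }
    return 0;
}

/* gid tried first, as the post describes; the uid fallback is an assumption. */
static enum ace_who fill_ace_gid_first(const struct map_entry *t,
                                       const char *sid, unsigned *id)
{
    if (model_sid_to_id(t, sid, ID_TYPE_GID, id)) return ACE_GROUP;
    if (model_sid_to_id(t, sid, ID_TYPE_UID, id)) return ACE_USER;
    return ACE_UNMAPPED;
}

int main(void)
{
    static const char *who[] = { "unmapped", "user", "group" };
    unsigned id = 0;
    enum ace_who w = fill_ace_gid_first(both_backend, USER_SID, &id);
    printf("ID_TYPE_BOTH backend: testuser1 -> %s %u\n", who[w], id);
    w = fill_ace_gid_first(typed_backend, USER_SID, &id);
    printf("typed backend:        testuser1 -> %s %u\n", who[w], id);
    return 0;
}
```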

