[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Sandeep Nashikkar snashikkar at commvault.com
Mon Sep 3 11:17:23 UTC 2018


On Mon, 2018-09-03 at 02:18 PM IST Andrew Bartlett via samba-technical wrote:
> > On Mon, 2018-09-03 at 08:33 +0000, Sandeep Nashikkar via samba-technical wrote:
> > Hi Jeremy,
> > 
> > Can we move the patch for next review? Let me know if there are any 
> > more suggestions.
> > BTW, I have another fix for smbacl4_fill_ace4() in 
> > "source3/modules/nfs4_acls.c"
> > When we convert SID to uid/gid, we do not check if the type of SID is 
> > SID_NAME_DOM_GRP.
> > If the sid_to_uid as well as sid_to_gid return success, we end up 
> > wrongly setting SMB_ACE4_IDENTIFIER_GROUP in the SMB_ACE4PROP_T Please 
> > let me know if I need to submit separate patch for this fix or shall I 
> > update the same ACL plugin patch for that fix?
> 
> This is deliberate, to cope with SIDs that map to both a UID and GID (IDMAP_TYPE_BOTH), which in turn is trying to eventually support sidHistory entries 
> properly, as well as trusted domains and other things where telling if a SID is exactly a user or group is difficult/impossible.
>
> Andrew Bartlett

Hi Andrew,

The NFS ACL which gets converted without the fix has a "g" bit set for a domain user id, indicating that it is a group entity, and the access control fails to work the way it is expected. So a particular domain user cannot be given allow/deny access with this plugin.
Can you please suggest some other solution if checking the SID type is not the way to go? Is Winbind mapping providing the same uid/gid for a given SID normal? If sid_to_gid fails for a SID corresponding to a domain user, this problem will not occur; otherwise there needs to be some distinguishing factor.


> > Thanks,
> > Sandeep
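Added illustration (not part of the thread, and not Samba's code): a constructed C model of the two mapping rules discussed above. It tags an ACE as a group entry either whenever the gid mapping succeeds (the behaviour Sandeep describes) or only when the SID type is a domain group (his proposed check), and then shows why a domain user whose SID maps to both a uid and a gid (IDMAP_TYPE_BOTH) can no longer match its own ACE under the first rule. The SIDs, ids, table and every function name (`lookup_sid`, `fill_ace_current`, `fill_ace_by_type`, `ace_flags`, `self_match`) are assumptions made for the example; `ACE_IDENTIFIER_GROUP` stands in for SMB_ACE4_IDENTIFIER_GROUP.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the behaviour discussed in the thread. Nothing here
 * is Samba's code or API; all names, SIDs and ids are made up. */
enum sid_name_type { TYPE_USER, TYPE_DOM_GRP };

struct idmap_entry {
    const char *sid;          /* constructed sample SID */
    enum sid_name_type type;  /* what a name lookup reports for the SID */
    int uid;                  /* -1 where sid_to_uid would fail */
    int gid;                  /* -1 where sid_to_gid would fail */
};

/* Constructed idmap table: a user mapped to a uid only, a domain user mapped
 * to both a uid and a gid (IDMAP_TYPE_BOTH), and a domain group. */
static const struct idmap_entry idmap[] = {
    { "S-1-5-21-EXAMPLE-1001", TYPE_USER,    1001,   -1 },
    { "S-1-5-21-EXAMPLE-1002", TYPE_USER,    1002, 1002 },
    { "S-1-5-21-EXAMPLE-2001", TYPE_DOM_GRP,   -1, 2001 },
};

#define ACE_IDENTIFIER_GROUP 0x40u  /* stand-in for SMB_ACE4_IDENTIFIER_GROUP */

struct ace {
    int who;          /* uid, or gid when ACE_IDENTIFIER_GROUP is set */
    unsigned flags;
};

static const struct idmap_entry *lookup_sid(const char *sid)
{
    for (size_t i = 0; i < sizeof idmap / sizeof idmap[0]; i++)
        if (strcmp(idmap[i].sid, sid) == 0)
            return &idmap[i];
    return NULL;
}

static void set_ace(struct ace *out, int who, unsigned flags)
{
    out->who = who;
    out->flags = flags;
}

/* Behaviour as described in the thread: a successful gid mapping tags the
 * entry as a group, so a SID mapped both ways becomes a group ACE. */
static bool fill_ace_current(const char *sid, struct ace *out)
{
    const struct idmap_entry *e = lookup_sid(sid);
    if (e == NULL) return false;
    if (e->gid >= 0) { set_ace(out, e->gid, ACE_IDENTIFIER_GROUP); return true; }
    if (e->uid >= 0) { set_ace(out, e->uid, 0); return true; }
    return false;
}

/* Proposed check: tag as a group only when the SID type is a domain group. */
static bool fill_ace_by_type(const char *sid, struct ace *out)
{
    const struct idmap_entry *e = lookup_sid(sid);
    if (e == NULL) return false;
    if (e->type == TYPE_DOM_GRP && e->gid >= 0) {
        set_ace(out, e->gid, ACE_IDENTIFIER_GROUP);
        return true;
    }
    if (e->uid >= 0) { set_ace(out, e->uid, 0); return true; }
    return false;
}

/* Flags the chosen rule produces for a SID, or -1 when it cannot map it. */
static int ace_flags(bool (*fill)(const char *, struct ace *), const char *sid)
{
    struct ace a;
    return fill(sid, &a) ? (int)a.flags : -1;
}

/* Does the ACE built for `sid` match the user that SID maps to? The user is
 * modelled as its uid plus one unrelated gid (513), so a group-tagged ACE
 * can only match through a gid. Returns 1 match, 0 no match, -1 unmappable. */
static int self_match(bool (*fill)(const char *, struct ace *), const char *sid)
{
    const struct idmap_entry *e = lookup_sid(sid);
    const int principal_gid = 513;
    struct ace a;
    if (e == NULL || e->uid < 0 || !fill(sid, &a)) return -1;
    if (a.flags & ACE_IDENTIFIER_GROUP) return a.who == principal_gid ? 1 : 0;
    return a.who == e->uid ? 1 : 0;
}

int main(void)
{
    const char *sid = "S-1-5-21-EXAMPLE-1002";  /* domain user mapped both ways */
    printf("current rule:    flags=0x%x user matches own ACE=%d\n",
           (unsigned)ace_flags(fill_ace_current, sid), self_match(fill_ace_current, sid));
    printf("type-based rule: flags=0x%x user matches own ACE=%d\n",
           (unsigned)ace_flags(fill_ace_by_type, sid), self_match(fill_ace_by_type, sid));
    return 0;
}
```

The model reproduces the symptom from the thread: for the SID mapped to both a uid and a gid, the gid-success rule emits a group ACE, and the user it was meant for only matches if it happens to carry that gid. The type-based rule fixes that case but, as Andrew's reply points out, depends on the SID type being knowable, which the model assumes and which is the open question for sidHistory and trusted-domain SIDs.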