svn commit: r332559 - head/usr.sbin/mountd

Rick Macklem rmacklem at uoguelph.ca
Wed Apr 18 21:15:38 UTC 2018


Julian Elischer wrote:
[stuff snipped]
>our issue is that we make a server that combines CIFS/SMB access (via
>samba), credential setting from a company wide AD server (windows)
>via winbindd (samba) via nsswitch.. and NFS.
>
>The problem is that when one looks up a user name from the AD server
>one can get back a credential with a large number of groups, because
>some companies use windows groups extensively.  So a single user may be
>in a group for every project they are involved with and a method of
>giving them access to files related to a project.
>In this scenario a group manager may be given access to a lot of groups.
>
>A user looking at a file via NFS needs to be able to see what he needs
>and still be blocked as per company policy.
>I am investigating the new user-manager daemon may help but I don't
>fully understand it yet.
>I gather it maps an incoming request to a set of groups as defined on
>the server rather than on the client, but I'm not sure yet how that
>relates to mountd.

I am happy to say I know nothing about AD, but I thought it included an
LDAP service? If there is a way to configure FreeBSD so that getgrouplist(3)
gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server
should do what you want. (It takes the "uid" from the AUTH_SYS RPC request
header and then creates a list of groups for that "uid" via getgrouplist(3).
It basically does a getpwuid() and then uses the pw_name as the first arg
to getgrouplist(3).
It ignores the list of groups in the RPC header and, therefore, is not limited
to 16.)
 
If getgrouplist(3) can't see the set of AD groups, then something needs to be
done to make that work.

rick
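As an added illustration of the server-side lookup Rick describes (this is example code written for this page, not code from the thread, from nfsuserd or from mountd): the group list is rebuilt from the uid in the AUTH_SYS header via getpwuid() and getgrouplist(3), and the client-supplied gid list is ignored, so the 16-entry AUTH_SYS limit never applies. The struct authsys_cred layout and the function name are assumptions made for the example.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* AUTH_SYS (RFC 5531) carries at most 16 supplementary gids on the wire. */
#define AUTH_SYS_MAX_GIDS 16

/* Constructed stand-in for the credential fields of an incoming AUTH_SYS
 * RPC header (assumed layout, not the kernel's or nfsuserd's structure). */
struct authsys_cred {
    uid_t uid;
    gid_t gid;                     /* primary gid claimed by the client */
    int   ngids;                   /* number of entries the client sent */
    gid_t gids[AUTH_SYS_MAX_GIDS]; /* client's list, capped at 16 */
};

/* Resolve the group list server-side from cred->uid alone, the way the
 * -manage-gids behaviour is described: getpwuid() then getgrouplist(3).
 * cred->gid and cred->gids are deliberately never read.
 * Returns the number of gids written to out (primary gid included), or -1
 * when the uid is unknown or out is too small (then *needed holds the
 * count required, so the caller can retry with a larger buffer). */
int server_groups_for_cred(const struct authsys_cred *cred,
                           gid_t *out, int maxout, int *needed)
{
    struct passwd *pw = getpwuid(cred->uid);
    if (pw == NULL)
        return -1;                 /* no server-side identity for this uid */
    int n = maxout;
    /* Both FreeBSD and glibc return -1 on truncation and update n; the
     * success return value differs between them, so rely on n instead. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, out, &n) == -1) {
        if (needed != NULL)
            *needed = n;
        return -1;
    }
    return n;
}

int main(int argc, char **argv)
{
    struct authsys_cred cred = { .uid = argc > 1 ? (uid_t)atoi(argv[1]) : 0 };
    gid_t groups[1024];
    int needed = 0;
    int n = server_groups_for_cred(&cred, groups, 1024, &needed);
    if (n < 0) {
        fprintf(stderr, "lookup failed (needed %d entries)\n", needed);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s%u", i ? " " : "", (unsigned)groups[i]);
    printf("\n");
    return 0;
}
```

Run with a uid as the first argument to print the groups the server would assign to that uid, regardless of what a client put in its RPC header.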

