svn commit: r332559 - head/usr.sbin/mountd

Julian Elischer julian at freebsd.org
Thu Apr 19 02:06:35 UTC 2018


On 19/4/18 5:15 am, Rick Macklem wrote:
> Julian Elischer wrote:
> [stuff snipped]
>> our issue is that we make a server that combines CIFS/SMB access (via
>> samba), credential setting from a company wide AD server (windows)
>> via winbindd (samba) via nsswitch, and NFS.
>>
>> The problem is that when one looks up a user name from the AD server
>> One can get back a credential with a large number of groups, because
>> some companies use windows groups extensively.  So a single user may be
>> in a group for every project they are involved with and a method of
>> giving them access to files related to a project.
>> In this scenario a group manager may be given access to a lot of groups.
>>
>> A user looking at a file via NFS needs to be able to see what he needs
>> and still be blocked as per company policy.
>> I am investigating whether the new user-manager daemon may help but I don't
>> fully understand it yet.
>> I gather it maps an incoming request to a set of groups as defined on
>> the server rather than on the client, but I'm not sure yet how that
>> relates to mountd.
> I am happy to say I know nothing about AD, but I thought it included an
> LDAP service?

Yes, and this is what is used when one uses LDAP against an AD server
(which seems to work).

> If there is a way to configure FreeBSD so that getgrouplist(3)
> gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server
> should do what you want. (It takes the "uid" from the AUTH_SYS RPC request
> header and then creates a list of groups for that "uid" via getgrouplist(3).
> It basically does a getpwuid() and then uses the pw_name as the first arg
> to getgrouplist(3).
> It ignores the list of groups in the RPC header and, therefore, is not limited
> to 16.)

Yes, that is what I was referring to in my previous email.

getgrouplist(3) does the right thing as far as I know.

>   
> If getgrouplist(3) can't see the set of AD groups, then something needs to be
> done to make that work.
>
> rick
>
>
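
The server-side resolution Rick describes above (take only the uid from the AUTH_SYS request, getpwuid() it, hand pw_name to getgrouplist(3), ignore the 16-entry group list in the RPC header) as an added example; this is not code from the thread nor from nfsuserd or mountd itself. It assumes a passwd/group source reachable through the C library (local files or nsswitch, e.g. winbindd), resolves the calling process's own uid in main(), and uses a constructed 20-entry list to show what the AUTH_SYS limit would drop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>

/* RFC 5531 AUTH_SYS (AUTH_UNIX) credentials carry at most 16 gids. */
#define AUTH_SYS_MAX_GIDS 16

/* Server-side lookup in the spirit of "nfsuserd -manage-gids" (hypothetical
 * helper, not nfsuserd's code): take only the uid, look up pw_name with
 * getpwuid(), then let getgrouplist(3), and thus nsswitch, supply the full
 * group list. Returns the number of gids stored in *out (caller frees the
 * array), or -1 if the uid is unknown or memory runs out. */
int resolve_gids_for_uid(uid_t uid, gid_t **out)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;

    int cap = AUTH_SYS_MAX_GIDS;   /* deliberately start at the wire limit */
    gid_t *groups = NULL;
    for (;;) {
        gid_t *tmp = realloc(groups, sizeof(*groups) * (size_t)cap);
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;
        int n = cap;
        if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) != -1) {
            *out = groups;
            return n;              /* full list, not capped at 16 */
        }
        /* Buffer too small. glibc reports the needed count in n; FreeBSD
         * only reports how many fit, so grow to whichever is larger. */
        cap = (n > cap) ? n : cap * 2;
        if (cap > 65536) {         /* defensive upper bound */
            free(groups);
            return -1;
        }
    }
}

/* Emulates what an AUTH_SYS client can put on the wire: the first 16 gids.
 * Returns how many were copied; anything beyond is silently dropped, which is
 * the loss of access that server-side resolution avoids. */
int auth_sys_truncate(const gid_t *all, int n, gid_t out[AUTH_SYS_MAX_GIDS])
{
    int keep = n < AUTH_SYS_MAX_GIDS ? n : AUTH_SYS_MAX_GIDS;
    if (keep > 0)
        memcpy(out, all, sizeof(gid_t) * (size_t)keep);
    return keep;
}

/* 1 if the full list would not fit in an AUTH_SYS credential. */
int exceeds_auth_sys_limit(int n)
{
    return n > AUTH_SYS_MAX_GIDS;
}

int main(void)
{
    gid_t *all = NULL;
    int n = resolve_gids_for_uid(getuid(), &all);
    if (n < 0) {
        fprintf(stderr, "uid %u: lookup failed\n", (unsigned)getuid());
        return 1;
    }
    printf("server-side getgrouplist(3) found %d gid(s):", n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)all[i]);
    printf("\n");

    gid_t wire[AUTH_SYS_MAX_GIDS];
    int sent = auth_sys_truncate(all, n, wire);
    printf("an AUTH_SYS header could carry %d of them%s\n", sent,
           exceeds_auth_sys_limit(n) ? " (the rest hit the 16 limit)" : "");
    free(all);
    return 0;
}
```

The buffer loop matters in practice: getgrouplist(3) reports a too-small buffer differently on glibc and FreeBSD, and a user with many AD groups is exactly the case where the first call fails, so a fixed 16-entry array would reproduce the wire limit on the server side.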
