From owner-svn-src-all@freebsd.org Thu Apr 19 02:06:34 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CA1B1F989B7; Thu, 19 Apr 2018 02:06:34 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 37C0C7EB79; Thu, 19 Apr 2018 02:06:33 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from Julian-MBP3.local (220-253-154-11.dyn.iinet.net.au [220.253.154.11]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id w3J26RAq034335 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 18 Apr 2018 19:06:30 -0700 (PDT) (envelope-from julian@freebsd.org) Subject: Re: svn commit: r332559 - head/usr.sbin/mountd To: Rick Macklem , Konstantin Belousov Cc: Andriy Gapon , "src-committers@freebsd.org" , "svn-src-all@freebsd.org" , "svn-src-head@freebsd.org" References: <20180417123212.GM1774@kib.kiev.ua> From: Julian Elischer Message-ID: Date: Thu, 19 Apr 2018 10:06:22 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Apr 2018 02:06:35 -0000 On 19/4/18 5:15 am, Rick Macklem wrote: > Julian Elischer wrote: > [stuff snipped] >> our issue is that we make a server that combines CIFS/SMB access (via >> samba), credential setting from a company wide AD server (windows) >> via winbindd (samba) via nsswitch.. and NFS. >> >> The problem is that when one looks up a user name from the AD server >> One can get back a credential with a large number of groups, because >> some companies use windows groups extensively. SO a sinel user may be >> in a group for every project they are involved with and a method of >> giving them access to files related to a project. >> In this scenario a group manager may be given access to a lot of groups. >> >> A user looking at a file via NFS needs to be able to see what he needs >> and still be blocked as per company policy. >> I am investigating the new user-manager daemon may help but I don't >> fully understand it yet. >> I gather it maps an incoming request to a set of groups as defined on >> the server rather than on the client, but I'm not sure yet how that >> relates to mountd. > I am happy to say I know nothing about AD, but I thought it included an > LDAP service? yes and this what is used when  one uses ldap against an AD server. (which seems to work) > If there is a way to configure FreeBSD so that getgrouplist(3) > gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server > should do what you want. (It takes the "uid" from the AUTH_SYS RPC request > header and then creates a list of groups for that "uid" via getgrouplist(3). > It basically does a getpwuid() and then uses the pw_name as the first arg > to getgrouplist(3). > It ignores the list of groups in the RPC header and, therefore, is not limited > to 16.) yes that is what I was referring to in my previous email getgrouplist(3) does the right thing as far as I know. > > If getgrouplist(3) can't see the set of AD groups, then something needs to be > done to make that work. > > rick > >