Date: Wed, 18 Apr 2018 21:15:36 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Julian Elischer <julian@freebsd.org>, Konstantin Belousov <kostikbel@gmail.com>
Cc: Andriy Gapon <avg@FreeBSD.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject: Re: svn commit: r332559 - head/usr.sbin/mountd
Message-ID: <YQBPR0101MB1042E8D110F8DBCE648767A7DDB60@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <ab24ee87-22f7-d40c-5807-d8a3ed996e54@freebsd.org>
References: <YQBPR0101MB104243594E51285F229BC11FDDB00@YQBPR0101MB1042.CANPRD01.PROD.OUTLOOK.COM> <20180417123212.GM1774@kib.kiev.ua>, <ab24ee87-22f7-d40c-5807-d8a3ed996e54@freebsd.org>
Julian Elischer wrote:
[stuff snipped]
> our issue is that we make a server that combines CIFS/SMB access (via
> samba), credential setting from a company-wide AD server (windows)
> via winbindd (samba) via nsswitch.. and NFS.
>
> The problem is that when one looks up a user name from the AD server
> one can get back a credential with a large number of groups, because
> some companies use windows groups extensively. So a single user may be
> in a group for every project they are involved with and a method of
> giving them access to files related to a project.
> In this scenario a group manager may be given access to a lot of groups.
>
> A user looking at a file via NFS needs to be able to see what he needs
> and still be blocked as per company policy.
> I am investigating whether the new user-manager daemon may help but I don't
> fully understand it yet.
> I gather it maps an incoming request to a set of groups as defined on
> the server rather than on the client, but I'm not sure yet how that
> relates to mountd.

I am happy to say I know nothing about AD, but I thought it included
an LDAP service?
If there is a way to configure FreeBSD so that getgrouplist(3) gets this
list of AD groups, then "nfsuserd -manage-gids" on the NFS server should
do what you want.
(It takes the "uid" from the AUTH_SYS RPC request header and then creates
a list of groups for that "uid" via getgrouplist(3). It basically does a
getpwuid() and then uses the pw_name as the first arg to getgrouplist(3).
It ignores the list of groups in the RPC header and, therefore, is not
limited to 16.)

If getgrouplist(3) can't see the set of AD groups, then something needs
to be done to make that work.

rick
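An added example, not nfsuserd's own code or part of this thread: a small C program that resolves a uid the way the reply describes "nfsuserd -manage-gids" doing it (uid, then getpwuid(), then getgrouplist(3) on pw_name, ignoring the gids in the AUTH_SYS header), so an admin can check on the NFS server whether getgrouplist(3) sees the AD groups supplied via nsswitch/winbindd and whether a user's list exceeds the 16-gid AUTH_SYS limit. The function names and the 16-entry constant are this example's own assumptions.

```c
/* Added example (not nfsuserd's code): resolve a uid the way the reply above
 * says "nfsuserd -manage-gids" does (uid -> getpwuid() -> getgrouplist(3) on
 * pw_name), to check on the NFS server which groups getgrouplist(3) sees. */
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>

#define AUTH_SYS_MAX_GIDS 16 /* gid list limit in the AUTH_SYS RPC header */

/* Returns the group count (malloc'd list in *out), or -1 if the uid is unknown. */
int server_side_groups(uid_t uid, gid_t **out)
{
    struct passwd *pw = getpwuid(uid);
    int cap = 32, n;
    gid_t *gids = pw ? malloc(cap * sizeof *gids) : NULL, *tmp;
    if (gids == NULL)
        return -1;
    for (;;) {
        n = cap;
        /* -1 means the buffer was too small: double it and retry. On success
         * glibc returns the count and FreeBSD returns 0; both store it in n. */
        if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &n) != -1)
            break;
        if (cap >= 65536 || (tmp = realloc(gids, 2 * cap * sizeof *gids)) == NULL) {
            free(gids);
            return -1;
        }
        gids = tmp;
        cap *= 2;
    }
    *out = gids;
    return n;
}

/* Group count for uid, or -1 on lookup failure. */
int count_server_groups(uid_t uid)
{
    gid_t *g = NULL;
    int n = server_side_groups(uid, &g);
    free(g);
    return n;
}

/* 1 if the user has more groups than an AUTH_SYS header can carry, 0 if not, -1 on failure. */
int truncated_by_auth_sys(uid_t uid)
{
    int n = count_server_groups(uid);
    return n < 0 ? -1 : n > AUTH_SYS_MAX_GIDS;
}
```

Run it against a uid that winbindd maps from AD: a count that stops at the local groups, or a -1, shows that the nsswitch path is not delivering the AD groups to getgrouplist(3).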