Re: Please support NSF squashing multiple groups

On Fri, 19 Aug 2011 19:45:34 -0400 "J. Bruce Fields" <bfields@xxxxxxxxxxxx>
wrote:

> On Sat, Aug 20, 2011 at 08:35:43AM +1000, paul.szabo@xxxxxxxxxxxxx wrote:
> > Dear Andy,
> > 
> > > Note that only AUTH_SYS sends GID and GID lists in the rpc_cred.
> > > RPCSEC_GSS with Kerberos only sends the krb5 principal to the server.
> > > The server looks up group membership via nsswitch - either /etc/groups
> > > ...
> > 
> > Can the server be set so as to ignore any AUTH_SYS sends, and accept
> > RPCSEC_GSS only?
> 
> Add something like sec=krb5:krb5i:krb5p to all your exports.
> 
> > > idmapd only deals with groups when a SETATTR arrives with ACE who's that
> > > are group names where it maps the groupname@domain to a gid, or a
> > > GETATTR ACL request where it maps gid->groupname@domain
> > 
> > Can the server be set so as to ignore any attempts from the client to
> > set group memberships, but always set its own from /etc/group?
> 
> Use kerberos, or run mountd with the --manage-gids option.
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I almost suggested this, but then realised that it doesn't help.

With AUTH_SYS the client sends a UID, a GID and a list of at most 16
auxiliary GIDs.

With --manage-gids, the server ignores the list of auxiliary GIDs and
generates a list locally based on the UID.
So the UID and primary GID from the server are still trusted.

So kerberos is really the only option to be able to filter uids and gids
under user-space control.

When I suggested looking at idmap I was actually imagining writing your own
plug-in that did whatever mapping and filtering you wanted.

I think I mentioned before that you would need to use kerberos and NFSv4 to
make use of this but in fact you just need kerberos.  It will work with
NFSv3, though with some limitations.
In particular:
  when the client issues a chown/chgrp request, the uid/gid is used directly
  - idmap does not have a chance to filter/translate it (in v4 it does).
  When the client issues a getattr, the uid/gid are passed through
  unchanged.  idmap does not get to translate it (in v4 it does).

The only mapping available with v3 is the authenticated username of the
entity which issued the request.  idmap gets to translate that into a uid and
gids however the plug-in tells it to.

NeilBrown


> 
> --b.
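To make the trust boundary discussed above concrete, here is a small added model (not code from nfs-utils or the kernel) of what a server ends up acting on under plain AUTH_SYS, AUTH_SYS with mountd --manage-gids, and RPCSEC_GSS with krb5. The account tables, the EXAMPLE.COM realm and the idmap function are constructed for the illustration.

```python
"""Model of the credentials an NFS server acts on, per authentication flavour.

Constructed example for the thread above; not nfs-utils or kernel code.
"""
from dataclasses import dataclass

NGROUPS_AUTH_SYS = 16  # AUTH_SYS carries at most 16 auxiliary GIDs on the wire

# Constructed stand-ins for the server's /etc/passwd and /etc/group.
PASSWD = {"alice": (1000, 1000), "bob": (1001, 1001)}   # name -> (uid, primary gid)
GROUPS = {1000: {1000, 2000, 2001}, 1001: {1001, 2000}}  # uid -> full local gid set


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    groups: frozenset


def server_creds_auth_sys(client_uid, client_gid, client_groups, manage_gids):
    """AUTH_SYS: uid, gid and the aux list are all asserted by the client.
    With --manage-gids the aux list is discarded and rebuilt locally from the
    uid, but the uid and primary gid themselves are still taken from the client."""
    if manage_gids:
        groups = frozenset(GROUPS.get(client_uid, set()))
    else:
        groups = frozenset(client_groups[:NGROUPS_AUTH_SYS])  # truncated like the wire
    return Creds(client_uid, client_gid, groups)


def server_creds_krb5(principal, idmap):
    """RPCSEC_GSS/krb5: only the authenticated principal reaches the server.
    The idmap plug-in (here a constructed function) chooses uid/gids or rejects."""
    name = idmap(principal)
    if name is None:
        return None  # request denied: nothing from the client is trusted
    uid, gid = PASSWD[name]
    return Creds(uid, gid, frozenset(GROUPS[uid]))


def example_idmap(principal):
    """Constructed plug-in: accept only local users from one realm."""
    user, _, realm = principal.partition("@")
    return user if realm == "EXAMPLE.COM" and user in PASSWD else None
```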
