On 19/4/18 5:15 am, Rick Macklem wrote:
Julian Elischer wrote:
[stuff snipped]
Our issue is that we make a server that combines CIFS/SMB access (via
samba), credential setting from a company-wide AD server (windows)
via winbindd (samba) via nsswitch, and NFS.
The problem is that when one looks up a user name from the AD server
One can get back a credential with a large number of groups, because
some companies use windows groups extensively. So a single user may be
in a group for every project they are involved with and a method of
giving them access to files related to a project.
In this scenario a group manager may be given access to a lot of groups.
A user looking at a file via NFS needs to be able to see what he needs
and still be blocked as per company policy.
I am investigating whether the new user-manager daemon may help, but I don't
fully understand it yet.
I gather it maps an incoming request to a set of groups as defined on
the server rather than on the client, but I'm not sure yet how that
relates to mountd.
I am happy to say I know nothing about AD, but I thought it included an
LDAP service?
Yes, and this is what is used when one uses LDAP against an AD server.
(which seems to work)
If there is a way to configure FreeBSD so that getgrouplist(3)
gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server
should do what you want. (It takes the "uid" from the AUTH_SYS RPC request
header and then creates a list of groups for that "uid" via getgrouplist(3).
It basically does a getpwuid() and then uses the pw_name as the first arg
to getgrouplist(3).
It ignores the list of groups in the RPC header and, therefore, is not limited
to 16.)
Yes, that is what I was referring to in my previous email.
getgrouplist(3) does the right thing as far as I know.
If getgrouplist(3) can't see the set of AD groups, then something needs to be
done to make that work.
rick
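Neither message above contains code, so the following is an added illustration of the two credential paths being discussed; it is not nfsuserd's own code. The 16-gid cap is the AUTH_SYS credential limit from RFC 5531; the struct name, the 256-entry server-side cap, the project gids 5001..5020 and the file gid 5019 are constructed for the example. The program does the same lookup Rick describes (uid from the request, getpwuid(3), then getgrouplist(3) on pw_name) and contrasts it with a client-packed AUTH_SYS list, so running it on the NFS server for an AD uid is a direct check of whether winbindd/nsswitch expose the AD groups to getgrouplist(3).

```c
#define _DEFAULT_SOURCE   /* exposes getgrouplist(3) on glibc; harmless on FreeBSD */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* An AUTH_SYS credential (RFC 5531, section 9.2) carries at most 16 gids. */
#define AUTH_SYS_MAXGIDS 16
/* Cap for the server-built list in this example only (not nfsuserd's limit). */
#define SERVER_MAXGIDS 256

struct server_cred {              /* example struct, not a FreeBSD type */
    uid_t uid;
    gid_t gid;                    /* primary gid from getpwuid(3) */
    int   ngroups;                /* entries valid in groups[] */
    gid_t groups[SERVER_MAXGIDS]; /* getgrouplist(3) result, primary gid included */
};

/* Client side: pack a gid list into an AUTH_SYS credential. Anything past the
 * 16th gid is silently dropped. Returns the number of gids that fit. */
int auth_sys_pack(const gid_t *all, int nall, gid_t out[AUTH_SYS_MAXGIDS])
{
    int n = nall < AUTH_SYS_MAXGIDS ? nall : AUTH_SYS_MAXGIDS;
    if (n > 0)
        memcpy(out, all, (size_t)n * sizeof(gid_t));
    return n;
}

/* Server side, the lookup "nfsuserd -manage-gids" is described as doing:
 * take only the uid from the request, getpwuid() it, then getgrouplist() on
 * pw_name. The gid list the client sent is never consulted.
 * Returns 0 on success, -1 if the uid is unknown to the server's nsswitch. */
int server_cred_from_uid(uid_t uid, struct server_cred *c)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    c->uid = pw->pw_uid;
    c->gid = pw->pw_gid;
    c->ngroups = SERVER_MAXGIDS;
    /* -1 means the buffer was too small; it is still filled with as many
     * gids as fit, so keep the capped list rather than failing. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, c->groups, &c->ngroups) == -1)
        c->ngroups = SERVER_MAXGIDS;
    return 0;
}

/* Group count getgrouplist(3) sees for a uid, or -1 if the uid is unknown. */
int server_group_count(uid_t uid)
{
    struct server_cred c;
    return server_cred_from_uid(uid, &c) == 0 ? c.ngroups : -1;
}

/* Group-class permission check for a file owned by file_gid. */
int in_group_list(gid_t file_gid, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == file_gid)
            return 1;
    return 0;
}

/* Constructed scenario (not real data): an AD user in 20 project groups,
 * gids 5001..5020, reads a file owned by project group 5019. */
#define NPROJ 20
static void constructed_groups(gid_t out[NPROJ])
{
    for (int i = 0; i < NPROJ; i++)
        out[i] = (gid_t)(5001 + i);
}

/* Decision when the server trusts the client's (truncated) AUTH_SYS list. */
int access_via_auth_sys(gid_t file_gid)
{
    gid_t all[NPROJ], packed[AUTH_SYS_MAXGIDS];
    constructed_groups(all);
    int n = auth_sys_pack(all, NPROJ, packed);
    return in_group_list(file_gid, packed, n);
}

/* Decision when the server builds the full list for the uid itself. */
int access_via_server_list(gid_t file_gid)
{
    gid_t all[NPROJ];
    constructed_groups(all);
    return in_group_list(file_gid, all, NPROJ);
}

/* Usage: ./a.out [uid]  (defaults to the invoking uid) */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    struct server_cred c;

    if (server_cred_from_uid(uid, &c) == -1) {
        fprintf(stderr, "uid %lu: getpwuid(3) failed; check nsswitch.conf/winbindd\n",
                (unsigned long)uid);
        return 1;
    }
    printf("uid %lu: %d group(s) via getgrouplist(3)%s:", (unsigned long)c.uid,
           c.ngroups, c.ngroups > AUTH_SYS_MAXGIDS ? " (more than AUTH_SYS carries)" : "");
    for (int i = 0; i < c.ngroups; i++)
        printf(" %lu", (unsigned long)c.groups[i]);
    printf("\nconstructed file gid 5019: AUTH_SYS list -> %s, server list -> %s\n",
           access_via_auth_sys(5019) ? "allow" : "deny",
           access_via_server_list(5019) ? "allow" : "deny");
    return 0;
}
```

If the program prints only the primary gid (or fails getpwuid) for an AD user on the NFS server, the nsswitch/winbindd side needs fixing before -manage-gids can help, since the daemon can only return what getgrouplist(3) returns. Note also that -manage-gids changes where the gid list comes from, not how the uid is established: with AUTH_SYS the uid is still asserted by the client and not authenticated.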
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"