Julian Elischer wrote:

[stuff snipped]

> our issue is that we make a server that combines CIFS/SMB access (via
> samba), credential setting from a company wide AD server (windows)
> via winbindd (samba) via nsswitch.. and NFS.
>
> The problem is that when one looks up a user name from the AD server
> one can get back a credential with a large number of groups, because
> some companies use windows groups extensively. So a single user may be
> in a group for every project they are involved with and a method of
> giving them access to files related to a project.
> In this scenario a group manager may be given access to a lot of groups.
>
> A user looking at a file via NFS needs to be able to see what he needs
> and still be blocked as per company policy.
> I am investigating whether the new user-manager daemon may help but I don't
> fully understand it yet.
> I gather it maps an incoming request to a set of groups as defined on
> the server rather than on the client, but I'm not sure yet how that
> relates to mountd.
I am happy to say I know nothing about AD, but I thought it included an LDAP service?

If there is a way to configure FreeBSD so that getgrouplist(3) gets this list of AD groups, then "nfsuserd -manage-gids" on the NFS server should do what you want.

(It takes the "uid" from the AUTH_SYS RPC request header and then creates a list of groups for that "uid" via getgrouplist(3). It basically does a getpwuid() and then uses the pw_name as the first arg to getgrouplist(3). It ignores the list of groups in the RPC header and, therefore, is not limited to 16.)

If getgrouplist(3) can't see the set of AD groups, then something needs to be done to make that work.

rick
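The lookup sequence rick describes (uid from the AUTH_SYS header, getpwuid(), then getgrouplist(3) on pw_name, ignoring the at-most-16 gids the client sent) can be exercised directly on the server to check whether nsswitch/winbindd actually exposes the AD memberships. The program below is an added illustration for this thread, not code from nfsuserd, FreeBSD or anyone on the list; the function names resolve_gids_for_uid and exceeds_authsys_limit are hypothetical, and the 16-gid figure is the AUTH_SYS credential limit mentioned above. Run it with a uid as the argument; if the printed group count is what AD says it should be, nfsuserd -manage-gids has what it needs, and if it is short, the NSS side (not NFS) is what needs attention.

```c
#define _DEFAULT_SOURCE /* exposes getgrouplist(3) on glibc; harmless on FreeBSD */
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>

/* An AUTH_SYS credential carries at most 16 auxiliary gids, which is the
 * limit the server-side lookup sidesteps. */
#define AUTHSYS_MAX_GIDS 16

/* Hypothetical helper mirroring the sequence described in the mail:
 * uid -> getpwuid() -> getgrouplist(3) on pw_name through nsswitch.
 * Returns 0 on success (count = number of gids written), -1 if the uid
 * has no passwd entry, -2 if the caller's buffer was too small. */
int resolve_gids_for_uid(uid_t uid, gid_t *groups, int max, int *count)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) {
        *count = 0;
        return -1;
    }
    int n = max; /* in: capacity, out: groups found */
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) == -1) {
        *count = n;
        return -2;
    }
    *count = n;
    return 0;
}

/* 1 if a membership list this long could not have arrived intact in the
 * AUTH_SYS header, i.e. the client-supplied gids alone would be truncated. */
int exceeds_authsys_limit(int ngroups)
{
    return ngroups > AUTHSYS_MAX_GIDS;
}

int main(int argc, char **argv)
{
    /* Default to the invoking uid; pass a numeric uid to check another user. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t groups[1024];
    int n = 0;
    int rc = resolve_gids_for_uid(uid, groups, 1024, &n);
    if (rc != 0) {
        fprintf(stderr, "lookup failed for uid %lu (rc=%d)\n", (unsigned long)uid, rc);
        return 1;
    }
    printf("uid %lu has %d group(s)%s:", (unsigned long)uid, n,
           exceeds_authsys_limit(n) ? " (more than AUTH_SYS can carry)" : "");
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)groups[i]);
    printf("\n");
    return 0;
}
```

Because the resolution happens on the server from the server's own NSS view, what a user can reach over NFS is decided by the server's group database rather than by whatever gids the client put in the request, which is the property the thread is after.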