April 14th, 2010 07:00
behaviour difference with GID / SID creds
Hi,
I'm running multiprotocol env tests.
I've built two almost identical test cases. There is only one identified difference, which I'll detail later in this message.
One behaviour is different. I'd like to know if it's related to this already known difference, and possibly how to make them behave the same.
Two directories D1 and D2 on a FS mounted with SECURE access policy.
From Windows/CIFS side:
- D1 has no ACL inheritance
- only two ACLs on D1 (full access for both):
  - my Windows account (to be able to operate)
  - an AD user group WG1
From Unix/NFS side:
- D1 owner is me, group is UG1. Unix bits are 770
My account is not a member of WG1/UG1
On the unix server where this FS is mounted, there are 2 local accounts: ULA1 and ULA2.
ULA1's primary unix group is UG1 (D1's owner group).
This account does not exist in LDAP nor AD. Same for the unix group.
So ULA1 can pass the D1 unix access control but not the Windows ACLs, as he's not a member of WG1.
Still following me?
As there is no native mapping between UG1 and WG1, I faked it through the /.etc/group file.
wg1:x:1234: (where 1234 is UG1 gid)
I can verify with
.server_config server_2 -v "unixId2sid gid=1234"
that the SID mapped is WG1 SID.
I have an entry in the secmap that reflects the same information. Origin is "etc".
About the real life test: can local user ULA1 access the D1 directory? YES
So all is working as expected.
Now let's have a look at D2 and local account ULA2.
All is the same, except that the ACL set on D2 is WG2, ULA2's group is UG2, etc.
The entry in the group file is
wg2:x:5678: (where 5678 is UG2 gid)
etc...
The command
.server_config server_2 -v "unixId2sid gid=5678"
is also ok, and the secmap entry is present and ok too.
BUT ULA2 cannot access directory D2!
Why?
To me the only difference is that UG1 exists in LDAP while UG2 does not.
But it should not make any difference, as the nsswitch.conf entries are:
passwd: files ldap
group: files ldap
Some DM parameters I've set:
param cifs acl.extacl=32
param cifs acl.extendExtraGid=1
param cifs acl.restrictedTakeOwnership=1
param cifs acl.takegroupship=1
param cifs acl.useUnixGid=1
param cifs resolver=1
param nfs NTcred.trace=7
param nfs NTcred.winDomain=mydomain
How to explain this behaviour difference?
Is it possible to collect some debug information to understand what's happening?
Thanks
Eric
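The lookup chain the post describes (Unix GID, then the group name found via nsswitch order "files ldap", then the Windows group SID carrying that name) can be modelled to check where two names compete for one GID. The script below is an added example, not code from the post and not Celerra/DM code: its group file, "LDAP" table and SIDs are constructed to mirror the two cases in the post, and it does not claim to reproduce how the Data Mover actually resolves credentials.

```python
# Added example (not from the post, not Celerra/DM code): a model of the
# gid -> group name (nsswitch "group: files ldap") -> Windows SID chain.
# All tables and SIDs below are constructed placeholders.

from typing import Dict, List, Optional, Tuple

# Constructed /.etc/group-style content, mirroring the two entries in the post.
GROUP_FILE = """\
# name:passwd:gid:members
wg1:x:1234:
wg2:x:5678:
"""

# Constructed "LDAP" group table: UG1 exists there, UG2 does not (as in the post).
LDAP_GROUPS: Dict[str, int] = {"ug1": 1234}

# Constructed AD group -> SID table; the SIDs are placeholders, not real values.
AD_GROUP_SIDS: Dict[str, str] = {
    "wg1": "S-1-5-21-1000-2000-3000-1101",
    "wg2": "S-1-5-21-1000-2000-3000-1102",
}

NSSWITCH_GROUP_ORDER = ("files", "ldap")  # group: files ldap


def parse_group_file(text: str) -> Dict[str, int]:
    """Parse name:passwd:gid:members lines into {name: gid}.
    Comments, blank lines and malformed entries are skipped, not guessed."""
    groups: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        groups[fields[0]] = int(fields[2])
    return groups


def names_for_gid(gid: int, sources: Dict[str, Dict[str, int]],
                  order=NSSWITCH_GROUP_ORDER) -> List[Tuple[str, str]]:
    """Every (source, name) pair carrying this gid, in nsswitch order.
    More than one hit means two names compete for the same gid."""
    return [(src, name)
            for src in order
            for name, g in sources.get(src, {}).items()
            if g == gid]


def resolve_gid_to_sid(gid: int, sources: Dict[str, Dict[str, int]],
                       ad_sids: Dict[str, str],
                       order=NSSWITCH_GROUP_ORDER) -> Optional[str]:
    """First source in nsswitch order wins; its name is then looked up as a Windows group."""
    hits = names_for_gid(gid, sources, order)
    if not hits:
        return None
    _, name = hits[0]
    return ad_sids.get(name)


def audit(gids, sources, ad_sids) -> Dict[int, dict]:
    """For each gid: the SID it resolves to (or None) and all competing names."""
    return {gid: {"sid": resolve_gid_to_sid(gid, sources, ad_sids),
                  "hits": names_for_gid(gid, sources)}
            for gid in gids}


if __name__ == "__main__":
    sources = {"files": parse_group_file(GROUP_FILE), "ldap": LDAP_GROUPS}
    for gid, info in audit([1234, 5678, 9999], sources, AD_GROUP_SIDS).items():
        print(gid, info)
```

With "files" first, both GIDs resolve to their intended Windows group in this model, which matches the post's expectation; the only observable difference it surfaces is that gid 1234 also has a competing LDAP name (ug1) while 5678 has none. That competing name is the thing worth checking on the real system (lookup order, or a cached mapping created from the LDAP name) before looking elsewhere.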

