Latest revision as of 13:51, 19 August 2013
SSSD CIFS plugin
Summary
During the F20 development cycle, the SSSD will provide an ID-mapping plugin for cifs-utils so that Windows SIDs can be mapped onto POSIX IDs and/or names without requiring Winbind and using the same code as the SSSD uses for identity information.
Owner
- Name: Sumit Bose, Jakub Hrozek
- Email: sbose@redhat.com, jhrozek@redhat.com
- Release notes owner:
Current status
- Tracker bug: #998544 (https://bugzilla.redhat.com/show_bug.cgi?id=998544)
Detailed Description
When working with files on a CIFS share, mapping between Windows SIDs and POSIX IDs might be required in some situations, such as modifying the ACLs. In recent versions, the cifs-utils package introduced a plugin interface that allows different libraries to handle the ID mapping. Currently only Winbind provides such a plugin (see file idmapwb.c in the cifs-utils tree). The goal of this change is to provide a similar plugin using SSSD's ID mapping library so that the same method of ID mapping is used and Winbind is not required at all. The upstream design page, which includes deeper technical details, can be found in the SSSD Trac (http://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient). The progress of the work can also be tracked in the upstream ticket #1534.
Benefit to Fedora
Fedora already defaults to configuring the SSSD to access identity information from Windows servers via realmd and Enterprise Login support. Using the same software for ID mapping when accessing CIFS shares makes sense both for correctness (the same method would be used to convert SIDs to IDs or names) and for reducing the dependency footprint.
Scope
The SSSD would provide a plugin for the cifs-utils package as described in the upstream design page. The cifs-utils package would then switch to using the SSSD plugin instead of the one provided by Winbind. The change on the cifs-utils side should amount to changing a symlink.
- Proposal owners:
  - SSSD needs to create a plugin that matches the interface used by cifs-utils.
  - This plugin would be packaged as a separate subpackage.
- Other developers:
  - The cifs-utils package would switch to managing which ID mapping plugin it uses with the use of alternatives (rhbz #984088).
- Release engineering:
  - No mass rebuild would be required.
  - The cifs-utils package would Require the new SSSD plugin and, indirectly, its dependencies, which would be primarily the libsss_idmap library.
- Policies and guidelines:
  - No new policy guidelines.
Upgrade/compatibility impact
- No existing functionality should be lost. Resolving SIDs to IDs and names should work as it used to.
How To Test
Testing with getcifsacl
If there is no plugin for the CIFS client utilities, or the plugin cannot resolve the SIDs to names, getcifsacl will only show the SID strings in the output (rhbz #984087, https://bugzilla.redhat.com/show_bug.cgi?id=984087):
    # getcifsacl /tmp/bla/Users/Administrator/Desktop/putty.exe
    REVISION:0x1
    CONTROL:0x8004
    OWNER:S-1-5-32-544
    GROUP:S-1-5-21-3090815309-2627318493-3395719201-513
    ACL:S-1-5-18:ALLOWED/0x0/FULL
    ACL:S-1-5-32-544:ALLOWED/0x0/FULL
    ACL:S-1-5-21-3090815309-2627318493-3395719201-500:ALLOWED/0x0/FULL
With the plugin, the output would resolve the SIDs to human-readable names:
    # getcifsacl /tmp/bla/Users/Administrator/Desktop/putty.exe
    REVISION:0x1
    CONTROL:0x8004
    OWNER:BUILTIN\Administrators
    GROUP:AD18\Domain Users
    ACL:S-1-5-18:ALLOWED/0x0/FULL
    ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
    ACL:AD18\Administrator:ALLOWED/0x0/FULL
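One way to check a getcifsacl run for trustees that were left as raw SIDs, as an added example (not part of the original page, cifs-utils or SSSD). The function name unresolved_sids and the one-field-per-line input layout are assumptions; the sample data is constructed from the two outputs shown above.

```shell
#!/bin/sh
# Added example: report trustees that getcifsacl printed as raw SID strings.
# Reads getcifsacl output on stdin; prints "FIELD<TAB>SID" per unresolved entry.
unresolved_sids() {
    awk '
        function check(field, trustee) {
            # S-1-<authority>-<subauthority>... means no name was resolved
            if (trustee ~ /^S-1-[0-9]+(-[0-9]+)+$/)
                printf "%s\t%s\n", field, trustee
        }
        # OWNER:<trustee> and GROUP:<trustee>
        /^(OWNER|GROUP):/ {
            sep = index($0, ":")
            check(substr($0, 1, sep - 1), substr($0, sep + 1))
        }
        # ACL:<trustee>:<type>/<flags>/<mask>; names may contain spaces,
        # so cut at the last colon instead of splitting on whitespace
        /^ACL:/ {
            rest = substr($0, 5)
            sub(/:[^:]*$/, "", rest)
            check("ACL", rest)
        }
    '
}

# Sample input constructed from the two outputs on this page.
without_plugin='REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-32-544
GROUP:S-1-5-21-3090815309-2627318493-3395719201-513
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:S-1-5-32-544:ALLOWED/0x0/FULL
ACL:S-1-5-21-3090815309-2627318493-3395719201-500:ALLOWED/0x0/FULL'
with_plugin='REVISION:0x1
CONTROL:0x8004
OWNER:BUILTIN\Administrators
GROUP:AD18\Domain Users
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:AD18\Administrator:ALLOWED/0x0/FULL'

for sample in "$without_plugin" "$with_plugin"; do
    printf '%s\n' "$sample" | unresolved_sids
    echo "--"
done
```

For the second sample it still lists the ACL entry S-1-5-18, the one trustee the page's plugin output shows as a SID.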
Testing with cifsacl option to mount.cifs
If the cifsacl mount option is used, the cifs kernel module will call cifs.idmap to translate the Windows SIDs into the corresponding UIDs/GIDs of the client system, so that the ownership of the files in the mounted file system is not mapped to the user who mounted the file system but corresponds to the owning user and group of the Windows domain.
User Experience
N/A (not a System Wide Change)
Dependencies
- cifs-utils would grow a dependency on this new plugin
Contingency Plan
- Contingency mechanism: revert the symlink change made to cifs-utils.
- Contingency deadline: N/A
- Blocks release? No
Documentation
So far only the design page is available.