From Fedora Project Wiki
(initial writeup of the SSSD CIFS plugin page)
 
(fix typos)
Line 60: Line 60:
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
When working with files on a CIFS share, mapping between Windows SIDs and POSIX IDs might be required in some situations like modifying the ACLs. In recent versions, the cifs-util package
When working with files on a CIFS share, mapping between Windows SIDs and POSIX IDs might be required in some situations like modifying the ACLs. In recent versions, the cifs-util package
introduced a plugin interface that allows different packages to handle the ID mapping. Currently only Winbind provides such plugin (see file idmapwb.c in cifs-utils tree). The goal of this
introduced a plugin interface that allows different libraries to handle the ID mapping. Currently only Winbind provides such plugin (see file idmapwb.c in cifs-utils tree). The goal of this
change is to provide a similar plugin using SSSD's ID mapping library so that the same method of ID mapping is used and Winbind is not required at all. The upstream design page that includes
change is to provide a similar plugin using SSSD's ID mapping library so that the same method of ID mapping is used and Winbind is not required at all. The upstream design page that includes
deeper technical details can be found in the [http://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient SSSD Trac ]. The progress of the work can also be tracked in the
deeper technical details can be found in the [http://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient SSSD Trac ]. The progress of the work can also be tracked in the
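Review bot: the first line of the rewritten paragraph still says "the cifs-util package", while the same paragraph refers to the "cifs-utils tree". Since this revision is a typo pass, change it to "cifs-utils package". In the same paragraph, "such plugin" should read "such a plugin".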
Line 67: Line 67:
== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
The SSSD already defaults to configuring the SSSD to access identity
Fedora already defaults to configuring the SSSD to access identity
information from Windows servers via realmd and Enterprise Login
information from Windows servers via realmd and Enterprise Login
support. Using the same software for ID mapping when accessing CIFS shares
support. Using the same software for ID mapping when accessing CIFS shares
Line 79: Line 79:


* Proposal owners:
* Proposal owners:
** SSSD needs to create a plugin that matches the interface used by cifs-utils. See the [http://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient upstream design page] for more details.
** SSSD needs to create a plugin that matches the interface used by cifs-utils.
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** The cifs-utils package would switch the default ID mapping plugin by pointing the `--with-idmap-plugin` configure-time switch to the new plugin provided by the SSSD.
** The cifs-utils package would switch the default ID mapping plugin by pointing the <code>--with-idmap-plugin</code> configure-time switch to the new plugin provided by the SSSD.
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


Line 149: Line 149:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== User Experience ==
== User Experience ==
Line 175: Line 174:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== Release Notes ==
== Release Notes ==

Revision as of 10:00, 12 July 2013



SSSD CIFS plugin

Summary

During the F20 development cycle, the SSSD will provide an ID-mapping plugin for cifs-utils so that Windows SIDs can be mapped onto POSIX IDs and/or names without requiring Winbind and using the same code as the SSSD uses for identity information.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-07-12
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

When working with files on a CIFS share, mapping between Windows SIDs and POSIX IDs might be required in some situations, such as modifying the ACLs. In recent versions, the cifs-utils package introduced a plugin interface that allows different libraries to handle the ID mapping. Currently only Winbind provides such a plugin (see file idmapwb.c in the cifs-utils tree). The goal of this change is to provide a similar plugin using SSSD's ID mapping library so that the same method of ID mapping is used and Winbind is not required at all. The upstream design page that includes deeper technical details can be found in the SSSD Trac. The progress of the work can also be tracked in the upstream ticket #1534.

Benefit to Fedora

Fedora already defaults to configuring the SSSD to access identity information from Windows servers via realmd and Enterprise Login support. Using the same software for ID mapping when accessing CIFS shares makes sense both for correctness (the same method would be used to convert SIDs to IDs or names) and for reducing the dependency footprint.

Scope

The SSSD would provide a plugin for the cifs-utils package as described in the upstream design page. The cifs-utils package would then switch to using the SSSD plugin instead of the one provided by Winbind. The change on the cifs-utils side should amount to changing a configure-time option.

  • Proposal owners:
    • SSSD needs to create a plugin that matches the interface used by cifs-utils.
  • Other developers:
    • The cifs-utils package would switch the default ID mapping plugin by pointing the --with-idmap-plugin configure-time switch to the new plugin provided by the SSSD.
  • Release engineering:
    • No mass rebuild would be required.
    • The cifs-utils package would Require the new SSSD plugin and, indirectly, its dependencies, which would be primarily the libsss_idmap library.
  • Policies and guidelines:
    • No new policy guidelines

Upgrade/compatibility impact

  • No existing functionality should be lost. Resolving SIDs to IDs and names should work as it used to.


How To Test

Testing with getcifsacl

If there is no plugin for the CIFS client utilities, or the plugin cannot resolve the SIDs to names, getcifsacl will only show the SID strings in the output:

# getcifsacl /tmp/bla/Users/Administrator/Desktop/putty.exe 
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-32-544
GROUP:S-1-5-21-3090815309-2627318493-3395719201-513
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:S-1-5-32-544:ALLOWED/0x0/FULL
ACL:S-1-5-21-3090815309-2627318493-3395719201-500:ALLOWED/0x0/FULL

With the plugin, the output would resolve the SIDs to human-readable names:

# getcifsacl /tmp/bla/Users/Administrator/Desktop/putty.exe 
REVISION:0x1
CONTROL:0x8004
OWNER:BUILTIN\Administrators
GROUP:AD18\Domain Users
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:AD18\Administrator:ALLOWED/0x0/FULL
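
One way to automate the comparison above (an added example, not part of the original proposal or of the SSSD or cifs-utils code): the script lists every OWNER, GROUP and ACL trustee that getcifsacl left as a raw SID, using the two outputs above as sample input. The function names and the "domain"/"well-known" split on the S-1-5-21- prefix are assumptions of this example.

```shell
# Added example: report trustees that getcifsacl left as raw SID strings.

# Reads getcifsacl output on stdin, prints "FIELD<TAB>SID<TAB>CLASS" for each
# OWNER/GROUP/ACL trustee not translated to a name. CLASS is "domain" for
# S-1-5-21-* (domain or machine accounts), else "well-known" (assumed split).
unresolved_sids() {
    awk -F: '
        $1 == "OWNER" || $1 == "GROUP" || $1 == "ACL" {
            if ($2 ~ /^S-1-[0-9]+(-[0-9]+)*$/) {
                class = ($2 ~ /^S-1-5-21-/) ? "domain" : "well-known"
                printf "%s\t%s\t%s\n", $1, $2, class
            }
        }'
}

# Succeeds only if no domain SID is left unresolved in the input on stdin.
plugin_resolves_domain_sids() {
    ! unresolved_sids | grep -q 'domain$'
}

# Sample input: the two getcifsacl outputs shown on this page.
sample_without_plugin() {
    cat <<'EOF'
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-32-544
GROUP:S-1-5-21-3090815309-2627318493-3395719201-513
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:S-1-5-32-544:ALLOWED/0x0/FULL
ACL:S-1-5-21-3090815309-2627318493-3395719201-500:ALLOWED/0x0/FULL
EOF
}

sample_with_plugin() {
    cat <<'EOF'
REVISION:0x1
CONTROL:0x8004
OWNER:BUILTIN\Administrators
GROUP:AD18\Domain Users
ACL:S-1-5-18:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:AD18\Administrator:ALLOWED/0x0/FULL
EOF
}

for s in sample_without_plugin sample_with_plugin; do
    if $s | plugin_resolves_domain_sids; then r=resolved; else r=UNRESOLVED; fi
    echo "$s: domain SIDs $r"
done
```

In the with-plugin output above, S-1-5-18 is still printed as a SID, so a check that demands zero raw SIDs would fail; the script treats only unresolved S-1-5-21-* trustees as a failure.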

Testing with cifsacl option to mount.cifs

If the cifsacl mount option is used, the cifs kernel module will call cifs.idmap to translate the Windows SIDs into the corresponding UIDs/GIDs of the client system. The ownership of the files in the mounted file system is then not mapped to the user who mounted the file system, but corresponds to the owning user and group of the Windows domain.


User Experience

N/A (not a System Wide Change)

Dependencies

  • cifs-utils would grow a dependency on this new plugin

Contingency Plan

  • Contingency mechanism: revert the configure change made to cifs-utils.
  • Contingency deadline: N/A
  • Blocks release? No

Documentation

So far only the design page is available.


Release Notes