Ticket #1534 (assigned enhancement)

Opened 19 months ago

Last modified 3 months ago

[RFE] Integrate SSSD with CIFS client

Reported by: dpal
Owned by: sbose
Priority: blocker
Milestone: SSSD 1.12 beta
Component: SSSD
Version: 1.8.4
Keywords:
Cc: stefw, sgallagh
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted: no
Red Hat Bugzilla: todo
Design link:
Feature Milestone:
Design review: no
Fedora test page:
Chosen: Must
Candidate to push out: no
Release Notes:

Description

Here is a mail thread on the subject:

Do you know, can sssd 1.5 be used with cifs client to mount Windows shares? AFAIU yes, if the AD uses POSIX extensions; otherwise one has to use SSSD 1.9 or winbind to do id mapping, correct? Or is there some close connection between cifs client and winbind and they talk to each other directly?

In general, mounting Windows shares is a completely orthogonal business from resolving users. The only case when CIFS may need that is to manipulate ACLs. I CCed Jeff, who may shed light on whether we have any dependency on Winbind at the moment.

We have a couple of relatively recent additions to cifs-utils that link in libwbclient to do SID to uid/gid conversions:

/usr/bin/getcifsacl
/usr/bin/setcifsacl
/usr/sbin/cifs.idmap

What are you looking to do, specifically?

Would it be possible to add a plugin interface here, so that e.g. sssd can provide a library which does the SID<->uid/gid mapping instead of winbind? And place the default winbind plugin provided by cifs-utils in a separate package so that the cifs-utils package does not have any dependency on libwbclient?

Sure, I guess. I'm not sure I understand the point though -- what's the rationale for removing the dependency on winbind?

sssd has a special provider for AD which offers functionality similar to pam_winbind/nss_winbind together with a running winbind. The goal for the next sssd release 1.10 is to reach feature parity with winbind with respect to PAM and NSS so that winbind does not need to run on a system with sssd. Especially, sssd will do its own SID to uid/gid mapping. The scheme is based on autorid and can be made compatible with autorid (within the limits of autorid), but it would be quite an overhead if winbind must be run just to map the IDs for the cifs-utils.

Ok, I think that's basically going to mean rewriting these utils from scratch. They aren't very large, but most of the code deals with wbcDomainSid pointers internally. The code uses these functions currently, so we'd need to replace them with generic variants for this new API:

wbcStringToSid
wbcSidToUid
wbcLookupSid
wbcGetpwnam
wbcUidToSid
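The thread above asks for winbind-free variants of string-to-SID conversion and SID-to-uid mapping. The following C sketch is an added example, not code from the ticket, cifs-utils or SSSD: it parses a SID string with strict bounds checks and maps it into a fixed ID range. The names `ex_sid`, `ex_str_to_sid` and `ex_sid_to_id` are hypothetical, and the range mapping is a simplified assumption, not the autorid or SSSD algorithm.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUBAUTH 15 /* a SID carries at most 15 sub-authorities */
/* Hypothetical struct for this example; not the layout in cifsidmap.h. */
struct ex_sid {
    uint8_t num_subauth;
    uint64_t authority;                 /* 48-bit identifier authority */
    uint32_t subauth[SID_MAX_SUBAUTH];
};

/* Parse one decimal field ending at '-' or NUL; returns the position after it,
 * or NULL if empty, signed or above max (strtoull saturates on overflow). */
static const char *parse_field(const char *p, uint64_t max, uint64_t *out)
{
    char *end;
    if (*p < '0' || *p > '9') return NULL;
    *out = strtoull(p, &end, 10);
    return (*out <= max && (*end == '-' || *end == '\0')) ? end : NULL;
}

/* "S-1-<authority>-<subauth>..." to binary; 0 on success, -1 if malformed. */
int ex_str_to_sid(const char *s, struct ex_sid *sid)
{
    uint64_t v;
    if (!s || strncmp(s, "S-1-", 4) != 0) return -1;   /* revision must be 1 */
    memset(sid, 0, sizeof(*sid));
    if (!(s = parse_field(s + 4, 0xFFFFFFFFFFFFULL, &sid->authority))) return -1;
    while (*s == '-') {
        if (sid->num_subauth == SID_MAX_SUBAUTH) return -1;  /* array bound */
        if (!(s = parse_field(s + 1, UINT32_MAX, &v))) return -1;
        sid->subauth[sid->num_subauth++] = (uint32_t)v;
    }
    return sid->num_subauth > 0 ? 0 : -1;   /* this example wants >= 1 */
}

/* Hypothetical range mapping: id = base + RID, only inside [base, base+size). */
int ex_sid_to_id(const struct ex_sid *sid, const struct ex_sid *dom,
                 uint32_t base, uint32_t size, uint32_t *id)
{
    if (sid->num_subauth != dom->num_subauth + 1 || sid->authority != dom->authority ||
        memcmp(sid->subauth, dom->subauth, dom->num_subauth * sizeof(uint32_t)))
        return -1;                         /* SID is not in this domain */
    uint32_t rid = sid->subauth[sid->num_subauth - 1];
    if (rid >= size || base > UINT32_MAX - rid) return -1;  /* refuse, never wrap */
    *id = base + rid;
    return 0;
}
```

Rejecting an out-of-range RID instead of wrapping it keeps two different SIDs from ever landing on the same uid or gid, which matters when the result is used to evaluate ACLs.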

Change History

comment:1 Changed 19 months ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.10 beta

comment:2 Changed 19 months ago by dpal

  • Red Hat Bugzilla set to todo

comment:3 Changed 19 months ago by dpal

comment:4 Changed 19 months ago by dpal

  • Priority changed from major to critical

comment:5 Changed 16 months ago by dpal

  • Design review unset
  • Chosen set to Must

comment:6 Changed 16 months ago by arubin

  • Priority changed from critical to blocker

comment:7 Changed 16 months ago by jlayton

Plugin architecture is now in place in cifs-utils and the upstream samba bug is now closed. The way should now be clear for someone to write an SSSD plugin for it.

Once fedora has merged the new package into the repos, you'll want to install the cifs-utils-devel package. That includes a single header file /usr/include/cifsidmap.h. That file contains a bunch of comments that outline the plugin API. Basically you'll want to make a plugin lib that implements those functions.

comment:8 Changed 16 months ago by sgallagh

  • Cc stefw, sgallagh added

comment:9 Changed 13 months ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

comment:10 Changed 9 months ago by dpal

  • Milestone changed from SSSD 1.12 beta to Interim Bucket
  • Candidate to push out unset

comment:11 Changed 9 months ago by dpal

  • Milestone changed from Interim Bucket to SSSD 1.12 beta

comment:12 Changed 9 months ago by dpal

  • Type changed from defect to enhancement

comment:13 Changed 6 months ago by sbose

  • Status changed from new to assigned
  • Owner changed from somebody to sbose

comment:14 Changed 3 months ago by sbose

SID support for local POSIX UIDs and GIDs is still missing.
