#1534 [RFE] Integrate SSSD with CIFS client

Created 5 years ago by dpal
Modified 10 months ago

Here is a mail thread on the subject:

Do you know, can sssd 1.5 be used with cifs client to mount Windows shares?
AFAIU yes if the AD uses POSIX extensions otherwise one has to use SSSD 1.9 or winbind to do id mapping, correct?
Or there is some close connection between cifs client and winbind and they talk to each other directly?

In general mounting Windows shares is a completely orthogonal business from resolving users. The only case when CIFS may need that is to manipulate ACLs. I CCed Jeff, who may shed light on whether we have any dependency on Winbind at the moment.

We have a couple of relatively recent additions to cifs-utils that link in libwbclient to do SID to uid/gid conversions:

/usr/bin/getcifsacl
/usr/bin/setcifsacl
/usr/sbin/cifs.idmap

What are you looking to do, specifically?

Would it be possible to add a plugin interface here, so that e.g. sssd
can provide a library which does the SID<->uid/gid mapping instead of
winbind? And place the default winbind plugin provided by cifs-utils in
a separate package so that the cifs-utils package does not have any
dependency on libwbclient?

Sure, I guess. I'm not sure I understand the point though -- what's the
rationale for removing the dependency on winbind?

sssd has a special provider for AD which offers functionality similar
to pam_winbind/nss_winbind together with a running winbind. The goal
for the next sssd release 1.10 is to reach feature parity with winbind
with respect to PAM and NSS so that winbind does not need to run on a
system with sssd. In particular, sssd will do its own SID to uid/gid
mapping. The scheme is based on autorid and can be made compatible with
autorid (in the limits of autorid), but it would be quite an overhead if
winbind must be run just to map the IDs for the cifs-utils.

Ok, I think that's basically going to mean rewriting these utils from
scratch. They aren't very large, but most of the code deals with
wbcDomainSid pointers internally. The code uses these functions
currently, so we'd need to replace them with generic variants for this
new API:

wbcStringToSid
wbcSidToUid
wbcLookupSid
wbcGetpwnam
wbcUidToSid
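
A winbind-independent variant of wbcStringToSid has to parse SID strings itself, and the strings come from command-line or server-supplied ACL data, so every field needs a bound check. The C code below is an added example, not code from cifs-utils, libwbclient or SSSD; `struct ex_sid`, `ex_field` and `ex_str_to_sid` are hypothetical names, and it accepts decimal fields only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define EX_MAX_SUBAUTH 15 /* a SID carries at most 15 sub-authorities */

/* Hypothetical type for this example; not the libwbclient or cifs-utils one. */
struct ex_sid {
    uint8_t  revision;
    uint8_t  num_subauth;
    uint64_t authority;               /* 48-bit identifier authority */
    uint32_t subauth[EX_MAX_SUBAUTH]; /* the last one is the RID */
};

/* Parse one decimal field <= max; rejects signs, blanks and empty fields. */
static int ex_field(const char **p, uint64_t max, uint64_t *out)
{
    char *end;
    if (**p < '0' || **p > '9') return -1;
    errno = 0;
    *out = strtoull(*p, &end, 10);
    *p = end;
    return (errno != 0 || *out > max) ? -1 : 0;
}

/* "S-1-5-21-..." -> struct ex_sid; 0 on success, -1 on malformed input. */
int ex_str_to_sid(const char *s, struct ex_sid *sid)
{
    uint64_t v;
    *sid = (struct ex_sid){0};
    if (s == NULL || s[0] != 'S' || s[1] != '-') return -1;
    s += 2;
    if (ex_field(&s, UINT8_MAX, &v) || *s++ != '-') return -1;
    sid->revision = (uint8_t)v;
    if (ex_field(&s, 0xFFFFFFFFFFFFULL, &v)) return -1;
    sid->authority = v;
    while (*s == '-') {
        s++;
        if (sid->num_subauth == EX_MAX_SUBAUTH) return -1; /* array is full */
        if (ex_field(&s, UINT32_MAX, &v)) return -1;
        sid->subauth[sid->num_subauth++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1; /* trailing characters are an error */
}
```
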

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

rhbz: => todo

Fields changed

priority: major => critical

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Must

Fields changed

priority: critical => blocker

Plugin architecture is now in place in cifs-utils and the upstream samba bug is now closed. The way should now be clear for someone to write an SSSD plugin for it.

Once fedora has merged the new package into the repos, you'll want to install the cifs-utils-devel package. That includes a single header file /usr/include/cifsidmap.h. That file contains a bunch of comments that outline the plugin API. Basically you'll want to make a plugin lib that implements those functions.

Fields changed

cc: => stefw, sgallagh

Fields changed

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

changelog: =>
milestone: SSSD 1.12 beta => Interim Bucket
review: => 0

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

Fields changed

type: defect => enhancement

Fields changed

owner: somebody => sbose
status: new => assigned

SID support for local POSIX UIDs and GIDs is still missing.

Please rescope if something is missing or close if everything will be done in Samba. Thanks!

milestone: SSSD 1.12 beta => NEEDS_TRIAGE

Main part of the work is already done and available in SSSD-1.12-beta.

Commits:
- af4ffe1
- a25a3e5

A missing minor aspect is tracked by a new ticket https://fedorahosted.org/sssd/ticket/2353 .

milestone: NEEDS_TRIAGE => SSSD 1.12 beta
resolution: => fixed
status: assigned => closed

Fields changed

changelog: => With version 5.9 of cifs-utils a plugin interface was introduced to allow services other than winbind to handle the mapping of POSIX UIDs and SIDs. SSSD provides a plugin to allow the cifs-utils to ask SSSD to map the ID. With this plugin an SSSD client can access a CIFS share with the same functionality as a client running Winbind.
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient

10 months ago

Metadata Update from @dpal:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12 beta

https://bugzilla.redhat.com/show_bug.cgi?id=922081

0

0

With version 5.9 of cifs-utils a plugin interface was introduced to allow services other than winbind to handle the mapping of POSIX UIDs and SIDs. SSSD provides a plugin to allow the cifs-utils to ask SSSD to map the ID. With this plugin an SSSD client can access a CIFS share with the same functionality as a client running Winbind.

https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient

stefw, sgallagh

cancel