sambaXP 2021: Access control and ID mapping on the Linux SMB client

Описание: sambaXP 2021 talk by Shyam Prasad (Microsoft) on „Access control and ID mapping on the Linux SMB client“.

The SMB protocol was designed long after Unix was created, and as a result supported concepts like globally unique identities and rich ACLs that are in Windows, but not in Linux. User identity and access control are very relevant to the Linux SMB3 client, as it acts as a bridge between the world of Windows-like-filesystems (including the cloud) and the world of Linux filesystems, and has the hard task of translating security information from the more complex Samba and Windows world, to the simpler Linux/POSIX model.

There are three key problems:

1. Id-mapping: Who the user is? And how does it map to the user that the server understands?
2. Authentication: Can the user prove his/her identity?
3. Access control: What permissions does the user have for this file?

This talk discusses and demonstrates the different ways that the Linux client can be configured to map POSIX permissions (mode bits) to ACLs, and the implications of using these configurations. It discusses the different authentication choices, especially how to leverage Samba’s winbind for easy to use and highly secure Kerberos authentication and key refresh. In addition it discusses how to integrate with Samba’s winbind to map user identities (from the local Linux client’s UIDs to globally unique SIDs) and the various alternatives like “idsfromsid”. Recent improvements in cifs-utils for managing ACLs and auditing information remotely are also discussed, which can make managing Samba server easier in some cases.

Slides: https://sambaxp.org/fileadmin/user_up...

Visit the conference website at https://sambaxp.org