On Mon, Mar 07, 2005 at 11:33:13AM -0500, David Collier-Brown wrote:
>> If so, should the limited set of groups
>> that Unix allows perhaps be used as a cache of the
>> recently-used groups? For example, if a
>> user attempts to open a file belonging to
>> group 17, and they only have 0-16 in their group
>> list, should samba toss out the least
>> recently used group, stick 17 in its
>> place and retry the open?

Volker Lendecke wrote:
> For each access denied from the kernel you would have to iterate
> through all groups that a user is in to retry,

Actually I'd expect to use the group of the file: assume
I'm uid=57957(davecb) gid=10(staff) groups=10(staff),100(pwrtl)
and for simplicity, the maximum number of groups I can have
is two (;-)).

I try to read /tmp/foo via samba, but the open fails with EACCES.
A stat of the file returns
-rw-r--r-- 1 n1sps n1sps 0 Mar 7 12:45 /tmp/foo

Samba looks in my long list of (AD) groups, finds n1sps, sees
it is NOT in my active groups list and substitutes it for pwrtl.

It then retries, and if it's a read request succeeds. If it's
a write request it gets EACCES again, but this time I'm already
in the right group, so samba returns -1, errno=EACCES.

> The only real way around this is a
> user-space implementation of NT acls, but then you lose the unix
> interoperability.

Hmmn, let me think about that for a sec...

> With Solaris you're stuck, sorry. That is just not usable in large AD
> environments.

Which means that only Linux can be used for large sites!
Which is cool for Linuxians, but a bummer for anyone using
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@canada.sun.com | -- Mark Twain
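The retry scheme sketched in the message above (stat the file, swap its group into the kernel's small supplementary-group list in place of the least-recently-used entry, retry once) as a self-contained model. This is an added example, not Samba code and not anything the thread's authors wrote. It assumes a two-entry group list, constructed uids and gids (the n1sps gid of 1001 is made up), and a file mode of 0640 rather than the 0644 shown in the listing, so that the first open is actually refused for a non-member and the read/write asymmetry described in the mail shows up.

```python
"""Model of the proposed group-cache retry. Constructed example, not Samba code."""
import errno
from collections import OrderedDict

R_OK, W_OK = 4, 2  # permission bits tested against the relevant mode triplet


class File:
    """Stand-in for a stat() result: owner uid, group gid and mode bits."""
    def __init__(self, path, uid, gid, mode):
        self.path, self.uid, self.gid, self.mode = path, uid, gid, mode


class Process:
    """A server process acting for one user.

    all_groups is the user's full (directory-wide) membership; active is the
    small kernel-side supplementary list, bounded by ngroups_max and kept in
    least-recently-used order (oldest entry first).
    """
    def __init__(self, uid, gid, all_groups, ngroups_max):
        self.uid, self.gid = uid, gid
        self.all_groups = set(all_groups)
        self.ngroups_max = ngroups_max
        self.active = OrderedDict()

    def touch(self, g):
        """Mark g as most recently used, if it is in the active list."""
        if g in self.active:
            self.active.move_to_end(g)

    def activate(self, g):
        """Put g in the active list, evicting the LRU entry when the list is
        full. Returns the evicted gid, or None. Only groups the user really
        belongs to may be activated (this is what a real setgroups() wrapper
        must enforce)."""
        assert g in self.all_groups
        evicted = None
        if g not in self.active and len(self.active) >= self.ngroups_max:
            evicted, _ = self.active.popitem(last=False)
        self.active[g] = None
        self.active.move_to_end(g)
        return evicted


def kernel_access(f, proc, want):
    """The ordinary Unix mode check the kernel applies at open() time."""
    if proc.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid == proc.gid or f.gid in proc.active:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def open_with_group_cache(f, proc, want):
    """The proposed retry: on EACCES, swap the file's group into the active
    list (only if the user is a member) and try exactly once more.

    Returns (0 or errno value, evicted gid or None).
    """
    if kernel_access(f, proc, want):
        proc.touch(f.gid)
        return 0, None
    # Retrying cannot change the answer if the group is already in effect,
    # or if the user is not a member of it at all.
    if f.gid in proc.active or f.gid == proc.gid or f.gid not in proc.all_groups:
        return errno.EACCES, None
    evicted = proc.activate(f.gid)
    if kernel_access(f, proc, want):
        return 0, evicted
    return errno.EACCES, evicted


def run_thread_example():
    """Replay the /tmp/foo scenario from the mail with constructed ids."""
    STAFF, PWRTL, N1SPS = 10, 100, 1001  # gids; 1001 for n1sps is made up
    davecb = Process(uid=57957, gid=STAFF,
                     all_groups={STAFF, PWRTL, N1SPS}, ngroups_max=2)
    davecb.activate(PWRTL)
    davecb.activate(STAFF)  # staff used most recently, so pwrtl is the LRU entry
    foo = File("/tmp/foo", uid=7001, gid=N1SPS, mode=0o640)  # uid constructed
    results = {}
    results["read"] = open_with_group_cache(foo, davecb, R_OK)    # (0, 100)
    results["write"] = open_with_group_cache(foo, davecb, W_OK)   # (EACCES, None)
    # A file whose group the user is not in at all: no swap, plain EACCES.
    bar = File("/tmp/bar", uid=4242, gid=4242, mode=0o640)
    results["outsider"] = open_with_group_cache(bar, davecb, R_OK)
    results["active"] = list(davecb.active)                       # [10, 1001]
    return results


if __name__ == "__main__":
    for k, v in run_thread_example().items():
        print(k, v)
```

The read is refused first, succeeds after n1sps replaces pwrtl, and the write is refused both times because the group bits only grant read, which is exactly the sequence the mail describes; the model also shows that the swap is keyed on the file's group from stat() rather than on iterating the user's whole membership. In a real server the swap would be a setgroups(2) call on the process's supplementary list, and the membership check before activating a group is what keeps a denied open from turning into an access the user never had.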