On Mon, 12 Jan 2015 09:46:37 +0100
John Obaterspok <john.obaters...@gmail.com> wrote:

> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> 
> > On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> > > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi
> > > <gianluca.cec...@gmail.com>:
> > >
> > > > To get the whole root environment you have to run
> > > > su - root
> > > > did you try with it?
> > > >
> > >
> > > ahh... that works fine Gianluca!
> > >
> > > Final question, if I have a file on the share like:
> > >      [john@ipaserver mountpoint]$ ll test.txt
> > >      -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
> > >
> > > Should I be able to access it if I acquire an admin ticket?
> > > Currently I get
> > > Permission denied
> > >
> > > [john@ipaserver mountpoint]$ id
> > > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> > > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > [john@ipaserver mountpoint]$ getfacl test.txt
> > > # file: test.txt
> > > # owner: root
> > > # group: admins
> > > user::rwx
> > > group::r--
> > > other::---
> > >
> > > [john@ipaserver mountpoint]$ id admin
> > > uid=1434400000(admin) gid=1434400000(admins)
> > > groups=1434400000(admins)
> > >
> > > [john@ipaserver mountpoint]$ klist
> > > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> > > Default principal: ad...@my.lan
> > >
> > > Valid starting       Expires              Service principal
> > > 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my....@my.lan
> > >
> > > [john@ipaserver mountpoint]$ cat test.txt
> > > cat: test.txt: Permission denied
> >
> > Looks like your account needs to be in the 'admins' group in order
> > to access the file.
> >
> > Acquiring the admin ticket doesn't switch the user ID nor add you
> > to the group.
> >
> >
> I thought the krb5 mount option would allow ticket-based access to the
> file.
> Is the krb5 mount option just used during mounting of
> the share? Otherwise I see no difference compared to not using krb5
> mount option!?

You need to pass the 'multiuser' option at mount time for that; the
default for cifs.ko is still to just use the mount credentials.

See mount.cifs manpage, search for 'multiuser'

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
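
Added example (not part of the original thread): following the reply above, a shell check that lists CIFS mounts using sec=krb5 without 'multiuser', i.e. mounts where all access still goes through the mount credentials instead of each user's own ticket. It assumes the options show up in /proc/mounts as in the sample; the sample lines, host names and function names are constructed.

```shell
#!/bin/sh
# Added example: flag Kerberos CIFS mounts that lack 'multiuser'.
# Input format: /proc/mounts lines (device mountpoint fstype options dump pass).

# Return 0 if the comma-separated option list $1 contains exactly option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read mount lines on stdin; print the mount point of every cifs mount that
# uses sec=krb5 or sec=krb5i but was not mounted with 'multiuser'.
single_cred_krb5_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "cifs" ] || continue
        has_opt "$opts" "sec=krb5" || has_opt "$opts" "sec=krb5i" || continue
        has_opt "$opts" "multiuser" && continue
        printf '%s\n' "$mnt"
    done
    return 0
}

# Constructed sample input (assumed /proc/mounts rendering, not from the thread).
sample_mounts() {
    cat <<'EOF'
//files.example.test/share /mnt/share cifs rw,relatime,vers=3.0,sec=krb5,cruid=0,username=root,uid=0 0 0
//files.example.test/home /mnt/home cifs rw,relatime,vers=3.0,sec=krb5,cruid=0,multiuser,uid=0 0 0
//files.example.test/pub /mnt/pub cifs rw,relatime,vers=3.0,sec=ntlmssp,username=guest 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed sample; on a real host run:
#   single_cred_krb5_mounts < /proc/mounts
sample_mounts | single_cred_krb5_mounts
```
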
