Hello all,

Some of our users access eos through CIFS protocol thanks to a host running Samba. This host is trusted by the MGM as gateway (eos vid add gateway), so users authenticated through Samba are mapped to their identity when accessing eos. However, we realized that the secondary groups are not taken into account. They are correctly enabled when accessing with kerberos authentication.

Accessing with kerberos :

 Virtual Identity: uid=61928 (61928,99) gid=40507 (99,61895,65422,29431,41068,54068,43590,63804,40507,22605,50003,504,507) [authz:krb5] host=host1.domain geo-location=JRC

Accessing from gateway, the groups are missing :

Virtual Identity: uid=61928 (61928,99) gid=40507 (40507) [authz:sss] host=host2.domain geo-location=JRC

Does someone has such a similar case ? Do you know if there is a way to enabled all groups in this case?

Hi Franck,
we dont support access control evaluating multiple groups. So even if they show up, they are not the primary connected to the user name.

Hi Andreas,

When using kerberos authentication and many groups show up, we are happy with the way ACL work : if any of the group is granted access, the user has access.

But when accessing through CIFS, only one group shows up, so access control is different, and users get access denied. If there would be a way to load all system groups of a user inside his identity in eos like it is done with kerberos, it would be perfect.