Here's the setup: server : NFS server machine (fb 8 stable amd64 ) client : NFS client machine (as above) server and client are both sharing the same permission database through ldap: Both have in /etc/nsswitch.conf ... group: files ldap ... passwd: files ldap This issue isn't related to ldap, however. I get the same result if I manually add groups to /etc/group file (read on) Let's suppose I have user "giulio" configured in my system. giulio is also part (-G) of groups: group1, group2, group3, ... , group10 server is exporting the directory /path/to/root (on zfs) the directory /path/to/root/dir/etc/subdir1 has permission 770 and group ownership "group3" I login as user "giulio" on server I can enter "subdir1" directory, since I'm member of group "group3" I then login as user "giulio" on client, and I can do the same (as expected). When groups are more than a few, however, I get this strange behavior: let's suppose the directory: /path/to/root/dir/etc/subdir2 has permission 770 and group ownership "group10" What happens is that I can access "subdir2" on the server machine when I login as "giulio", but when I try to access that same dir on the client machine I get: $ cd /path/to/root/dir/etc (ok) $ cd subdir2 subdir2/: Permission denied. if I issue this command on the client: $ id I get : uid=1000 (giulio), gid=1000 (giuliogroup), groups=group1(1001), group2(1002), group3(1003),...,group10(1010) So there shouldn't really be any reason for me not to be able to access that dir... Any idea?
On Thu, 15 Apr 2010, Giulio Ferro wrote:> Here's the setup: > server : NFS server machine (fb 8 stable amd64 ) > client : NFS client machine (as above) > > server and client are both sharing the same permission database through ldap: > > Both have in /etc/nsswitch.conf > ... > group: files ldap > ... > passwd: files ldap > > This issue isn't related to ldap, however. I get the same result if I > manually add > groups to /etc/group file (read on) > > Let's suppose I have user "giulio" configured in my system. > giulio is also part (-G) of groups: > group1, group2, group3, ... , group10 > > server is exporting the directory > /path/to/root (on zfs) > > the directory > /path/to/root/dir/etc/subdir1 > has permission 770 and group ownership "group3" > > I login as user "giulio" on server I can enter "subdir1" directory, since I'm > member of group "group3" > > I then login as user "giulio" on client, and I can do the same (as expected). > > > When groups are more than a few, however, I get this strange behavior: > > let's suppose the directory: > /path/to/root/dir/etc/subdir2 > has permission 770 and group ownership "group10" > > What happens is that I can access "subdir2" on the server machine when I > login as "giulio", but when I try to access that same dir on the client > machine > I get: > $ cd /path/to/root/dir/etc > (ok) > $ cd subdir2 > subdir2/: Permission denied. >Yes, it should work. I just tried the same thing with a server running UFS/FFS and it worked fine, so I think that the problem might be ZFS related. (You will get into trouble with more than 16 groups, since that is all that AUTH_SYS for Sun RPC handles, but I did 10 like your example and it worked ok for me, using FreeBSD-CURRENT client/server, except that my server uses UFS/FFS.) Hopefully someone with ZFS expertise can help out here? If you can conveniently do the same test using a server that exports a UFS/FFS file system, that would be helpful w.r.t. isolating the problem. rick
On 16.04.2010 02:30, Rick Macklem wrote:>> login as "giulio", but when I try to access that same dir on the >> client machine >> I get: >> $ cd /path/to/root/dir/etc >> (ok) >> $ cd subdir2 >> subdir2/: Permission denied. >> > What happens is that I can access "subdir2" on the server machine when I > > Yes, it should work. I just tried the same thing with a server running > UFS/FFS and it worked fine, so I think that the problem might be ZFS > related. (You will get into trouble with more than 16 groups, since > that is all that AUTH_SYS for Sun RPC handles, but I did 10 like your > example and it worked ok for me, using FreeBSD-CURRENT client/server, > except that my server uses UFS/FFS.) > > Hopefully someone with ZFS expertise can help out here? > > If you can conveniently do the same test using a server that exports > a UFS/FFS file system, that would be helpful w.r.t. isolating the > problem. > > rickYes, I have more than 16 groups, 22 actually... However I still think this might be a NFS problem, since when I login on the server machine I can access that directory all right, the problem arises only when I try to access that dir in the client machine... Giulio
On 16.04.2010 10:29, Sean wrote:> >> Yes, I have more than 16 groups, 22 actually... >> > Then there's nothing "wrong" per se, you're just hitting the fact that NFS v2 and v3 only support 16 groups on the wire. That's just the way the protocol is defined. > >Ops, I didn't know that... Is there any solution solid enough for a production environment. Maybe nfs4? Please advice... Giulio.