Re: NFS permission strangeness
On Fri, 16 Apr 2010, Giulio Ferro wrote: On 16.04.2010 10:29, Sean wrote: Yes, I have more than 16 groups, 22 actually... Then there's nothing "wrong" per se, you're just hitting the fact that NFS v2 and v3 only support 16 groups on the wire. That's just the way the protocol is defined. Ops, I didn't know that... Is there any solution solid enough for a production environment. Maybe nfs4? Well, when you use sec=krb5[ip] on NFSv3 or NFSv4, the limitation of 16/17 groups goes away. However, this has a lot of other implications. (NFSv4 uses the same RPC protocol as NFSv2,3 and it is the specification of the authentication header for what is called AUTH_SYS, which is the problem. AUTH_SYS authenticators simply list a uid, gid and groups<16> #s in the RPC header. rick ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: NFS permission strangeness
On Fri, 16 Apr 2010, Giulio Ferro wrote: Yes, I have more than 16 groups, 22 actually... However I still think this might be a NFS problem, since when I login on the server machine I can access that directory all right, the problem arises only when I try to access that dir in the client machine... The problem is that the specification of the RPC header used by NFS for authentication unless you are using krb5 is limited to a gid + 16 additional groups (a lot of implementations put the gid in the first entry of the additional groups list, so 16 is the safe limit and 17 might work). So, you could call it a problem w.r.t. the specification of the RPC protocol that is used for NFS RPCs, but it would be a bug in the implementation to handle more than the 16 additional groups. (Admittedly, it just silently truncates at 16, but I don't think automatically failing an RPC with more than 16 groups in its cred would be better?) So, yes, it is an NFS problem, but intrisic to the protocol spec, rick ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: NFS permission strangeness
On 16.04.2010 10:29, Sean wrote: Yes, I have more than 16 groups, 22 actually... Then there's nothing "wrong" per se, you're just hitting the fact that NFS v2 and v3 only support 16 groups on the wire. That's just the way the protocol is defined. Ops, I didn't know that... Is there any solution solid enough for a production environment. Maybe nfs4? Please advice... Giulio. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: NFS permission strangeness
On 16.04.2010 02:30, Rick Macklem wrote: login as "giulio", but when I try to access that same dir on the client machine I get: $ cd /path/to/root/dir/etc (ok) $ cd subdir2 subdir2/: Permission denied. What happens is that I can access "subdir2" on the server machine when I Yes, it should work. I just tried the same thing with a server running UFS/FFS and it worked fine, so I think that the problem might be ZFS related. (You will get into trouble with more than 16 groups, since that is all that AUTH_SYS for Sun RPC handles, but I did 10 like your example and it worked ok for me, using FreeBSD-CURRENT client/server, except that my server uses UFS/FFS.) Hopefully someone with ZFS expertise can help out here? If you can conveniently do the same test using a server that exports a UFS/FFS file system, that would be helpful w.r.t. isolating the problem. rick Yes, I have more than 16 groups, 22 actually... However I still think this might be a NFS problem, since when I login on the server machine I can access that directory all right, the problem arises only when I try to access that dir in the client machine... Giulio ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: NFS permission strangeness
On Thu, 15 Apr 2010, Giulio Ferro wrote: Here's the setup: server : NFS server machine (fb 8 stable amd64 ) client : NFS client machine (as above) server and client are both sharing the same permission database through ldap: Both have in /etc/nsswitch.conf ... group: files ldap ... passwd: files ldap This issue isn't related to ldap, however. I get the same result if I manually add groups to /etc/group file (read on) Let's suppose I have user "giulio" configured in my system. giulio is also part (-G) of groups: group1, group2, group3, ... , group10 server is exporting the directory /path/to/root (on zfs) the directory /path/to/root/dir/etc/subdir1 has permission 770 and group ownership "group3" I login as user "giulio" on server I can enter "subdir1" directory, since I'm member of group "group3" I then login as user "giulio" on client, and I can do the same (as expected). When groups are more than a few, however, I get this strange behavior: let's suppose the directory: /path/to/root/dir/etc/subdir2 has permission 770 and group ownership "group10" What happens is that I can access "subdir2" on the server machine when I login as "giulio", but when I try to access that same dir on the client machine I get: $ cd /path/to/root/dir/etc (ok) $ cd subdir2 subdir2/: Permission denied. Yes, it should work. I just tried the same thing with a server running UFS/FFS and it worked fine, so I think that the problem might be ZFS related. (You will get into trouble with more than 16 groups, since that is all that AUTH_SYS for Sun RPC handles, but I did 10 like your example and it worked ok for me, using FreeBSD-CURRENT client/server, except that my server uses UFS/FFS.) Hopefully someone with ZFS expertise can help out here? If you can conveniently do the same test using a server that exports a UFS/FFS file system, that would be helpful w.r.t. isolating the problem. rick ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
NFS permission strangeness
Here's the setup: server : NFS server machine (fb 8 stable amd64 ) client : NFS client machine (as above) server and client are both sharing the same permission database through ldap: Both have in /etc/nsswitch.conf ... group: files ldap ... passwd: files ldap This issue isn't related to ldap, however. I get the same result if I manually add groups to /etc/group file (read on) Let's suppose I have user "giulio" configured in my system. giulio is also part (-G) of groups: group1, group2, group3, ... , group10 server is exporting the directory /path/to/root (on zfs) the directory /path/to/root/dir/etc/subdir1 has permission 770 and group ownership "group3" I login as user "giulio" on server I can enter "subdir1" directory, since I'm member of group "group3" I then login as user "giulio" on client, and I can do the same (as expected). When groups are more than a few, however, I get this strange behavior: let's suppose the directory: /path/to/root/dir/etc/subdir2 has permission 770 and group ownership "group10" What happens is that I can access "subdir2" on the server machine when I login as "giulio", but when I try to access that same dir on the client machine I get: $ cd /path/to/root/dir/etc (ok) $ cd subdir2 subdir2/: Permission denied. if I issue this command on the client: $ id I get : uid=1000 (giulio), gid=1000 (giuliogroup), groups=group1(1001), group2(1002), group3(1003),...,group10(1010) So there shouldn't really be any reason for me not to be able to access that dir... Any idea? ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"