weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Tue Oct 12, 2004 10:50 pm Post subject: NFS group permissions won't work |
|
|
I cannot access files on a share from a remote machine, unless the permissions are set to allow reading/writing for every user.
My setup: weird is the local machine, zone the server. The exported mpeg directory is owned by user p2p and group p2p, the GID and UID are the same on the client.
Here are the relevant parts of the config files.
/etc/exports on zone:
```
/data/store/mpeg 192.168.1.0/255.255.255.0(rw)
```
/etc/fstab on weird:
```
zone:/data/store/mpeg /mnt/mpeg nfs async,rsize=8192,wsize=8192 0 0
```
Checking permissions on weird:
```
# ls -ld /mnt/mpeg
drwxrwxr-x 14 p2p p2p 4096 20. Sep 21:09 /mnt/mpeg
```
Checking groups:
```
# groups
disk lp wheel cron audio cdrom dialout video games cdrw users slocate portage cvs weirdos wonko mp3 atv xcdwrite cdrecording p2p
```
Trying to create a file there:
```
# touch /mnt/mpeg/foo
touch: cannot touch `/mnt/mpeg/foo': Permission denied
```
So, I am in group p2p, but cannot write to the share, even if group p2p has write permissions set. Same goes for reading, if I do a chmod o-r on the share.
While testing this I changed the group of the mpeg directory to audio, just because these groups are also the same on both machines. And now it works as it should!
It also works from another machine. This leaves me puzzled. I'm out of ideas. |
|
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
|
Posted: Thu Jan 06, 2005 10:29 pm Post subject: |
|
|
i don't get write permission either, only with root if no_root_squash is enabled which i don't want. any ideas?
[EDIT]solved for me -> kernel upgrade from 2.6.8-mm2 to 2.6.10-mm2[/EDIT]
[EDIT2]and changing the UIDs so they were the same on both computers[/EDIT2]
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Sat Mar 26, 2005 3:07 am Post subject: |
|
|
It's still not working. I'm at gentoo-dev-sources-2.6.10-r6 now.
The UIDs are identical on both systems. |
|
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
|
Posted: Sat Mar 26, 2005 3:59 am Post subject: |
|
|
Since you are attempting to access the remote share as root you probably want to look at the User ID Mapping section in the exports(5) man page. By default, the root UID is mapped to an anonymous user.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Sat Mar 26, 2005 11:52 am Post subject: |
|
|
No, I am not root. Just a user being in the p2p group, but having no access despite group access rights being set on the share.
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Wed Nov 02, 2005 2:57 am Post subject: |
|
|
This is becoming really annoying, so I did some more tests. There are really weird things going on here.
The problem happens on one of my machines only, and only with my user. But I could reproduce the problem after adding a test user and giving it all of my groups. I then removed the groups, one after another, and suddenly it was working again.
Same goes for me. After removing some probably not so necessary groups like cdrecord, dialout and video, I could access a remote directory where I had only matching group permissions.
I am in 22 groups now. When I add any other group to my groups, access is denied again.
Strange, huh? |
|
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
|
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Wed Nov 02, 2005 9:06 pm Post subject: |
|
|
I don't think so. Mounting is okay, it's a permission only. |
|
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
|
Posted: Wed Nov 02, 2005 9:59 pm Post subject: |
|
|
Check that UIDs align between client and server for the user(s) concerned:
```
root@server# id -a chrisw
uid=1000(chrisw) gid=100(users) groups=10(wheel),100(users),250(portage),409(mailusers)
```
vs.
```
root@client# id -a chrisw
uid=1000(chrisw) gid=100(users) groups=10(wheel),100(users),250(portage),409(mailusers)
```
It is the UID (i.e. 1000) that is passed from client to server not the user name (i.e. chrisw). If UID=1000 on the server is not user name chrisw then you will have problems, not to mention potentially embarrassing privacy breaches.
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Thu Nov 03, 2005 2:13 am Post subject: |
|
|
The UIDs are the same. |
|
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
|
Posted: Thu Nov 03, 2005 9:59 am Post subject: |
|
|
My bad...been down the UID path before.
How are you mounting the export on the client? Are you using /etc/init.d/netmount, nfsmount, or manually? Are portmap and rpc.statd running on the client? Are there any associated error messages in dmesg or /var/log/messages on client or server?
|
weird wonko Tux's lil' helper
Joined: 05 Jan 2003 Posts: 141
|
Posted: Mon Dec 26, 2005 1:45 am Post subject: |
|
|
Oh, sorry for not responding, I overlooked your answer.
My setup is currently working, somehow. I had to remove some groups from my account, which was quite annoying, as I had to switch from time to time: Without being in games, all was fine, but then I wanted to play, so I re-added myself to this group, and removed lp, until I needed to print, and so on. I don't remember which group I removed at last, but I don't seem to need it often, because I had no problems for a while.
But I think I just found the answer: It looks like NFS does work only with up to 16 groups. I just read this in article <2005Dec22.180925@mips.complang.tuwien.ac.at> on alt.os.linux.gentoo. Googling for "NFS 16 groups" seems to confirm this. Oh my. Sometimes NFS really sucks in my opinion, I would never have thought about such a problem.
Here is my current list of groups:
users: my primary group
lp: yes I want to print
wheel: I want to su
cron: I need cron jobs
audio: yes, I want this
cdrom: probably needed to access CD-ROMs
dialout: needed for my ISDN setup
video: I don't remember what that was for, but I think I ran into a problem when I temporarily disabled that
games: sure!
slocate: also a must-have
p2p: that's where all the trouble started
vmware: I guess this has a purpose
portage: I could do it as root only, but I'd like to use portage as a regular user, too
13 groups until here. This is getting close.
cdrecording: I don't know, but I guess I need this
xcdwrite: Wasn't this only for xcdroast? Then I can get rid of it.
stats: Probably not necessary.
And some more groups that I created:
mp3: I do not like to have everyone access my MP3s
atv: My company's stuff, must not be available to others
wonko: another group only for me, I could remove that
ecat: another group having to do with my company, also not really important, but nice to have
So I can get below the 16-group-limit if necessary, but it's not very convenient. Well, I'll see if I get into trouble again, and until that I will keep the setup as it is. But I guess I now know what to do just in case. |
|
Kentar n00b
Joined: 04 Nov 2003 Posts: 15 Location: München
|
Posted: Wed Jan 04, 2006 8:51 am Post subject: |
|
|
Hi
I've had the same problem, but I discovered something helpful:
If you've got more than 16 groups, NFS cuts off everything behind the 16th group. Change your necessary group ID (the one which is needed by NFS to have write permissions) so it is inside this limit.
With it, it is possible to be in more than 16 groups and have group permissions with NFS. At least it works for me.
|
Kaboosh Apprentice
Joined: 10 Jun 2004 Posts: 162 Location: Edmonton, AB - Canada
|
Posted: Sun Nov 12, 2006 10:08 pm Post subject: Nfs has taken years off of my life |
|
|
weird wonko wrote:
> Oh, sorry for not responding, I overlooked your answer.
> But I think I just found the answer: It looks like NFS does work only with up to 16 groups. I just read this in article <2005Dec22.180925@mips.complang.tuwien.ac.at> on alt.os.linux.gentoo. Googling for "NFS 16 groups" seems to confirm this. Oh my. Sometimes NFS really sucks in my opinion, I would never have thought about such a problem.
OH MY GOD! You said it buddy! Let me tell you about the profanity-filled NFS adventure that I just had this weekend:
First I had my family's hard-disk die ... and they live quite a distance away ... so thinking that I was so smart I asked my fiance if I could snag the 2nd HDD in her PC to give them - I promised her I could set it up to use "My Computer" downstairs, that I could have it running in no time, and that she wouldn't even notice a difference. So I backed up her files to my PC downstairs and took out the drive ... all the while thinking that it'll be pretty nice not to be maintaining 2 sets of home directories and settings...
So first I set up NFS and bizarre things are happening. Folders sometimes appear...sometimes don't...files are read as empty (0 bytes). I take the network out of the equation by mounting my second drive as /testing on my PC and then mount /home via NFS locally. TADA! The problem is reproduced! I finally figure out that only files of which I am not the owner or o (all users) don't have access to. I finally find out that I'm only running the NFSv2 server/client so I go about downloading the latest gentoo-sources, reconfiguring, and recompiling as this was also opportunity for a kernel update.
(Now from what I can gather of the behaviour exhibited by NFSv2 is that it doesn't give "permission denied" when you don't have access - it simply doesn't list the folder or provide the contents of the file without any other explanation...and not only is it limited to 16 groups but they are applied to users in random order, hence the "randomness" of these empty/missing files/folders.)
I finally get the NFSv3 server/client option running and now I can't access files, although they appear consistently. I count my groups and there's only 12 I am a member of ... but (AHA) I am using the PAM_GROUP authentication module to add my users to additional groups when they log on locally (mainly for device access such as that of soundcards, cdrom, etc...). When I take that list into account the number is like 26 ... and when I bumped "users" further up the list as suggested above it worked like a charm! This raises a concern, however, that NFS mounts apply the permissions of a locally-logged on user in respect to PAM_CONSOLE!
Anyways, thanks for the life-saving informative post guys (and I mean life-saving, I think my fiance's about ready to kill me)! |
|
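The 16-group limit described in the posts by weird wonko, Kentar and Kaboosh above, as an added example that is not part of the thread: the AUTH_SYS credential in RFC 5531 declares its supplementary group list as `gids<16>`, so a server that trusts the credential never sees groups past the 16th and falls through to the "other" permission bits. The GID and UID numbers and the ascending-GID ordering of the client's list are constructed assumptions.

```python
import struct

AUTH_SYS_MAX_GIDS = 16  # RFC 5531 appendix A: "unsigned int gids<16>"

def xdr_uint(n):
    return struct.pack(">I", n)

def xdr_string(s):
    raw = s.encode()
    return xdr_uint(len(raw)) + raw + b"\x00" * ((4 - len(raw) % 4) % 4)

def authsys_cred(stamp, machine, uid, gid, groups):
    """Pack an authsys_parms body. Assumption: the client sends the first
    16 entries of the list it is given, so ordering decides what survives."""
    sent = list(groups)[:AUTH_SYS_MAX_GIDS]
    body = xdr_uint(stamp) + xdr_string(machine) + xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(sent)) + b"".join(xdr_uint(g) for g in sent)
    return body, sent

def parse_authsys(body):
    """Server side: recover (uid, gid, gids) from the credential body."""
    (n,) = struct.unpack_from(">I", body, 4)      # machinename length
    off = 8 + n + (4 - n % 4) % 4                 # skip stamp + padded name
    uid, gid, count = struct.unpack_from(">III", body, off)
    gids = struct.unpack_from(">%dI" % count, body, off + 12)
    return uid, gid, list(gids)

def server_allows_write(mode, owner_uid, owner_gid, uid, gid, gids):
    """Owner/group/other check using only what arrived on the wire."""
    if uid == owner_uid:
        return bool(mode & 0o200)
    if gid == owner_gid or owner_gid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

# Constructed sample: 22 supplementary GIDs; p2p has the highest number.
# Sorting models a client that keeps its group list in ascending GID order
# (an assumption made for this example).
P2P_GID, AUDIO_GID = 1005, 18
CLIENT_GROUPS = sorted([7, 10, 16, 18, 19, 20, 27, 35, 80, 100, 245, 250,
                        440, 441, 442, 443, 1000, 1001, 1002, 1003, 1004,
                        P2P_GID])

def can_write(dir_gid, groups=CLIENT_GROUPS):
    body, _ = authsys_cred(0, "weird", 1000, 100, groups)
    uid, gid, gids = parse_authsys(body)
    # Directory as in the thread: drwxrwxr-x, owned by a different UID.
    return server_allows_write(0o775, 1234, dir_gid, uid, gid, gids)
```

On servers running nfs-utils, the `--manage-gids` option of rpc.mountd makes the server look up the user's groups itself instead of relying on the truncated list sent by the client.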
RAPHEAD Tux's lil' helper
Joined: 20 Jun 2003 Posts: 134 Location: Germany
|
Posted: Sun Jul 08, 2007 10:35 pm Post subject: |
|
|
Hi,
for all who experience problems with NFSv4 similar to those described in this thread, I found a solution:
If you can't get your UID / GID stuff properly resolved on the client side (using netmount), you probably need to start the nfs services -- that was at least the problem with my setup.
So do:
```
cd /etc/init.d
./nfs start
```
and try to mount again using
```
./netmount restart
```
@chrisw
you made me think about whether nfs is actually running or not -- thx
|