roarinelk Guru
Joined: 04 Mar 2004 Posts: 520
Posted: Mon Dec 04, 2017 12:15 pm Post subject: [SOLVED] NFSv4: gids not respected.
I'm trying to access a directory on an NFS4-mount, which has RWX access granted only to a certain gid:
d---rwx--- 4 root backup 4096 Jan 1 00:01 restricted
The exporting and mounting machine use identical user names AND uids/gids, but I cannot access
the directory "restricted" on the machine mounting the share.
I can read/write/create/delete files on the share that belong to my login user, but cannot,
for example, change their group. Of course the login user is a member of group "backup"
on both the exporting and mounting machine.
Am I missing a special configuration option somewhere? (nfs-utils-2.2.2)
Thanks!
Last edited by roarinelk on Tue Dec 05, 2017 12:16 pm; edited 1 time in total
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Mon Dec 04, 2017 12:42 pm
If it's not something obvious, it could be the NFS 16 group id limit.
Look at the output of "id". If 16 or more groups are shown before "backup", you have passed over that limit. A solution could be to set
Code:
OPTS_RPC_MOUNTD="--manage-gids"
in /etc/conf.d/nfs on your NFS server. But make sure to understand what that means. Be aware of the security implications.
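
The check described in the post above, as an added shell example that is not part of any post in this thread: it reports whether a gid falls inside the 16 supplementary group slots of an AUTH_SYS credential or is cut off before the server sees it. The function names, the sample gid list and the assumption that the client sends gids in the order `id -G` prints them are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the client puts the primary
# gid in its own AUTH_SYS field and sends the first 16 supplementary gids in
# the order "id -G" prints them after the primary gid.
AUTH_SYS_MAX_GIDS=16

# gid_slot GID "PRIMARY SUPP1 SUPP2 ..."
# Prints "primary", the 1-based supplementary slot of GID, or "none".
gid_slot() {
    target=$1
    set -- $2                      # split the id -G style list into words
    [ $# -gt 0 ] || { echo none; return; }
    [ "$1" = "$target" ] && { echo primary; return; }
    shift
    slot=0
    for g in "$@"; do
        slot=$((slot + 1))
        [ "$g" = "$target" ] && { echo "$slot"; return; }
    done
    echo none
}

# nfs_gid_verdict GID "GID LIST"
# sent:       the gid reaches the server inside the credential
# truncated:  the gid sits past slot 16, so only a server-side group lookup
#             (rpc.mountd --manage-gids) can honour it
# not-member: the user is not in the group at all
nfs_gid_verdict() {
    slot=$(gid_slot "$1" "$2")
    case $slot in
        none)    echo not-member ;;
        primary) echo sent ;;
        *)  if [ "$slot" -le "$AUTH_SYS_MAX_GIDS" ]; then echo sent
            else echo truncated; fi ;;
    esac
}

# check_user USER GROUP: run the verdict against the live account database.
check_user() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || { echo "unknown group: $2" >&2; return 2; }
    list=$(id -G "$1") || return 2
    echo "$1/$2 (gid $gid): $(nfs_gid_verdict "$gid" "$list")"
}

# Constructed sample: primary gid 1000 followed by 17 supplementary gids.
SAMPLE="1000 5 7 10 18 19 20 24 27 29 30 35 44 46 80 85 100 250"
```

Run `check_user <user> backup` on the NFS client; a `truncated` verdict matches the symptom in the first post.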
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Mon Dec 04, 2017 2:26 pm Post subject: Re: NFSv4: gids not respected.
Do you use all_squash?
roarinelk Guru
Joined: 04 Mar 2004 Posts: 520
Posted: Tue Dec 05, 2017 12:14 pm
mike155 wrote:
> If it's not something obvious, it could be the NFS 16 group id limit.
> Look at the output of "id". If 16 or more groups are shown before "backup", you have passed over that limit. A solution could be to set
> Code:
> OPTS_RPC_MOUNTD="--manage-gids"
> in /etc/conf.d/nfs on your NFS server. But make sure to understand what that means. Be aware of the security implications.

You've hit the nail on the head, your suggestion works fine, thank you!
What are the security implications? Right now both server and clients have
identical uids/gids, using -g on the mountd actually does what the client
tries to do while running into the 16 gid limit. It's a shame that I can't
filter e.g. gids<1000 in the client's mount request, which would also "solve" this.
Thanks again! Greetings from Hofheim