* Folder in NFS-Share-Permission denied-but the user is group member
@ 2006-05-05 11:03 Steffen Kolbe
2006-05-05 11:45 ` Neil Brown
0 siblings, 1 reply; 5+ messages in thread
From: Steffen Kolbe @ 2006-05-05 11:03 UTC
To: nfs
Hi,
- a client has mounted some nfs shares
- in these shares are folders which are owned by different groups
- rights of these folders are 2770
- getent group: user is member in these groups (on server and client via
ldap)
but access to these folders says "Permission denied"
- if I copy the folder to local disk this error does not occur and the
user has access
NFS-Server: Debian amd64 with nfs-kernel-server 1.0.7-12
NFS-Client: Debian i386 with nfs-common 1.0.7-11
Can anybody help? Where should I search?
Thanks
Steffen
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
* Re: Folder in NFS-Share-Permission denied-but the user is group member
2006-05-05 11:03 Folder in NFS-Share-Permission denied-but the user is group member Steffen Kolbe
@ 2006-05-05 11:45 ` Neil Brown
[not found] ` <445F05BD.8010503@vwi.tu-dresden.de>
0 siblings, 1 reply; 5+ messages in thread
From: Neil Brown @ 2006-05-05 11:45 UTC
To: kolbe; +Cc: nfs
On Friday May 5, kolbe@vwi.tu-dresden.de wrote:
> Hi,
>
> - a client has mounted some nfs shares
> - in these shares are folders which are owned by different groups
> - rights of these folders are 2770
> - getent group: user is member in these groups (on server and client via
> ldap)
>
> but access to these folders says "Permission denied"
>
> - if I copy the folder to local disk this error does not occur and the
> user has access
>
> NFS-Server: Debian amd64 with nfs-kernel-server 1.0.7-12
> NFS-Client: Debian i386 with nfs-common 1.0.7-11
>
> Can anybody help? Where should I search?
How many groups is the user a member of? If >16, that could be the
problem. NFS requests only carry the first 16 groups.
Otherwise, capture a tcpdump trace and post that somewhere.
on client
tcpdump -s 1500 -w /tmp/trace host CLIENT and host SERVER and port 2049
then try to access file.
NeilBrown
* Re: trace attached - Re: Folder in NFS-Share-Permission denied-but the user is group member
[not found] ` <17503.11043.7670.762241@cse.unsw.edu.au>
@ 2006-05-08 12:33 ` Steffen Kolbe
2006-05-09 0:44 ` Neil Brown
2006-05-09 8:01 ` Frank van Maarseveen
0 siblings, 2 replies; 5+ messages in thread
From: Steffen Kolbe @ 2006-05-08 12:33 UTC
To: nfs
@ Neil Brown: Thanks
Neil Brown wrote:
>On Monday May 8, kolbe@vwi.tu-dresden.de wrote:
>
>
>>Hi Neil,
>>
>>I've reduced the groups massively. The test user is in 15 groups, another
>>test user is in 14 groups - same problem.
>>I've traced the traffic with ethereal, the captured traffic files are here:
>>
>>http://141.30.186.11/~kolbe/nfs or
>>http://vwitme011.vkw.tu-dresden.de/~kolbe/nfs
>>
>>
>
>This trace shows requests coming from user with uid 10010, gid 10012 and
>Auxiliary gids: 20,21,24,25,29,30,44,46,100,110,10010,10011,10012,10014,10016,10017
>
>The accesses are for a file with uid 10021 and gid 10038 (not on this
>list).
>
>
>
yes, the file/folder was written by user 10021 with sec. gid 10038
(pri. gid 10012)
but the file (parent folder) is 2770, so members of gid 10038 should
have access
the user who would access them has uid 10010 and primary gid 10012
but: the user (uid 10010) is also a member of gid 10038 and so should
have access (because of 2770) - but doesn't
>Maybe you need to log out and log back in again for the changes you
>made to take effect properly?
>
>
done + restart nfs-server, same problem
>I use the 'groups' command to find out exactly what groups you are in
>at a given time.
>
>
ooops, 'groups' shows also the system groups...
vwitme-staff dialout fax cdrom floppy audio dip video plugdev users
scanner vwi-all vwitme-all vwitme-students vwitme-admins vwi-admins
vwitme-projects vwitme-extern vwitme-projects-katastrophen vwi-staff
vwitme-library vwitme-projects-lanechanging vwitme-projects-roadnetworks
vwitme-studi vwitme-www
.....so the user is in 25 groups, hmmmmm...... but I've no real chance
to reduce them. I think the system groups + ~30 network groups for some
users is minimum I need.
>
>
>>-----------------------------------------------------------
>>general question:
>>Is there a real solution to use ~50 groups with nfs? Because we've many
>>project groups, some team leaders, many crossover memberships over some
>>departments and .......
>>How is this solved in bigger environments?
>>
>>
???? , any ideas ?
>>
>>
>
>I'll be happy to answer this when you post it to the list :-)
>
>
sorry, I understand ;-)
>NeilBrown
>
>
Thanks and regards
Steffen
--
With kind regards
Steffen Kolbe
Andreas-Schubert-Str. 23
D-01062 Dresden
------------------------------------------------------
Phone: +49/0 351 463-36750
Fax: +49/0 351 463-36809
e-mail: kolbe1@vwi.tu-dresden.de
------------------------------------------------------
Institut fuer Wirtschaft und Verkehr
Fakultaet Verkehrswissenschaften "Friedrich List"
Technische Universitaet Dresden
------------------------------------------------------
* Re: trace attached - Re: Folder in NFS-Share-Permission denied-but the user is group member
2006-05-08 12:33 ` trace attached - " Steffen Kolbe
@ 2006-05-09 0:44 ` Neil Brown
2006-05-09 8:01 ` Frank van Maarseveen
1 sibling, 0 replies; 5+ messages in thread
From: Neil Brown @ 2006-05-09 0:44 UTC
To: kolbe; +Cc: nfs
On Monday May 8, kolbe@vwi.tu-dresden.de wrote:
> >>-----------------------------------------------------------
> >>general question:
> >>Is there a real solution to use ~50 groups with nfs? Because we've many
> >>project groups, some team leaders, many crossover memberships over some
> >>departments and .......
> >>How is this solved in bigger environments?
> >>
No easy answers I'm afraid.
One option is a hack on the client to get it to sort the gids so that
the gid of the file being accessed appears first in the list.
I believe there were patches to do this floating around a while ago.
However Trond didn't like them and that is quite understandable. It
is, after all, a hack.
Another option is to do something on the server side. When a request
arrives, the uid could be mapped to a list of gids, and these could be
added to the list in the request.
I think this is a sensible approach and I have thought about it a few
times, but never got around to actually doing it ... and nor did
anyone else.
Finally you can ditch AUTH_UNIX altogether and use AUTH_GSS. This
requires you to have a Kerberos authentication infrastructure set up
and requires bleeding edge kernel and tools. It is similar to option
two in that the list of gids is calculated on the server rather than
on the client. It is different in that it is actually implemented (I
think).
Finally+1 ... if you feel like recompiling all your own kernels, you
could change one constant on the server and client and raise the limit
to 128 groups. This would work fine, but you could have
interoperability problems. I recall that Tru64 Unix simply sent all
the gids in the NFS request, and our Solaris servers rejected any
request from any user with more than 16 - not good.
I don't know how "bigger environments" handle this. My approach has
always been to find some group that wasn't really needed, and remove
it.
NeilBrown
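
Added example (not part of the original thread and not code from the NFS project): the AUTH_UNIX credential body as laid out in RFC 5531, encoded and decoded to show why the server denies access once the file's gid falls outside the 16 gids carried in the request. The uid, primary gid, auxiliary gids and file gid 10038 are the values from the trace quoted earlier in the thread; the machine name, the three extra gids and the position of 10038 past the 16th slot are assumptions constructed for illustration.

```python
import struct

MAX_GIDS = 16  # authsys_parms.gids<16>, RFC 5531

# Auxiliary gids seen in the trace from this thread (exactly 16).
TRACE_GIDS = [20, 21, 24, 25, 29, 30, 44, 46, 100, 110,
              10010, 10011, 10012, 10014, 10016, 10017]
# Constructed: the user's full list, with file gid 10038 past slot 16.
FULL_GIDS = TRACE_GIDS + [10020, 10025, 10030, 10038]


def encode_authsys(stamp, machine, uid, gid, groups):
    """Client side: XDR-encode the credential; only the first 16 gids fit."""
    name = machine.encode()
    sent = list(groups)[:MAX_GIDS]
    body = struct.pack(">II", stamp, len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(">III", uid, gid, len(sent))
    return body + struct.pack(f">{len(sent)}I", *sent)


def decode_authsys(body):
    """Server side: parse the credential, rejecting an oversized gid array."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    off = 8
    machine = body[off:off + nlen].decode()
    off += nlen + (-nlen % 4)            # XDR pads strings to 4 bytes
    uid, gid, count = struct.unpack_from(">III", body, off)
    off += 12
    if count > MAX_GIDS or off + 4 * count != len(body):
        raise ValueError("malformed AUTH_UNIX credential")
    gids = list(struct.unpack_from(f">{count}I", body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def group_access(cred, file_gid):
    """The server can only match the file's gid against gids in the request."""
    return file_gid == cred["gid"] or file_gid in cred["gids"]


def dropped(groups):
    """Memberships that never reach the server."""
    return list(groups)[MAX_GIDS:]


if __name__ == "__main__":
    cred = decode_authsys(encode_authsys(0, "client", 10010, 10012, FULL_GIDS))
    print("gids on the wire:", cred["gids"])
    print("dropped by client:", dropped(FULL_GIDS))
    print("group access to gid 10038:", group_access(cred, 10038))
```

Comparing the output of `id -G` on the client against the 16 gids decoded from a captured request shows which memberships the server never sees.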
* Re: trace attached - Re: Folder in NFS-Share-Permission denied-but the user is group member
2006-05-08 12:33 ` trace attached - " Steffen Kolbe
2006-05-09 0:44 ` Neil Brown
@ 2006-05-09 8:01 ` Frank van Maarseveen
1 sibling, 0 replies; 5+ messages in thread
From: Frank van Maarseveen @ 2006-05-09 8:01 UTC
To: Steffen Kolbe; +Cc: nfs
On Mon, May 08, 2006 at 02:33:21PM +0200, Steffen Kolbe wrote:
[...]
> .....so the user is in 25 groups, hmmmmm...... but I've no real chance
> to reduce them. I think the system groups + ~30 network groups for some
> users is minimum I need.
Have a look at http://www.frankvm.com/nfs-ngroups/
--
Frank