Permission issues

Permission issues

[Riccardo Tritto]

Hi everyone,

I'm having some headache configuring nfs on my nas on which I've
installed Debian Lenny.

Basically it works, but I can access the shares of my nas only if
their permissions allow everyone. Having the right "group" permissions
is not enough, and I get a "Permission denied" when I try to access
directories where I should have "group" access.

Of course usernames, uids and gids are the same between the machines,
and my user is in the right groups.

Here are some more details:


root@nas ~ # cat /etc/exports
/home 192.168.0.1(rw,sync,no_subtree_check)

root@nas ~ # cat /proc/fs/nfs/exports
# Version 1.1
# Path Client(Flags) # IPs
/home   192.168.0.1
(rw,root_squash,sync,wdelay,no_subtree_check,uuid=aaff1cde:08674ab9:97d5909a:214f393a)

rk@alfa ~ $ grep nfs /etc/fstab
nas:/home /mnt/nas nfs noauto,rw,hard,intr 0 0

rk@alfa ~ $ grep nfs /proc/mounts
rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
nas:/home /mnt/nas nfs
rw,relatime,vers=3,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.0.101,mountvers=3,mountport=34015,mountproto=udp,addr=192.168.0.101
0 0

root@nas ~ # ls -ld /home/test
drwxr-x--- 2 root doc 4.0K Jul  3 20:39 /home/test

rk@alfa ~ $ ls -ld /mnt/nas/test
drwxr-x--- 2 root doc 4,0K  3 lug 20.39 /mnt/nas/test

rk@nas ~ $ ls -la /home/test/
total 8.0K
drwxr-x---  2 root doc  4.0K Jul  3 21:25 ./
drwxr-xr-x 19 root root 4.0K Jul  3 20:56 ../
-rw-r-----  1 root doc     0 Jul  3 21:25 testfile.txt

rk@alfa ~ $ LC_ALL=POSIX ls /mnt/nas/test/
ls: cannot open directory /mnt/nas/test/: Permission denied

rk@alfa ~ $ LC_ALL=POSIX id | grep doc
uid=500(rk) gid=500(rk)
groups=500(rk),4(adm),6(disk),7(lp),8(mail),9(news),20(dialout),21(fax),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),34(backup),40(src),44(video),46(plugdev),60(games),100(users),108(powerdev),109(scanner),120(polkituser),124(vboxusers),200(wheel),510(rknet),511(contab),512(ppp),513(inst),514(mount),515(rsync),516(software),517(film),518(modem),520(wine),521(mp3),523(log),525(kernel),527(rep),528(htman),529(cdsearch),530(foto),531(samba),532(firewire),535(sd),536(sm),537(cf),538(ms),539(mmread),540(pen0),541(pen1),542(pen2),543(pen3),544(pen4),545(pen5),546(pen6),547(pen7),549(win),550(doc),552(dos),553(xwin),554(cdrw),555(dvdrw),556(dvd),557(checkinstall),558(ipod),559(roms),561(alfa),562(beta),563(gamma),564(delta),565(sat),566(media),567(nas),571(usb30),572(usb40),573(usb200)

rk@nas ~ $ id | grep doc
uid=500(rk) gid=500(rk)
groups=4(adm),6(disk),7(lp),8(mail),9(news),20(dialout),21(fax),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),34(backup),40(src),44(video),46(plugdev),60(games),100(users),104(powerdev),500(rk),510(rknet),511(contab),512(ppp),513(inst),514(mount),515(rsync),516(software),517(film),518(modem),520(wine),521(mp3),523(log),525(kernel),527(rep),528(htman),529(cdsearch),530(foto),531(samba),532(firewire),535(sd),536(sm),537(cf),538(ms),539(mmread),540(pen0),541(pen1),542(pen2),543(pen3),544(pen4),545(pen5),546(pen6),547(pen7),549(win),550(doc),552(dos),553(xwin),554(cdrw),555(dvdrw),556(dvd),557(checkinstall),558(ipod),559(roms),561(alfa),562(beta),563(gamma),564(delta),565(sat),566(media),571(usb30),572(usb40),573(usb200)

It seems an "ordinary" permission problem, but "ordinary" solutions
don't seem to work...

I've read all the man pages about nfs, nfsd, exports, etc., particularly here:
http://nfs.sourceforge.net/nfs-howto/ar01s07.html#pemission_issues
and the NFS-HOWTO, searched with Google, etc. etc., but I still
haven't found any
solution.

Thank you in advance for your answers.

Re: Permission issues

[Trond Myklebust]

On Sat, 2010-07-10 at 21:34 +0200, Riccardo Tritto wrote:
> Hi everyone,
> 
> I'm having some headache configuring nfs on my nas on which I've
> installed Debian Lenny.
> 
> Basically it works, but I can access the shares of my nas only if
> their permissions allow everyone. Having the right "group" permissions
> is not enough, and I get a "Permission denied" when I try to access
> directories where I should have "group" access.
> 
> Of course usernames, uids and gids are the same between the machines,
> and my user is in the right groups.
> 
> Here are some more details:
> 
> 
> root@nas ~ # cat /etc/exports
> /home 192.168.0.1(rw,sync,no_subtree_check)
> 
> root@nas ~ # cat /proc/fs/nfs/exports
> # Version 1.1
> # Path Client(Flags) # IPs
> /home   192.168.0.1
> (rw,root_squash,sync,wdelay,no_subtree_check,uuid=aaff1cde:08674ab9:97d5909a:214f393a)
> 
> rk@alfa ~ $ grep nfs /etc/fstab
> nas:/home /mnt/nas nfs noauto,rw,hard,intr 0 0
> 
> rk@alfa ~ $ grep nfs /proc/mounts
> rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
> nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
> nas:/home /mnt/nas nfs
> rw,relatime,vers=3,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.0.101,mountvers=3,mountport=34015,mountproto=udp,addr=192.168.0.101
> 0 0
> 
> root@nas ~ # ls -ld /home/test
> drwxr-x--- 2 root doc 4.0K Jul  3 20:39 /home/test
> 
> rk@alfa ~ $ ls -ld /mnt/nas/test
> drwxr-x--- 2 root doc 4,0K  3 lug 20.39 /mnt/nas/test
> 
> rk@nas ~ $ ls -la /home/test/
> total 8.0K
> drwxr-x---  2 root doc  4.0K Jul  3 21:25 ./
> drwxr-xr-x 19 root root 4.0K Jul  3 20:56 ../
> -rw-r-----  1 root doc     0 Jul  3 21:25 testfile.txt
> 
> rk@alfa ~ $ LC_ALL=POSIX ls /mnt/nas/test/
> ls: cannot open directory /mnt/nas/test/: Permission denied
> 
> rk@alfa ~ $ LC_ALL=POSIX id | grep doc
> uid=500(rk) gid=500(rk)
> groups=500(rk),4(adm),6(disk),7(lp),8(mail),9(news),20(dialout),21(fax),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),34(backup),40(src),44(video),46(plugdev),60(games),100(users),108(powerdev),109(scanner),120(polkituser),124(vboxusers),200(wheel),510(rknet),511(contab),512(ppp),513(inst),514(mount),515(rsync),516(software),517(film),518(modem),520(wine),521(mp3),523(log),525(kernel),527(rep),528(htman),529(cdsearch),530(foto),531(samba),532(firewire),535(sd),536(sm),537(cf),538(ms),539(mmread),540(pen0),541(pen1),542(pen2),543(pen3),544(pen4),545(pen5),546(pen6),547(pen7),549(win),550(doc),552(dos),553(xwin),554(cdrw),555(dvdrw),556(dvd),557(checkinstall),558(ipod),559(roms),561(alfa),562(beta),563(gamma),564(delta),565(sat),566(media),567(nas),571(usb30),572(usb40),573(usb200)
> 
> rk@nas ~ $ id | grep doc
> uid=500(rk) gid=500(rk)
> groups=4(adm),6(disk),7(lp),8(mail),9(news),20(dialout),21(fax),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),34(backup),40(src),44(video),46(plugdev),60(games),100(users),104(powerdev),500(rk),510(rknet),511(contab),512(ppp),513(inst),514(mount),515(rsync),516(software),517(film),518(modem),520(wine),521(mp3),523(log),525(kernel),527(rep),528(htman),529(cdsearch),530(foto),531(samba),532(firewire),535(sd),536(sm),537(cf),538(ms),539(mmread),540(pen0),541(pen1),542(pen2),543(pen3),544(pen4),545(pen5),546(pen6),547(pen7),549(win),550(doc),552(dos),553(xwin),554(cdrw),555(dvdrw),556(dvd),557(checkinstall),558(ipod),559(roms),561(alfa),562(beta),563(gamma),564(delta),565(sat),566(media),571(usb30),572(usb40),573(usb200)
> 
> It seems an "ordinary" permission problem, but "ordinary" solutions
> don't seem to work...
> 
> I've read all the man pages about nfs, nfsd, exports, etc., particularly here:
> http://nfs.sourceforge.net/nfs-howto/ar01s07.html#pemission_issues
> and the NFS-HOWTO, searched with Google, etc. etc., but I still
> haven't found any
> solution.

You are relying on being able to use more than 16 groups, but the SUNRPC
protocol will not support that:
  http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

In addition to the solutions Mike lists, a Linux server will also allow
you to use the '--manage-gids' option to rpc.mountd (man rpc.mountd) to
map the groups on the server side. This solution does, of course,
require you to set up /etc/groups on the server to match that on the
client.

Trond

Re: Permission issues

[Riccardo Tritto]

2010/7/11 Trond Myklebust <trond.myklebust@fys.uio.no>:
> You are relying on being able to use more than 16 groups, but the SUN=
RPC
> protocol will not support that:
> =C2=A0http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-=
limitation.html

I solved this problem using nfsv4 instead of v3.
Thank you for your suggestions.