* 16+ GID issue, mountd's --manage-gids not helping
@ 2013-09-16 14:43 Contact
2013-09-16 19:37 ` J. Bruce Fields
0 siblings, 1 reply; 8+ messages in thread
From: Contact @ 2013-09-16 14:43 UTC (permalink / raw)
To: linux-nfs
Hi all,
I'm having an issue with my NFS mount and being able to access it from
my normal user account. The mount point is chmod'ed to 2770 with a GID
of 1100 (nfs) which is the same on both systems. I can access it if I
change my active group using newgrp, but not normally.
====================================
noir ~ # ls -lhd /home/nfs/share
drwxrws--- 8 nfs nfs 4.0K Sep 4 15:30 /home/nfs/share
rypervenche@svelte ~ $ pwd
/home/rypervenche
rypervenche@svelte ~ $ cd nfs
-su: cd: nfs: Permission denied
rypervenche@svelte ~ $ newgrp nfs
rypervenche@svelte ~ $ cd nfs
rypervenche@svelte ~/nfs $
svelte ~ # grep nfs /etc/group
nfs:x:1100:rypervenche
====================================
You can find the details of my NFS server and client here:
====================================
svelte = client
noir = server
svelte ~ # tail -1 /etc/fstab
192.168.1.100:/ /home/rypervenche/nfs nfs
rw,noauto,noexec,nodev,nosuid 0 0
noir ~ # cat /etc/exports
# /etc/exports: NFS file systems being exported. See exports(5).
/home/nfs/share 192.168.1.205(rw,sync,fsid=0,no_root_squash,no_subtree_check) 192.168.2.100(rw,sync,fsid=0,no_root_squash,no_subtree_check)
noir ~ # id nfs
uid=1100(nfs) gid=1100(nfs) groups=1100(nfs)
noir ~ # grep -v ^# /etc/conf.d/nfs | grep -v ^$
NFS_NEEDED_SERVICES="rpc.idmapd"
OPTS_RPC_NFSD="8"
OPTS_RPC_MOUNTD="-V 4 --manage-gids -p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"
OPTS_RPC_IDMAPD=""
OPTS_RPC_GSSD=""
OPTS_RPC_SVCGSSD=""
OPTS_RPC_RQUOTAD=""
EXPORTFS_TIMEOUT=30
noir ~ # iptables-save | egrep '(NFS|T -m conn)'
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.205/32 -p tcp -m tcp -m multiport --dports 111,2049,4001,32765:32767 -m conntrack --ctstate NEW -m comment --comment NFS -j ACCEPT
-A INPUT -s 192.168.1.205/32 -p udp -m udp -m multiport --dports 111,2049,4001,32765:32767 -m conntrack --ctstate NEW -m comment --comment NFS -j ACCEPT
-A INPUT -s 192.168.2.100/32 -p tcp -m tcp -m multiport --dports 111,2049,4001,32765:32767 -m conntrack --ctstate NEW -m comment --comment NFS -j ACCEPT
-A INPUT -s 192.168.2.100/32 -p udp -m udp -m multiport --dports 111,2049,4001,32765:32767 -m conntrack --ctstate NEW -m comment --comment NFS -j ACCEPT
svelte:
net-fs/nfs-utils-1.2.6 was built with the following:
USE="ipv6 nfsdcld nfsidmap nfsv4 nfsv41 tcpd -caps -kerberos (-selinux)"
noir:
net-fs/nfs-utils-1.2.6 was built with the following:
USE="ipv6 (multilib) nfsdcld nfsidmap nfsv4 nfsv41 tcpd -caps -kerberos (-selinux)" ABI_X86="64"
svelte ~ # uname -a
Linux svelte 3.10.7-gentoo-svelte #1 SMP Thu Aug 22 17:46:44 CDT 2013 i686 Intel(R) Atom(TM) CPU N450 @ 1.66GHz GenuineIntel GNU/Linux
noir ~ # uname -a
Linux noir 3.10.7-gentoo-noir #1 SMP Wed Aug 28 11:19:43 CDT 2013 x86_64 AMD Athlon(tm) II X2 260 Processor AuthenticAMD GNU/Linux
====================================
I found online that the issue is due to NFS not being able to grab
over 16 GIDs. I found help in the following two links:
https://xkyle.com/solving-the-nfs-16-group-limit-problem/
https://wiki.archlinux.org/index.php/NFS_Troubleshooting
I tried adding the --manage-gids flag to mountd (which can be seen in
the /etc/conf.d/nfs file above), however, it does not appear to
resolve the issue.
====================================
noir ~ # cat /proc/net/rpc/auth.unix.gid/content
#uid cnt: gids...
0 10: 0 1 2 3 4 6 10 11 26 27
1000 9: 10 18 19 27 78 85 100 250 1000
noir ~ # date +%s > /proc/net/rpc/auth.unix.gid/flush
noir ~ # cat /proc/net/rpc/auth.unix.gid/content
#uid cnt: gids...
Then I mount the NFS again:
noir ~ # cat /proc/net/rpc/auth.unix.gid/content
#uid cnt: gids...
0 10: 0 1 2 3 4 6 10 11 26 27
1000 9: 10 18 19 27 78 85 100 250 1000
====================================
It looks as though it is not grabbing all of my GIDs.
Does anyone have some light they can shed on this? Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-16 14:43 16+ GID issue, mountd's --manage-gids not helping Contact
@ 2013-09-16 19:37 ` J. Bruce Fields
2013-09-16 22:56 ` Contact
0 siblings, 1 reply; 8+ messages in thread
From: J. Bruce Fields @ 2013-09-16 19:37 UTC (permalink / raw)
To: Contact; +Cc: linux-nfs
On Mon, Sep 16, 2013 at 09:43:51AM -0500, Contact wrote:
> I tried adding the --manage-gids flag to mountd (which can be seen in
> the /etc/conf.d/nfs file above), however, it does not appear to
> resolve the issue.
>
> ====================================
> noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> #uid cnt: gids...
> 0 10: 0 1 2 3 4 6 10 11 26 27
> 1000 9: 10 18 19 27 78 85 100 250 1000
>
> noir ~ # date +%s > /proc/net/rpc/auth.unix.gid/flush
>
> noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> #uid cnt: gids...
>
> Then I mount the NFS again:
>
> noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> #uid cnt: gids...
> 0 10: 0 1 2 3 4 6 10 11 26 27
> 1000 9: 10 18 19 27 78 85 100 250 1000
> ====================================
>
> It looks as though it is not grabbing all of my GIDs.

What do you expect the list to be? Which groups is uid 1000 a member
of on the server?

--b.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-16 19:37 ` J. Bruce Fields
@ 2013-09-16 22:56 ` Contact
2013-09-16 23:20 ` J. Bruce Fields
0 siblings, 1 reply; 8+ messages in thread
From: Contact @ 2013-09-16 22:56 UTC (permalink / raw)
To: J. Bruce Fields; +Cc: linux-nfs
Hello,

I was assuming it would grab all of my GIDs as it appears to do in the
following link:
https://xkyle.com/solving-the-nfs-16-group-limit-problem/

Just under the quote:
"Also, the NFS server will cache group lookups so it doesn’t have to
continuously make queries. The cache is visible like this:"

The GID 1000 is my primary user on both boxes (rypervenche).

If there is another way to do this (aside maybe from setting up
kerberos/ldap) I would be willing to try that.

Thank you.

On Mon, 16 Sep 2013 15:37:09 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:
> On Mon, Sep 16, 2013 at 09:43:51AM -0500, Contact wrote:
> > It looks as though it is not grabbing all of my GIDs.
>
> What do you expect the list to be? Which groups is uid 1000 a member
> of on the server?
>
> --b.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-16 22:56 ` Contact
@ 2013-09-16 23:20 ` J. Bruce Fields
2013-09-17 0:38 ` J. Bruce Fields
0 siblings, 1 reply; 8+ messages in thread
From: J. Bruce Fields @ 2013-09-16 23:20 UTC (permalink / raw)
To: Contact; +Cc: linux-nfs
On Mon, Sep 16, 2013 at 05:56:12PM -0500, Contact wrote:
> Hello,
>
> I was assuming it would grab all of my GIDs as it appears to do in the
> following link:
> https://xkyle.com/solving-the-nfs-16-group-limit-problem/
>
> Just under the quote:
> "Also, the NFS server will cache group lookups so it doesn’t have to
> continuously make queries. The cache is visible like this:"
>
> The GID 1000 is my primary user on both boxes (rypervenche).
>
> If there is another way to do this (aside maybe from setting up
> kerberos/ldap) I would be willing to try that.

Could you please answer the two questions which I asked in my previous
email?

--b.

>
> Thank you.
>
>
> On Mon, 16 Sep 2013 15:37:09 -0400
> "J. Bruce Fields" <bfields@fieldses.org> wrote:
>
> > On Mon, Sep 16, 2013 at 09:43:51AM -0500, Contact wrote:
> > > It looks as though it is not grabbing all of my GIDs.
> >
> > What do you expect the list to be? Which groups is uid 1000 a member
> > of on the server?
> >
> > --b.
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-16 23:20 ` J. Bruce Fields
@ 2013-09-17 0:38 ` J. Bruce Fields
2013-09-17 1:11 ` Contact
0 siblings, 1 reply; 8+ messages in thread
From: J. Bruce Fields @ 2013-09-17 0:38 UTC (permalink / raw)
To: Contact; +Cc: linux-nfs
On Mon, Sep 16, 2013 at 07:20:24PM -0400, J. Bruce Fields wrote:
> On Mon, Sep 16, 2013 at 05:56:12PM -0500, Contact wrote:
> > Hello,
> >
> > I was assuming it would grab all of my GIDs as it appears to do in the
> > following link:
> > https://xkyle.com/solving-the-nfs-16-group-limit-problem/
> >
> > Just under the quote:
> > "Also, the NFS server will cache group lookups so it doesn’t have to
> > continuously make queries. The cache is visible like this:"
> >
> > The GID 1000 is my primary user on both boxes (rypervenche).
> >
> > If there is another way to do this (aside maybe from setting up
> > kerberos/ldap) I would be willing to try that.
>
> Could you please answer the two questions which I asked in my previous
> email?

To make them more concrete:

- if you run "id rypervenche" on the server, what is the output?
- on the output from "cat /proc/net/rpc/auth.unix.gid/content"
  which you list below, which id that you expected to be present is
  not included?

--b.

>
> --b.
>
> >
> > Thank you.
> >
> >
> > On Mon, 16 Sep 2013 15:37:09 -0400
> > "J. Bruce Fields" <bfields@fieldses.org> wrote:
> >
> > > On Mon, Sep 16, 2013 at 09:43:51AM -0500, Contact wrote:
> > > > ====================================
> > > > noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> > > > #uid cnt: gids...
> > > > 0 10: 0 1 2 3 4 6 10 11 26 27
> > > > 1000 9: 10 18 19 27 78 85 100 250 1000
> > > >
> > > > noir ~ # date +%s > /proc/net/rpc/auth.unix.gid/flush
> > > >
> > > > noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> > > > #uid cnt: gids...
> > > >
> > > > Then I mount the NFS again:
> > > >
> > > > noir ~ # cat /proc/net/rpc/auth.unix.gid/content
> > > > #uid cnt: gids...
> > > > 0 10: 0 1 2 3 4 6 10 11 26 27
> > > > 1000 9: 10 18 19 27 78 85 100 250 1000
> > > > ====================================
> > > >
> > > > It looks as though it is not grabbing all of my GIDs.
> > >
> > > What do you expect the list to be? Which groups is uid 1000 a member
> > > of on the server?
> > >
> > > --b.
> >
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-17 0:38 ` J. Bruce Fields
@ 2013-09-17 1:11 ` Contact
2013-09-17 1:59 ` Myklebust, Trond
0 siblings, 1 reply; 8+ messages in thread
From: Contact @ 2013-09-17 1:11 UTC (permalink / raw)
To: J. Bruce Fields; +Cc: linux-nfs
Hello,

My apologies for not providing the information that you requested.

(client)
rypervenche@svelte ~ $ id
uid=1000(rypervenche) gid=1000(rypervenche) groups=1000(rypervenche),4(adm),6(disk),7(lp),10(wheel),16(cron),18(audio),27(video),35(games),70(postgres),85(usb),100(users),103(vboxusers),105(wireshark),106(lpadmin),244(plugdev),246(crontab),250(portage),1100(nfs)

(server)
nfs@noir ~ $ id
uid=1100(nfs) gid=1100(nfs) groups=1100(nfs)

I expect to see GID 1100 in the output of
"cat /proc/net/rpc/auth.unix.gid/content"

My friend who is using a Mac is able to mount the NFS mount just fine
and I can use it when using "newgrp", so I believe it is configured
correctly. I would just like to be able to have GUI access without
needing to use newgrp.

Thank you.

On Mon, 16 Sep 2013 20:38:25 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:
> On Mon, Sep 16, 2013 at 07:20:24PM -0400, J. Bruce Fields wrote:
> > Could you please answer the two questions which I asked in my
> > previous email?
>
> To make them more concrete:
>
> - if you run "id rypervenche" on the server, what is the
>   output?
> - on the output from "cat /proc/net/rpc/auth.unix.gid/content"
>   which you list below, which id that you expected to be
>   present is not included?
>
> --b.
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: 16+ GID issue, mountd's --manage-gids not helping
2013-09-17 1:11 ` Contact
@ 2013-09-17 1:59 ` Myklebust, Trond
2013-09-17 2:20 ` Contact
0 siblings, 1 reply; 8+ messages in thread
From: Myklebust, Trond @ 2013-09-17 1:59 UTC (permalink / raw)
To: Contact, J. Bruce Fields; +Cc: linux-nfs@vger.kernel.org

> -----Original Message-----
> From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
> owner@vger.kernel.org] On Behalf Of Contact
> Sent: Monday, September 16, 2013 9:11 PM
> To: J. Bruce Fields
> Cc: linux-nfs@vger.kernel.org
> Subject: Re: 16+ GID issue, mountd's --manage-gids not helping
>
> Hello,
>
> My apologies for not providing the information that you requested.
>
> (client)
> rypervenche@svelte ~ $ id
> uid=1000(rypervenche) gid=1000(rypervenche)
> groups=1000(rypervenche),4(adm),6(disk),7(lp),10(wheel),16(cron),18(audio
> ),27(video),35(games),70(postgres),85(usb),100(users),103(vboxusers),105(
> wireshark),106(lpadmin),244(plugdev),246(crontab),250(portage),1100(nfs)
>
> (server)
> nfs@noir ~ $ id
> uid=1100(nfs) gid=1100(nfs) groups=1100(nfs)

Does the '/etc/groups' entries for the user with uid=1000 on the server match those listed above for the client?

--manage-gids will only work correctly if the /etc/passwd and /etc/groups entries on the server match those on the client.

Cheers,
  Trond
* Re: 16+ GID issue, mountd's --manage-gids not helping
2013-09-17 1:59 ` Myklebust, Trond
@ 2013-09-17 2:20 ` Contact
0 siblings, 0 replies; 8+ messages in thread
From: Contact @ 2013-09-17 2:20 UTC (permalink / raw)
To: Myklebust, Trond; +Cc: J. Bruce Fields, linux-nfs@vger.kernel.org

THAT DID IT! You guys are awesome! I didn't realize that they had to be
the same for the user. I thought that was independent of the user on the
server's end. So user 1000 has to have GID 1100 on both client and
server. I will remember that. Again, thank you so much. I apologize if I
made this more difficult than it needed to be.

On Tue, 17 Sep 2013 01:59:42 +0000
"Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:

> > -----Original Message-----
> > From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
> > owner@vger.kernel.org] On Behalf Of Contact
> > Sent: Monday, September 16, 2013 9:11 PM
> > To: J. Bruce Fields
> > Cc: linux-nfs@vger.kernel.org
> > Subject: Re: 16+ GID issue, mountd's --manage-gids not helping
> >
> > Hello,
> >
> > My apologies for not providing the information that you requested.
> >
> > (client)
> > rypervenche@svelte ~ $ id
> > uid=1000(rypervenche) gid=1000(rypervenche)
> > groups=1000(rypervenche),4(adm),6(disk),7(lp),10(wheel),16(cron),18(audio
> > ),27(video),35(games),70(postgres),85(usb),100(users),103(vboxusers),105(
> > wireshark),106(lpadmin),244(plugdev),246(crontab),250(portage),1100(nfs)
> >
> > (server)
> > nfs@noir ~ $ id
> > uid=1100(nfs) gid=1100(nfs) groups=1100(nfs)
>
> Does the '/etc/groups' entries for the user with uid=1000 on the
> server match those listed above for the client?
>
> --manage-gids will only work correctly if the /etc/passwd
> and /etc/groups entries on the server match those on the client.
>
> Cheers,
> Trond
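
The check Trond's question asks for, as an added example that is not part of the thread: parse the client's `id` output and the server's /proc/net/rpc/auth.unix.gid/content, then list the GIDs the server will not apply for that uid once --manage-gids makes it use its own lookup. The function names are hypothetical; the sample data is copied from the messages above.

```python
import re
AUTH_SYS_MAX_GIDS = 16  # an AUTH_SYS credential carries at most 16 supplementary GIDs

# Sample data copied from the thread: client `id` output, server gid cache.
CLIENT_ID = (
    "uid=1000(rypervenche) gid=1000(rypervenche) groups=1000(rypervenche),4(adm),"
    "6(disk),7(lp),10(wheel),16(cron),18(audio),27(video),35(games),70(postgres),"
    "85(usb),100(users),103(vboxusers),105(wireshark),106(lpadmin),244(plugdev),"
    "246(crontab),250(portage),1100(nfs)"
)
SERVER_CACHE = """#uid cnt: gids...
0 10: 0 1 2 3 4 6 10 11 26 27
1000 9: 10 18 19 27 78 85 100 250 1000
"""

def parse_id(line):
    """Return (uid, {gid: name}) from one line of `id` output."""
    uid = int(re.search(r"\buid=(\d+)", line).group(1))
    groups = {}
    for item in re.search(r"\bgroups=(\S+)", line).group(1).split(","):
        gid, _, name = item.partition("(")
        groups[int(gid)] = name.rstrip(")")
    return uid, groups

def parse_gid_cache(text):
    """Return {uid: set_of_gids} from lines of the form 'uid cnt: gids...'."""
    cache = {}
    for line in text.splitlines():
        head, sep, tail = line.partition(":")
        if line.lstrip().startswith("#") or not sep:
            continue  # header comment or blank line
        uid = int(head.split()[0])
        cache[uid] = {int(g) for g in tail.split()}
    return cache

def audit(id_line, cache_text):
    """Compare the client's view of a user with what the server will apply."""
    uid, client = parse_id(id_line)
    server = parse_gid_cache(cache_text).get(uid)
    return {
        "uid": uid,
        "over_auth_sys_limit": len(client) > AUTH_SYS_MAX_GIDS,
        "server_has_entry": server is not None,
        "missing_on_server": sorted(set(client) - (server or set())),
        "only_on_server": sorted((server or set()) - set(client)),
    }

if __name__ == "__main__":
    print(audit(CLIENT_ID, SERVER_CACHE))
```

On the thread's data, GID 1100 appears in `missing_on_server`, which is why access to the 2770 directory was denied until uid 1000 was added to group 1100 on the server.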
end of thread, other threads:[~2013-09-17 2:21 UTC | newest]

Thread overview: 8+ messages
2013-09-16 14:43 16+ GID issue, mountd's --manage-gids not helping Contact
2013-09-16 19:37 ` J. Bruce Fields
2013-09-16 22:56 ` Contact
2013-09-16 23:20 ` J. Bruce Fields
2013-09-17 0:38 ` J. Bruce Fields
2013-09-17 1:11 ` Contact
2013-09-17 1:59 ` Myklebust, Trond
2013-09-17 2:20 ` Contact