public inbox for linux-kernel@vger.kernel.org
* Group limit for NFS exported file systems
@ 2006-08-23  9:16 Robert Szentmihalyi
  2006-08-23  9:32 ` Jan Engelhardt
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Robert Szentmihalyi @ 2006-08-23  9:16 UTC (permalink / raw)
  To: linux-kernel

Hi,

is there a group limit for NFS exported file systems in recent kernels?
One of my users cannot access directories that belong to a group he actually _is_ a member of. That, however, is true only when accessing them over NFS. On the local file system, everything is fine. UIDs and GIDs are the same on client and server, so that cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.
Any ideas?

TIA,
 Robert


* Re: Group limit for NFS exported file systems
  2006-08-23  9:16 Group limit for NFS exported file systems Robert Szentmihalyi
@ 2006-08-23  9:32 ` Jan Engelhardt
  2006-08-23  9:43   ` Robert Szentmihalyi
  2006-08-23 10:55 ` Ray Lee
  2006-08-23 11:51 ` Andi Kleen
  2 siblings, 1 reply; 12+ messages in thread
From: Jan Engelhardt @ 2006-08-23  9:32 UTC (permalink / raw)
  To: Robert Szentmihalyi; +Cc: linux-kernel

>Hi,
>
>is there a group limit for NFS exported file systems in recent kernels?
>One of my users cannot access directories that belong to a group he actually _is_ a member of. That, however, is true only when accessing them over NFS. On the local file system, everything is fine. UIDs and GIDs are the same on client and server, so that cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.
>Any ideas?

Is his fsuid/fsgid suddenly different?


Jan Engelhardt
-- 


* Re: Group limit for NFS exported file systems
  2006-08-23  9:32 ` Jan Engelhardt
@ 2006-08-23  9:43   ` Robert Szentmihalyi
  0 siblings, 0 replies; 12+ messages in thread
From: Robert Szentmihalyi @ 2006-08-23  9:43 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: linux-kernel


> >Hi,
> >
> >is there a group limit for NFS exported file systems in recent kernels?
> >One of my users cannot access directories that belong to a group he
> actually _is_ a member of. That, however, is true only when accessing them over
> NFS. On the local file system, everything is fine. UIDs and GIDs are the
> same on client and server, so that cannot be the problem. Client and server
> run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.
> >Any ideas?
> 
> Is his fsuid/fsgid suddenly different?
> 

No. He just gets "access denied" for no obvious reason.
 
> 
> Jan Engelhardt
> -- 

 Robert


* Re: Group limit for NFS exported file systems
  2006-08-23  9:16 Group limit for NFS exported file systems Robert Szentmihalyi
  2006-08-23  9:32 ` Jan Engelhardt
@ 2006-08-23 10:55 ` Ray Lee
  2006-08-23 11:11   ` Robert Szentmihalyi
  2006-08-23 11:51 ` Andi Kleen
  2 siblings, 1 reply; 12+ messages in thread
From: Ray Lee @ 2006-08-23 10:55 UTC (permalink / raw)
  To: Robert Szentmihalyi; +Cc: linux-kernel

On 8/23/06, Robert Szentmihalyi <robert.szentmihalyi@gmx.de> wrote:
> is there a group limit for NFS exported file systems in recent kernels?
> One of my users cannot access directories that belong to a group he actually _is_ a
> member of. That, however, is true only when accessing them over NFS. On the local file
> system, everything is fine. UIDs and GIDs are the same on client and server, so that
> cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the
> server and 2.6.17 on the client.

Is he a member of more than 16 groups?


* Re: Group limit for NFS exported file systems
  2006-08-23 10:55 ` Ray Lee
@ 2006-08-23 11:11   ` Robert Szentmihalyi
  2006-08-23 11:35     ` Ray Lee
  2006-08-23 14:20     ` Peter Staubach
  0 siblings, 2 replies; 12+ messages in thread
From: Robert Szentmihalyi @ 2006-08-23 11:11 UTC (permalink / raw)
  To: ray-gmail; +Cc: linux-kernel


> On 8/23/06, Robert Szentmihalyi <robert.szentmihalyi@gmx.de> wrote:
> > is there a group limit for NFS exported file systems in recent kernels?
> > One of my users cannot access directories that belong to a group he
> actually _is_ a
> > member of. That, however, is true only when accessing them over NFS. On
> the local file
> > system, everything is fine. UIDs and GIDs are the same on client and
> server, so that
> > cannot be the problem. Client and server run Gentoo Linux with kernel
> 2.6.16 on the
> > server and 2.6.17 on the client.
> 
> Is he a member of more than 16 groups?

Yes. He is actually a member of 27 groups.
Is the limit of 16 groups still current? I was under the impression that it is a limitation of 2.4 kernels....
Is there any proper work-around for this?

Thanks,
 Robert


* Re: Group limit for NFS exported file systems
  2006-08-23 11:11   ` Robert Szentmihalyi
@ 2006-08-23 11:35     ` Ray Lee
  2006-08-23 11:57       ` Jan Engelhardt
  2006-08-23 14:20     ` Peter Staubach
  1 sibling, 1 reply; 12+ messages in thread
From: Ray Lee @ 2006-08-23 11:35 UTC (permalink / raw)
  To: Robert Szentmihalyi; +Cc: linux-kernel

On 8/23/06, Robert Szentmihalyi <robert.szentmihalyi@gmx.de> wrote:
> > Is he a member of more than 16 groups?
>
> Yes. He is actually a member of 27 groups.
> Is the limit of 16 groups still current? I was under the impression that it is a limitation of 2.4 kernels....

Under 2.6 local group membership was expanded to 65536. NFS, however,
is a standard separate from Linux, and it imposes a limit of 16 groups
on the wire for the AUTH_UNIX credentials.

If all your client systems are Linux, you can use the patch at:
    http://www.frankvm.com/nfs-ngroups/
as a work around. (Only the client systems need the patch.)

I haven't used it myself, so best of luck.

Ray


* Re: Group limit for NFS exported file systems
  2006-08-23  9:16 Group limit for NFS exported file systems Robert Szentmihalyi
  2006-08-23  9:32 ` Jan Engelhardt
  2006-08-23 10:55 ` Ray Lee
@ 2006-08-23 11:51 ` Andi Kleen
  2006-08-23 14:13   ` Trond Myklebust
  2006-08-23 15:36   ` Peter Staubach
  2 siblings, 2 replies; 12+ messages in thread
From: Andi Kleen @ 2006-08-23 11:51 UTC (permalink / raw)
  To: Robert Szentmihalyi; +Cc: linux-kernel

"Robert Szentmihalyi" <robert.szentmihalyi@gmx.de> writes:

> is there a group limit for NFS exported file systems in recent kernels?
> One of my users cannot access directories that belong to a group he actually _is_ a member of. That, however, is true only when accessing them over NFS. On the local file system, everything is fine. UIDs and GIDs are the same on client and server, so that cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.

NFSv2 has an 8 groups limit in the protocol iirc.

-Andi


* Re: Group limit for NFS exported file systems
  2006-08-23 11:35     ` Ray Lee
@ 2006-08-23 11:57       ` Jan Engelhardt
  2006-08-23 13:01         ` Ray Lee
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Engelhardt @ 2006-08-23 11:57 UTC (permalink / raw)
  To: ray-gmail; +Cc: Robert Szentmihalyi, linux-kernel

>
> Under 2.6 local group membership was expanded to 65536. NFS, however,
> is a standard separate from Linux, and it imposes a limit of 16 groups
> on the wire for the AUTH_UNIX credentials.
>
> If all your client systems are Linux, you can use the patch at:
>   http://www.frankvm.com/nfs-ngroups/
> as a work around. (Only the client systems need the patch.)

If only the client needs to be patched, non-patched and/or non-Linux 
clients and the server (linux or not) should have a problem, should they?


Jan Engelhardt
-- 


* Re: Group limit for NFS exported file systems
  2006-08-23 11:57       ` Jan Engelhardt
@ 2006-08-23 13:01         ` Ray Lee
  0 siblings, 0 replies; 12+ messages in thread
From: Ray Lee @ 2006-08-23 13:01 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Robert Szentmihalyi, linux-kernel

On 8/23/06, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> If only the client needs to be patched, non-patched and/or non-Linux
> clients and the server (linux or not) should have a problem, should they?

As I understand it, that's correct. Robert could legitimately patch
only the system(s) in use by the user with 27 groups.

Again, though, I haven't used it, so take that with a grain of salt.

~r.


* Re: Group limit for NFS exported file systems
  2006-08-23 11:51 ` Andi Kleen
@ 2006-08-23 14:13   ` Trond Myklebust
  2006-08-23 15:36   ` Peter Staubach
  1 sibling, 0 replies; 12+ messages in thread
From: Trond Myklebust @ 2006-08-23 14:13 UTC (permalink / raw)
  To: Andi Kleen; +Cc: Robert Szentmihalyi, linux-kernel

On Wed, 2006-08-23 at 13:51 +0200, Andi Kleen wrote:
> "Robert Szentmihalyi" <robert.szentmihalyi@gmx.de> writes:
> 
> > is there a group limit for NFS exported file systems in recent kernels?
> > One of my users cannot access directories that belong to a group he actually _is_ a member of. That, however, is true only when accessing them over NFS. On the local file system, everything is fine. UIDs and GIDs are the same on client and server, so that cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.
> 
> NFSv2 has an 8 groups limit in the protocol iirc.

16, and it is a limitation of the RPC protocol's AUTH_UNIX/AUTH_SYS
authentication scheme, rather than being specific to NFS.

Note that if you use KerberosV based authentication at your workplace,
then you can migrate your NFS setup to the stronger RPCSEC_GSS/krb5
authentication. That also happens to fix the 16 groups limit problem.

Cheers,
  Trond



* Re: Group limit for NFS exported file systems
  2006-08-23 11:11   ` Robert Szentmihalyi
  2006-08-23 11:35     ` Ray Lee
@ 2006-08-23 14:20     ` Peter Staubach
  1 sibling, 0 replies; 12+ messages in thread
From: Peter Staubach @ 2006-08-23 14:20 UTC (permalink / raw)
  To: Robert Szentmihalyi; +Cc: ray-gmail, linux-kernel

Robert Szentmihalyi wrote:
>> On 8/23/06, Robert Szentmihalyi <robert.szentmihalyi@gmx.de> wrote:
>>     
>>> is there a group limit for NFS exported file systems in recent kernels?
>>> One of my users cannot access directories that belong to a group he
>>>       
>> actually _is_ a
>>     
>>> member of. That, however, is true only when accessing them over NFS. On
>>>       
>> the local file
>>     
>>> system, everything is fine. UIDs and GIDs are the same on client and
>>>       
>> server, so that
>>     
>>> cannot be the problem. Client and server run Gentoo Linux with kernel
>>>       
>> 2.6.16 on the
>>     
>>> server and 2.6.17 on the client.
>>>       
>> Is he a member of more than 16 groups?
>>     
>
> Yes. He is actually a member of 27 groups.
> Is the limit of 16 groups still current? I was under the impression that it is a limitation of 2.4 kernels....
> Is there any proper work-around for this?

The 16 group limit is defined by the specification for AUTH_SYS for the RPC.
It can not be easily changed without affecting interoperability.

The use of RPCSEC_GSS and Kerberos can remove this limit.

    Thanx...

       ps


* Re: Group limit for NFS exported file systems
  2006-08-23 11:51 ` Andi Kleen
  2006-08-23 14:13   ` Trond Myklebust
@ 2006-08-23 15:36   ` Peter Staubach
  1 sibling, 0 replies; 12+ messages in thread
From: Peter Staubach @ 2006-08-23 15:36 UTC (permalink / raw)
  To: Andi Kleen; +Cc: Robert Szentmihalyi, linux-kernel

Andi Kleen wrote:
> "Robert Szentmihalyi" <robert.szentmihalyi@gmx.de> writes:
>
>   
>> is there a group limit for NFS exported file systems in recent kernels?
>> One of my users cannot access directories that belong to a group he actually _is_ a member of. That, however, is true only when accessing them over NFS. On the local file system, everything is fine. UIDs and GIDs are the same on client and server, so that cannot be the problem. Client and server run Gentoo Linux with kernel 2.6.16 on the server and 2.6.17 on the client.
>>     
>
> NFSv2 has an 8 groups limit in the protocol iirc.

Ahh, no.  None of the NFS protocols define anything about the authentication
protocols.  This is defined by the RPC protocol and it defines a limit of 16
for AUTH_SYS, otherwise known as AUTH_UNIX.

Interestingly, the original NFSv2 implementations had a limit of 8, then 10,
and then finally 16.

    Thanx...

       ps
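
An added example, not part of any message in this thread: a Python sketch of the AUTH_SYS credential layout from RFC 5531 (`stamp`, `machinename<255>`, `uid`, `gid`, `gids<16>`), showing why a group beyond the 16th never reaches the server's permission check. The uid, gids, host name and the assumption that the client sends only the first 16 supplementary gids are constructed for illustration.

```python
import struct

AUTH_SYS = 1        # RPC auth flavor number for AUTH_SYS / AUTH_UNIX (RFC 5531)
MAX_GIDS = 16       # authsys_parms declares "unsigned int gids<16>"

def xdr_string(s: bytes) -> bytes:
    """XDR variable-length data: 4-byte length, bytes, zero pad to 4 bytes."""
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)

def encode_authsys(stamp, machine, uid, gid, gids):
    """Build the opaque_auth credential (flavor, length, authsys_parms)."""
    if len(gids) > MAX_GIDS:
        raise ValueError(f"{len(gids)} gids do not fit in gids<{MAX_GIDS}>")
    if len(machine) > 255:
        raise ValueError("machinename exceeds 255 bytes")
    body = (struct.pack(">I", stamp) + xdr_string(machine)
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(f">{len(gids)}I", *gids))
    return struct.pack(">II", AUTH_SYS, len(body)) + body

def decode_authsys(cred):
    """Server side: parse the credential, rejecting oversized gid lists."""
    flavor, length = struct.unpack_from(">II", cred, 0)
    if flavor != AUTH_SYS or length != len(cred) - 8:
        raise ValueError("not a well-formed AUTH_SYS credential")
    _stamp, name_len = struct.unpack_from(">II", cred, 8)
    off = 16 + name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", cred, off)
    if count > MAX_GIDS:
        raise ValueError("gid count exceeds protocol limit")
    return uid, gid, list(struct.unpack_from(f">{count}I", cred, off + 12))

def server_allows_group(cred, dir_gid):
    """Group check using only the gids that arrived on the wire."""
    _uid, gid, gids = decode_authsys(cred)
    return dir_gid == gid or dir_gid in gids

# Constructed sample: a user with primary gid 100 and 27 supplementary groups.
USER_GIDS = list(range(1000, 1027))
# Assumed client behaviour: only the first 16 supplementary gids are sent.
CRED = encode_authsys(0, b"client01", 1234, 100, USER_GIDS[:MAX_GIDS])

if __name__ == "__main__":
    for g in (1010, 1020):
        print(g, "allowed" if server_allows_group(CRED, g) else "denied")
```

To find affected accounts on a client, compare the number of gids printed by `id -G <user>` against 16.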

