NFS permission problem with secondary groups


I have a server running Debian 7 that exports an NFSv3 share, and a client running CentOS 5 that accesses it. This works fine, except for one issue with permissions based on non-primary groups.

When I create a directory with 770 permissions on the server, a client user that belongs to the same group as the owner of the directory still can't access it if that group is not the user's primary group.

Any idea what the issue could be here? It works fine when the directory belongs to the primary group of the user, but not if it belongs to a secondary group.

Best Answer

Your issue may be related to the --manage-gids option of rpc.mountd, which is enabled by default in Debian (see /etc/default/nfs-kernel-server).

From the man page:

-g or --manage-gids

Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access control. An NFS request will normally (except when using Kerberos or other cryptographic authentication) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16 groups ids can be listed. If you use the -g flag, then the list of group ids received from the client will be replaced by a list of group ids determined by an appropriate lookup on the server. Note that the 'primary' group id is not affected so a newgroup command on the client will still be effective. This function requires a Linux Kernel with version at least 2.6.21.

So if you don't hit the "16 groups" limit, you may try to disable this option on your server.
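One way to check this diagnosis before changing the server, as an added example that is not part of the original answer: it tests whether the option is set and lists the supplementary gids the client sends that the server's own lookup lacks. It assumes Debian's RPCMOUNTDOPTS variable in /etc/default/nfs-kernel-server and that `id -G` prints the primary gid first; the function names and sample gids are constructed.

```shell
#!/bin/sh
# Added example: check whether rpc.mountd --manage-gids explains an NFS denial.

# Succeeds if the defaults file passes -g / --manage-gids to rpc.mountd.
# $1: path to (a copy of) /etc/default/nfs-kernel-server
manage_gids_enabled() {
    opts=$(sed -n 's/^[[:space:]]*RPCMOUNTDOPTS=//p' "$1" | tail -n 1 | tr -d "\"'")
    for o in $opts; do
        case $o in
            -g|--manage-gids) return 0 ;;
        esac
    done
    return 1
}

# Prints the supplementary gids the client sends that the server's own lookup
# does not return; with --manage-gids these memberships are lost on the server.
# $1: output of `id -G USER` on the client (assumed: primary gid first)
# $2: output of `id -G` on the server for the account with the same uid number
dropped_gids() {
    primary=${1%% *}
    out=
    for g in $1; do
        [ "$g" = "$primary" ] && continue   # primary gid is not replaced
        case " $2 " in
            *" $g "*) ;;
            *) out="$out${out:+ }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# $1: defaults file, $2: client gid list, $3: server gid list
diagnose() {
    if ! manage_gids_enabled "$1"; then
        echo "client-gids-trusted"
        return 0
    fi
    lost=$(dropped_gids "$2" "$3")
    if [ -n "$lost" ]; then echo "server-drops: $lost"; else echo "lists-agree"; fi
}

# Constructed sample: Debian's default option, gid 2001 known to the client only.
sample=$(mktemp)
printf 'RPCMOUNTDOPTS="--manage-gids"\n' > "$sample"
diagnose "$sample" "1000 2001 2002" "1000 2002"
rm -f "$sample"
```

With the option off, the server applies whatever group list the client sends, so adding the missing membership on the server is the alternative to disabling it.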
