
My NFS server seems to be ignoring secondary groups. I have fewer than 16 groups per user, but have --manage-gids on. The NFS share doesn't mount when this option is missing. Users and groups are managed with LDAP, and authentication is done via Kerberos. My exports are set up like this:

```
> cat /etc/exports
/srv/nfs4 *(rw,sync,fsid=root,crossmnt,no_subtree_check,sec=krb5i,insecure)
> grep /srv/nfs4 /etc/fstab
/home   /srv/nfs4/home  none    bind    0   0
/var/backups/home   /srv/nfs4/archive   none    bind    0   0
> hostname -f
nfs.example.com
```

The NFS mount is mounted as follows, both on the server itself and on a few other client machines:

```
> grep nfs4 /etc/fstab
nfs.example.com:/ /mnt/nfs nfs rw,exec,nfsvers=4 0 0
```

UIDs are correct, since the NFS filesystem is mounted on the server itself. This also happens when I mount it on another machine.

```
> id
uid=1027(kai) gid=1027(kai) groups=1027(kai),27(sudo),100(users)
> ls -n /mnt/nfs/home/kai/test
total 0
drwxr-xr-- 1 1001  100 0 Mar 27 11:44 test1/
drwxr-xr-x 1 1001  100 0 Mar 27 11:44 test2/
drwxr-xr-- 1 1001 1027 0 Mar 27 11:44 test3/
```

In the local directory (/home/kai/test and /srv/nfs4/home/kai/test), I can cd to all of the test directories. In /mnt/nfs/home/kai/test, I cannot cd to test1/. My conclusion is that the group permission (r-x) on the secondary group users is being ignored - any idea why this might be?

Investigation

After investigating some more with Wireshark, it seems to be a host-side issue. The client is issuing LOOKUP calls, and getting the expected response (which it should be, since the correct permissions are shown with ls). However, it is not getting the correct response to ACCESS calls - the client sends Check: Read/Lookup/Modify/Extend/Delete and receives Allowed: Read/Lookup for test2 and test3, but only Allowed: Read for test1.

kai
  • I'm a bit confused. Your `/etc/exports` shows that your export is `/srv/nfs4` then your `fstab` shows that you are mounting the root directory of a different machine at `/mnt/nfs` on the same computer. Can you edit your question to specify the export on the server and the fstab/where you are trying to mount the export on the client? – Nasir Riley Mar 27 '18 at 11:30
  • @NasirRiley - almost, the NFS is mounted on the server itself (which I'm calling `nfs.example.com` here) as well as a few clients. I've split it up to hopefully make it clearer? – kai Mar 27 '18 at 12:01
  • Why do you need to mount the export on the server itself? Aren't the users accessing it from their workstations? Wouldn't it make more sense to add an entry to `/etc/fstab` for the export on their workstations? – Nasir Riley Mar 27 '18 at 16:51
  • It is only mounted on the server itself for testing (to exclude the possibility that it is a difference in UID/GID assignment causing the issue). It is also on the users' workstations, the problem occurs in both places. – kai Mar 27 '18 at 16:56
  • What does the fstab file look like on the workstations? – Nasir Riley Mar 27 '18 at 17:30
  • It just contains the line from the second block - `nfs.example.com:/ /mnt/nfs nfs4 rw,user,exec 0 0`. – kai Mar 28 '18 at 08:49
  • In your `/etc/fstab/`, why not just 'nfs.example.com:/srv/nfs4 /mnt/nfs nfs4 rw,user,exec 0 0' instead of mounting the server's entire root directory? Also, what are the permissions of `/srv/nfs4` on the server and `/mnt/nfs` on the client? – Nasir Riley Mar 28 '18 at 10:06
  • Your suggestion for `fstab` results in the error: `requested NFS version or transport protocol is not supported`. The `fsid=root` option in `exports` has the effect of making `/srv/nfs4` effectively the root of the server, doesn't it? Permissions are `root:root` and `drwxr-xr-x` for both of those directories. – kai Mar 28 '18 at 11:00
  • I have deleted my answer because I am rather confused about what you want. If you can't get to certain directories inside because of subpermissions then that means that things are working exactly as they should so I don't understand why you need to change them. It appears that you want it that way as you are against giving everyone permission. If you want different users to be able to access directories that they can't then you can alter their group membership or better yet, create different exports for each group so that you don't have to go through the tedious ordeal of subpermissions. – Nasir Riley Apr 03 '18 at 13:13
  • I'm not exactly sure where in my question I am unclear, so here it is rephrased: Directory `test1` is set to group `users` (with GID `100`), as shown in the question. The group permissions are `r-x`. I should therefore be able to `cd` into this directory, as I am a member of that group (shown by the `id` command). However, I cannot `cd` to this directory over NFS. Why, and how do I fix this? – kai Apr 03 '18 at 14:53
  • I have replicated what you've done on my end with the exception of mounting `nfs.example.com:/srv/nfs4` instead of the server's entire root directory and I am able to access subdirectories without any issues when the user is in the group. `fsid` just identifies the export so I don't see why you need to mount the share's root directory. The root directory is not in your exports and I've never done it that way nor seen anyone else do it that way. I don't get the error when mounting the export itself that you reported so I give up unless there is something you're just not mentioning. – Nasir Riley Apr 03 '18 at 16:58
  • The post is getting old but did you find the solution in the end? I'm experiencing exactly the same problem, and it seems the gid is not respected by nfs although the uid is. – Boson Bear May 20 '22 at 18:36
  • Just a me too in that I am experiencing exactly the symptoms as the question describes. To me it is not ambiguous at all what the poster has written; it's just not working as expected. – Christopher Causer Sep 12 '22 at 09:47
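
The question's hypothesis can be checked against its own data with a small model, added here as an example that is not part of the original post or comments. It applies POSIX owner/group/other class selection to the `ls -n` listing twice, once with every group from `id` and once with the primary GID only, and compares each result with the ACCESS replies reported from Wireshark. The mapping of `r`/`x`/`w` to Read/Lookup/Modify-Extend-Delete is a simplifying assumption, not the NFS server's actual logic.

```python
# Added example: a model of POSIX permission-class selection, not nfsd code.
# Assumed simplification: r -> Read, x -> Lookup, w -> Modify/Extend/Delete.
ACCESS_BITS = {"r": {"Read"}, "x": {"Lookup"}, "w": {"Modify", "Extend", "Delete"}}

# Values copied from the question's `id` and `ls -n` output.
UID, PRIMARY_GID, ALL_GIDS = 1027, 1027, {1027, 27, 100}
LS_N = """\
drwxr-xr-- 1 1001  100 0 Mar 27 11:44 test1/
drwxr-xr-x 1 1001  100 0 Mar 27 11:44 test2/
drwxr-xr-- 1 1001 1027 0 Mar 27 11:44 test3/
"""
# ACCESS replies reported in the question's Investigation section.
OBSERVED = {"test1": {"Read"},
            "test2": {"Read", "Lookup"},
            "test3": {"Read", "Lookup"}}

def parse_ls_n(text):
    """Yield (name, perms, owner_uid, group_gid) for each `ls -n` line."""
    for line in text.splitlines():
        f = line.split()
        yield f[-1].rstrip("/"), f[0][1:10], int(f[2]), int(f[3])

def allowed(perms, owner, group, uid, gids):
    """Rights on a directory, given the gids the server credits to uid."""
    if uid == owner:
        triple = perms[0:3]      # owner class
    elif group in gids:
        triple = perms[3:6]      # group class
    else:
        triple = perms[6:9]      # other class
    rights = set()
    for flag in triple:
        rights |= ACCESS_BITS.get(flag, set())
    return rights

def diagnose():
    """Per directory: which credential set reproduces the observed reply."""
    result = {}
    for name, perms, owner, group in parse_ls_n(LS_N):
        full = allowed(perms, owner, group, UID, ALL_GIDS)
        primary = allowed(perms, owner, group, UID, {PRIMARY_GID})
        result[name] = {"all_groups": full == OBSERVED[name],
                        "primary_only": primary == OBSERVED[name]}
    return result

if __name__ == "__main__":
    for name, match in diagnose().items():
        print(name, match)
```

Only the primary-GID-only credential set reproduces all three observed replies, which is consistent with the server evaluating ACCESS without the user's supplementary groups.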

0 Answers