NFS permission problems - group access not working

Please post questions and issues pertaining to share access and file permission here.

NFS permission problems - group access not working

Postby alexander.isacson » Sun Apr 11, 2010 11:29 am

Hello

I'm trying to set up NFS from my readyNas to replace a the NFS server I had before. I have created a shares for video, music etc and I have also created groups on the readynas that will belong to each share. I have also synced the UIDs and GIDs so that they are the same on the NAS and the clients.

From the NAS
Code: Select all
nas:/c# id alexander
uid=2000(alexander) gid=2000(alexander) groups=2000(alexander),100(users),3002(documents),3001(music),3005(pictures),3003(games),3004(videos)

nas:/c# cat /etc/exports
"/documents" *(insecure,insecure_locks,rw,async)
"/downloads" *(insecure,insecure_locks,rw,async)
"/games" *(insecure,insecure_locks,rw,async)
"/music" *(insecure,insecure_locks,rw,async)
"/pictures" *(insecure,insecure_locks,rw,async)
"/videos" *(insecure,insecure_locks,rw,async)
"/homes" *(insecure,insecure_locks,rw,sync)

From a client
Code: Select all
alexander@client:/mnt$ id
uid=2000(alexander) gid=2000(alexander) groups=4(adm),20(dialout),21(fax),24(cdrom),26(tape),29(audio),30(dip),44(video),46(plugdev),60(games),104(fuse),106(lpadmin),112(netdev),121(admin),122(sambashare),2000(alexander),3001(music),3002(documents),3003(game),3004(videos),3005(pictures)

alexander@client:/mnt$ cat /etc/fstab
<SNIP>
192.168.0.6:/documents        /mnt/documents  nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/downloads        /mnt/downloads  nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/videos           /mnt/videos     nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/music            /mnt/music      nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/pictures         /mnt/pictures   nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/games            /mnt/games      nfs rw,user,noauto,hard,intr    0       0
192.168.0.6:/backup           /mnt/backup     nfs rw,user,noauto,hard,intr    0       0

After much fiddling I was able to get the user to mount the directory. (The problem was that the user did not have read and execute rights on the directory on the client to which the share should be mounted.) However I get permission denied as soon as I try to cd into a directory.
Code: Select all
alexander@client:/mnt$ ls -lhd pictures/
drwxrwx--- 13 pictures pictures 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ ls -lhdn pictures/
drwxrwx--- 13 3005 3005 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ cd pictures/
bash: cd: pictures/: Permission denied

Why do I get permission denied? Obviously the user belongs to the correct group. If I ssh to the readynas as the user alexander I can cd into the directory without any problems. Where do I start looking at the error? Is it the client or the server that doesn't allow the access? If a use the world readable/writable folder I can access it and its contaning files without any problems.

Thanks
/Alexander
alexander.isacson
ReadyNAS Newbie
 
Posts: 5
Joined: Sat Apr 10, 2010 11:35 pm
ReadyNAS: Duo

Re: NFS permission problems - group access not working

Postby alexander.isacson » Mon Apr 12, 2010 10:22 am

What am I overlooking?

It works if I make the shared files world readable or if I browse them as root. But I don't want to make the NFS shares world readable. Why aren't the group permissions honored?

If I ssh to the NAS as the user alexander I can access the directories based on the group permissions locally on the NAS. But if I try to do it over NFS it gives me permission denied.

If I change the ownership of a directory so it is owned by "alexander" I can access it over NFS.
alexander.isacson
ReadyNAS Newbie
 
Posts: 5
Joined: Sat Apr 10, 2010 11:35 pm
ReadyNAS: Duo

Re: NFS permission problems - group access not working

Postby ewok » Mon Apr 12, 2010 6:08 pm

Can you try temporarily setting the group owner on the pictures share directory to 20 and see if that helps?
User avatar
ewok
Jedi Council
 
Posts: 9455
Joined: Tue Mar 08, 2005 3:58 pm
Location: Fremont, CA
ReadyNAS: Pro

Re: NFS permission problems - group access not working

Postby alexander.isacson » Tue Apr 13, 2010 12:42 am

Thanks for the suggestion!

I did as you said and ran the following on the NAS
Code: Select all
chgrp 20 pictures

I remounted the pictures share on the client. It showed up as beloning to the group dailout. Now I had access to the directory!

Why does it work with the dailout group and not with the group I created for this porpose? Are the gid to high?
alexander.isacson
ReadyNAS Newbie
 
Posts: 5
Joined: Sat Apr 10, 2010 11:35 pm
ReadyNAS: Duo

Re: NFS permission problems - group access not working

Postby ewok » Tue Apr 13, 2010 10:17 am

The underlying authentication mechanism only supports 16 groups. Look here for more info:

http://nfsworld.blogspot.com/2005/03/wh ... ation.html
User avatar
ewok
Jedi Council
 
Posts: 9455
Joined: Tue Mar 08, 2005 3:58 pm
Location: Fremont, CA
ReadyNAS: Pro

Re: NFS permission problems - group access not working

Postby alexander.isacson » Wed Apr 14, 2010 1:13 pm

Thanks - now I know where to start looking for a solution. I found this switch in the mountd manpage:
-g or --manage-gids
Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access
control. An NFS request will normally (except when using Kerberos or other cryptographic authentica‐
tion) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16
groups ids can be listed. If you use the -g flag, then the list of group ids received from the client
will be replaced by a list of group ids determined by an appropriate lookup on the server. Note that the
'primary' group id is not affected so a newgroup command on the client will still be effective. This
function requires a Linux Kernel with version at least 2.6.21.

So I added the file /etc/default/nfs-kernel-server with the following line in it
Code: Select all
RPCMOUNTDOPTS="--manage-gids"


Unfortunately the ReadyNAS is running kenel:
Linux sigma 2.6.17.8ReadyNAS #1 Tue Jun 9 13:59:28 PDT 2009 padre unknown


What have other people done to get around the problem? What I'm thinking right now is to set the GIDs on NAS-relevant groups below 30 so they come first in the list.
alexander.isacson
ReadyNAS Newbie
 
Posts: 5
Joined: Sat Apr 10, 2010 11:35 pm
ReadyNAS: Duo

Re: NFS permission problems - group access not working

Postby alexander.isacson » Thu Apr 22, 2010 4:53 am

If anyone else reads this I changed all the GIDs to a low number and now everything works. However I wish that netgear would upgrade the kernel to 2.6.21 so that you can use the RPCMOUNTDOPTS="--manage-gids" option.
alexander.isacson
ReadyNAS Newbie
 
Posts: 5
Joined: Sat Apr 10, 2010 11:35 pm
ReadyNAS: Duo

Re: NFS permission problems - group access not working

Postby lith » Mon Mar 26, 2012 3:30 am

Old thread, but this is still an issue - the kernel on newer versions is now able to support the --manage-gids option, which is working fine
Not sure when this was from, I'm running 4.2.19 which is at 2.6.37 (x86)
lith
ReadyNAS Newbie
 
Posts: 9
Joined: Fri Feb 09, 2007 4:49 am


Return to Share Access and File Permission



Who is online

Users browsing this forum: Bing [Bot] and 3 guests