From: Rick Macklem
Date: Thu, 15 Apr 2010 20:30:42 -0400 (EDT)
To: Giulio Ferro
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: NFS permission strangeness

On Thu, 15 Apr 2010, Giulio Ferro wrote:

> Here's the setup:
> server : NFS server machine (fb 8 stable amd64 )
> client : NFS client machine (as above)
>
> server and client are both sharing the same permission database through ldap:
>
> Both have in /etc/nsswitch.conf
> ...
> group: files ldap
> ...
> passwd: files ldap
>
> This issue isn't related to ldap, however. I get the same result if I
> manually add groups to /etc/group file (read on)
>
> Let's suppose I have user "giulio" configured in my system.
> giulio is also part (-G) of groups:
> group1, group2, group3, ... , group10
>
> server is exporting the directory
> /path/to/root (on zfs)
>
> the directory
> /path/to/root/dir/etc/subdir1
> has permission 770 and group ownership "group3"
>
> I login as user "giulio" on server I can enter "subdir1" directory, since I'm
> member of group "group3"
>
> I then login as user "giulio" on client, and I can do the same (as expected).
>
>
> When groups are more than a few, however, I get this strange behavior:
>
> let's suppose the directory:
> /path/to/root/dir/etc/subdir2
> has permission 770 and group ownership "group10"
>
> What happens is that I can access "subdir2" on the server machine when I
> login as "giulio", but when I try to access that same dir on the client
> machine I get:
> $ cd /path/to/root/dir/etc
> (ok)
> $ cd subdir2
> subdir2/: Permission denied.
>

Yes, it should work. I just tried the same thing with a server running
UFS/FFS and it worked fine, so I think that the problem might be ZFS related.
(You will get into trouble with more than 16 groups, since that is all
that AUTH_SYS for Sun RPC handles, but I did 10 like your example and it
worked ok for me, using FreeBSD-CURRENT client/server, except that my
server uses UFS/FFS.)

Hopefully someone with ZFS expertise can help out here? If you can
conveniently do the same test using a server that exports a UFS/FFS
file system, that would be helpful w.r.t. isolating the problem.

rick
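
Added example, not part of the original message: the 16-group ceiling mentioned above comes from the gids<16> array in the AUTH_SYS credential (authsys_parms, RFC 5531). The sketch packs and parses that structure for constructed uid/gid values, and assumes a client that sends only the first 16 supplementary groups; real clients may choose differently.

```python
import struct

MAX_GIDS = 16  # authsys_parms declares gids<16> (RFC 5531, Appendix A)

def xdr_string(data: bytes) -> bytes:
    """XDR string: 4-byte length, bytes, zero padding to a multiple of 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)

def pack_authsys(stamp, machine, uid, gid, gids):
    """Encode the credential body; return (bytes, groups that did not fit).
    Assumption: the client keeps the first 16 groups and drops the rest."""
    sent, dropped = gids[:MAX_GIDS], gids[MAX_GIDS:]
    body = struct.pack(">I", stamp) + xdr_string(machine.encode())
    body += struct.pack(f">III{len(sent)}I", uid, gid, len(sent), *sent)
    return body, dropped

def unpack_authsys(body):
    """Decode as a server would, refusing an oversized or malformed array."""
    stamp, mlen = struct.unpack_from(">II", body, 0)
    if mlen > 255:  # machinename<255>
        raise ValueError("machinename too long")
    machine = body[8:8 + mlen].decode()
    off = 8 + mlen + (-mlen % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    if ngids > MAX_GIDS or len(body) != off + 4 * ngids:
        raise ValueError("bad gids array in AUTH_SYS credential")
    gids = list(struct.unpack_from(f">{ngids}I", body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def server_sees_group(body, target_gid):
    """True if target_gid reaches the server as primary or supplementary gid."""
    cred = unpack_authsys(body)
    return target_gid == cred["gid"] or target_gid in cred["gids"]

if __name__ == "__main__":
    # Constructed values: uid/gid 1001, group1..groupN mapped to 2001..2000+N.
    for n in (10, 20):
        groups = list(range(2001, 2001 + n))
        body, dropped = pack_authsys(0, "client", 1001, 1001, groups)
        print(n, "groups:", len(body), "bytes, dropped", dropped,
              "last group visible:", server_sees_group(body, groups[-1]))
```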