Date: Thu, 15 Apr 2010 20:30:42 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Giulio Ferro <auryn@zirakzigil.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: NFS permission strangeness
Message-ID: <Pine.GSO.4.63.1004152023580.845@muncher.cs.uoguelph.ca>
In-Reply-To: <4BC72276.6080003@zirakzigil.org>
References: <4BC72276.6080003@zirakzigil.org>

On Thu, 15 Apr 2010, Giulio Ferro wrote:

> Here's the setup:
> server : NFS server machine (fb 8 stable amd64 )
> client : NFS client machine (as above)
>
> server and client are both sharing the same permission database through ldap:
>
> Both have in /etc/nsswitch.conf
> ...
> group: files ldap
> ...
> passwd: files ldap
>
> This issue isn't related to ldap, however. I get the same result if I
> manually add groups to /etc/group file (read on)
>
> Let's suppose I have user "giulio" configured in my system.
> giulio is also part (-G) of groups:
> group1, group2, group3, ... , group10
>
> server is exporting the directory
> /path/to/root (on zfs)
>
> the directory
> /path/to/root/dir/etc/subdir1
> has permission 770 and group ownership "group3"
>
> I login as user "giulio" on server I can enter "subdir1" directory, since I'm
> member of group "group3"
>
> I then login as user "giulio" on client, and I can do the same (as expected).
>
>
> When groups are more than a few, however, I get this strange behavior:
>
> let's suppose the directory:
> /path/to/root/dir/etc/subdir2
> has permission 770 and group ownership "group10"
>
> What happens is that I can access "subdir2" on the server machine when I
> login as "giulio", but when I try to access that same dir on the client
> machine I get:
> $ cd /path/to/root/dir/etc
> (ok)
> $ cd subdir2
> subdir2/: Permission denied.
>

Yes, it should work. I just tried the same thing with a server running
UFS/FFS and it worked fine, so I think that the problem might be ZFS
related. (You will get into trouble with more than 16 groups, since that
is all that AUTH_SYS for Sun RPC handles, but I did 10 like your example
and it worked ok for me, using FreeBSD-CURRENT client/server, except that
my server uses UFS/FFS.)

Hopefully someone with ZFS expertise can help out here?

If you can conveniently do the same test using a server that exports a
UFS/FFS file system, that would be helpful w.r.t. isolating the problem.

rick
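
The 16-group AUTH_SYS limit mentioned in the reply, shown as an added example that is not part of the original message or of FreeBSD's code: it encodes and decodes the `authsys_parms` credential body from RFC 5531 and checks which group IDs a server can see. The uid/gid numbers, the machine name and the "drop everything after the 16th group" client policy are assumptions made for illustration.

```python
import struct

MAX_GIDS = 16    # gids<16> in authsys_parms (RFC 5531, Appendix A)
MAX_NAME = 255   # machinename<255>

def xdr_uint(n):
    return struct.pack(">I", n)

def xdr_opaque(data):
    # XDR variable-length data: 4-byte length, the bytes, zero padding to 4
    return xdr_uint(len(data)) + data + b"\0" * (-len(data) % 4)

def build_authsys(stamp, machine, uid, gid, gids):
    """Encode an AUTH_SYS credential body; return (body, dropped_gids).

    Assumed client policy: supplementary groups after the 16th are dropped.
    """
    if len(machine) > MAX_NAME:
        raise ValueError("machinename longer than 255 bytes")
    sent, dropped = list(gids[:MAX_GIDS]), list(gids[MAX_GIDS:])
    body = xdr_uint(stamp) + xdr_opaque(machine) + xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(sent)) + b"".join(xdr_uint(g) for g in sent)
    return body, dropped

def parse_authsys(body):
    """Decode the body as a server would; refuse a gid count above 16."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    if name_len > MAX_NAME:
        raise ValueError("machinename longer than 255 bytes")
    off = 8 + name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > MAX_GIDS:
        raise ValueError("more than 16 gids in AUTH_SYS credential")
    gids = struct.unpack_from(">%dI" % count, body, off + 12)
    return {"uid": uid, "gid": gid, "gids": list(gids)}

def group_visible(body, dir_gid):
    """True if the directory's group appears in the credential on the wire."""
    cred = parse_authsys(body)
    return dir_gid == cred["gid"] or dir_gid in cred["gids"]

# Constructed sample data: uid/gid 1001, group1..group10 mapped to 2001..2010
TEN = list(range(2001, 2011))
TWENTY = list(range(2001, 2021))

if __name__ == "__main__":
    body10, dropped10 = build_authsys(0, b"client", 1001, 1001, TEN)
    body20, dropped20 = build_authsys(0, b"client", 1001, 1001, TWENTY)
    print("10 groups: group10 visible =", group_visible(body10, 2010), dropped10)
    print("20 groups: group20 visible =", group_visible(body20, 2020), dropped20)
```

With ten groups nothing is dropped and the tenth group is on the wire, so the AUTH_SYS limit alone does not account for a denial at that group count; it only starts to matter past sixteen.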