Date: Fri, 16 Apr 2010 10:11:18 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Giulio Ferro <auryn@zirakzigil.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: NFS permission strangeness
Message-ID: <Pine.GSO.4.63.1004161008090.2259@muncher.cs.uoguelph.ca>
In-Reply-To: <4BC820CA.8030002@zirakzigil.org>
References: <4BC72276.6080003@zirakzigil.org> <Pine.GSO.4.63.1004152023580.845@muncher.cs.uoguelph.ca> <4BC81EB2.9070107@zirakzigil.org> <6AB6F56B-5FDF-4926-B631-F933E9C7FCD2@gothic.net.au> <4BC820CA.8030002@zirakzigil.org>

On Fri, 16 Apr 2010, Giulio Ferro wrote:

> On 16.04.2010 10:29, Sean wrote:
>>
>>> Yes, I have more than 16 groups, 22 actually...
>>>
>> Then there's nothing "wrong" per se, you're just hitting the fact that NFS
>> v2 and v3 only support 16 groups on the wire. That's just the way the
>> protocol is defined.
>>
>>
>
> Oops, I didn't know that...
>
> Is there any solution solid enough for a production environment? Maybe nfs4?
>
Well, when you use sec=krb5[ip] on NFSv3 or NFSv4, the limitation of
16/17 groups goes away. However, this has a lot of other implications.

(NFSv4 uses the same RPC protocol as NFSv2,3 and it is the specification
of the authentication header for what is called AUTH_SYS, which is the
problem. AUTH_SYS authenticators simply list a uid, gid and groups<16> #s
in the RPC header.)

rick
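
The AUTH_SYS credential layout described in the message above, as an added example that is not part of the original e-mail or of FreeBSD's code: it encodes and decodes the authsys_parms structure from RFC 5531 and shows which groups reach the server. The function names, the host name client.example, the uid/gid values and the client-side truncation to the first 16 entries are assumptions made for illustration.

```python
import struct

MAX_GIDS = 16  # authsys_parms declares gids<16> (ONC RPC, RFC 5531)

def _xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte length, data, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\x00" * ((4 - len(s) % 4) % 4)

def encode_authsys(stamp, machine, uid, gid, gids):
    """Encode an AUTH_SYS credential body (authsys_parms) in XDR."""
    if len(machine) > 255:
        raise ValueError("machinename<255> exceeded")
    if len(gids) > MAX_GIDS:
        raise ValueError("gids<16>: at most 16 groups fit in the credential")
    return (struct.pack(">I", stamp) + _xdr_string(machine)
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(f">{len(gids)}I", *gids))

def decode_authsys(body):
    """Decode the credential as a server would; reject an over-long array."""
    stamp, mlen = struct.unpack_from(">II", body, 0)
    machine = body[8:8 + mlen]
    off = 8 + ((mlen + 3) & ~3)          # skip string data plus padding
    uid, gid, n = struct.unpack_from(">III", body, off)
    if n > MAX_GIDS:
        raise ValueError("malformed credential: more than 16 gids")
    gids = list(struct.unpack_from(f">{n}I", body, off + 12))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid,
            "gids": gids}

def server_view(uid, gid, all_gids):
    """Assumed client behaviour: send only the first 16 groups, then decode."""
    wire = encode_authsys(0, b"client.example", uid, gid, all_gids[:MAX_GIDS])
    return decode_authsys(wire)

def has_group_access(file_gid, cred):
    """Group check using only what the credential carried on the wire."""
    return file_gid == cred["gid"] or file_gid in cred["gids"]

# Constructed sample: a user in 22 groups, as in the thread (gids 2001..2022).
SAMPLE_GIDS = list(range(2001, 2023))

if __name__ == "__main__":
    cred = server_view(1001, 1001, SAMPLE_GIDS)
    for g in (2016, 2020):
        print(f"file gid {g}: access={has_group_access(g, cred)}")
```

With the constructed 22-group user, a file owned by the 16th group is accessible while one owned by the 20th is not, which is the permission behaviour the thread started from.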