From: Rick Macklem
To: Giulio Ferro
Date: Fri, 16 Apr 2010 10:11:18 -0400 (EDT)
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: NFS permission strangeness

On Fri, 16 Apr 2010, Giulio Ferro wrote:

> On 16.04.2010 10:29, Sean wrote:
>>
>>> Yes, I have more than 16 groups, 22 actually...
>>>
>> Then there's nothing "wrong" per se, you're just hitting the fact that NFS
>> v2 and v3 only support 16 groups on the wire. That's just the way the
>> protocol is defined.
>>
>>
>
> Oops, I didn't know that...
>
> Is there any solution solid enough for a production environment? Maybe nfs4?
>
Well, when you use sec=krb5[ip] on NFSv3 or NFSv4, the limitation of
16/17 groups goes away. However, this has a lot of other implications.
(NFSv4 uses the same RPC protocol as NFSv2,3 and it is the specification
of the authentication header for what is called AUTH_SYS, which is the
problem. AUTH_SYS authenticators simply list a uid, gid and groups<16> #s
in the RPC header.)

rick
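The AUTH_SYS credential described in the message above, as an added example that is not part of the original thread: it encodes and strictly decodes the XDR authsys_parms body (stamp, machinename<255>, uid, gid, gids<16>, per RFC 5531) and reports which groups of a 22-group user never reach the server. The host name, uid and gid values are constructed, and the client is assumed to send the first 16 supplementary groups and drop the rest.

```python
import struct

AUTH_SYS_MAX_GIDS = 16   # gids<16> in authsys_parms (RFC 5531)
MAX_MACHINE_NAME = 255   # machinename<255>

def xdr_opaque(data):
    """XDR variable-length data: 4-byte length, bytes, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)

def encode_authsys(stamp, machine, uid, gid, gids):
    """Build an AUTH_SYS credential body; return (body, dropped_gids).

    Assumption: the client sends the first 16 supplementary groups and
    silently drops the rest.
    """
    name = machine.encode("ascii")
    if len(name) > MAX_MACHINE_NAME:
        raise ValueError("machinename exceeds 255 bytes")
    sent, dropped = gids[:AUTH_SYS_MAX_GIDS], gids[AUTH_SYS_MAX_GIDS:]
    body = struct.pack(">I", stamp) + xdr_opaque(name)
    body += struct.pack(">III", uid, gid, len(sent))
    body += struct.pack(">%dI" % len(sent), *sent)
    return body, list(dropped)

def decode_authsys(body):
    """Parse a credential body as a server would, enforcing gids<16>."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    if nlen > MAX_MACHINE_NAME:
        raise ValueError("machinename exceeds 255 bytes")
    off = 8 + nlen + (-nlen % 4)
    machine = body[8:8 + nlen].decode("ascii")
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > AUTH_SYS_MAX_GIDS:
        raise ValueError("%d gids; AUTH_SYS allows at most 16" % count)
    off += 12
    if len(body) != off + 4 * count:
        raise ValueError("credential length does not match gid count")
    gids = list(struct.unpack_from(">%dI" % count, body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

# Constructed sample: a user in 22 groups, as in the thread.
SAMPLE_GIDS = list(range(2000, 2022))

if __name__ == "__main__":
    body, dropped = encode_authsys(0, "client.example", 1001, 1001, SAMPLE_GIDS)
    print("credential bytes:", len(body))
    print("groups the server sees:", decode_authsys(body)["gids"])
    print("groups the server never sees:", dropped)
```

Running the same membership count over every account that uses an AUTH_SYS mount shows which users depend on a group the server cannot see.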