× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: NFS permission problems - group access not working

alexander_isacs
Aspirant

NFS permission problems - group access not working

Hello

I'm trying to set up NFS from my readyNas to replace a the NFS server I had before. I have created a shares for video, music etc and I have also created groups on the readynas that will belong to each share. I have also synced the UIDs and GIDs so that they are the same on the NAS and the clients.

From the NAS
nas:/c# id alexander
uid=2000(alexander) gid=2000(alexander) groups=2000(alexander),100(users),3002(documents),3001(music),3005(pictures),3003(games),3004(videos)

nas:/c# cat /etc/exports
"/documents" *(insecure,insecure_locks,rw,async)
"/downloads" *(insecure,insecure_locks,rw,async)
"/games" *(insecure,insecure_locks,rw,async)
"/music" *(insecure,insecure_locks,rw,async)
"/pictures" *(insecure,insecure_locks,rw,async)
"/videos" *(insecure,insecure_locks,rw,async)
"/homes" *(insecure,insecure_locks,rw,sync)

From a client
alexander@client:/mnt$ id
uid=2000(alexander) gid=2000(alexander) groups=4(adm),20(dialout),21(fax),24(cdrom),26(tape),29(audio),30(dip),44(video),46(plugdev),60(games),104(fuse),106(lpadmin),112(netdev),121(admin),122(sambashare),2000(alexander),3001(music),3002(documents),3003(game),3004(videos),3005(pictures)

alexander@client:/mnt$ cat /etc/fstab
<SNIP>
192.168.0.6:/documents /mnt/documents nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/downloads /mnt/downloads nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/videos /mnt/videos nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/music /mnt/music nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/pictures /mnt/pictures nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/games /mnt/games nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/backup /mnt/backup nfs rw,user,noauto,hard,intr 0 0

After much fiddling I was able to get the user to mount the directory. (The problem was that the user did not have read and execute rights on the directory on the client to which the share should be mounted.) However I get permission denied as soon as I try to cd into a directory.
alexander@client:/mnt$ ls -lhd pictures/
drwxrwx--- 13 pictures pictures 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ ls -lhdn pictures/
drwxrwx--- 13 3005 3005 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ cd pictures/
bash: cd: pictures/: Permission denied

Why do I get permission denied? Obviously the user belongs to the correct group. If I ssh to the readynas as the user alexander I can cd into the directory without any problems. Where do I start looking at the error? Is it the client or the server that doesn't allow the access? If a use the world readable/writable folder I can access it and its contaning files without any problems.

Thanks
/Alexander
Message 1 of 8
alexander_isacs
Aspirant

Re: NFS permission problems - group access not working

What am I overlooking?

It works if I make the shared files world readable or if I browse them as root. But I don't want to make the NFS shares world readable. Why aren't the group permissions honored?

If I ssh to the NAS as the user alexander I can access the directories based on the group permissions locally on the NAS. But if I try to do it over NFS it gives me permission denied.

If I change the ownership of a directory so it is owned by "alexander" I can access it over NFS.
Message 2 of 8
ewok
NETGEAR Expert

Re: NFS permission problems - group access not working

Can you try temporarily setting the group owner on the pictures share directory to 20 and see if that helps?
Message 3 of 8
alexander_isacs
Aspirant

Re: NFS permission problems - group access not working

Thanks for the suggestion!

I did as you said and ran the following on the NAS
chgrp 20 pictures

I remounted the pictures share on the client. It showed up as beloning to the group dailout. Now I had access to the directory!

Why does it work with the dailout group and not with the group I created for this porpose? Are the gid to high?
Message 4 of 8
ewok
NETGEAR Expert

Re: NFS permission problems - group access not working

The underlying authentication mechanism only supports 16 groups. Look here for more info:

http://nfsworld.blogspot.com/2005/03/wh ... ation.html
Message 5 of 8
alexander_isacs
Aspirant

Re: NFS permission problems - group access not working

Thanks - now I know where to start looking for a solution. I found this switch in the mountd manpage:
-g or --manage-gids
Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access
control. An NFS request will normally (except when using Kerberos or other cryptographic authentica‐
tion) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16
groups ids can be listed. If you use the -g flag, then the list of group ids received from the client
will be replaced by a list of group ids determined by an appropriate lookup on the server. Note that the
'primary' group id is not affected so a newgroup command on the client will still be effective. This
function requires a Linux Kernel with version at least 2.6.21.

So I added the file /etc/default/nfs-kernel-server with the following line in it
RPCMOUNTDOPTS="--manage-gids"


Unfortunately the ReadyNAS is running kenel:
Linux sigma 2.6.17.8ReadyNAS #1 Tue Jun 9 13:59:28 PDT 2009 padre unknown


What have other people done to get around the problem? What I'm thinking right now is to set the GIDs on NAS-relevant groups below 30 so they come first in the list.
Message 6 of 8
alexander_isacs
Aspirant

Re: NFS permission problems - group access not working

If anyone else reads this I changed all the GIDs to a low number and now everything works. However I wish that netgear would upgrade the kernel to 2.6.21 so that you can use the RPCMOUNTDOPTS="--manage-gids" option.
Message 7 of 8
lith
Aspirant

Re: NFS permission problems - group access not working

Old thread, but this is still an issue - the kernel on newer versions is now able to support the --manage-gids option, which is working fine
Not sure when this was from, I'm running 4.2.19 which is at 2.6.37 (x86)
Message 8 of 8
Top Contributors
Discussion stats
  • 7 replies
  • 4738 views
  • 0 kudos
  • 3 in conversation
Announcements