Reply
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Re: NFS permission problems - group access not working
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-11
11:29 AM
2010-04-11
11:29 AM
NFS permission problems - group access not working
Hello
I'm trying to set up NFS from my readyNas to replace a the NFS server I had before. I have created a shares for video, music etc and I have also created groups on the readynas that will belong to each share. I have also synced the UIDs and GIDs so that they are the same on the NAS and the clients.
From the NAS
From a client
After much fiddling I was able to get the user to mount the directory. (The problem was that the user did not have read and execute rights on the directory on the client to which the share should be mounted.) However I get permission denied as soon as I try to cd into a directory.
Why do I get permission denied? Obviously the user belongs to the correct group. If I ssh to the readynas as the user alexander I can cd into the directory without any problems. Where do I start looking at the error? Is it the client or the server that doesn't allow the access? If a use the world readable/writable folder I can access it and its contaning files without any problems.
Thanks
/Alexander
I'm trying to set up NFS from my readyNas to replace a the NFS server I had before. I have created a shares for video, music etc and I have also created groups on the readynas that will belong to each share. I have also synced the UIDs and GIDs so that they are the same on the NAS and the clients.
From the NAS
nas:/c# id alexander
uid=2000(alexander) gid=2000(alexander) groups=2000(alexander),100(users),3002(documents),3001(music),3005(pictures),3003(games),3004(videos)
nas:/c# cat /etc/exports
"/documents" *(insecure,insecure_locks,rw,async)
"/downloads" *(insecure,insecure_locks,rw,async)
"/games" *(insecure,insecure_locks,rw,async)
"/music" *(insecure,insecure_locks,rw,async)
"/pictures" *(insecure,insecure_locks,rw,async)
"/videos" *(insecure,insecure_locks,rw,async)
"/homes" *(insecure,insecure_locks,rw,sync)
From a client
alexander@client:/mnt$ id
uid=2000(alexander) gid=2000(alexander) groups=4(adm),20(dialout),21(fax),24(cdrom),26(tape),29(audio),30(dip),44(video),46(plugdev),60(games),104(fuse),106(lpadmin),112(netdev),121(admin),122(sambashare),2000(alexander),3001(music),3002(documents),3003(game),3004(videos),3005(pictures)
alexander@client:/mnt$ cat /etc/fstab
<SNIP>
192.168.0.6:/documents /mnt/documents nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/downloads /mnt/downloads nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/videos /mnt/videos nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/music /mnt/music nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/pictures /mnt/pictures nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/games /mnt/games nfs rw,user,noauto,hard,intr 0 0
192.168.0.6:/backup /mnt/backup nfs rw,user,noauto,hard,intr 0 0
After much fiddling I was able to get the user to mount the directory. (The problem was that the user did not have read and execute rights on the directory on the client to which the share should be mounted.) However I get permission denied as soon as I try to cd into a directory.
alexander@client:/mnt$ ls -lhd pictures/
drwxrwx--- 13 pictures pictures 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ ls -lhdn pictures/
drwxrwx--- 13 3005 3005 16K 2010-04-05 11:32 pictures/
alexander@client:/mnt$ cd pictures/
bash: cd: pictures/: Permission denied
Why do I get permission denied? Obviously the user belongs to the correct group. If I ssh to the readynas as the user alexander I can cd into the directory without any problems. Where do I start looking at the error? Is it the client or the server that doesn't allow the access? If a use the world readable/writable folder I can access it and its contaning files without any problems.
Thanks
/Alexander
Message 1 of 8
Labels:
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-12
10:22 AM
2010-04-12
10:22 AM
Re: NFS permission problems - group access not working
What am I overlooking?
It works if I make the shared files world readable or if I browse them as root. But I don't want to make the NFS shares world readable. Why aren't the group permissions honored?
If I ssh to the NAS as the user alexander I can access the directories based on the group permissions locally on the NAS. But if I try to do it over NFS it gives me permission denied.
If I change the ownership of a directory so it is owned by "alexander" I can access it over NFS.
It works if I make the shared files world readable or if I browse them as root. But I don't want to make the NFS shares world readable. Why aren't the group permissions honored?
If I ssh to the NAS as the user alexander I can access the directories based on the group permissions locally on the NAS. But if I try to do it over NFS it gives me permission denied.
If I change the ownership of a directory so it is owned by "alexander" I can access it over NFS.
Message 2 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-12
06:08 PM
2010-04-12
06:08 PM
Re: NFS permission problems - group access not working
Can you try temporarily setting the group owner on the pictures share directory to 20 and see if that helps?
Message 3 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-13
12:42 AM
2010-04-13
12:42 AM
Re: NFS permission problems - group access not working
Thanks for the suggestion!
I did as you said and ran the following on the NAS
I remounted the pictures share on the client. It showed up as beloning to the group dailout. Now I had access to the directory!
Why does it work with the dailout group and not with the group I created for this porpose? Are the gid to high?
I did as you said and ran the following on the NAS
chgrp 20 pictures
I remounted the pictures share on the client. It showed up as beloning to the group dailout. Now I had access to the directory!
Why does it work with the dailout group and not with the group I created for this porpose? Are the gid to high?
Message 4 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-13
10:17 AM
2010-04-13
10:17 AM
Re: NFS permission problems - group access not working
The underlying authentication mechanism only supports 16 groups. Look here for more info:
http://nfsworld.blogspot.com/2005/03/wh ... ation.html
http://nfsworld.blogspot.com/2005/03/wh ... ation.html
Message 5 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-14
01:13 PM
2010-04-14
01:13 PM
Re: NFS permission problems - group access not working
Thanks - now I know where to start looking for a solution. I found this switch in the mountd manpage:
So I added the file /etc/default/nfs-kernel-server with the following line in it
Unfortunately the ReadyNAS is running kenel:
What have other people done to get around the problem? What I'm thinking right now is to set the GIDs on NAS-relevant groups below 30 so they come first in the list.
-g or --manage-gids
Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access
control. An NFS request will normally (except when using Kerberos or other cryptographic authentica‐
tion) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16
groups ids can be listed. If you use the -g flag, then the list of group ids received from the client
will be replaced by a list of group ids determined by an appropriate lookup on the server. Note that the
'primary' group id is not affected so a newgroup command on the client will still be effective. This
function requires a Linux Kernel with version at least 2.6.21.
So I added the file /etc/default/nfs-kernel-server with the following line in it
RPCMOUNTDOPTS="--manage-gids"
Unfortunately the ReadyNAS is running kenel:
Linux sigma 2.6.17.8ReadyNAS #1 Tue Jun 9 13:59:28 PDT 2009 padre unknown
What have other people done to get around the problem? What I'm thinking right now is to set the GIDs on NAS-relevant groups below 30 so they come first in the list.
Message 6 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2010-04-22
04:53 AM
2010-04-22
04:53 AM
Re: NFS permission problems - group access not working
If anyone else reads this I changed all the GIDs to a low number and now everything works. However I wish that netgear would upgrade the kernel to 2.6.21 so that you can use the RPCMOUNTDOPTS="--manage-gids" option.
Message 7 of 8
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2012-03-26
03:30 AM
2012-03-26
03:30 AM
Re: NFS permission problems - group access not working
Old thread, but this is still an issue - the kernel on newer versions is now able to support the --manage-gids option, which is working fine
Not sure when this was from, I'm running 4.2.19 which is at 2.6.37 (x86)
Not sure when this was from, I'm running 4.2.19 which is at 2.6.37 (x86)
Message 8 of 8