OT - NFS group ignored [SOLVED]

Cameron Simpson cs at zip.com.au
Sun Jul 26 23:33:08 UTC 2015


On 26Jul2015 13:42, Emmett Culley <lst_manage at webengineer.com> wrote:
>On 07/25/2015 08:31 PM, Cameron Simpson wrote:
>> On 26Jul2015 10:39, Ed Greshko <ed.greshko at greshko.com> wrote:
>>> On 07/26/15 10:34, Cameron Simpson wrote:
>>>> On 26Jul2015 08:06, Ed Greshko <ed.greshko at greshko.com> wrote:
>>>>> But, FWIW, I'm trying to replicate a failure here and can't.
>>>> My standard question in this situation is: how many groups is the user in on the client machine? [...]
>> Historically there was a 16 group protocol limit on what the client passed to the NFS server, so unless the file's group was in your first 15 secondary groups it would not be consulted for file access. [...]
>
>Turns out this is the clue I needed.  Using the search "NFS4 group ID limitations", I found this article:
>http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/
>Running rpc.mountd --manage-gids on the server seems to have fixed my problem.  I don't know if that command is persistent, but I will soon  :-)

Note that this means that you are now using your server's groups file as the 
basis for group membership and ignoring the client. Arguably this is both more 
secure and much easier to administer, but it _is_ different from the default 
arrangement, so don't forget it.

In a former life I wrote a user/group database (and tools), and drove both the 
UNIX and Windows group memberships from it. (And mailing aliases - very handy 
when your org has lots of projects and structural stuff; you could email 
"projectname" to contact all people working on that project, 
"projectname-leader" for the team leader and so forth - arbitrarily complex).

One side effect of this was that users ended up in many groups, allowing easy 
and automatic fine tuned control of file access, but also exposing us to the 16 
group limit quite often.

Therefore I have a prioritising system, which chose group membership selection 
- you could mark a user as needing some specific groups on an ad hoc basis, 
mark a group as being "useful", and otherwise the code sorted groups on 
probable usefulness - essentially fewest numbers of name components, and those 
groups were attached to files/dirs most generally.

This served us well.

Cheers,
Cameron Simpson <cs at zip.com.au>

In article <323C4DB9.6A76 at ss1.csd.sc.edu>, lhartley at ss1.csd.sc.edu wrote:
| It still is true that the best touring bike is the one that you are
| riding right now.  Anything can be used for touring.  As long as you
| can travel, you are touring.
I believe such true and profound statements are NOT allowed to be posted
in this newsgroup, and are also against the charter.  You've been warned.
        - Randy Davis DoD #0013 <randy at agames.com> in rec.moto
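
Added example (not part of the original message, and not the code the poster describes): one way to sketch the group prioritisation outlined above, keeping at most 16 groups per user. The "-" name separator, the function names and the sample group names are assumptions made for illustration.

```python
# Sketch of a group selector for the 16-group limit discussed in the thread.
# Assumptions (not from the post): group names use "-" between components,
# and ties are broken alphabetically so the result is deterministic.
GROUP_LIMIT = 16


def select_groups(memberships, pinned=(), useful=(), limit=GROUP_LIMIT, sep="-"):
    """Return (kept, dropped) lists of group names for one user.

    Order of preference: groups pinned for this user, then groups marked
    "useful", then everything else by fewest name components.
    """
    members = set(memberships)
    pinned = set(pinned) & members      # a pin only counts if the user is a member
    useful = set(useful) & members
    if len(pinned) > limit:
        # Failure mode worth surfacing: the ad hoc pins alone exceed the limit.
        raise ValueError(f"{len(pinned)} pinned groups exceed the limit of {limit}")

    def rank(group):
        tier = 0 if group in pinned else 1 if group in useful else 2
        return (tier, len(group.split(sep)), group)

    ordered = sorted(members, key=rank)
    return ordered[:limit], ordered[limit:]


# Constructed sample data: one user in 20 groups.
SAMPLE_MEMBERSHIPS = [
    "staff", "eng", "ops", "audit", "docs", "docs-leader",
    "web", "web-leader", "web-api", "web-api-leader",
    "db", "db-leader", "db-backup", "db-backup-leader",
    "mail", "mail-leader",
    "build", "build-leader", "build-ci", "build-ci-leader",
]
SAMPLE_PINNED = {"build-ci-leader"}     # this user needs it despite the long name
SAMPLE_USEFUL = {"db-backup"}           # group marked "useful" for everyone

if __name__ == "__main__":
    kept, dropped = select_groups(SAMPLE_MEMBERSHIPS, SAMPLE_PINNED, SAMPLE_USEFUL)
    print("kept   :", ", ".join(kept))
    print("dropped:", ", ".join(dropped))
```

The dropped list is the part to review: those are the memberships that would not take part in access decisions for that user.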

