NFS mount - aancel/admin GitHub Wiki

Problem 1: Group permission on NFS

Initial description by Premchandra Preetham Kukillaya for HADOOP: https://issues.apache.org/jira/browse/HADOOP-10701

Referenced in: http://ubuntuforums.org/showthread.php?t=1231263 => provided the solution of removing "--manage-gids"

Description

Initial setup:

  • Have 2 PCs: one named "server" and the other one "client". Data to be shared will be hosted on server, and will be made available to "client" through NFS.
  • Create group1
  • Create group2
  • Create a user "foo" with primary group group1 and add it to group2:
    uid=1000(foo) gid=6000(group1) groups=6000(group1),7000(group2)
  • Create a directory named data1 and assign the ownership to foo:group1 with permission 770
  • Create a directory named data2 and assign the ownership to foo:group2 with permission 770
    drwxrwx--- - foo group1 0 2015-01-01 00:00 /data1
    drwxrwx--- - foo group2 0 2015-01-01 00:00 /data2

Bug reproduction:

  • Log in as "foo" on "client" and type "id" (the uid and gid must match those on the server):
    uid=1000(foo) gid=6000(group1) groups=6000(group1),7000(group2)

  • Mount data1 and data2 from "server" with NFS.

  • Execute "ls -ltra"; the permissions should match those of the mounted filesystem:
    drwxrwx---. 2 foo group1 64 Jan 01 01:00 data1
    drwxrwx---. 2 foo group2 64 Jan 01 01:00 data2

  • Check that "foo" belongs to the 2 groups:
    foo : group1 group2

  • Now the user "foo" can only access data1 and NOT data2: for some reason the secondary group is ignored while accessing the mounted file system, and the access is refused with "Permission denied".
    -sh-4.1$ cd data2
    -sh: cd: data2: Permission denied
    -sh-4.1$ cd data1
    -sh-4.1$

  • Now if you execute the command "newgrp group2", the user can access data2 and not data1, because the primary group of the user "foo" is now group2:
    newgrp group2
    cd data1
    cd: data1: Permission denied
    cd data2
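The symptom above can be checked on any mount with the following diagnostic script, an added example that is not part of the wiki page: it compares what the kernel actually allows with what the directory's group bits and the user's group list say it should allow, and reports "group-dropped" when membership should grant access but the access is refused. It assumes a Linux client with GNU stat (as on Ubuntu); the mount paths in the trailing comment are hypothetical.

```shell
#!/bin/sh
# Decide why search access to a directory is granted or denied, from four facts:
#   $1 access  : granted|denied  (what access(2) reported, i.e. the kernel's verdict)
#   $2 owner   : yes|no          (the caller's uid owns the directory)
#   $3 member  : yes|no          (the directory's gid is in the caller's group list)
#   $4 group_x : yes|no          (the group permission bits include search/execute)
# "group-dropped" is the symptom from the wiki text: membership should grant
# access, yet the server refused, so the secondary group was not applied.
classify() {
  case "$1:$2:$3:$4" in
    granted:yes:*:*)   echo owner-access ;;
    granted:no:yes:*)  echo group-access ;;
    granted:*)         echo other-access ;;
    denied:no:yes:yes) echo group-dropped ;;
    *)                 echo denied ;;
  esac
}

# Gather the four facts for a real directory (GNU stat) and classify them.
nfs_group_check() {
  dir=$1
  [ -d "$dir" ] || { echo missing; return 1; }
  owner=no; member=no; group_x=no; access=denied
  [ "$(stat -c %u "$dir")" = "$(id -u)" ] && owner=yes
  dir_gid=$(stat -c %g "$dir")
  # id -G lists primary and secondary gids as the client kernel sees them
  for g in $(id -G); do [ "$g" = "$dir_gid" ] && member=yes; done
  # 7th character of "drwxrwx---" is the group search bit (x, or s for setgid)
  case "$(stat -c %A "$dir")" in ??????[xs]*) group_x=yes ;; esac
  # test -x asks the kernel (and, over NFS, the server) for search permission
  [ -x "$dir" ] && access=granted
  classify "$access" "$owner" "$member" "$group_x"
}

# Usage on mounted exports (hypothetical paths): a "group-dropped" verdict for
# /mnt/data2 that turns into "group-access" after "newgrp group2" is exactly
# the behaviour reproduced above.
if [ $# -gt 0 ]; then
  for d in "$@"; do printf '%s: %s\n' "$d" "$(nfs_group_check "$d")"; done
fi
```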

Bug solving:

  • Create a user whose primary group is the one owning the shared directory;
  • Change the current group of the user (newgrp) to match the one owning the shared data;
  • Remove --manage-gids from RPCMOUNTDOPTS in /etc/default/nfs-kernel-server. Attention: this option is supposed to solve a bug with the 16-group limit in NFS (http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/): with it, rpc.mountd replaces the group list sent by the client with the groups it looks up for the uid on the server; without it, the client-supplied list is used as-is;
  • Use ACLs.