On 26Jul2015 13:42, Emmett Culley <lst_manage@xxxxxxxxxxxxxxx> wrote:
On 07/25/2015 08:31 PM, Cameron Simpson wrote:
On 26Jul2015 10:39, Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
On 07/26/15 10:34, Cameron Simpson wrote:
On 26Jul2015 08:06, Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
But, FWIW, I'm trying to replicate a failure here and can't.
My standard question in this situation is: how many groups is the user in on the client machine? [...]
Historically there was a 16 group protocol limit on what the client passed to the NFS server, so unless the file's group was in your first 15 secondary groups it would not be consulted for file access. [...]
Turns out this is the clue I needed. Using the search "NFS4 group ID limitations", I found this article:
http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/
Running rpc.mountd --manage-gids on the server seems to have fixed my problem. I don't know if that command is persistent, but I will soon :-)
Note that this means that you are now using your server's groups file as the
basis for group membership and ignoring the client. Arguably this is both more
secure and much easier to administer, but it _is_ different from the default
arrangement, so don't forget it.
In a former life I wrote a user/group database (and tools), and drove both the
UNIX and Windows group memberships from it. (And mailing aliases - very handy
when your org has lots of projects and structural stuff; you could email
"projectname" to contact all people working on that project,
"projectname-leader" for the team leader and so forth - arbitrarily complex).
One side effect of this was that users ended up in many groups, allowing easy
and automatic fine-tuned control of fine access, but also exposing us to the 16
group limit quite often.
Therefore I have a prioritising system, which chose group membership selection
- you could mark a user as needing some specific groups on an ad hoc basis,
mark a group as being "useful", and otherwise the code sorted groups on
probable usefulness - essentially fewest numbers of name components, and those
groups were attached to files/dirs most generally.
This served us well.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
In article <323C4DB9.6A76@xxxxxxxxxxxxxx>, lhartley@xxxxxxxxxxxxxx wrote:
| It still is true that the best touring bike is the one that you are
| riding right now. Anything can be used for touring. As long as you
| can travel, you are touring.
I believe such true and profound statements are NOT allowed to be posted
in this newsgroup, and are also against the charter. You've been warned.
- Randy Davis DoD #0013 <randy@xxxxxxxxxx> in rec.moto
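
Added example (not part of the original thread, and not code from any poster): a simplified Python model of which groups an NFS server consults with and without `rpc.mountd --manage-gids`, plus an audit for users over the 16 group limit. All function names and the sample data are hypothetical; it models supplementary groups only and assumes the client keeps the first 16 entries of its list.

```python
# Added example: simplified model of the groups an NFS server checks for a
# request, with and without rpc.mountd --manage-gids. Not real NFS code.
AUTH_SYS_MAX_GROUPS = 16  # the protocol limit named in the thread


def parse_group_file(text):
    """Map user -> set of gids from group(5)-format text (name:pw:gid:members)."""
    membership = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            membership.setdefault(user, set()).add(int(fields[2]))
    return membership


def users_over_limit(membership, limit=AUTH_SYS_MAX_GROUPS):
    """Users whose group count exceeds what the client can send."""
    return sorted(u for u, gids in membership.items() if len(gids) > limit)


def effective_gids(user, client_gids, server_membership, manage_gids,
                   limit=AUTH_SYS_MAX_GROUPS):
    """Groups the server checks. Assumption: the client keeps the first
    `limit` entries of its list; real ordering is client-dependent."""
    if manage_gids:
        # Server looks the user up itself and ignores the client's list.
        return set(server_membership.get(user, set()))
    return set(client_gids[:limit])


# Constructed sample data: 20 project groups, gids 2000-2019.
SERVER_GROUP = "\n".join(f"proj{i}:x:{2000 + i}:alice" for i in range(20))
SERVER_GROUP += "\nstaff:x:3000:bob\n"
SERVER = parse_group_file(SERVER_GROUP)
ALICE_CLIENT = [2000 + i for i in range(20)]  # same 20 groups on the client
BOB_CLIENT = [3000, 2005]  # client and server group files disagree on 2005

if __name__ == "__main__":
    print("over limit:", users_over_limit(SERVER))
    for flag in (False, True):
        alice = 2019 in effective_gids("alice", ALICE_CLIENT, SERVER, flag)
        bob = 2005 in effective_gids("bob", BOB_CLIENT, SERVER, flag)
        print(f"manage_gids={flag}: alice has 2019: {alice}, bob has 2005: {bob}")
```

Running the same audit against the server's own group file shows which accounts depend on the server-side lookup once `--manage-gids` is enabled.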