Issue with NFS and LDAP, attribute caching with "Permission denied"

Hi all,

I'm having a particular issue with NFS and LDAP permissions causing "Permission denied" when trying to access directories where my apache user is a member of another user's group, and there seems to be some kind of caching of permissions that is stopping me from getting into directories until the NFS server is restarted. I've tried reducing attribute caching timeouts as well as turning attribute caching off with noac, which helps to alleviate the problem on the client side but still requires a restart of NFS on the server side, otherwise there is a long (up to 15 minute) wait. The setup is as follows:

1) A random user and group are added to LDAP on the LDAP server, for example `matt`
2) `apache` is added as a memberUid to the group `matt` so that `apache` has access to everything that the group `matt` can read
3) Checking the groups for the `apache` user on the client shows it's a member of the `matt` group
4) Trying to access directories that are group-read/executable to `matt` (drwxr-x---) from `apache` produces "Permission denied"
5) Restarting the NFS server then allows the `apache` user to access the `matt`-owned directory

Originally, we didn't have the noac option on the client-side mount, and even after restarting the NFS server it would still be anywhere between 30 seconds and 15 minutes before the `apache` user had access to the directory; but turning on noac (or reducing actimeo to something small) means that after an NFS server restart we're able to use `apache` to access the directory straight away.

I'm just wondering if there's some sort of cache on the server side that also needs to be reduced, so that we don't have to restart the NFS server to avoid the 15-minute wait as well?

NFS-specific files and commands are as follows:

/etc/exports (on the server):
-----------------------------
/my/shared/dir x.x.x.x(rw,nohide,insecure,no_subtree_check,async)

/etc/fstab (on the client):
---------------------------
x.x.x.x:/my/shared/dir /my/shared/dir nfs defaults,noatime,actimeo=1 1 1

commands on the client (as the `apache` LDAP user):
---------------------------------------------------
$ whoami
apache
$ groups
apache matt
$ cd /my/shared/dir
$ ls -l
drwxr-s--- 7 matt matt 4096 Jul 6 16:56 matt
$ ls -a matt
ls: cannot open directory matt: Permission denied
(RESTART NFS SERVER)
$ ls -a matt
. ..
$

============
Matthew Ward
Web and Mobile Application Developer
Fubra Limited

w: www.fubra.com
e: matthew.ward@xxxxxxxxx
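To make the permission check in the transcript above concrete, here is an added example (not part of the original mail) that applies the plain POSIX owner/group/other rule to the `ls -l` line from the post. It evaluates `apache` against the `matt` directory under two group views: the one the client's `groups` command reports (`apache matt`) and a constructed, hypothetical view in which the supplementary group `matt` is missing, which is the kind of stale view the mail suspects on the server.

```python
"""POSIX access check for the directory shown in the mail.

Added example, not from the original post. It parses a single `ls -l` line
such as "drwxr-s--- 7 matt matt 4096 Jul 6 16:56 matt", takes a group list
in the format `groups` prints, and decides whether the requesting user may
read and search (r+x) the directory, which is what `ls -a matt` needs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    mode: str   # e.g. "drwxr-s---"
    owner: str
    group: str
    name: str


def parse_ls_line(line: str) -> Entry:
    """Parse one `ls -l` line (GNU ls column order: mode links owner group ...)."""
    fields = line.split()
    return Entry(mode=fields[0], owner=fields[2], group=fields[3], name=fields[-1])


def perm_bits(mode: str) -> dict:
    """Map owner/group/other to the set of permissions present, e.g. {'r', 'x'}.
    setuid/setgid show as 's' (exec set) or 'S' (exec clear); sticky as 't'/'T'."""
    out = {}
    for who, chunk in zip(("owner", "group", "other"), (mode[1:4], mode[4:7], mode[7:10])):
        bits = set()
        if chunk[0] == "r":
            bits.add("r")
        if chunk[1] == "w":
            bits.add("w")
        if chunk[2] in "xst":   # lowercase s/t mean the exec bit is also set
            bits.add("x")
        out[who] = bits
    return out


def may_access(entry: Entry, user: str, user_groups, wanted: str) -> bool:
    """Classic POSIX rule: owner class if the user owns the entry, else the
    group class if any of the user's groups matches, else other. Root is not
    special-cased here; NFS servers squashing or remapping ids are not modelled."""
    bits = perm_bits(entry.mode)
    cls = "owner" if user == entry.owner else "group" if entry.group in user_groups else "other"
    return set(wanted) <= bits[cls]


LS_LINE = "drwxr-s--- 7 matt matt 4096 Jul 6 16:56 matt"   # line from the mail
CLIENT_GROUPS = "apache matt".split()   # what `groups` printed on the client
STALE_GROUPS = ["apache"]               # constructed: a view that lacks `matt`


def listing_allowed(groups) -> bool:
    """Can `apache` run `ls -a matt`, i.e. does it hold r+x on the directory?"""
    return may_access(parse_ls_line(LS_LINE), "apache", groups, "rx")
```

With the client's group view the check passes, with the stale view it fails, so a "Permission denied" on a directory whose mode and ownership look correct points at a mismatch in which group list is being evaluated rather than at the mode bits themselves.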


--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

