Re: nfs group permissions not recognized between linux systems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/14/2017 7:11 PM, John Ratliff wrote:
I have been working on trying to setup an NFS server, but my clients cannot access the files after mounting.

It seems to be a problem with group permissions, but I can't figure out why.

My server is a debian 9 machine with kernel 4.9.51. If I use a debian client, either Debian 8 or Debian 9, everything works fine. However, if I try with an Ubuntu 14.04, 16.04, or CentOS 7 client, they cannot access the files.

My directory on the server has permissions 2750. It is owned by root with ssl-cert as the group. The ssl-cert group ID is 555. I have made sure that same group is on all the client machines and has the same ID of 555. The users I am trying to have access the files are members of this group. Yet I keep getting permission denied.

I have turned off the firewall (both on server and client). I have put ALL:ALL in /etc/hosts.allow. The machines are in the same subnet. They can ping one another and can SSH freely between them.

I have tried NFS v3 and NFS v4, but this doesn't matter.

This is my /etc/exports

/etc/ssl/wildcard.smithville.com 192.168.1.0/24(rw,sync,no_subtree_check)

I've tried making the Ubuntu 16.04 machine the server and the Debian machine the client, but I have the same problem (but Ubuntu to Ubuntu is fine, and Ubuntu server to CentOS 7 client works).

I'm not sure how to further troubleshoot.

Thanks for any suggestions.

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


After much googling, I have found the answer.

The Debian NFS server, by default, uses --manage-gids in the RPCMOUNTDOPTS in /etc/default/nfs-kernel-server. I guess I never looked very hard at that option, but what it means is that group membership is checked on the server, not trusted from the client. This is a good thing overall; it improves security and overcomes a limitation of the NFS protocol (16 group count).

In my case, the user on the client I was testing was UID 1003, which on the server he was UID 1000. So they both had the group, but UID 1003 on the server did not have the group, because that user did not exist. Therefore, permission denied.

Although it's not the best solution from a security standpoint, I'm going to disable the manage-gids option for now and limit access by hosts.allow and the firewall.

Thanks very much to https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1454112 this post.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux