NFS permission strangeness

Rick Macklem rmacklem at uoguelph.ca
Fri Apr 16 00:16:48 UTC 2010



On Thu, 15 Apr 2010, Giulio Ferro wrote:

> Here's the setup:
> server : NFS server machine (fb 8 stable amd64 )
> client : NFS client machine (as above)
>
> server and client are both sharing the same permission database through ldap:
>
> Both have in /etc/nsswitch.conf
> ...
> group: files ldap
> ...
> passwd: files ldap
>
> This issue isn't related to ldap, however. I get the same result if I manually add
> groups to /etc/group file (read on)
>
> Let's suppose I have user "giulio" configured in my system.
> giulio is also part (-G) of groups:
> group1, group2, group3, ... , group10
>
> server is exporting the directory
> /path/to/root (on zfs)
>
> the directory
> /path/to/root/dir/etc/subdir1
> has permission 770 and group ownership "group3"
>
> I login as user "giulio" on server and I can enter "subdir1" directory, since I'm
> member of group "group3"
>
> I then login as user "giulio" on client, and I can do the same (as expected).
>
>
> When groups are more than a few, however, I get this strange behavior:
>
> let's suppose the directory:
> /path/to/root/dir/etc/subdir2
> has permission 770 and group ownership "group10"
>
> What happens is that I can access "subdir2" on the server machine when I
> login as "giulio", but when I try to access that same dir on the client machine
> I get:
> $ cd /path/to/root/dir/etc
> (ok)
> $ cd subdir2
> subdir2/: Permission denied.
>

Yes, it should work. I just tried the same thing with a server running
UFS/FFS and it worked fine, so I think that the problem might be ZFS 
related. (You will get into trouble with more than 16 groups, since
that is all that AUTH_SYS for Sun RPC handles, but I did 10 like your
example and it worked ok for me, using FreeBSD-CURRENT client/server,
except that my server uses UFS/FFS.)

Hopefully someone with ZFS expertise can help out here?

If you can conveniently do the same test using a server that exports
a UFS/FFS file system, that would be helpful w.r.t. isolating the
problem.

rick
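
The 16-group AUTH_SYS limit mentioned in the reply, as an added example that is not part of the original message: it builds the `authsys_parms` credential body from RFC 5531 (`gids<16>`) and shows which group memberships a server can see. The uid/gid numbers and host name are constructed, and it assumes the client sends the first 16 supplementary groups in order.

```python
import struct

AUTH_SYS_MAX_GIDS = 16  # gids<16> in authsys_parms (RFC 5531, appendix A)

def xdr_uint(n):
    return struct.pack(">I", n)

def xdr_string(s):
    data = s.encode("ascii")
    return xdr_uint(len(data)) + data + b"\x00" * ((4 - len(data) % 4) % 4)

def split_groups(gids):
    """Return (sent, dropped): what fits in the credential and what does not."""
    return list(gids[:AUTH_SYS_MAX_GIDS]), list(gids[AUTH_SYS_MAX_GIDS:])

def encode_authsys(stamp, machine, uid, gid, gids):
    """XDR-encode stamp, machinename, uid, gid, gids<16>."""
    sent, _ = split_groups(gids)  # assumption: client keeps the first 16
    body = xdr_uint(stamp) + xdr_string(machine) + xdr_uint(uid) + xdr_uint(gid)
    return body + xdr_uint(len(sent)) + b"".join(xdr_uint(g) for g in sent)

def decode_ids(body):
    """Server-side view: parse the credential and return (uid, gid, gids)."""
    (n,) = struct.unpack_from(">I", body, 4)       # machinename length
    off = 8 + n + (4 - n % 4) % 4                  # skip padded string
    uid, gid, count = struct.unpack_from(">III", body, off)
    return uid, gid, list(struct.unpack_from(">%dI" % count, body, off + 12))

def server_grants_group_access(body, dir_gid):
    """Group check a server could do using only what the credential carries."""
    _, gid, gids = decode_ids(body)
    return dir_gid == gid or dir_gid in gids

if __name__ == "__main__":
    # Constructed sample: uid 1001 with 10 groups (as in the report), then 20.
    ten = list(range(2001, 2011))
    twenty = list(range(2001, 2021))
    cred10 = encode_authsys(0, "client", 1001, 1001, ten)
    cred20 = encode_authsys(0, "client", 1001, 1001, twenty)
    print("10 groups, dir gid 2010:", server_grants_group_access(cred10, 2010))
    print("20 groups, dir gid 2016:", server_grants_group_access(cred20, 2016))
    print("20 groups, dir gid 2017:", server_grants_group_access(cred20, 2017))
    print("dropped from credential:", split_groups(twenty)[1])
```

With ten groups every gid fits in the credential, so the limit by itself does not account for a denial on the tenth group.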


More information about the freebsd-stable mailing list