# issue with group permissions on NFS share

## ferg

With an NFS share that is group writable, a member of that group on the client cannot get group permissions. The user only has the same permissions as all users.

- GID is the same on the server and client of the "users" group.

- Remote folder has permissions of 774.

- Local user can only read but not write even though they have "users" as a secondary group.

- NFS is V4.

Any clues? Ta!

----------

## mike155

Is the user member of more than 16 groups? 

If that's the case, it could be that you hit the NFS 16 group limit.

----------

## ferg

 *mike155 wrote:*   

> Is the user member of more than 16 groups? 
> 
> If that's the case, it could be that you hit the NFS 16 group limit.

 

Thanks. I was not aware of that limit. The user was a member of 17 groups. So I removed 3 (including a CDROM group that had cobwebs on it!), logged out, restarted NFS and remounted the share.

However, the issue is still there.

I did notice that weirdly the root folder of that NFS share has the exact same permissions, but I CAN create a file in there with the same user. 

Weird!

----------

## mike155

Please show us the output of the commands below:

```
id

cd <root folder where you can create a file>

ls -lad

ls -ldan

findmnt -T .

cd <directory where you can't create a file>

ls -lad

ls -ldan

findmnt -T .

```

----------

## ferg

 *mike155 wrote:*   

> Please show us the output of the commands below:
> 
> ```
> id
> ...
> ```

 

Thanks. Here you go. (It's not a direct terminal output as I use a fancy ZSH prompt that obscures the useful stuff). All I can see is that it's NFS3 and not 4 as I previously thought.

The obvious thing I guess is that I have the wrong permissions on the root folder (777) rather than the 774 I thought I had! Hence the difference. 

 /mnt/media/Video

```
  % touch chris
  % id
uid=1000(chris) gid=10(wheel) groups=10(wheel),16(cron),18(audio),27(video),35(games),81(apache),85(usb),100(users),444(plugdev),455(realtime),999(docker),1007(cvs_users),1016(svnusers),1020(motion)
  % ls -lad
drwxrwxrwx 1 100 users 208 Apr  2 09:15 .
  % ls -ldan
drwxrwxrwx 1 100 100 208 Apr  2 09:15 .
  % findmnt -T .
TARGET     SOURCE             FSTYPE OPTIONS
/mnt/media ulrich:/data/media nfs    rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.12,mountvers=3,mountport=50952,mountproto=udp,local_lock=none,addr=192.168.1.12
```

/mnt/media/Video/TV

```
  % touch chris
touch: cannot touch 'chris': Permission denied
  % ls -lad
drwxrwxr-x 1 100 users 1720 Feb  4 13:14 .
  % ls -ldan
drwxrwxr-x 1 100 100 1720 Feb  4 13:14 .
  % findmnt -T .
TARGET     SOURCE             FSTYPE OPTIONS
/mnt/media ulrich:/data/media nfs    rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.12,mountvers=3,mountport=50952,mountproto=udp,local_lock=none,addr=192.168.1.12
```

Thank you.

Cheers,

Chris

----------

## mike155

Thanks for the output. Group matching doesn't seem to work, everything else looks good.

What type of NFS server is it? Is it a Linux machine? Or a NetApp? Or a NAS? Can you log in on that machine?

----------

## Jaglover

 *Quote:*   

> - NFS is V4.

 

Where are the NFSv4 mounts? They all show mountvers=3.

----------

## ferg

 *Jaglover wrote:*   

> *Quote:*
>
> > - NFS is V4.
>
> Where are the NFSv4 mounts? They all show mountvers=3.

  Yeah, that surprised me too. I commented on it earlier.

----------

## ferg

 *mike155 wrote:*   

> Thanks for the output. Group matching doesn't seem to work, everything else looks good.
> 
> What type of NFS server is it? Is it a Linux machine? Or a NetApp? Or a NAS? Can you log in on that machine?

 

It's a ReadyNAS (running some Debian version). I do have SSH access to it.

----------

## mike155

Your NFS client machine seems to be fine.

I guess that something is wrong on your ReadyNAS. Please check the NFS related settings on your ReadyNAS, especially settings related to user and group mapping. An NFS server must map user and group names/ids of the NFS clients to its own settings. Usually, there are a couple of options that control how this is done.

You could also search Google for 

```
ReadyNAS group "permission denied"
```

Google returns several results. So it seems that you are not the only one having trouble with permissions.

----------

## Hu

 *ferg wrote:*   

> The obvious thing I guess is that I have the wrong permissions on the root folder (777) rather than the 774 I thought I had!

774 is an odd choice. Usually, if you grant read on a directory, you should also grant search.

*ferg wrote:*

> ```
>   % touch chris
> ```
> ...

Please show the output of `ls -l chris; ls -ln chris` after this touch succeeds.

*ferg wrote:*

> ```
> drwxrwxrwx 1 100 100 208 Apr  2 09:15 .
> ```
> ...

Although this may be useful for testing, world write access is almost always a bad idea, and is especially bad if you do not also enable the sticky bit.

Is all-squashing enabled on this server?

----------

## ferg

 *Hu wrote:*   

> > *ferg wrote:* The obvious thing I guess is that I have the wrong permissions on the root folder (777) rather than the 774 I thought I had!
>
> 774 is an odd choice. Usually, if you grant read on a directory, you should also grant search.
>
> > *ferg wrote:*
> >
> > ```
> >   % touch chris
> > ```
>
> ...

 

Sorry the permissions everywhere _should_ be 775 not 774. I'm not sure why the root folder is like that. I likely changed it in a rush a while ago for some reason, then forgot to change it back.

I'm afraid that I do not know what "all-squashing" means. Is this similar to root squash? In which case this client is.

```
chris@scotgate /mnt/media/Video/TV
  % cd ..
chris@scotgate /mnt/media/Video
  % touch chris
chris@scotgate /mnt/media/Video
  % ls -l chris
-rw-r--r-- 1 chris wheel 0 Apr  3 10:32 chris
chris@scotgate /mnt/media/Video
  % ls -ln chris
-rw-r--r-- 1 1000 10 0 Apr  3 10:32 chris
```

I think the best bet for me is to take this to the ReadyNAS forums. It seems Gentoo is behaving properly, so the fault must lie elsewhere! Thank you everybody for your valuable help!

Stay safe and healthy.

Cheers

Ferg

----------

## Hu

Yes, all-squash is related to root-squash.  In root-squashing, client requests that claim to have uid=0 are squashed to the anonymous uid, but other requests use the uid sent by the client.  In all-squashing, all client requests are squashed to the anonymous uid, completely ignoring what they were on the client.  This can be useful if the share is intended to provide the same level of access to every user.  On a home LAN, you might use this for a media server where all clients are intended to be able to watch the same videos / play the same songs.  On a corporate LAN, it might be used as a mirror of publicly offered files (such as a local cache of Fedora/Debian/Ubuntu packages).
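
Added example (not code from any poster in this thread): a simplified Python model of how a `sec=sys` NFS server arrives at the identity it checks, combining the 16-group limit mentioned earlier with the root-squash and all-squash behaviour described above. Assumptions: the anonymous id is 65534, the client sends the first 16 supplementary groups in list order, ACLs are ignored, and the `MANY` group list is constructed for illustration.

```python
from dataclasses import dataclass

AUTH_SYS_MAX_GROUPS = 16  # sec=sys (AUTH_SYS) carries at most 16 supplementary gids
ANON = 65534              # assumed anonuid/anongid (the usual Linux default)

@dataclass
class Export:
    root_squash: bool = True
    all_squash: bool = False
    anonuid: int = ANON
    anongid: int = ANON

def server_creds(uid, gid, groups, exp):
    """Identity the server acts as for one request, after truncation and squashing."""
    groups = list(groups)[:AUTH_SYS_MAX_GROUPS]  # assumption: client sends the first 16
    if exp.all_squash:                           # every caller becomes anonymous
        return exp.anonuid, exp.anongid, []
    if exp.root_squash:                          # only id 0 is remapped
        uid = exp.anonuid if uid == 0 else uid
        gid = exp.anongid if gid == 0 else gid
        groups = [exp.anongid if g == 0 else g for g in groups]
    return uid, gid, groups

def can_create(creds, owner, group, mode):
    """Owner/group/other check for creating an entry in a directory (needs w+x)."""
    uid, gid, groups = creds
    if uid == 0:
        return True                              # unsquashed root bypasses mode bits
    if uid == owner:
        bits = mode >> 6
    elif gid == group or group in groups:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 0o3) == 0o3

# Constructed sample using the ids posted in the thread; directories are 100:100.
CHRIS = dict(uid=1000, gid=10, groups=[10, 16, 18, 27, 35, 81, 85, 100, 444, 455, 999, 1007, 1016, 1020])
MANY = dict(CHRIS, groups=list(range(2000, 2016)) + [100])  # constructed: gid 100 is 17th

def scenarios():
    plain, squashed = Export(), Export(all_squash=True)
    return {
        "775 no all_squash": can_create(server_creds(**CHRIS, exp=plain), 100, 100, 0o775),
        "775 all_squash": can_create(server_creds(**CHRIS, exp=squashed), 100, 100, 0o775),
        "777 all_squash": can_create(server_creds(**CHRIS, exp=squashed), 100, 100, 0o777),
        "775 17 groups": can_create(server_creds(**MANY, exp=plain), 100, 100, 0o775),
        "775 root, root_squash": can_create(server_creds(0, 0, [0], plain), 100, 100, 0o775),
    }
```

In this model a file created under all-squash would be owned by the anonymous uid and gid, which is what `ls -ln` on a freshly created file makes visible.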

----------

## ferg

Hu: Thanks for the explanation.

Root squash is enabled on the server, but not all-squash.

----------

