# NFS group permissions won't work

## weird wonko

I cannot access files on a share from a remote machine, unless the permissions are set to allow reading/writing for every user.

My setup: weird is the local machine, zone the server. The exported mpeg directory is owned by user p2p and group p2p, the GID and UID are the same on the client.

Here are the relevant parts of the config files.

/etc/exports on zone:

```
/data/store/mpeg   192.168.1.0/255.255.255.0(rw)
```

/etc/fstab on weird:

```
zone:/data/store/mpeg   /mnt/mpeg      nfs   async,rsize=8192,wsize=8192   0 0
```

Checking permissions on weird:

```
# ls -ld /mnt/mpeg
drwxrwxr-x  14 p2p p2p 4096 20. Sep 21:09 /mnt/mpeg
```

Checking groups:

```
# groups
disk lp wheel cron audio cdrom dialout video games cdrw users slocate portage cvs weirdos wonko mp3 atv xcdwrite cdrecording p2p
```

Trying to create a file there:

```
# touch /mnt/mpeg/foo
touch: cannot touch `/mnt/mpeg/foo': Permission denied
```

So, I am in group p2p, but cannot write to the share, even if group p2p has write permissions set. Same goes for reading, if I do a chmod o-r on the share.

While testing this I changed the group of the mpeg directory to audio, just because these groups are also the same on both machines. And now it works as it should!

It also works from another machine. This leaves me puzzled. I'm out of ideas.

----------

## BlinkEye

I don't get write permission either, only with root if no_root_squash is enabled, which I don't want. Any ideas?

[EDIT]solved for me -> kernel upgrade from 2.6.8-mm2 to 2.6.10-mm2[/EDIT]

[EDIT2]and changing the UIDs so they were the same on both computers[/EDIT2]

----------

## weird wonko

It's still not working. I'm at gentoo-dev-sources-2.6.10-r6 now.

The UIDs are identical on both systems.

----------

## Chris W

Since you are attempting to access the remote share as root you probably want to look at the User ID Mapping section in the exports(5) man page.  By default, the root UID is mapped to an anonymous user.

----------

## weird wonko

No, I am not root. Just a user in the p2p group, but having no access despite group access rights being set on the share.

----------

## weird wonko

This is becoming really annoying, so I did some more tests. There are really weird things going on here.

The problem happens on one of my machines only, and only with my user. But I could reproduce the problem after adding a test user and giving it all of my groups. I then removed the groups, one after another, and suddenly it was working again.

Same goes for me. After removing some probably not so necessary groups like cdrecord, dialout and video, I could access a remote directory where I had only matching group permissions. 

I am in 22 groups now. When I add any other group to my groups, access is denied again.

Strange, huh?

----------

## thecooptoo

Is this the same problem that I (and others) are having?

https://forums.gentoo.org/viewtopic-t-370765-highlight-.html

----------

## weird wonko

I don't think so. Mounting is okay, it's a permission only.

----------

## Chris W

Check that UIDs align between client and server for the user(s) concerned: 

```
root@server# id -a chrisw

uid=1000(chrisw) gid=100(users) groups=10(wheel),100(users),250(portage),409(mailusers)
```

vs.

```
root@client# id -a chrisw

uid=1000(chrisw) gid=100(users) groups=10(wheel),100(users),250(portage),409(mailusers)
```

It is the UID (i.e. 1000) that is passed from client to server not the user name (i.e. chrisw).   If UID=1000 on the server is not user name chrisw then you will have problems, not to mention potentially embarrassing privacy breaches.

----------

## weird wonko

The UIDs are the same.

----------

## Chris W

My bad...been down the UID path before.

How are you mounting the export on the client?  Are you using /etc/init.d/netmount, nfsmount, or manually?  Are portmap and rpc.statd running on the client?  Are there any associated error messages in dmesg or /var/log/messages on client or server?

----------

## weird wonko

Oh, sorry for not responding, I overlooked your answer.

My setup is currently working, somehow. I had to remove some groups from my account, which was quite annoying, as I had to switch from time to time: Without being in games, all was fine, but then I wanted to play, so I re-added myself to this group, and removed lp, until I needed to print, and so on. I don't remember which group I removed last, but I don't seem to need it often, because I had no problems for a while :)

But I think I just found the answer: It looks like NFS works only with up to 16 groups. I just read this in article <2005Dec22.180925@mips.complang.tuwien.ac.at> on alt.os.linux.gentoo. Googling for "NFS 16 groups" seems to confirm this. Oh my. Sometimes NFS really sucks in my opinion, I would never have thought about such a problem.

Here is my current list of groups:

users: my primary group

lp: yes I want to print

wheel: I want to su

cron: I need cron jobs

audio: yes, I want this

cdrom: probably needed to access CD-ROMs

dialout: needed for my ISDN setup

video: I don't remember what that was for, but I think I ran into a problem when I temporarily disabled that

games: sure!

slocate: also a must-have

p2p: that's where all the trouble started

vmware: I guess this has a purpose

portage: I could do it as root only, but I'd like to use portage as a regular user, too

13 groups until here. This is getting close.

cdrecording: I don't know, but I guess I need this

xcdwrite: Wasn't this only for xcdroast? Then I can get rid of it.

stats: Probably not necessary.

And some more groups that I created:

mp3: I do not like to have everyone access my MP3s

atv: My company's stuff, must not be available to others

wonko: another group only for me, I could remove that

ecat: another group having to do with my company, also not really important, but nice to have

So I can get below the 16-group-limit if necessary, but it's not very convenient. Well, I'll see if I get into trouble again, and until that I will keep the setup as it is. But I guess I now know what to do just in case.

----------

## Kentar

Hi

I've had the same problem, but I discovered something helpful:

If you've got more than 16 groups, NFS cuts off everything behind the 16th group. Change your necessary group ID (the one which is needed by NFS to have write permissions) so it is inside this limit.

With it, it is possible to be in more than 16 groups and have group permissions with NFS. At least it works for me.

----------
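Added example (not part of any post in this thread): a Python check for the truncation weird wonko and Kentar describe, run over a line of `id` output. The group names come from the first post; the GIDs, the `wonko` user name, the function names and the assumption that the client sends the first 16 listed groups in order are illustrative.

```python
import re

AUTH_SYS_MAX_GROUPS = 16  # the 16-group limit discussed in this thread

# Constructed sample: group names from the first post, GIDs invented here.
NAMES = ("disk lp wheel cron audio cdrom dialout video games cdrw users "
         "slocate portage cvs weirdos wonko mp3 atv xcdwrite cdrecording p2p").split()
SAMPLE = "uid=1000(wonko) gid=%d(users) groups=%s" % (
    100 + NAMES.index("users"),
    ",".join("%d(%s)" % (100 + i, n) for i, n in enumerate(NAMES)))


def parse_id(line):
    """Parse one line of `id` output into (uid, gid, [(gid, name), ...])."""
    m = re.match(r"uid=(\d+)\([^)]*\) gid=(\d+)\([^)]*\) groups=(.*)$", line.strip())
    if not m:
        raise ValueError("not an id(1) line: %r" % line)
    groups = [(int(g), n) for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(3))]
    return int(m.group(1)), int(m.group(2)), groups


def check_access(id_line, needed_group, limit=AUTH_SYS_MAX_GROUPS):
    """Report whether needed_group survives truncation to `limit` groups.

    Assumption (labelled, not from the thread): the client sends the first
    `limit` entries of the groups= list in the order shown and drops the rest.
    """
    _uid, _gid, groups = parse_id(id_line)
    names = [name for _, name in groups]
    sent, dropped = names[:limit], names[limit:]
    if needed_group not in names:
        status = "not-a-member"   # ordinary permission problem, not truncation
    elif needed_group in sent:
        status = "sent"           # server sees the membership
    else:
        status = "truncated"      # member locally, but server never hears of it
    return {"total": len(names), "status": status, "dropped": dropped}


if __name__ == "__main__":
    for group in ("p2p", "audio"):
        print(group, check_access(SAMPLE, group))
```

With the constructed sample, `p2p` lands in the dropped tail while `audio` is sent, which matches the behaviour reported in the first post when the directory's group was switched to audio.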

## Kaboosh

*weird wonko wrote:*

> Oh, sorry for not responding, I overlooked your answer.
>
> But I think I just found the answer: It looks like NFS does work only with up to 16 groups. I just read this in article <2005Dec22.180925@mips.complang.tuwien.ac.at> on alt.os.linux.gentoo. Googling for "NFS 16 groups" seems to confirm this. Oh my. Sometimes NFS really sucks in my opinion, I would never have thought about such a problem.

OH MY GOD!  You said it buddy! Let me tell you about the profanity-filled NFS adventure that I just had this weekend:

First I had my family's hard-disk die ... and they live quite a distance away ... so thinking that I was so smart I asked my fiance if I could snag the 2nd HDD in her PC to give them - I promised her I could set it up to use "My Computer" downstairs, that I could have it running in no time, and that she wouldn't even notice a difference.  So I backed up her files to my PC downstairs and took out the drive ... all the while thinking that it'll be pretty nice not to be maintaining 2 sets of home directories and settings...

So first I set up NFS and bizarre things are happening.  Folders sometimes appear...sometimes don't...files are read as empty (0 bytes).  I take the network out of the equation by mounting my second drive as /testing on my PC and then mount /home via NFS locally.  TADA!  The problem is reproduced!  I finally figure out that only files of which I am not the owner or o (all users) don't have access to.  I finally find out that I'm only running the NFSv2 server/client so I go about downloading the latest gentoo-sources, reconfiguring, and recompiling as this was also opportunity for a kernel update.

(Now from what I can gather of the behaviour exhibited by NFSv2 is that it doesn't give "permission denied" when you don't have access - it simply doesn't list the folder or provide the contents of the file without any other explanation...and not only is it limited to 16 groups but they are applied to users in random order, hence the "randomness" of these empty/missing files/folders.)

I finally get the NFSv3 server/client option running and now I can't access files, although they appear consistently.  I count my groups and there's only 12 I am a member of ... but (AHA) I am using the PAM_GROUP authentication module to add my users to additional groups when they log on locally (mainly for device access such as that of soundcards, cdrom, etc...).  When I take that list into account the number is like 26 ... and when I bumped "users" further up the list as suggested above it worked like a charm!  This raises a concern, however, that NFS mounts apply the permissions of a locally-logged on user in respect to PAM_CONSOLE!

Anyways, thanks for the life-saving informative post guys (and I mean life-saving, I think my fiance's about ready to kill me)!

----------

## RAPHEAD

Hi,

For all who experience problems with NFSv4 similar to those described in this thread, I found a solution:

If you can't get your UID / GID stuff properly resolved on the client side (using netmount), you probably need to start the nfs services -- that was at least the problem with my setup.

So do:

```
cd /etc/init.d
./nfs start
```

and try to mount again using

```
./netmount restart
```

@chrisw

You made me think about whether nfs is actually running or not -- thx

----------

