Dec 02 2007
 

Symptoms

The client gets permission denied on some item inside an NFS mount (this is not a mount problem). Everything looks OK: the user should have access to the file because he is in the correct group, the file has the correct permissions, and the IDs map/are the same on both sides (idmapd does not report any issues), but there is still no access to the file from the client.

Source of the Problem

NFS, even NFSv4, most often uses AUTH_SYS to authenticate requests. AUTH_SYS only allows 16 groups to be transmitted with a request. My Linux client (kernel 2.6.22, nfs-common 1.1.1) truncated the group list and only sent the first 16, resulting in this seemingly inexplicable “access denied” even though the user was a member of the group on both the client and the server.
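The following diagnostic is an added example, not code from the original post: it checks whether the group that should grant access to a file falls within the gids an AUTH_SYS request can carry (the wire format has one primary gid plus at most 16 supplementary gids). It assumes the client sends the groups in the order `id -G` lists them (primary first), and the function names and the sample gid list are constructed for illustration.

```shell
#!/bin/sh
# AUTH_SYS (auth_unix) carries one primary gid plus at most 16 supplementary
# gids per RPC call; a user in more groups than that has the remainder
# silently dropped on the wire, so a file readable only through one of the
# dropped groups returns "permission denied" from the server even though
# every local check on the client passes.
#
# Assumption: groups are sent in the order `id -G` prints them (primary
# first, then supplementary). The sample gid list below is constructed.

AUTH_SYS_MAX_SUPPL_GROUPS=16

# check_group_on_wire GID "GID_LIST"
#   GID       the group expected to grant access (e.g. the file's group owner)
#   GID_LIST  the user's groups, primary first, as `id -G` prints them
# exit status: 0 = group would be transmitted, 1 = group would be truncated,
#              2 = user is not in that group at all
check_group_on_wire() {
    want=$1
    set -- $2                 # split the list into positional parameters
    primary=$1; shift         # first entry is the primary gid, always sent
    [ "$want" = "$primary" ] && return 0
    pos=0
    for g in "$@"; do
        pos=$((pos + 1))
        if [ "$g" = "$want" ]; then
            [ "$pos" -le "$AUTH_SYS_MAX_SUPPL_GROUPS" ] && return 0
            echo "gid $want is supplementary group #$pos; only the first" \
                 "$AUTH_SYS_MAX_SUPPL_GROUPS are sent with AUTH_SYS" >&2
            return 1
        fi
    done
    return 2
}

# Live check: would the current user's access to FILE survive AUTH_SYS?
# (Uses GNU coreutils' stat -c to read the file's group owner.)
check_file_access() {
    check_group_on_wire "$(stat -c %g "$1")" "$(id -G)"
}

# Constructed sample: a user in 21 groups whose file-owning group (2001)
# is the 18th supplementary group and therefore never reaches the server.
SAMPLE_GIDS="1000 4 24 27 30 46 100 101 102 103 104 105 106 107 108 109 110 111 2001 2002 2003"
```

Run `check_file_access /path/on/nfs/mount` as the affected user on the client; exit status 1 means the group that grants access is being truncated.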

Solution

A quick fix is reducing the number of groups the user is a member of.

A better solution is to use a different authentication mechanism instead of AUTH_SYS (which does not provide real security anyway); the suggested one is RPCSEC_GSS. I read somewhere that at the moment (2007-12-02) only Kerberos is properly supported in the Linux GSS library, but I’m not certain about that. I went ahead and set up Kerberos, simply because it’s known to be mature: NFSKerberos.

Resources

I found out about the problem in Eisler’s NFS Blog, which includes many more details on this issue.