Issues with LDAP user/group permissions on NFS share | Unix Linux Forums | Red Hat

#1 dfinn, 07-16-2009

I can't seem to make sense of this.

[sshaun@upilampdev ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
upi-nasc:/vol/upilampdev/html on /var/www/html type nfs (rw,addr=192.168.43.9)
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ ls -ld /var/www/html/test-dir
drwxrwxr-x 2 apache web-developers 4096 Jul 16 2009 /var/www/html/test-dir
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ ls -ld /tmp/test-dir
drwxrwxr-x 2 apache web-developers 4096 Jul 16 16:07 /tmp/test-dir
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ id
uid=1010(sshaun) gid=2016(sshaun) groups=48(apache),1018(prod-ultradent),1022(prod-upijapan),1024(stage-distributornews),1032(stage-ultradent),1036(stage-upijapan),1052(stage-upiitaly),1066(stage-upibrazil),1067(stage-upispanish),1080(stage-upicroatia),1081(prod-upispanish),1084(prod-sfd),1085(stg-valo),1089(prod-scripts),1091(stg-upifrench),1092(stg-upidutch),1094(web-developers),1095(stg-upirussian),2016(sshaun)
[sshaun@upilampdev ~]$ getent group web-developers
web-developers:x:1094:aangela,wjonathan,sshaun
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ touch /tmp/test-dir/file
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ touch /var/www/html/test-dir/file
touch: cannot touch `/var/www/html/test-dir/file': Permission denied

What might be causing this? That NFS share is being mounted from a NetApp and I don't believe it's being exported on there with any special options.

Edit: and to make things even more weird, this is only happening to 1 of the 4 users in the web-developers group.

Thanks,
Dan
#2 TonyFullerMalv (Forum Advisor), 07-16-2009
If this is being mounted using NFS V3 then NFS V3 will only honour the first 16 groups the user is a member of; the user sshaun has the web-developers group as their 18th group by my count.
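
To see which memberships fall outside the 16-group window described in the reply above, this shell sketch (an added example, not part of the thread) parses `id` output and reports each group's position. It assumes the client fills the 16-entry supplementary array of the AUTH_SYS credential from the `groups=` list in the order shown; positions are counted within that list only, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. AUTH_SYS credentials (RFC 5531,
# authsys_parms) carry uid, gid and a supplementary array gids<16>.
AUTH_SYS_MAX_GIDS=16

# Sample input: the `id` output copied from the thread's first post.
ID_SAMPLE='uid=1010(sshaun) gid=2016(sshaun) groups=48(apache),1018(prod-ultradent),1022(prod-upijapan),1024(stage-distributornews),1032(stage-ultradent),1036(stage-upijapan),1052(stage-upiitaly),1066(stage-upibrazil),1067(stage-upispanish),1080(stage-upicroatia),1081(prod-upispanish),1084(prod-sfd),1085(stg-valo),1089(prod-scripts),1091(stg-upifrench),1092(stg-upidutch),1094(web-developers),1095(stg-upirussian),2016(sshaun)'

# list_groups ID_OUTPUT: one "position gid name" line per groups= entry.
# Assumes group names contain no spaces or commas.
list_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        awk -F'[()]' '{ print NR, $1, $2 }'
}

# group_position ID_OUTPUT GROUP: position in the groups= list, 0 if absent.
group_position() {
    list_groups "$1" |
        awk -v g="$2" '$3 == g { print $1; hit = 1; exit } END { if (!hit) print 0 }'
}

# dropped_groups ID_OUTPUT: names past the limit. The primary gid is skipped
# because the credential carries it in its own gid field.
dropped_groups() {
    pgid=$(printf '%s\n' "$1" | sed -n 's/.*gid=\([0-9]*\).*/\1/p')
    list_groups "$1" |
        awk -v max="$AUTH_SYS_MAX_GIDS" -v p="$pgid" '$1 > max && $2 != p { print $3 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# check_group ID_OUTPUT GROUP: 0 = would be sent, 1 = dropped, 2 = not a member.
check_group() {
    pos=$(group_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then
        echo "$2: not in the groups= list"; return 2
    elif [ "$pos" -gt "$AUTH_SYS_MAX_GIDS" ]; then
        echo "$2: position $pos, past the ${AUTH_SYS_MAX_GIDS}-group limit"; return 1
    fi
    echo "$2: position $pos, within the limit"
}

check_group "$ID_SAMPLE" web-developers || true
echo "dropped: $(dropped_groups "$ID_SAMPLE")"
```

On a live client, pass `"$(id username)"` instead of `ID_SAMPLE` and check the group that owns the directory returning "Permission denied".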
#3 dfinn, 07-16-2009
Quote:
Originally Posted by TonyFullerMalv
If this is being mounted using NFS V3 then NFS V3 will only honour the first 16 groups the user is a member of; the user sshaun has the web-developers group as their 18th group by my count.

That might explain why it's randomly happening for this user as well as other users. I don't think LDAP keeps the groups in the same order every time. I did mount this with the -t NFS4 option and it didn't seem to fix the problem. I'll look into removing some of the groups from that user.
#4 TonyFullerMalv (Forum Advisor), 07-16-2009
On the LDAP systems I have seen, the groups are listed in the order the user was added to them, so you could try removing the user from all the secondary groups, adding the user back into the web-developers group first and then adding them back into the other groups?
#5 dfinn, 07-16-2009
Removing him from several groups fixed the issue.

Should this be fixed in NFS_V4? I mounted this same NetApp share with mount.nfs4 and it didn't seem to make a difference. Does the NetApp have to be NFS4 aware?
#6 TonyFullerMalv (Forum Advisor), 07-20-2009
NFS V4 will overcome the limit of 16 groups. The NetApp filer either needs to use the LDAP system or else replicate the users and groups in local files, if it is not already, so it "knows" who the users are and what groups they are in.
#7 velmont, 08-06-2009
You can add --manage-group-gids to the server. It'll fix this problem, if you're not having the same problem as me (I can't find a solution to it).

Cut down the groups until you've only got 3-4 and then test... If it's the same, then we're in the same boat.