16 groups membership limit (part 2)


 
# 1  
Old 02-12-2010

Part 1 is here: Group membership limit

So I am having to solve and re-visit this problem... I've tried various OSes (Solaris 10/OpenSolaris/Mac OS X/Debian) and ngroups_max settings; some work for local filesystems but not over NFSv4.

Peter Harvey's blog

Eisler's NFS Blog: What's the deal on the 16 group id limitation in NFS?

Bug ID: 4088757 Customer would like to increase ngroups_max more than 32

Has anyone overcome this problem of being limited to 16 groups over NFS?

---------- Post updated at 03:46 PM ---------- Previous update was at 09:37 AM ----------

I've been given a hint to use AUTH_DH: Diffie-Hellman authentication over NFS to achieve more than 16 group permissions...

So I've been trying my hardest but cannot get the keys and authentication set up correctly for this to work. My attempt with:
Code:
mount -F nfs -o sec=dh server:/var/tmp/test /mnt

hangs forever! Could someone explain how I set up these authentication keys on the server and client for this to work, please?

I am running NIS, on the NFS server I have in the /etc/dfs/dfstab

Code:
share -F nfs -o sec=dh,rw=client,root=client /var/tmp

On each server and client I've run newkey -h server/client and I've even done this on the NIS master and pumped the keys out using the publickey file. Nothing seems to be working... why? Am I missing out a step here? Help or hints will be appreciated!
# 2  
Old 02-13-2010
One thought is to make absolutely sure you are mounting using NFS Version 4 by specifying that in the mount line, e.g.:
Code:
mount -o vers=4 nfs_server:/export_path /mount_point

Or amend /etc/default/nfs to prevent the system dropping back to NFS V3 or V2 (a bit drastic though).

The other suggestion is to confirm that the kernel change has been picked up by running:
Code:
getconf -a | grep ngroups

in order to check what the kernel reports the maximum number of groups to be. That said, on boot you get a warning message that having more than 16 groups will break with NFS V3, which should be obvious enough.

The increasing of the number of groups is only a case of putting the line into /etc/system, e.g.:
Code:
set ngroups_max=32

and rebooting. It is not a hack but a long-recognised but little-used configuration change, due to the NFS problem.
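
An added example, not part of the original posts: raising `ngroups_max` changes the local limit, but an AUTH_SYS credential still carries at most 16 group IDs, so it helps to know which accounts are actually over that number. The function names, user names and group entries below are constructed for illustration.

```shell
#!/bin/sh
# Added example: report users listed in more distinct groups than the
# 16-entry gid array of an AUTH_SYS credential can carry.

# users_over_limit [LIMIT]
# Reads group(4)-format lines (name:passwd:gid:member,member,...) on stdin
# and prints "user count" for each user in more than LIMIT distinct gids.
users_over_limit() {
    awk -F: -v limit="${1:-16}" '
        /^[#+-]/ || NF < 4 { next }      # comments, NIS compat lines, short lines
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                gsub(/[ \t]/, "", u)
                # count each (user, gid) pair once, even if listed twice
                if (u == "" || seen[u, $3]++) continue
                count[u]++
            }
        }
        END {
            for (u in count)
                if (count[u] > limit) print u, count[u]
        }
    ' | sort
}

# Constructed sample: alice in 18 groups, bob in exactly 16, carol in 3,
# plus a duplicate entry for gid 1001 that must not be double counted.
make_sample_group_file() {
    i=1
    while [ "$i" -le 18 ]; do
        members="alice"
        if [ "$i" -le 16 ]; then members="$members,bob"; fi
        if [ "$i" -le 3 ]; then members="$members,carol"; fi
        echo "proj$i::$((1000 + i)):$members"
        i=$((i + 1))
    done
    echo "proj1dup::1001:alice,alice"
}

make_sample_group_file | users_over_limit 16
```

On a live host, feed it `getent group` (or `ypcat group` for the NIS map) instead of the sample. The count covers only memberships listed in the group map, not the primary group from the passwd entry.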
# 3  
Old 02-15-2010
Many thanks for the reply and ideas. I have checked all that's suggested and they are all correct, but this still does not work, and still hangs.

I think the current problem is to do with the authentication keys... please help! Here are some log messages:

Code:
client# mount -F nfs -o vers=4,sec=dh server:/var/tmp/test /mnt

nfs mount: mount: /mnt: Invalid argument

client# tail messages
Feb 15 12:42:21 client rpcsec: [ID 270986 kern.notice] NOTICE: authdes_create: unable to get client's netname: RPC: Timed out (error 5)
Feb 15 12:49:19 client last message repeated 3 times
Feb 15 12:49:19 client nfs: [ID 120876 kern.warning] WARNING: NFS server initial call to server failed: Invalid argument

What RPC service should be running? NIS (ypbind) certainly is...

---------- Post updated at 03:53 PM ---------- Previous update was at 01:24 PM ----------

More error messages:
Code:
Feb 15 13:13:20 client rpcsec: [ID 270986 kern.notice] NOTICE: authdes_create: unable to get client's netname: RPC: Timed out (error 5)
Feb 15 13:16:51 client last message repeated 1 time
Feb 15 13:20:19 client rpcsec: [ID 270986 kern.notice] NOTICE: authdes_create: unable to get client's netname: RPC: Timed out (error 5)
Feb 15 13:20:19 client nfs: [ID 120876 kern.warning] WARNING: NFS server initial call to server failed: Invalid argument
Feb 15 13:35:07 client rpcsec: [ID 270986 kern.notice] NOTICE: authdes_create: unable to get client's netname: RPC: Timed out (error 5)
Feb 15 13:42:06 client last message repeated 3 times
Feb 15 13:42:06 client nfs: [ID 120876 kern.warning] WARNING: NFS server initial call to server failed: Invalid argument

What other services do I need to run? (ypbind is certainly running)...
# 4  
Old 02-15-2010
Two suggestions:
1. Make an alternative mount point to /mnt, e.g. /mount and try it.

2. Can the NFS server ping the client by name and can the NFS client ping the server by name? If not, then either put their names and IP addresses in each end's hosts file or else put them into the NIS hosts table.

If still no success then what does running:
Code:
# rpcinfo -p server

show you when run on the client?
# 5  
Old 02-16-2010
1. Done this and it does not work (so mount point /mnt is not the problem).
2. Yes, and yes. In fact a normal NFS share (without the sec=dh) shares and mounts (on /mnt) no problems. So I assume it is all to do with keys and AUTH_DH authentication and the mounting method. Anyone got any suggestions on how to do this..?

Code:
client# rpcinfo -p server
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32773  status
    100024    1   tcp  32772  status
    100133    1   udp  32773
    100133    1   tcp  32772
    100004    2   udp   1023  ypserv
    100004    1   udp   1023  ypserv
    100004    1   tcp   1017  ypserv
    100004    2   tcp  32773  ypserv
1073741824    2   udp  32774
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100007    3   udp  32781  ypbind
    100007    2   udp  32781  ypbind
    100007    1   udp  32781  ypbind
    100007    3   tcp  32776  ypbind
    100007    2   tcp  32776  ypbind
    100007    1   tcp  32776  ypbind
1073741824    1   tcp  32777
    100011    1   udp  32787  rquotad
    100005    1   udp  32790  mountd
    100005    1   tcp  32779  mountd
    100005    2   udp  32790  mountd
    100005    2   tcp  32779  mountd
    100005    3   udp  32790  mountd
    100005    3   tcp  32779  mountd
    100003    4   tcp   2049  nfs
