NFS permission strangeness
Rick Macklem
rmacklem at uoguelph.ca
Fri Apr 16 13:57:22 UTC 2010
On Fri, 16 Apr 2010, Giulio Ferro wrote:
> On 16.04.2010 10:29, Sean wrote:
>>
>>> Yes, I have more than 16 groups, 22 actually...
>>>
>> Then there's nothing "wrong" per se, you're just hitting the fact that NFS
>> v2 and v3 only support 16 groups on the wire. That's just the way the
>> protocol is defined.
>>
>>
>
> Oops, I didn't know that...
>
> Is there any solution solid enough for a production environment? Maybe nfs4?
>
Well, when you use sec=krb5[ip] on NFSv3 or NFSv4, the limitation of 16/17
groups goes away. However, this has a lot of other implications. (NFSv4
uses the same RPC protocol as NFSv2,3 and it is the specification of the
authentication header for what is called AUTH_SYS, which is the problem.
AUTH_SYS authenticators simply list a uid, gid and groups<16> #s in the
RPC header.)
rick
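
Added example (not part of the original post): an encoder/decoder for the AUTH_SYS credential body described above, following the authsys_parms layout in RFC 5531, showing where a user with 22 groups is cut to 16. The function names, host name and uid/gid values are constructed, and keeping the first 16 groups in order is an assumption about client behaviour.

```python
import struct

MAX_GIDS = 16  # authsys_parms declares gids<16> (RFC 5531, Appendix A)

def _pad(n):
    return (4 - n % 4) % 4  # XDR pads opaque data to a 4-byte boundary

def encode_authsys(stamp, machine, uid, gid, gids):
    """Build the XDR body of an AUTH_SYS credential."""
    if len(machine) > 255:
        raise ValueError("machinename is limited to 255 bytes")
    if len(gids) > MAX_GIDS:
        raise ValueError("AUTH_SYS cannot carry %d groups" % len(gids))
    out = struct.pack(">II", stamp, len(machine))
    out += machine + b"\x00" * _pad(len(machine))
    out += struct.pack(">III", uid, gid, len(gids))
    return out + struct.pack(">%dI" % len(gids), *gids)

def decode_authsys(body):
    """Parse the body as a server would; reject a count above 16."""
    stamp, mlen = struct.unpack_from(">II", body, 0)
    if mlen > 255:
        raise ValueError("machinename length %d exceeds 255" % mlen)
    machine = body[8:8 + mlen]
    off = 8 + mlen + _pad(mlen)
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > MAX_GIDS:
        raise ValueError("gid count %d exceeds gids<16>" % count)
    gids = list(struct.unpack_from(">%dI" % count, body, off + 12))
    return {"stamp": stamp, "machine": machine,
            "uid": uid, "gid": gid, "gids": gids}

def split_for_wire(groups):
    """Assumption: the client sends the first 16 groups and drops the rest."""
    return list(groups[:MAX_GIDS]), list(groups[MAX_GIDS:])

# Constructed sample: a user with 22 supplementary groups, as in the thread.
SAMPLE_GROUPS = list(range(2000, 2022))

if __name__ == "__main__":
    sent, dropped = split_for_wire(SAMPLE_GROUPS)
    body = encode_authsys(0, b"client.example", 1001, 1001, sent)
    print(len(body), "byte credential;", decode_authsys(body))
    print("groups the server never sees:", dropped)
```

Files whose access depends on one of the dropped groups are the ones that show the permission strangeness, since the server only evaluates the ids present in the credential.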