Secondary groups not working with NFS

Bug #409366 reported by Odin Hørthe Omdal
This bug affects 3 people
Affects: linux (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm using LDAP for groups and NFS for home dirs. My problem is as follows:

I only have a few groups, so it's not the problem everyone else had. When I've mounted a disk over NFS, I need to have my primary group in order to read in the groups I'm a member of. Secondary groups are not working.

Code:

root@machine:/home/user# smbldap-groupshow secret
...
gidNumber: 1504
displayName: secret
memberUid: user,anotheruser

root@machine:/home/user# su - user

user@machine:~$ groups
users secret

user@machine:~$ ls -ald ../secret/
drwxr-x--- 12 anotheruser secret 4096 2009-07-27 15:39 ../secret/

user@machine:~$ cd ../secret/
bash: cd: ../secret/: Permission denied

user@machine:~$ ls ../secret/
ls: cannot open directory ../secret/: Permission denied

But it works if I change the group to primary by hand with newgrp:

Code:

user@machine:~$ newgrp secret
user@machine:~$ cd ../secret/
user@machine:/home/secret$ ls
Nice secrets.txt

But my users cannot be expected to do this!

The server where the real files are held (the NFS server) does not know anything about users. And it shouldn't; its only job is to export files via NFS and do backups.

I've tested this on clients: 9.10 Karmic, 9.04 Jaunty, 8.10 Intrepid

The NFS server is running: 9.04 Jaunty.

description: updated
Odin Hørthe Omdal (velmont) wrote :

A nice fellow on ubuntuforums found the culprit.

Remove --manage-gids in /etc/default/nfs-kernel-server

I guess this problem will just surface more and more as people replace the older Ubuntu server with newer systems. So I would look out for this bug, maybe fix it before you get a ton of broken systems... :-)

JB (jmb365) wrote :

I am having a similar problem, which has not been solved by the removal of "--manage-gids" in /etc/default/nfs-kernel-server of the Karmic client PC. I did a "sudo /etc/init.d/nfs-kernel-server restart" on the Karmic client, though it is irrelevant, I believe.

I am mounting a user directory from a Fedora7 PC ("linux0") NFS server. On the client (Ubuntu Karmic) PC a user ("js") who also belongs to the group "family" tries to read file "/home/as/MyFiles/Calendar.ics" mounted from "linux0" with the permissions "-rw-r----- 1 as family". This is a problem ONLY in a client PC running Ubuntu Karmic 9.10. It works fine on any other PC running any other version of Ubuntu. I have tested this on several Ubuntu PCs using Karmic, Hardy, Jaunty etc.

The user's id is:
uid=1001(js) gid=1001(js) groups=1001(js),4(adm),20(dialout),21(fax),24(cdrom),26(tape),29(audio),30(dip),44(video),46(plugdev),103(fuse),104(lpadmin),112(netdev),115(admin),120(sambashare),1999(family),1100(parents)

When I try "less /home/as/MyFiles/Calendar.ics" on a PC running "Karmic" I get "Permission denied".

I believe that Karmic still has a bug.

JB (jmb365)
Changed in linux (Ubuntu):
status: New → Incomplete
JB (jmb365)
Changed in linux (Ubuntu):
status: Incomplete → New
JB (jmb365) wrote :

I was wrong. It is NOT a bug in my situation. I fixed my problem by reducing the number of groups that "js" belongs to (to below 16), which is the limit imposed by NFS. Please see http://ubuntuforums.org/newreply.php?do=newreply&p=8612417. Since "js" had more than 16 group memberships in the client, the server did not see its membership beyond that limit, so the server denied permission.
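
Added example, not part of the original report or of any commenter's post: a shell check for the two causes found in this thread, the 16-gid limit of AUTH_SYS credentials and the --manage-gids option on the server. It assumes the client sends the numerically lowest 16 gids (Linux keeps a process's group list sorted); the function names are hypothetical, and the group list is the one quoted for "js" above.

```shell
#!/bin/sh
# Added example, not from the bug report.
# AUTH_SYS (RFC 5531) carries at most 16 supplementary gids per request.
AUTH_SYS_MAX_GIDS=16

# Print the gids a client would send for the group list in $1, one per line.
# Assumption: the numerically lowest 16 are sent; other clients may
# truncate the list in a different order.
authsys_sent_gids() {
    printf '%s\n' $1 | sort -n | uniq | head -n "$AUTH_SYS_MAX_GIDS"
}

# Succeeds if gid $1 is among the gids sent for the group list $2.
gid_reaches_server() {
    authsys_sent_gids "$2" | grep -qx "$1"
}

# Succeeds if the defaults file $1 passes --manage-gids to rpc.mountd
# (commented-out lines are ignored). With that option the server discards
# the client's gid list and looks the user's groups up itself, so a server
# that does not know the users sees no secondary groups.
has_manage_gids() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -- '--manage-gids'
}

# Groups of user "js" as quoted in the report (17 entries).
JS_GIDS="1001 4 20 21 24 26 29 30 44 46 103 104 112 115 120 1999 1100"

# List every gid in JS_GIDS that would be cut off by the 16-gid limit.
report() {
    for gid in $JS_GIDS; do
        gid_reaches_server "$gid" "$JS_GIDS" || echo "gid $gid is not sent"
    done
}
report
```

On a live client, pass the output of `id -G <user>` as the group list; on the server, point has_manage_gids at /etc/default/nfs-kernel-server.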

Jeremy Foshee (jeremyfoshee) wrote :

Hi Odin,

Please be sure to confirm this issue exists with the latest development release of Ubuntu. ISO CD images are available from http://cdimage.ubuntu.com/releases/ . If the issue remains, please run the following command from a Terminal (Applications->Accessories->Terminal). It will automatically gather and attach updated debug information to this report.

apport-collect -p linux 409366

Also, if you could test the latest upstream kernel available that would be great. It will allow additional upstream developers to examine the issue. Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Once you've tested the upstream kernel, please remove the 'needs-upstream-testing' tag. This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the 'needs-upstream-testing' text. Please let us know your results.

Thanks in advance.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: needs-kernel-logs
tags: added: needs-upstream-testing
tags: added: kj-triage
Changed in linux (Ubuntu):
status: New → Incomplete
Jeremy Foshee (jeremyfoshee) wrote :

This bug report was marked as Incomplete and has not had any updated comments for quite some time. As a result this bug is being closed. Please reopen if this is still an issue in the current Ubuntu release http://www.ubuntu.com/getubuntu/download . Also, please be sure to provide any requested information that may have been missing. To reopen the bug, click on the current status under the Status column and change the status back to "New". Thanks.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: kj-expired
Changed in linux (Ubuntu):
status: Incomplete → Expired