[opensuse] Can't access a certain directory over nfs, acl problem.
Hi,

I have a directory on a machine, like this (edited for simplicity):

cer@AmonLanc:/data/hoard> l
total 100
drwxr-xr-x 5 root root 94 Sep 26 2014 ./
drwxr-xr-x 5 root root 4096 Oct 2 20:36 ../
drwxrws---+ 6 john cosas 4096 Nov 1 2014 TheHoard/
-rw-r--r-- 1 root root 86165 May 24 2014 remote_log
cer@AmonLanc:/data/hoard>

The entire "/data/hoard/" is an external disk, and I replaced it recently with a much bigger unit (2T). I _think_ it worked before (unsure).

You see it has extended attributes, but I think it should not matter in this case.

cer@AmonLanc:/data/hoard> getfacl TheHoard/
# file: TheHoard/
# owner: john
# group: cosas
# flags: -s-
user::rwx
user:wwwrun:r-x
group::rwx
mask::rwx
other::---
cer@AmonLanc:/data/hoard>

cer@AmonLanc:/data/hoard> l TheHoard/
total 20
drwxrws---+ 6 john cosas 4096 Nov 1 2014 ./
drwxr-xr-x 5 root root 94 Sep 26 2014 ../
drwxr-s---+ 12 john cosas 4096 Oct 25 14:43 Asnos/
drwxr-s--- 2 john cosas 4096 Nov 1 2014 Asnos - Wrong file, unwanted or useless/
-rwxr-x---+ 1 john cosas 449 Sep 26 2014 cambiar_acls_hoard*
cer@AmonLanc:/data/hoard>

cer@AmonLanc:/data/hoard> groups
users root cosas
cer@AmonLanc:/data/hoard>

As you see, user "cer" on that machine can access the directory "TheHoard".

Then, I mount that filesystem over nfs on another machine:

server:

cer@AmonLanc:/data/hoard> cat /etc/exports
/data/hoard 192.168.1.0/24(fsid=2456,rw,root_squash,sync,nohide,no_subtree_check)
cer@AmonLanc:/data/hoard>

client:

cer@Telcontar:/data/hoard> grep hoard /etc/fstab
AmonLanc.valinor:/data/hoard/ /data/hoard nfs4 noauto,nofail,_netdev,user,users,relatime,acl 0 0
cer@Telcontar:/data/hoard>

(acl I added minutes ago, to try if it makes a difference; it does not).

Telcontar:~ # mount | grep /data/hoard
AmonLanc.valinor:/data/hoard on /data/hoard type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.X,local_lock=none,addr=192.168.1.Y,_netdev,user)
Telcontar:~ #

Now look at what I get on the client:

cer@Telcontar:/data/hoard> l
total 100
drwxr-xr-x 5 root root 94 Sep 26 2014 ./
drwxr-xr-x 21 root root 4096 Sep 9 2014 ../
drwxrws--- 6 john cosas 4096 Nov 1 2014 TheHoard/
-rw-r--r-- 1 root root 86165 May 24 2014 remote_log
cer@Telcontar:/data/hoard> getfacl TheHoard/
# file: TheHoard/
# owner: john
# group: cosas
# flags: -s-
user::rwx
group::rwx
other::---
cer@Telcontar:/data/hoard> groups
users root wheel cosas
cer@Telcontar:/data/hoard> l TheHoard/
ls: cannot open directory TheHoard/: Permission denied
cer@Telcontar:/data/hoard>

You see, the ACLs are not transmitted over NFS. And despite being in the group, which has rwx permission, I cannot access.

User "john" on client machine, has access.

The same happens on another client machine.

All of them run oS 13.1.

What am I doing wrong? :-?

Ideas?

--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
25.10.2015 17:25, Carlos E. R. writes:
cer@Telcontar:/data/hoard> groups
users root wheel cosas
cer@Telcontar:/data/hoard> l TheHoard/
ls: cannot open directory TheHoard/: Permission denied
cer@Telcontar:/data/hoard>
You see, the ACLs are not transmitted over NFS. And despite being in the group, which has rwx permission, I cannot access.
User "john" on client machine, has access.
Are UIDs and GIDs the same on client and server for users/groups with identical names?
On 2015-10-25 17:24, Andrei Borzenkov wrote:
25.10.2015 17:25, Carlos E. R. writes:
Are UIDs and GIDs the same on client and server for users/groups with identical names?
They must be, but I'll check again.

[...]

Yes, they are. Absolutely.

I just did something. In the exports file, I changed

/data/hoard 192.168.1.0/24(fsid=2456,rw,root_squash,sync,nohide,no_subtree_check)

to

/data/hoard 192.168.1.0/24(fsid=2457,rw,root_squash,sync,nohide,no_subtree_check)

restarted the nfs server daemon, and now I have access from the laptop, which three days ago I did not. But the desktop remains with no access (even for root).

I compared the output of "mount", and it is the same. Just the IPs are different.

AmonLanc.valinor:/data/hoard on /data/hoard type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.2.X,local_lock=none,addr=192.168.2.Z,_netdev,user)
AmonLanc.valinor:/data/hoard on /data/hoard type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.2.Y,local_lock=none,addr=192.168.2.Z,_netdev,user)

There is a slight difference in the laptop: I changed the name of the group the previous time I tried (same GID, of course). But that time I got no access, and today I have. Baffling.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
25.10.2015 23:13, Carlos E. R. writes:
In the exports file, I changed
/data/hoard 192.168.1.0/24(fsid=2456,rw,root_squash,sync,nohide,no_subtree_check)
to
/data/hoard 192.168.1.0/24(fsid=2457,rw,root_squash,sync,nohide,no_subtree_check)
...
I compared the output of "mount", and it is the same. Just the IP are different.
AmonLanc.valinor:/data/hoard on /data/hoard type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.2.X,local_lock=none,addr=192.168.2.Z,_netdev,user)
AmonLanc.valinor:/data/hoard on /data/hoard type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.2.Y,local_lock=none,addr=192.168.2.Z,_netdev,user)
Your export is for subnet 192.168.1.0/24, but your mount is using subnet 192.168.2.X (I always find it amusing when people obfuscate private addresses; it does not add to protection but does make it harder to guess what happens). So we still do not know what actual permissions your client gets ...
On 2015-10-26 04:26, Andrei Borzenkov wrote:
Your export is for subnet 192.168.1.0/24, but your mount is using subnet 192.168.2.X (I always find it amusing when people obfuscate private addresses; it does not add to protection but does make it harder to guess what happens). So we still do not know what actual permissions your client gets ...
Sigh. Right. I don't know why I tried to obfuscate private addresses... Maybe because I don't trust my external firewall.

No, everything is the same local network, 192.168.1.* That's not the problem.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On Mon, Oct 26, 2015 at 7:03 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2015-10-26 04:26, Andrei Borzenkov wrote:
Your export is for subnet 192.168.1.0/24, but your mount is using subnet 192.168.2.X (I always find it amusing when people obfuscate private addresses; it does not add to protection but does make it harder to guess what happens). So we still do not know what actual permissions your client gets ...
Sigh. Right. I don't know why I tried to obfuscate private addresses... Maybe because I don't trust my external firewall.
No, everything is the same local network, 192.168.1.* That's not the problem.
Well, your usual answer on forums in such situation was "prove it" :) Did you try NFS v3 if it works?
On 2015-10-26 06:42, Andrei Borzenkov wrote:
On Mon, Oct 26, 2015 at 7:03 AM, Carlos E. R. <> wrote:
:-) It can not be a problem with IP ranges, or I would not be able to mount at all the share.
Did you try NFS v3 if it works?
Not yet... However, the funny thing is that it is working on one client machine, and not on another, with the same configuration as far as I can see.

I'll have another look tomorrow.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2015-10-26 06:50, Carlos E. R. wrote:
On 2015-10-26 06:42, Andrei Borzenkov wrote:
Did you try NFS v3 if it works?
Not yet...
Telcontar:~ # mount -v /data/hoard
mount.nfs: timeout set for Mon Oct 26 07:17:28 2015
mount.nfs: trying text-based options 'vers=3,addr=192.168.1.15'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.1.15 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.1.15 prog 100005 vers 3 prot UDP port 20048
Telcontar:~ # ls /data/hoard/TheHoard/
ls: cannot open directory /data/hoard/TheHoard/: Permission denied
Telcontar:~ # mount | grep /data/hoard
AmonLanc.valinor:/data/hoard/ on /data/hoard type nfs (rw,nosuid,nodev,noexec,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.15,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.1.15,_netdev,user)
Telcontar:~ #

So, it is not that.

(no obfuscation this time ;-) )

I can access other directories in the same mount:

Telcontar:~ # ls /data/hoard/Downloads.cer/
Maria Videos isos other streamtuner2
Telcontar:~ #

Different owner:group, though. But it proves connectivity. The share is mounted.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-10-26 07:20, Carlos E. R. wrote:
Telcontar:~ # ls /data/hoard/TheHoard/
ls: cannot open directory /data/hoard/TheHoard/: Permission denied
I can access that directory as the user that owns that directory, but not by the group, on one client. I can on another and in the server.

It is something related to group permissions on the client.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Mon, Oct 26, 2015 at 9:20 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2015-10-26 06:50, Carlos E. R. wrote:
On 2015-10-26 06:42, Andrei Borzenkov wrote:
Did you try NFS v3 if it works?
Not yet...
Telcontar:~ # mount -v /data/hoard
mount.nfs: timeout set for Mon Oct 26 07:17:28 2015
mount.nfs: trying text-based options 'vers=3,addr=192.168.1.15'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.1.15 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.1.15 prog 100005 vers 3 prot UDP port 20048
Telcontar:~ # ls /data/hoard/TheHoard/
ls: cannot open directory /data/hoard/TheHoard/: Permission denied
And what user/group owner does it show this time? "ls -l /data/hoard"?
On 2015-10-26 07:33, Andrei Borzenkov wrote:
On Mon, Oct 26, 2015 at 9:20 AM, Carlos E. R. <> wrote:
And what user/group owner does it show this time? "ls -l /data/hoard"?
Unchanged:

Telcontar:~ # mount -v /data/hoard
mount.nfs: timeout set for Mon Oct 26 13:50:07 2015
mount.nfs: trying text-based options 'vers=3,addr=192.168.1.15'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.1.15 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.1.15 prog 100005 vers 3 prot UDP port 20048
Telcontar:~ #

Telcontar:~ # l /data/hoard/
total 100
drwxr-xr-x 5 root root 94 Sep 26 2014 ./
drwxr-xr-x 21 root root 4096 Sep 9 2014 ../
drwxr-xr-x 7 cer users 97 Oct 24 2014 Downloads.cer/
drwxr-xr-x 5 cer users 4096 Jan 18 2015 Moria.cer/
drwxrws---+ 6 john cosas 4096 Nov 1 2014 TheHoard/
-rw-r--r-- 1 root root 86165 May 24 2014 remote_log
Telcontar:~ # ls -ln /data/hoard/
total 96
drwxr-xr-x 7 1000 100 97 Oct 24 2014 Downloads.cer
drwxr-xr-x 5 1000 100 4096 Jan 18 2015 Moria.cer
drwxrws---+ 6 1011 1010 4096 Nov 1 2014 TheHoard
-rw-r--r-- 1 0 0 86165 May 24 2014 remote_log
Telcontar:~ #

Telcontar:~ # getfacl /data/hoard/TheHoard/
getfacl: Removing leading '/' from absolute path names
# file: data/hoard/TheHoard/
# owner: john
# group: cosas
# flags: -s-
user::rwx
user:wwwrun:r-x
group::rwx
mask::rwx
other::---

On the server:

cer@AmonLanc:~> l /data/hoard/
total 100
drwxr-xr-x 5 root root 94 Sep 26 2014 ./
drwxr-xr-x 5 root root 4096 Oct 2 20:36 ../
drwxr-xr-x 7 cer users 97 Oct 24 2014 Downloads.cer/
drwxr-xr-x 5 cer users 4096 Jan 18 2015 Moria.cer/
drwxrws---+ 6 john cosas 4096 Nov 1 2014 TheHoard/
-rw-r--r-- 1 root root 86165 May 24 2014 remote_log
cer@AmonLanc:~> ls -ln /data/hoard/
total 96
drwxr-xr-x 7 1000 100 97 Oct 24 2014 Downloads.cer
drwxr-xr-x 5 1000 100 4096 Jan 18 2015 Moria.cer
drwxrws---+ 6 1011 1010 4096 Nov 1 2014 TheHoard
-rw-r--r-- 1 0 0 86165 May 24 2014 remote_log
cer@AmonLanc:~> getfacl /data/hoard/TheHoard/
getfacl: Removing leading '/' from absolute path names
# file: data/hoard/TheHoard/
# owner: john
# group: cosas
# flags: -s-
user::rwx
user:wwwrun:r-x
group::rwx
mask::rwx
other::---
cer@AmonLanc:~>

I just created a new directory on the server:

drwxrws---+ 6 john cosas 4096 Nov 1 2014 TheHoard/
drwxr-xr-x 2 john cosas 6 Oct 26 13:58 test/
AmonLanc:/data/hoard #

drwxrws---+ 6 1011 1010 4096 Nov 1 2014 TheHoard/
drwxr-xr-x 2 1011 1010 6 Oct 26 13:58 test/

john@AmonLanc:/data/hoard> getfacl test
# file: test
# owner: john
# group: cosas
# flags: -s-
user::rwx
group::r-x
other::r-x
john@AmonLanc:/data/hoard>

I can access it just fine on the client:

Telcontar:~ # ls -ln /data/hoard/test
total 0
Telcontar:~ #

Now I activate sticky bit:

john@AmonLanc:/data/hoard> l -n
total 100
drwxrws---+ 6 1011 1010 4096 Nov 1 2014 TheHoard/
drwxr-sr-x 2 1011 1010 6 Oct 26 13:58 test/
john@AmonLanc:/data/hoard>

On the client:

Telcontar:~ # ls -ln /data/hoard/test
total 0
Telcontar:~ # ls -ln /data/hoard/TheHoard/
ls: cannot open directory /data/hoard/TheHoard/: Permission denied
Telcontar:~ #

The only difference I see is the "mask" on the ACLs of directory "TheHoard" :-?

Ah, no, "others" have access. Removing.

john@AmonLanc:/data/hoard> chmod o-r-x test
john@AmonLanc:/data/hoard>

Telcontar:~ # ls -ln /data/hoard/test
ls: cannot open directory /data/hoard/test: Permission denied
Telcontar:~ #

That's it!

Ok, Mr Root is not in the proper group. But my user is:

cer@Telcontar:~> ls -ln /data/hoard/test
ls: cannot open directory /data/hoard/test: Permission denied
cer@Telcontar:~>

cer@Telcontar:~> grep cosas /etc/group
cosas:x:1010:cer,moriarty,john
cer@Telcontar:~> ls -ln /data/hoard/test
ls: cannot open directory /data/hoard/test: Permission denied
cer@Telcontar:~>

In the machine that this works, I changed the name of the group. I'll try that.

[...]

No difference.

Oh, well...

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 10/26/2015 09:22 AM, Carlos E. R. wrote:
Check the value of the group "users" on both machines to see if they match.

--
Ken Schneider
SuSe since Version 5.2, June 1998
On 2015-10-26 14:28, Ken Schneider - openSUSE wrote:
Check the value of the group "users" on both machines to see if they match.
They do. 100 in both. But it should not matter, that directory is owned by a different group.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
The only reason I can think of is root squash.

What does "id -a" on the client show?

Any change when exporting with no_root_squash?

Sent from iPhone
On 2015-10-26 15:41, Andrei Borzenkov wrote:
The only reason I can think of is root squash.
Dunno :-?
What does "id -a" on the client show?
cer@Telcontar:~> id -a
uid=1000(cer) gid=100(users) groups=100(users),0(root),10(wheel),13(news),16(dialout),17(audio),33(video),40(games),43(modem),68(snort),495(locate),504(xcdwrite),1000(crypta_old),1001(cer),1002(fido),1003(exptools),1009(moria),1010(medios),1100(vmware)
cer@Telcontar:~>

I just changed the group name to "medios"
Any change when exporting with no_root_squash?
Ok, will try.

[...]

No, no difference. Sigh.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Any difference in id -a output for both clients?

Sent from iPhone
On 2015-10-26 17:01, Andrei Borzenkov wrote:
Any difference in id -a output for both clients?
Let me see.

cer@minas-tirith:~> id -a
uid=1000(cer) gid=100(users) groups=100(users),0(root),13(news),33(video),1001(cer),1010(medios)
cer@minas-tirith:~>
What does "id -a" on the client show?
cer@Telcontar:~> id -a uid=1000(cer) gid=100(users) groups=100(users),0(root),10(wheel),13(news),16(dialout),17(audio),33(video),40(games),43(modem),68(snort),495(locate),504(xcdwrite),1000(crypta_old),1001(cer),1002(fido),1003(exptools),1009(moria),1010(medios),1100(vmware)
cer@Telcontar:~>
Both have "1010(medios)"

I will try updating and rebooting the server (current uptime 23 days).

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
Oh, sorry, I see. Your user belongs to more than 16 groups. In this case it is random which groups will be used to authenticate. Apparently the group that is required is missing. There is an option for RPC on the server to ignore the groups that the client sends and use local groups on the server; I cannot check right now.

Sent from iPhone
See http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/ for explanation and fix. I do not know if 13.1 already supports it.

Sent from iPhone
On 26 Oct 2015, at 20:01, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Oh, sorry, I see. Your user belongs to more than 16 groups. In this case it is random which groups will be used to authenticate. Apparently the group that is required is missing. There is an option for RPC on the server to ignore the groups that the client sends and use local groups on the server; I cannot check right now.
On 2015-10-26 18:39, Andrei Borzenkov wrote:
See http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/ for explanation and fix. I do not know if 13.1 already supports it.
Thanks! I'll read and comment back :-)

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2015-10-26 20:01, Carlos E. R. wrote:
On 2015-10-26 18:39, Andrei Borzenkov wrote:
See http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/ for explanation and fix. I do not know if 13.1 already supports it.
Thanks! I'll read and comment back :-)
It works :-)))

I edited "/etc/sysconfig/nfs"

## Path: Network/File systems/NFS server
## Description: Extra options for mountd
## Type: string
## Default: ""
#
# This setting allows extra options to be specified for rpc.mountd,
# such as --manage-gids.
#CER: see http://www.xkyle.com/solving-the-nfs-16-group-limit-problem/
# http://lists.opensuse.org/opensuse/2015-10/msg00740.html
MOUNTD_OPTIONS="--manage-gids"

restarted the nfs server daemon, and it worked instantly :-)

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
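An added illustration of the cause Andrei identified and the fix Carlos applied (example code written for this page, not from the thread or from nfs-utils): it parses the two `id -a` lines quoted above, models the 16-gid cap of an AUTH_SYS (sec=sys) credential, and shows that on Telcontar gid 1010 falls past the cap while on minas-tirith it does not; `manage_gids()` models what `rpc.mountd --manage-gids` does by resolving group membership from a constructed stand-in for the server's own passwd/group files. The "first 16 ascending gids" selection rule and the stand-in server databases are assumptions.

```python
import re

AUTH_SYS_MAX_GIDS = 16  # an AUTH_SYS (sec=sys) RPC credential carries at most 16 supplementary gids

# Constructed from the two "id -a" lines quoted in the thread.
ID_TELCONTAR = (
    "uid=1000(cer) gid=100(users) groups=100(users),0(root),10(wheel),13(news),"
    "16(dialout),17(audio),33(video),40(games),43(modem),68(snort),495(locate),"
    "504(xcdwrite),1000(crypta_old),1001(cer),1002(fido),1003(exptools),"
    "1009(moria),1010(medios),1100(vmware)"
)
ID_MINAS_TIRITH = (
    "uid=1000(cer) gid=100(users) groups=100(users),0(root),13(news),33(video),"
    "1001(cer),1010(medios)"
)

# /data/hoard/TheHoard as shown by "ls -ln" and getfacl: drwxrws---, owner 1011, group 1010.
THEHOARD_MODE, THEHOARD_UID, THEHOARD_GID = 0o2770, 1011, 1010

# Assumption: a constructed stand-in for the server's /etc/passwd and /etc/group
# (uids/gids and the cosas membership line are the ones quoted in the thread).
SERVER_PASSWD = {1000: "cer", 1011: "john"}
SERVER_GROUP = {100: ("users", []), 1010: ("cosas", ["cer", "moriarty", "john"]), 0: ("root", [])}


def parse_id(line):
    """Return (uid, gid, supplementary gids) from one line of `id -a` output."""
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    gid = int(re.search(r"gid=(\d+)", line).group(1))
    groups = [int(g) for g in re.findall(r"(\d+)\(", line.split("groups=", 1)[1])]
    return uid, gid, groups


def auth_sys_gids(groups):
    """Model the gid list a sec=sys client can put on the wire.
    Assumption: the kernel keeps the list sorted ascending and sends the first 16;
    whatever the exact selection rule, everything past the 16th entry is dropped."""
    return sorted(set(groups))[:AUTH_SYS_MAX_GIDS]


def dropped_gids(groups):
    """Gids the server never sees for this user: the cause of the thread's symptom."""
    return sorted(set(groups) - set(auth_sys_gids(groups)))


def manage_gids(uid):
    """What rpc.mountd --manage-gids does: discard the client's gid list and rebuild
    it from the server's own group database, so the 16-entry cap no longer applies."""
    name = SERVER_PASSWD[uid]
    return sorted(gid for gid, (_, members) in SERVER_GROUP.items() if name in members)


def dir_access(mode, owner_uid, owner_gid, uid, gid, gids, want="rx"):
    """Unix owner/group/other class check, as the server evaluates it for a directory.
    TheHoard's ACL has no entry for cer and mask::rwx, so the group class decides."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid == gid or owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    need = {"r": 4, "w": 2, "x": 1}
    return all(bits & need[c] for c in want)


def can_list_thehoard(id_line, server_manage_gids=False):
    """True if `ls TheHoard/` would succeed for the user described by id_line."""
    uid, gid, groups = parse_id(id_line)
    gids = manage_gids(uid) if server_manage_gids else auth_sys_gids(groups)
    return dir_access(THEHOARD_MODE, THEHOARD_UID, THEHOARD_GID, uid, gid, gids)


if __name__ == "__main__":
    for host, line in (("Telcontar", ID_TELCONTAR), ("minas-tirith", ID_MINAS_TIRITH)):
        print(host, "dropped gids:", dropped_gids(parse_id(line)[2]),
              "| default:", can_list_thehoard(line),
              "| --manage-gids:", can_list_thehoard(line, True))
```

Telcontar's cer is in 19 groups, so 1009, 1010 and 1100 never reach the server and the group class of drwxrws--- is never consulted; minas-tirith's cer has 6 groups and is granted, which matches the one-client-works, one-client-fails symptom.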