1753956
Members
7503
Online
108811
Solutions
SOLVED
Hi,
The 16 group limit is not an NFS limitation, it is a limitation of the RPC credential structure. The only ways to work around it are:
1) Remove the user from groups until they are members of less than 16 groups
2) Use an authentication method other than RPC, such as Kerberos.
3) Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups.
These are the methods I've used in the past to work around this problem.
Regards,
Dave
The 16 group limit is not an NFS limitation, it is a limitation of the RPC credential structure. The only ways to work around it are:
1) Remove the user from groups until they are members of less than 16 groups
2) Use an authentication method other than RPC, such as Kerberos.
3) Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups.
These are the methods I've used in the past to work around this problem.
Regards,
Dave
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Good morning,
> > 1) Remove the user from groups until they
> > are members of less than 16 groups
>
> I knew we can do this, but most of the
> users have more than 16 groups.
Yup, I knew this was a somewhat bogus answer, but you'd be surprised how many customers look at the alternatives and decide "I'll just take this user out of some groups".
> > 2) Use an authentication method other than
> > RPC, such as Kerberos.
>
> I am not sure what is RPC??? And how can I
> implement this??
You're already using it. RPC is Remote Procedure Call. It's the protocol NFS uses to send requests between systems. It is the RPC protocol that limits the number of group memberships to 16.
If you want to work around this limitation you need to use a different mechanism for authenticating users. Many flavors of Linux, and most flavors of UNIX - including HP-UX - support something called "Secure NFS", where you can define different authentication mechanisms for use with NFS.
From the nfs(5) man page on my Linux system:
sec=mode
Set the security flavor for this mount to "mode". The default setting is sec=sys, which uses local unix uids and gids to authenticate NFS operations (AUTH_SYS). Other currently supported settings are: sec=krb5, which uses Kerberos V5 instead of local unix uids and gids to authenticate users; sec=krb5i, which uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering; and sec=krb5p, which uses Kerberos V5 for user authentication and integrity checking, and encrypts NFS traffic to prevent traffic sniffing (this is the most secure setting). Note that there is a performance penalty when using integrity or privacy.
> > Use ACL's on the server to restrict access
> > instead of group permissions and then
> > remove the user from more than 16 groups.
>
> How can create ACLs on server??? I did on
> web server but not on a server.
It depends on the type of server you're using and the type of filesystem on the server you're exporting/sharing for NFS clients. Most implementations of Linux and UNIX offer commands for managing ACLs on files. See the acl(5) man page for details.
> So basically you are saying other than
> limiting to 16 groups per user, there is no
> other way..
No, I'm saying if you require a user be in more than 16 groups you'll have to use a different authentication mechanism. If you're not comfortable with implementing a different authentication mechanism then you can use a different security mechanism (ACLs) for restricting access to your shared resources.
Regards,
Dave
> > 1) Remove the user from groups until they
> > are members of less than 16 groups
>
> I knew we can do this, but most of the
> users have more than 16 groups.
Yup, I knew this was a somewhat bogus answer, but you'd be surprised how many customers look at the alternatives and decide "I'll just take this user out of some groups".
> > 2) Use an authentication method other than
> > RPC, such as Kerberos.
>
> I am not sure what is RPC??? And how can I
> implement this??
You're already using it. RPC is Remote Procedure Call. It's the protocol NFS uses to send requests between systems. It is the RPC protocol that limits the number of group memberships to 16.
If you want to work around this limitation you need to use a different mechanism for authenticating users. Many flavors of Linux, and most flavors of UNIX - including HP-UX - support something called "Secure NFS", where you can define different authentication mechanisms for use with NFS.
From the nfs(5) man page on my Linux system:
sec=mode
Set the security flavor for this mount to "mode". The default setting is sec=sys, which uses local unix uids and gids to authenticate NFS operations (AUTH_SYS). Other currently supported settings are: sec=krb5, which uses Kerberos V5 instead of local unix uids and gids to authenticate users; sec=krb5i, which uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering; and sec=krb5p, which uses Kerberos V5 for user authentication and integrity checking, and encrypts NFS traffic to prevent traffic sniffing (this is the most secure setting). Note that there is a performance penalty when using integrity or privacy.
> > Use ACL's on the server to restrict access
> > instead of group permissions and then
> > remove the user from more than 16 groups.
>
> How can create ACLs on server??? I did on
> web server but not on a server.
It depends on the type of server you're using and the type of filesystem on the server you're exporting/sharing for NFS clients. Most implementations of Linux and UNIX offer commands for managing ACLs on files. See the acl(5) man page for details.
> So basically you are saying other than
> limiting to 16 groups per user, there is no
> other way..
No, I'm saying if you require a user be in more than 16 groups you'll have to use a different authentication mechanism. If you're not comfortable with implementing a different authentication mechanism then you can use a different security mechanism (ACLs) for restricting access to your shared resources.
Regards,
Dave
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
> Thank you so much for all your detail
> explaination. Now I understand.
>
> How can I incorporate sec=mode??? Is this
> like;
>
> # mount sec=mode nodename:/test /share
>
> And when I do this, will it accept more
> than 16 groups???
No, I'm afraid it's just a little bit more involved than that.
As I stated earlier, if you insist on having users in more than 16 groups you will need to use a different authentication mechanism. The most popular alternative at the moment is Kerberos v5. This authentication flavor is supported by most NFS implementations.
What this means is - yes - you will eventually use a command syntax like "mount -o sec=krb5 server:/directory" but that comes after you've setup a Kerberos v5 domain. That's where the work comes in.
Once you get a working Kerberos domain configured and all your systems are members of the domain, then you can begin using the "krb5" security mode for authenticating NFS requests.
Regards,
Dave
> explaination. Now I understand.
>
> How can I incorporate sec=mode??? Is this
> like;
>
> # mount sec=mode nodename:/test /share
>
> And when I do this, will it accept more
> than 16 groups???
No, I'm afraid it's just a little bit more involved than that.
As I stated earlier, if you insist on having users in more than 16 groups you will need to use a different authentication mechanism. The most popular alternative at the moment is Kerberos v5. This authentication flavor is supported by most NFS implementations.
What this means is - yes - you will eventually use a command syntax like "mount -o sec=krb5 server:/directory" but that comes after you've setup a Kerberos v5 domain. That's where the work comes in.
Once you get a working Kerberos domain configured and all your systems are members of the domain, then you can begin using the "krb5" security mode for authenticating NFS requests.
Regards,
Dave
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
