- Integrated Systems
- About Us
- Integrated Systems
- About Us
06-12-2007 07:04 AM
Does any know is aware of work around for NFS group limit to have access more than 16 groups??
We have issues if a user have access in more than 16 groups. I am sure some one must have gone
through this. If so would be so kind to share??
Thanks for your time..
Solved! Go to Solution.
06-12-2007 02:28 PMSolution
The 16 group limit is not an NFS limitation, it is a limitation of the RPC credential structure. The only ways to work around it are:
1) Remove the user from groups until they are members of less than 16 groups
2) Use an authentication method other than RPC, such as Kerberos.
3) Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups.
These are the methods I've used in the past to work around this problem.
06-13-2007 12:22 AM
<<<< 1) Remove the user from groups until they are members of less than 16 groups >>>>
I knew we can do this, but most of the users have more than 16 groups. It is working like this till now, but now planned to move to NIS, and we were stuck @ NFS group limit. Temporarily we are removing users from groups.
<<<<< 2) Use an authentication method other than RPC, such as Kerberos. >>>>>
I am not sure what is RPC??? And how can I implement this??
<<<<< Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups. >>>>
How can create ACLs on server??? I did on web server but not on a server.
So basically you are saying other than limiting to 16 groups per user, there is no other way..
Really appreciate for your valuable time and assistance....Thank you
06-13-2007 03:57 AM
> > 1) Remove the user from groups until they
> > are members of less than 16 groups
> I knew we can do this, but most of the
> users have more than 16 groups.
Yup, I knew this was a somewhat bogus answer, but you'd be surprised how many customers look at the alternatives and decide "I'll just take this user out of some groups".
> > 2) Use an authentication method other than
> > RPC, such as Kerberos.
> I am not sure what is RPC??? And how can I
> implement this??
You're already using it. RPC is Remote Procedure Call. It's the protocol NFS uses to send requests between systems. It is the RPC protocol that limits the number of group memberships to 16.
If you want to work around this limitation you need to use a different mechanism for authenticating users. Many flavors of Linux, and most flavors of UNIX - including HP-UX - support something called "Secure NFS", where you can define different authentication mechanisms for use with NFS.
From the nfs(5) man page on my Linux system:
Set the security flavor for this mount to "mode". The default setting is sec=sys, which uses local unix uids and gids to authenticate NFS operations (AUTH_SYS). Other currently supported settings are: sec=krb5, which uses Kerberos V5 instead of local unix uids and gids to authenticate users; sec=krb5i, which uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering; and sec=krb5p, which uses Kerberos V5 for user authentication and integrity checking, and encrypts NFS traffic to prevent traffic sniffing (this is the most secure setting). Note that there is a performance penalty when using integrity or privacy.
> > Use ACL's on the server to restrict access
> > instead of group permissions and then
> > remove the user from more than 16 groups.
> How can create ACLs on server??? I did on
> web server but not on a server.
It depends on the type of server you're using and the type of filesystem on the server you're exporting/sharing for NFS clients. Most implementations of Linux and UNIX offer commands for managing ACLs on files. See the acl(5) man page for details.
> So basically you are saying other than
> limiting to 16 groups per user, there is no
> other way..
No, I'm saying if you require a user be in more than 16 groups you'll have to use a different authentication mechanism. If you're not comfortable with implementing a different authentication mechanism then you can use a different security mechanism (ACLs) for restricting access to your shared resources.
06-13-2007 05:40 AM
I know in AIX, I set the sec=sys while mounting the nfs f/s. But on Linux we use for an instance like # mount nodename:/test /share
How can I incorporate sec=mode??? Is this like;
# mount sec=mode nodename:/test /share
And when I do this, will it accept more than 16 groups??? If so I owe u a big one....:-)
Sorry to bother u too much, I want to learn and need to implement this Dave!
We have a suse Linux NFS server and NFS clients with flavors AIX, Linux and Hpux.
If you say so I want to test it...
THANK YOU SO MUCH AND REALLY APPRECIATE FOR UR HELP
06-13-2007 09:28 AM
> explaination. Now I understand.
> How can I incorporate sec=mode??? Is this
> # mount sec=mode nodename:/test /share
> And when I do this, will it accept more
> than 16 groups???
No, I'm afraid it's just a little bit more involved than that.
As I stated earlier, if you insist on having users in more than 16 groups you will need to use a different authentication mechanism. The most popular alternative at the moment is Kerberos v5. This authentication flavor is supported by most NFS implementations.
What this means is - yes - you will eventually use a command syntax like "mount -o sec=krb5 server:/directory" but that comes after you've setup a Kerberos v5 domain. That's where the work comes in.
Once you get a working Kerberos domain configured and all your systems are members of the domain, then you can begin using the "krb5" security mode for authenticating NFS requests.
06-13-2007 10:34 AM
Hope this helps you decide.
06-14-2007 03:03 AM
Thank you so much for the input. So I need to setup krb5, in order to test. You are so wonderful explaining things to me. I don't mind spending money to take classes from u, because you worth explaining to dummies like me....hahaha;) I am so desperate to make it work more than 16 groups. If this works, I owe u a big one, seriously...
I need to do research to download Krb5 and try to configure..
Thank you Huc, I will go thru the provided link and will bug u guys again with many other Q's..
Thanks again to both...