Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
cancel
Showing results for 
Search instead for 
Did you mean: 

NFS

SOLVED
Go to solution
Qcheck
Super Advisor

NFS

Hi All,

Does any know is aware of work around for NFS group limit to have access more than 16 groups??

We have issues if a user have access in more than 16 groups. I am sure some one must have gone
through this. If so would be so kind to share??

Thanks for your time..
7 REPLIES
Dave Olker
HPE Pro
Solution

Re: NFS

Hi,

The 16 group limit is not an NFS limitation, it is a limitation of the RPC credential structure. The only ways to work around it are:

1) Remove the user from groups until they are members of less than 16 groups

2) Use an authentication method other than RPC, such as Kerberos.

3) Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups.

These are the methods I've used in the past to work around this problem.

Regards,

Dave

Qcheck
Super Advisor

Re: NFS

Morning Dave,

<<<< 1) Remove the user from groups until they are members of less than 16 groups >>>>

I knew we can do this, but most of the users have more than 16 groups. It is working like this till now, but now planned to move to NIS, and we were stuck @ NFS group limit. Temporarily we are removing users from groups.

<<<<< 2) Use an authentication method other than RPC, such as Kerberos. >>>>>

I am not sure what is RPC??? And how can I implement this??

<<<<< Use ACL's on the server to restrict access instead of group permissions and then remove the user from more than 16 groups. >>>>

How can create ACLs on server??? I did on web server but not on a server.

So basically you are saying other than limiting to 16 groups per user, there is no other way..

Really appreciate for your valuable time and assistance....Thank you
Dave Olker
HPE Pro

Re: NFS

Good morning,

> > 1) Remove the user from groups until they
> > are members of less than 16 groups
>
> I knew we can do this, but most of the
> users have more than 16 groups.

Yup, I knew this was a somewhat bogus answer, but you'd be surprised how many customers look at the alternatives and decide "I'll just take this user out of some groups".

> > 2) Use an authentication method other than
> > RPC, such as Kerberos.
>
> I am not sure what is RPC??? And how can I
> implement this??

You're already using it. RPC is Remote Procedure Call. It's the protocol NFS uses to send requests between systems. It is the RPC protocol that limits the number of group memberships to 16.

If you want to work around this limitation you need to use a different mechanism for authenticating users. Many flavors of Linux, and most flavors of UNIX - including HP-UX - support something called "Secure NFS", where you can define different authentication mechanisms for use with NFS.

From the nfs(5) man page on my Linux system:

sec=mode

Set the security flavor for this mount to "mode". The default setting is sec=sys, which uses local unix uids and gids to authenticate NFS operations (AUTH_SYS). Other currently supported settings are: sec=krb5, which uses Kerberos V5 instead of local unix uids and gids to authenticate users; sec=krb5i, which uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering; and sec=krb5p, which uses Kerberos V5 for user authentication and integrity checking, and encrypts NFS traffic to prevent traffic sniffing (this is the most secure setting). Note that there is a performance penalty when using integrity or privacy.


> > Use ACL's on the server to restrict access
> > instead of group permissions and then
> > remove the user from more than 16 groups.
>
> How can create ACLs on server??? I did on
> web server but not on a server.


It depends on the type of server you're using and the type of filesystem on the server you're exporting/sharing for NFS clients. Most implementations of Linux and UNIX offer commands for managing ACLs on files. See the acl(5) man page for details.


> So basically you are saying other than
> limiting to 16 groups per user, there is no
> other way..

No, I'm saying if you require a user be in more than 16 groups you'll have to use a different authentication mechanism. If you're not comfortable with implementing a different authentication mechanism then you can use a different security mechanism (ACLs) for restricting access to your shared resources.

Regards,

Dave
Qcheck
Super Advisor

Re: NFS

Thank you so much for all your detail explaination. Now I understand.

I know in AIX, I set the sec=sys while mounting the nfs f/s. But on Linux we use for an instance like # mount nodename:/test /share

How can I incorporate sec=mode??? Is this like;

# mount sec=mode nodename:/test /share

And when I do this, will it accept more than 16 groups??? If so I owe u a big one....:-)

Sorry to bother u too much, I want to learn and need to implement this Dave!

We have a suse Linux NFS server and NFS clients with flavors AIX, Linux and Hpux.

If you say so I want to test it...

THANK YOU SO MUCH AND REALLY APPRECIATE FOR UR HELP
Dave Olker
HPE Pro

Re: NFS

> Thank you so much for all your detail
> explaination. Now I understand.
>
> How can I incorporate sec=mode??? Is this
> like;
>
> # mount sec=mode nodename:/test /share
>
> And when I do this, will it accept more
> than 16 groups???

No, I'm afraid it's just a little bit more involved than that.

As I stated earlier, if you insist on having users in more than 16 groups you will need to use a different authentication mechanism. The most popular alternative at the moment is Kerberos v5. This authentication flavor is supported by most NFS implementations.

What this means is - yes - you will eventually use a command syntax like "mount -o sec=krb5 server:/directory" but that comes after you've setup a Kerberos v5 domain. That's where the work comes in.

Once you get a working Kerberos domain configured and all your systems are members of the domain, then you can begin using the "krb5" security mode for authenticating NFS requests.

Regards,

Dave
Huc_1
Honored Contributor

Re: NFS

For more generic help if you want to investigate kerberos have a look at
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

Hope this helps you decide.

Jean-Pierre Huc
Smile I will feel the difference
Qcheck
Super Advisor

Re: NFS

Morning Dave,

Thank you so much for the input. So I need to setup krb5, in order to test. You are so wonderful explaining things to me. I don't mind spending money to take classes from u, because you worth explaining to dummies like me....hahaha;) I am so desperate to make it work more than 16 groups. If this works, I owe u a big one, seriously...

I need to do research to download Krb5 and try to configure..

Thank you Huc, I will go thru the provided link and will bug u guys again with many other Q's..

Thanks again to both...