Score:1

NFS: control file/folder access using groups on the server

hcr

I feel a bit stupid to ask as it feels to me to be a very basic question, but anyway I haven't found a solution yet:

I have a Linux dataserver and several workstations that mount folders on this dataserver using NFS. The system is set up in a way that users have the same uids on both server and workstations. There is no centralized user management, but the accounts are local accounts on the corresponding computers.

Now I would like to control the file access on the dataserver by creating groups for specific purposes and adding the corresponding users to those groups on the server. However, when mounting the directories on the workstations, I am facing the problem that the groups only exist on the server and the workstations seem not to know if a specific user is a member of a group on the server. I would like to avoid creating all groups also on each of the workstations, but only manage them on the server. Is this possible?

Thanks in advance for any replies!

Score:2

As you are thinking about local accounts, I assume that you are using AUTH_SYS-based RPC authentication. This means that the client sends the uid and gids with each request. IOW, the NFS server just uses the group membership information provided by the clients.

There are two possibilities (that I know) to fix that:

complicated one

Use RPCSEC_GSS (the Kerberized access) and map user principals on the server side to the desired uid and gids, or query an LDAP server.

simple one

Configure the server (rpc.mountd) to start with the --manage-gids option, which will tell the server to ignore the gids provided by the client and query them locally based on the uid.

hcr
The simple way worked fine for me. Thanks for your answer!
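
Added example, not part of the original answer and not nfs-utils code: a small model of the AUTH_SYS credential the client sends (authsys_parms from RFC 5531) and of how the group list the server acts on changes with --manage-gids. SERVER_GROUPS, effective_gids and all uid/gid values are constructed for illustration; as the rpc.mountd man page notes, the primary gid from the request is not replaced.

```python
import struct

def pack_authsys(stamp, machine, uid, gid, gids):
    """Encode an AUTH_SYS credential body (authsys_parms) as XDR."""
    if len(gids) > 16:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    name = machine.encode()
    pad = (-len(name)) % 4                      # XDR pads strings to 4 bytes
    out = struct.pack(">II", stamp, len(name)) + name + b"\x00" * pad
    out += struct.pack(">III", uid, gid, len(gids))
    return out + struct.pack(f">{len(gids)}I", *gids)

def parse_authsys(buf):
    """Decode the credential as the server sees it; nothing here is verified."""
    _stamp, nlen = struct.unpack_from(">II", buf, 0)
    if nlen > 255:
        raise ValueError("machinename too long")
    machine = buf[8:8 + nlen].decode()
    off = 8 + nlen + (-nlen) % 4
    uid, gid, count = struct.unpack_from(">III", buf, off)
    if count > 16:
        raise ValueError("too many gids")
    gids = list(struct.unpack_from(f">{count}I", buf, off + 12))
    return {"machine": machine, "uid": uid, "gid": gid, "gids": gids}

# Constructed stand-in for the server's local group database:
# uid -> supplementary gids defined only on the server.
# Behaviour for uids unknown to the server is not modelled.
SERVER_GROUPS = {1001: [2000]}

def effective_gids(cred, manage_gids):
    """Group list used for access checks (hypothetical helper)."""
    if manage_gids:
        # Client-supplied supplementary gids are discarded and replaced
        # by a server-side lookup on the uid; the primary gid is kept.
        supplementary = SERVER_GROUPS[cred["uid"]]
    else:
        # Default AUTH_SYS: whatever the client listed is used as-is.
        supplementary = cred["gids"]
    return sorted({cred["gid"], *supplementary})

if __name__ == "__main__":
    # Workstation knows only its local group 3000, not server group 2000.
    wire = pack_authsys(0, "ws1", 1001, 1001, [3000])
    cred = parse_authsys(wire)
    print("without --manage-gids:", effective_gids(cred, False))
    print("with    --manage-gids:", effective_gids(cred, True))
```

Without the option the server never sees group 2000, because the workstation does not know about it and so does not send it; with the option the membership comes from the server's own lookup.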