>>>>> "GM" == GOTO Masanori <[EMAIL PROTECTED]> writes:

 GM> At Mon, 29 Mar 2004 16:51:36 +0200 (CEST),
 GM> Anders Boström wrote:
 >> I recently got problems accessing our NFS-server. Even though I was a member
 >> of the right groups, my accesses were denied by the server. After some
 >> investigation I found out that the NFS-requests didn't contain all
 >> groups I am a member of. Also, most of the group-ids were duplicated
 >> in the NFS-requests.
 >>
 >> NFS has a limitation on the number of groups (16 I think) and as the
 >> groups are duplicated, that limit was exceeded, and I was denied
 >> access.

 GM> Yes, NFS has a limitation of up to 16 groups with basic unix authentication.

 >> The normal system-utilities, like id, give this:
 >>
 >> >id
 >> uid=1006(anders) gid=100(users)
 >> grupper=4(adm),4(adm),7(lp),7(lp),14(sysadmin),20(dialout),24(cdrom),24(cdrom),25(floppy),25(floppy),25(floppy),29(audio),29(audio),40(src),40(src),44(video),44(video),50(staff),50(staff),100(users),101(telnetd),1006(anders),2000(cad),2002(install),2002(install),2017(cvsadmin),10001(linux)
 >> >
 >>
 >> For example, floppy is listed 3 times. A test-program using
 >> getgroups gives the same result, making it a libc6-problem.
 >>
 >> My /etc/nsswitch.conf looks like this:
 >>
 >> group: files nis compat
 >>
 >> and floppy exists in both files and NIS.

 GM> So this means that /etc/groups returned the floppy entry, but even so the NIS
 GM> lookup is continuing. Strange. Please check where the "floppy" group
 GM> really comes from.

I have investigated this, and one entry came from files, one from NIS
and one from compat. If I remove compat, only two floppy-entries are
listed. And if I also remove myself from the floppy group in
/etc/groups, only one floppy-entry is listed.

So the strange thing is that the NIS lookup, and the compat lookup, continue
even if floppy has already been found.

 GM> BTW, does your /etc/passwd have an entry starting with "+" and
 GM> followed by ":"? If so, change as follows:

 GM> group: compat

Well, I don't use +-entries, so compat should be removed instead.

 >> I don't know if it is OK to return the same group-id several times
 >> from getgroups or not, BUT NFS (and system utilities like id) should
 >> not duplicate group ids.

 GM> The usual NFS implementation does not reject duplicated group ids
 GM> (AUTH_UNIX module only checks each group id), and IIRC the NFS
 GM> specification does not say anything about such ids.

Yes, the NFS-server is not rejecting the requests. The problem is that
groups are left out from the request, due to duplication of other
groups, making the server respond with permission denied.

 >> This problem is new, older versions of my system did not duplicate the
 >> group-ids in NFS-requests. I update testing almost every day, and
 >> one month ago the problem didn't exist.

 GM> So I suspect your environment. Glibc 2.3.2.ds1 series did not touch
 GM> the original codebase these days.

OK, if it is my environment, what can cause this? How do I debug it?

/ Anders
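
A check for the symptom discussed in this message, added here as an example and not part of the original thread or of glibc: it counts how many distinct groups fall outside the 16-entry limit when the getgroups list contains duplicates. The function names are hypothetical, and it assumes the client truncates the list in the order getgroups returns it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AUTH_UNIX_MAX_GROUPS 16 /* limit stated in the thread */

/* Group ids copied from the `id` output quoted in the message above. */
static const gid_t sample[] = {4, 4, 7, 7, 14, 20, 24, 24, 25, 25, 25, 29, 29,
    40, 40, 44, 44, 50, 50, 100, 101, 1006, 2000, 2002, 2002, 2017, 10001};

static int cmp_gid(const void *a, const void *b) {
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Number of distinct ids among the first n entries (input left untouched). */
size_t distinct_gids(const gid_t *gids, size_t n) {
    if (n == 0) return 0;
    gid_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) abort();
    memcpy(tmp, gids, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_gid);
    size_t count = 1;
    for (size_t i = 1; i < n; i++)
        if (tmp[i] != tmp[i - 1]) count++;
    free(tmp);
    return count;
}

/* Distinct groups dropped if only the first `limit` raw entries are sent.
   Assumption: truncation keeps the list in getgroups order. */
size_t gids_lost(const gid_t *gids, size_t n, size_t limit) {
    size_t sent = n < limit ? n : limit;
    return distinct_gids(gids, n) - distinct_gids(gids, sent);
}

int main(void) {
    size_t sn = sizeof sample / sizeof sample[0];
    printf("sample: raw=%zu distinct=%zu lost=%zu\n", sn,
           distinct_gids(sample, sn), gids_lost(sample, sn, AUTH_UNIX_MAX_GROUPS));
    int n = getgroups(0, NULL); /* size query for the calling process */
    if (n < 0) { perror("getgroups"); return 1; }
    gid_t *g = malloc((n ? n : 1) * sizeof *g);
    if (!g || (n = getgroups(n, g)) < 0) { perror("getgroups"); return 1; }
    printf("process: raw=%d distinct=%zu lost=%zu\n", n, distinct_gids(g, n),
           gids_lost(g, n, AUTH_UNIX_MAX_GROUPS));
    free(g);
    return 0;
}
```

Running it before and after editing the group line in /etc/nsswitch.conf shows whether the raw count drops to the distinct count.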

