Bug#240836: libc6: Duplicated group-id's breaks NFS-access
>>>>> "GM" == GOTO Masanori <gotom@debian.or.jp> writes:
GM> At Mon, 29 Mar 2004 16:51:36 +0200 (CEST),
GM> Anders Boström wrote:
>> I recently got problems accessing our NFS server. Even though I was a member
>> of the right groups, my accesses were denied by the server. After some
>> investigation I found out that the NFS requests didn't contain all
>> groups I am a member of. Also, most of the group IDs were duplicated
>> in the NFS requests.
>>
>> NFS has a limitation on the number of groups (16 I think) and as the
>> groups are duplicated, that limit was exceeded, and I was denied
>> access.
GM> Yes, NFS has a limitation of up to 16 groups with basic unix authentication.
>> The normal system utilities, like id, give this:
>>
>> >id
>> uid=1006(anders) gid=100(users) grupper=4(adm),4(adm),7(lp),7(lp),14(sysadmin),20(dialout),24(cdrom),24(cdrom),25(floppy),25(floppy),25(floppy),29(audio),29(audio),40(src),40(src),44(video),44(video),50(staff),50(staff),100(users),101(telnetd),1006(anders),2000(cad),2002(install),2002(install),2017(cvsadmin),10001(linux)
>> >
>>
>> For example, floppy is listed 3 times. A test program using
>> getgroups gives the same result, making it a libc6 problem.
>>
>> My /etc/nsswitch.conf looks like this:
>>
>> group: files nis compat
>>
>> and floppy exists in both files and NIS.
GM> So this means that /etc/groups returned the floppy entry, but the NIS
GM> lookup still continues. Strange. Please check where the "floppy" group
GM> really comes from.

I have investigated this, and one entry came from files, one from NIS
and one from compat. If I remove compat, only two floppy entries are
listed. And if I also remove myself from the floppy group in
/etc/groups, only one floppy entry is listed.
So the strange thing is that the NIS lookup, and the compat lookup,
continue even if floppy has already been found.

GM> BTW, does your /etc/passwd have an entry starting with "+" and
GM> followed by ":"? If so, change it as follows:
GM> group: compat
Well, I don't use +-entries, so compat should be removed instead.
>> I don't know if it is OK to return the same group ID several times
>> from getgroups or not, BUT NFS (and system utilities like id) should
>> not duplicate group IDs.
GM> The usual NFS implementation does not reject duplicated group ids
GM> (the AUTH_UNIX module only checks each group id), and IIRC the NFS
GM> specification does not say anything about such ids.

Yes, the NFS server is not rejecting the requests. The problem is
that groups are left out of the request, due to the duplication of
other groups, making the server respond with permission denied.

>> This problem is new, older versions of my system did not duplicate the
>> group IDs in NFS requests. I update testing almost every day, and
>> one month ago the problem didn't exist.
GM> So I suspect your environment. The glibc 2.3.2.ds1 series did not touch
GM> the original codebase these days.
OK, if it is my environment, what can cause this? How do I debug it?
/ Anders
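
For the debugging question above, this C program (an added example, not part of the original message and not glibc or NFS code) measures how many group memberships fall outside a 16-entry list when getgroups returns repeated gids, before and after removing the repeats. It assumes the client sends only the first 16 entries in the order returned; `reported`, `dedupe`, `count_lost` and `MAX_GIDS` are names chosen for this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define AUTH_UNIX_MAX_GIDS 16   /* the 16-group limit discussed in the thread */
#define MAX_GIDS 1024           /* buffer size chosen for this example */

/* Supplementary gids copied from the `id` output quoted in the message above. */
const gid_t reported[] = { 4, 4, 7, 7, 14, 20, 24, 24, 25, 25, 25, 29, 29,
    40, 40, 44, 44, 50, 50, 100, 101, 1006, 2000, 2002, 2002, 2017, 10001 };
enum { N_REPORTED = sizeof reported / sizeof reported[0] };

/* Return 1 if gid occurs in list[0..n-1]. */
static int contains(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Copy gids to out without repeats, keeping first-seen order; returns new count. */
int dedupe(const gid_t *gids, int n, gid_t *out) {
    int m = 0;
    for (int i = 0; i < n; i++)
        if (!contains(out, m, gids[i]))
            out[m++] = gids[i];
    return m;
}

/* Distinct gids whose first occurrence lies past entry `limit`: the memberships
   dropped if only the first `limit` entries are sent (assumption, see lead-in). */
int count_lost(const gid_t *gids, int n, int limit) {
    int lost = 0;
    for (int i = limit; i < n; i++)
        if (!contains(gids, i, gids[i]))
            lost++;
    return lost;
}

int main(void) {
    gid_t live[MAX_GIDS], uniq[MAX_GIDS];
    int n = getgroups(MAX_GIDS, live);   /* this process's supplementary groups */
    if (n < 0) { perror("getgroups"); return 1; }
    int m = dedupe(live, n, uniq);
    printf("%d entries, %d distinct; lost at limit %d: %d raw, %d deduped\n", n, m,
           AUTH_UNIX_MAX_GIDS, count_lost(live, n, AUTH_UNIX_MAX_GIDS),
           count_lost(uniq, m, AUTH_UNIX_MAX_GIDS));
    return 0;
}
```

On the `reported` list the same functions give 27 entries and 17 distinct gids, with 8 memberships past the 16th entry as returned and 1 after removing repeats.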