[Samba] Group permission problems with winbind & NFS

Don Meyer dlmeyer at uiuc.edu
Thu May 3 17:34:01 GMT 2007

At 08:30 AM 5/3/2007, simo wrote:
>On Mon, 2007-04-30 at 23:35 -0500, Don Meyer wrote:
> > This system NFS mounts the remote file storage resource on a backend
> > RHEL4 server.   The public facing web frontends also mount these same
> > resources.   Here is where things get hinky -- some users can write
> > to the directories on the NFS mount, and some cannot.   If the
> > directory in question is owned by the user, then no problems
> > writing.   If not, but the directory's owning group contains the user
> > as a member, then only sometimes can the user add/change/remove files
> > in the directory.
>First, re-exporting NFS mounts via samba is really not a good practice,
>and we usually discourage it completely.

Sorry, I wasn't clear enough to avoid the assumption:  This is not a 
samba resource writing issue -- not a samba re-exporting an NFS 
mount.   The "writing" I am referring to are file operations within 
an ssh shell or sftp session to the NFS mounted resource.  In this 
instance, winbind is the only real operative function of the samba 
installation, in that it instantiates the AD-based users and groups.

> > I also thought it might have something to do with nested groups, but
> > even simple groups with only users as members exhibit the failure
> > over NFS.   I have had the thought that it could be the length of
> > some of the groupnames, as some of them are pretty long:  the longest
> > is 64 bytes.  The one I did most testing with is only 10 bytes 
> long, however.
>The NFS protocol limits the number of groups per user to 16 and truncate
>all others, so you are not really able to tell the server you are in
>group #17 or #18 and so on. I am 99.9% sure this is the problem you are
>That's why approximately you can have it working with older groups as
>they are probably just reported first and result in the first 16.

Ouch!   I thought the 16 group problem was a problem with older Sun 
NFS only, and that the modern implementations had done away with 
this.   (Or at least raised the bar...)

I guess I need to consider re-architecting with a different network 
file system that doesn't have these ... limitations...

Thanks much for the info and theory/diagnosis.   I'll see if I can 
verify that as the root cause...


Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 

More information about the samba mailing list