Krb5 auth and supplemental groups
Kevin Coffman
kwc at citi.umich.edu
Tue Sep 5 09:35:14 EDT 2006
On 9/5/06, Steve Gaarder <gaarder at math.cornell.edu> wrote:
> On Fri, 1 Sep 2006, J. Bruce Fields wrote:
>
> > On Fri, Sep 01, 2006 at 04:52:08PM -0400, Steve Gaarder wrote:
> >> I've got a client that mounts a filesystem with sec=krb5. Things work
> >> fine except for group permissions. Users' supplemental groups are
> >> ignored; only the primary group seems to be recognized. This is under Red
> >> Hat Enterprise 4. Any ideas?
> >
> > With sec=krb5, the supplemental groups are determined entirely by the
> > server. So I assume the list of groups should be essentially what you'd
> > see if you logged into the server and ran "id username".
>
> Yes, that's also my understanding. Logging in and running "id" on the
> server shows the groups I expect to see, but I get "permission denied" on
> the client when I try to write to a directory that is writable by one of
> those groups. Any further thoughts?

If you run svcgssd with "-vvv", its output should show what uid/gid
and supplemental groups it has mapped from the user's name. (You may
need to unmount/mount to make sure new contexts are created.) Could
you send that output?
K.C.
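
Added example, not part of the original thread: a server-side check of the "id username" comparison discussed above, showing which groups the server resolves for a user and whether they grant write on the exported directory. The function names are hypothetical, and it assumes plain mode bits (no POSIX or NFSv4 ACLs) and that it is run locally on the NFS server.

```python
#!/usr/bin/env python3
"""Run on the NFS server: show the groups NSS resolves for a user (what
`id username` prints) and whether they grant write on an exported directory."""
import os
import pwd
import stat
import sys


def server_groups(user):
    """Return (uid, sorted gids) as the server's NSS resolves them."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, sorted(set(os.getgrouplist(user, pw.pw_gid)))


def write_class(uid, gids, st_uid, st_gid, st_mode):
    """Pick the single mode-bit class that applies and say if it allows write.

    Classic Unix rule: owner bits if the uid owns the file, else group bits
    if any gid matches, else other bits. ACLs are not evaluated (assumption).
    """
    if uid == st_uid:
        return "owner", bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return "group", bool(st_mode & stat.S_IWGRP)
    return "other", bool(st_mode & stat.S_IWOTH)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} USERNAME EXPORTED_DIR", file=sys.stderr)
        return 2
    uid, gids = server_groups(argv[1])
    st = os.stat(argv[2])
    cls, ok = write_class(uid, gids, st.st_uid, st.st_gid, st.st_mode)
    print(f"user={argv[1]} uid={uid} gids={gids}")
    print(f"dir={argv[2]} owner={st.st_uid} group={st.st_gid} "
          f"mode={stat.S_IMODE(st.st_mode):04o}")
    print(f"applies={cls} write={'yes' if ok else 'no'}")
    if uid != st.st_uid and st.st_gid not in gids:
        print("directory group is not in the server-side group list")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If this reports write=yes on the server while the client is still denied, the groups svcgssd mapped for the context (its "-vvv" output) are the next thing to compare against this list.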