IBM Support

maxgroups setting of NFS mount

Question & Answer


Question

In a complex NFS environment, we usually define different users and groups to control access to different NFS directories. In addition, a super user, who can access all the directories, needs to be defined for management. If the user is a member of 17 or more groups and tries to access files owned by the 17th (or greater) group, the system does not allow the file to be read or copied, and "permission denied" is reported.

Cause

On systems that use NFS Version 2 or 3, users cannot be a member of more than 16 groups without complications.
Groups are defined by the groups command. To permit the user access to the files, rearrange the group order or set the maxgroups option.

Answer

About the "maxgroups" option of the mount command:
maxgroups=n
  •  Indicates that NFS RPC calls using AUTH_UNIX may include up to n member groups of information. Using this option to increase the number of member groups beyond the RPC protocol standard of 16 will only work against servers that support more than 16 member groups. Otherwise, the client will experience errors.
  •  Values below 16 or greater than 64 will be ignored. By default, the protocol standard maximum of 16 is adhered to. AIX NFS servers will accept and process AUTH_UNIX credentials with up to 64 groups starting with AIX 5L Version 5.2 with the 5200-01 Recommended Maintenance package. The actual number of member groups sent by the NFS client is dependent on the number of groups the involved user is a member of, and may be limited by the length of the NFS client's hostname (which is included in the AUTH_UNIX information).
Note:
  •  Default value is 16.
  •  Range of tuning is from 16 to 64.
Below is a test of this problem.

$ mount aix72testos2:/gpfs2/nfstest /nfstest
$ mount
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
aix72testos2 /gpfs2/nfstest /nfstest         nfs4    Mar  4 10:32 vers=4
 
We created a user "apple" that belongs to 20 groups.
 
$ lsuser -f apple
apple:
        id=259
        pgrp=p
        groups=p,system,b,c,d,e,f,h,i,j,k,l,m,n,o,q,r,s,a,z
        home=/home/a
        shell=/usr/bin/ksh
        roles=
 
Note:
  • q is the 16th group.
  • r is the 17th group; "permission denied" is reported, see below.
$ ls -al
total 88
drwxrwxr-x    3 nobody   nobody        16384  Mar  3 10:33 .
drwxr-xr-x   81 bin      bin           12288  Mar  4 10:24 ..
drwxrwx---    2 b        q             16384  Mar  3 13:37 testq
drwxrwx---    2 b        r             16384  Mar  3 13:37 a

 
$ cd testq
 
$ cd a
ksh: a: permission denied

When we mount the NFS using maxgroups option:
$ mount -o maxgroups=64 aix72testos2:/gpfs2/nfstest /nfstest
$ mount
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
aix72testos2 /gpfs2/nfstest /nfstest         nfs4    Mar  4 10:50 maxgroups=64,vers=4
 
Then we can access the file a (which is owned by the 17th group, r) successfully.
 
$ ls -al
total 88
drwxrwxr-x    3 root     system        16384  Mar  3 10:33 .
drwxr-xr-x   81 bin      bin           12288  Mar  4 10:24 ..
drwxrwx---    2 b        q             16384  Mar  3 13:37 testq
drwxrwx---    2 b        r             16384  Mar  3 13:37 a
$ cd a
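
The truncation seen in this test, and the hostname caveat in the maxgroups description, modelled as an added example (not IBM's code). It assumes the RFC 5531 AUTH_UNIX (AUTH_SYS) credential layout with its 400-byte body limit and that the first n groups of the user's list are the ones sent; the client hostname and numeric GIDs are constructed.

```python
import struct

AUTH_BODY_MAX = 400   # RFC 5531: opaque_auth body is opaque<400>
PROTOCOL_GROUPS = 16  # RFC 5531: authsys_parms gids<16>
MAXGROUPS_LIMIT = 64  # upper bound of maxgroups stated on this page


def effective_maxgroups(n):
    """Values below 16 or greater than 64 are ignored (default 16 applies)."""
    return n if PROTOCOL_GROUPS <= n <= MAXGROUPS_LIMIT else PROTOCOL_GROUPS


def xdr_string(s):
    """XDR string: 4-byte length, then the bytes padded to a multiple of 4."""
    data = s.encode("ascii")
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def groups_that_fit(hostname, maxgroups):
    """Group slots left after stamp, machine name, uid, gid and array count."""
    fixed = 4 + len(xdr_string(hostname)) + 4 + 4 + 4
    return max(0, min(effective_maxgroups(maxgroups), (AUTH_BODY_MAX - fixed) // 4))


def build_cred(stamp, hostname, uid, gid, gids, maxgroups):
    """Return (credential body bytes, gids actually sent)."""
    sent = gids[:groups_that_fit(hostname, maxgroups)]
    body = struct.pack(">I", stamp) + xdr_string(hostname)
    body += struct.pack(">III", uid, gid, len(sent))
    body += b"".join(struct.pack(">I", g) for g in sent)
    return body, sent


# Group names are from the lsuser output above; numeric GIDs are constructed.
NAMES = "p,system,b,c,d,e,f,h,i,j,k,l,m,n,o,q,r,s,a,z".split(",")
GIDS = {name: 200 + i for i, name in enumerate(NAMES)}


def dropped_groups(hostname, maxgroups):
    """Names of apple's groups that do not make it into the credential."""
    _, sent = build_cred(0, hostname, 259, GIDS["p"], [GIDS[n] for n in NAMES], maxgroups)
    return [n for n in NAMES if GIDS[n] not in sent]


if __name__ == "__main__":
    host = "nfsclient1"  # constructed client hostname
    for mg in (16, 64, 100):
        print(mg, effective_maxgroups(mg), dropped_groups(host, mg))
    print("255-char hostname, maxgroups=64:", groups_that_fit("h" * 255, 64))
```

Under these assumptions, a group dropped from the credential is simply invisible to the server, which is why access to the directory owned by r fails with the default setting and succeeds with maxgroups=64.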

 


Document Information

Modified date:
29 December 2020

UID

ibm16394574