Red Hat Bugzilla – Bug 204013
permission problems communicating with FreeBSD-based NFS servers.
Last modified: 2008-04-25 10:27:11 EDT
Description of problem:
FC4 kernels after 2.6.15 have permissions issues when they attempt to connect to
FreeBSD-based NFS servers.
This has been verified on FreeBSD 5.4-RELEASE and Isilon Systems OneFS v3.0 and
v4.0. Both are heavily modified FreeBSD derivatives.
Given two users, usera and userb, both of whom are members of groupa.
Given a file mounted on an NFS share from a FreeBSD-based server with the
following ownership and permissions:
-rw-rw-r-- 1 usera groupa 23 Jul 14 17:12 filea
User userb will not be able to directly modify the file.
Please see reproduction scenario for details.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a user called user1. Create this user with the following
2. Create a user called user2. Create this user with the following
3. Verify user1 and user2's validity using id:
$ id user1
uid=501(user1) gid=100(users) groups=100(users)
$ id user2
uid=502(user2) gid=100(users) groups=100(users)
4. If it does not already exist, create a mount point on the FC4 box
if [ ! -d /mnt/nfsshare ]; then mkdir /mnt/nfsshare; fi
5. Mount an NFS share from a FreeBSD box with read-write capability.
mount -t nfs -o rw freebsd1:/nfsshare /mnt/nfsshare
6. Create a file which is owned by user1, in the users group (100), with 664 perms.
chown user1:users /mnt/nfsshare/testfile
chmod 664 /mnt/nfsshare/testfile
7. Become user2
su - user2
8. Using your favorite editor (or vi), attempt to edit the file that was just
(insert random text)
9. Observe "Can't open file for writing" error.
10. If you like, force a write using :w!
11. Log out of user2 and become user1
su - user1
12. Repeat step 8.
13. Observe "can't open file for writing" error, again.
Demonstrated bidirectionally in above use case.
Also exists as Isilon Systems Case 00007787.
Changing to proper owner, kernel-maint.
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.
Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.
This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.
Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.
In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed. See bug 207474 for further details.
If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.
If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.
Problem was reproduced under 2.6.17-1.2187_FC5.
1) editing a file owned by another user with kedit failed.
2) editing a file owned by another user with vi succeeded, but only by forcing a
write using :w!
3) (new) Appending a file owned by another user with cat >> succeeded.
The previous comment mentioned 2.6.18-1.2200.fc5.
Does that have the same problem ?
Sorry. First upgrade to 2.6.18-1.2200.fc5 was not successful.
Yes, this problem reproduces under 2.6.18-1.2200.fc5.
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we are following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Please change the version to Fedora 8.
I'm having the same problem with my Fedora 8 clients (running 18.104.22.168-64) to my Mac OS X 10.4.11 NFS
I'm not having any problems using a F-8 kernel 22.214.171.124-64.fc8 kernel to
mount a Mac-OS 10.5 server... would it be possible to get a binary bzip2 tshark
network trace? Something similar to:
tshark -w /tmp/bz204013.pcap host <MacServer>
Created attachment 303162
output from tshark
Here is the requested output from tshark.
Here is what the network trace shows: the MacOS server
is failing truncation of a file (see packets 5 and 11 of the trace).
Both requests are coming from a user with the following credentials:
UID: 500 GID: 224
Auxiliary GIDs: 80, 220, 224, 360, 410, 414, 450, 620,
1000, 1003, 1004, 1005, 1006, 1011, 1012, 1013
So from you are saying,
are trying to write to
as user2 which fails.
Unfortunately, the above scenario does not jive with the network
What the network trace is saying is that a user with a GID of 500 and GID 224
who is *not* in group 100 (note the fact that 100 is not in the auxiliary GIDs)
is being denied access to a file that is owned by UID 2501, GID 224 and a
file mode of 0660, which makes sense...
So it appears to me that the uid/gid you think you're using is not
the actual uid/gid being used. Or maybe there is a mismatch of
ids between the server and client?
I'm sorry, there's a little confusion here. I'm not the original poster, so I'm not using the user1, user2
settings that the OP is. Here's my setup (and I'll attach a new tshark output with the output from this
% ls -lna
drwxrws--- 3 2501 224 102 2008-04-23 08:52 .
drwxr-xr-x 10 2501 10 340 2008-04-17 09:42 ..
-rw-rw---- 1 2501 224 9 2008-04-21 11:33 z
uid=1301(joeuser) gid=224(staff-computer) groups=224(staff-computer)
% echo hi >| z
-bash: z: Permission denied
I've run the same commands from a Mac OS X client and I notice a few 'minor' differences:
o The Fedora client sets the Machine Name in the Credentials part of the
packet, the Mac client does not.
o The Fedora client sends the primary GID as an Auxiliary GID, the Mac
client does not.
o The Fedora client sends a new attribute for 'mtime' ("set to server time")
while the Mac client does not.
Not knowing the NFS protocol, I don't know if those are 'normal' -- but an educated guess tells me that
they are and therefore it's probably the Mac NFS server that is broken, right?
Created attachment 303495
new output (from Fedora 8 client)
Created attachment 303496
new output (from Mac OS X client)
First of all, thanks for such an excellent analysis of the problem!
It was definitely appreciated!
I have to agree with your findings that this appears to be a server
problem, so I pinged one of the NFS guys at Apple and here
is his response:
I remember I fixed one that caused ACCESS to return
incorrect access bits which I think went out in a Tiger update,
though I can't pin down which one. But it's possibly fixed in
a Tiger update - though it affected Mac clients too.
Sounds like the customer should now be motivated to
upgrade to 10.5 Leopard. It's not likely that we'll be putting
much effort into fixing 10.4 Tiger bugs now.
So it appears you'll need to update your MacOS to 10.5.
Note: I access a 10.5 exports (on my iMac) from RHEL and Fedora
clients all the time... w/out issue.
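
Added example (not part of the bug thread and not code from any participant): a decoder for the AUTH_SYS credential body that the traces above were read from, plus the plain owner/group/other check a server is expected to apply, run against the file `z` and the joeuser ids quoted in the thread. The stamp, the host name `fedora8-client` and the "outsider" ids are constructed; the check assumes no ACLs and no root squashing.

```python
import struct

def xdr_opaque(data):
    """XDR variable-length opaque: 4-byte length, data, zero pad to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

def build_auth_sys(stamp, machine, uid, gid, gids):
    """Encode authsys_parms (RFC 5531): stamp, machinename, uid, gid, gids<16>."""
    head = struct.pack(">I", stamp) + xdr_opaque(machine.encode("ascii"))
    return head + struct.pack(">III%dI" % len(gids), uid, gid, len(gids), *gids)

def parse_auth_sys(body):
    """Decode an AUTH_SYS credential body, rejecting out-of-spec lengths."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    if name_len > 255:
        raise ValueError("machinename exceeds 255 bytes")
    machine = body[8:8 + name_len].decode("ascii", "replace")
    off = 8 + name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > 16:
        raise ValueError("more than 16 auxiliary gids")
    if len(body) != off + 12 + 4 * count:
        raise ValueError("credential length does not match gid count")
    gids = list(struct.unpack_from(">%dI" % count, body, off + 12))
    return {"machine": machine, "uid": uid, "gid": gid, "gids": gids}

def expected_write(cred, owner, group, mode):
    """Classic owner/group/other check; ignores ACLs and root squashing."""
    if cred["uid"] == owner:
        return bool(mode & 0o200)
    if cred["gid"] == group or group in cred["gids"]:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

# File "z" from the thread's ls -lna output: owner 2501, group 224, mode 0660.
FILE_Z = (2501, 224, 0o660)
# Constructed credentials for joeuser (uid 1301, gid 224); stamp and host name are made up.
FEDORA_STYLE = build_auth_sys(0x1234, "fedora8-client", 1301, 224, [224])
MAC_STYLE = build_auth_sys(0x1234, "", 1301, 224, [])
OUTSIDER = build_auth_sys(0x1234, "fedora8-client", 1400, 100, [100])

if __name__ == "__main__":
    for label, raw in (("fedora", FEDORA_STYLE), ("mac", MAC_STYLE), ("outsider", OUTSIDER)):
        cred = parse_auth_sys(raw)
        print(label, cred, "write expected:", expected_write(cred, *FILE_Z))
```

Both credential styles give the same expected answer for group 224, so the machine name and the repeated primary GID in the Fedora request should not change the outcome of the server's check.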