If a user belongs to more than 16 groups, group permissions for an NFS mounted directory may not work as expected.
A user might not be allowed the access to files/directories that their group list says they should have.
The groups that grant the access are found to be listed at or after the 16th group entry.
Access might work from some machines, and not from others.
The NFS/RPC protocol comes with an associated group limit of 16. This is not a VAS issue.
Use the newgrp command to change the user's primary group temporarily for accessing the needed dir/file.
ADDITIONAL INFORMATION:
Prior to version 4.0.3.175, vasd had no ordering when returning group memberships. The vasd daemon now returns a list of groups in alphabetical order. This includes group memberships. So '_first' will return before 'last' in most group membership requests. This change introduces a potential workaround for the NFS groups limitation by using group-override to change names, since on NFS only the GID matters.
The following is an example of how to test this:
For the purposes of potentially working around the NFS group limit issue the group-override file can be used.
/etc/opt/quest/vas/group-override
For example, if the group that is required to be one of the 16 groups is named engineering, then the following could be set in the group-override file, where DOMAIN is your domain name:
DOMAIN\engineering:_engineering::
Check that it is working with the following command, which should resolve the group:
vastool list group _engineering
This will list the override:
vastool list -o group _engineering
Use this command to check that the GID of _engineering is in the first 16 groups listed for the user:
vastool nss getgroups <username>
Test functionality.
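The "first 16 groups" check from the step above can be scripted. This is an added example, not One Identity code: the function names and the sample GIDs are hypothetical, and it assumes the user's GIDs have already been extracted as a whitespace-separated list in the order they are returned (the output format of vastool nss getgroups is not shown in this article).

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
NFS_GROUP_LIMIT=16   # NFS/RPC group limit described in this article

# gid_position TARGET_GID GID...
# Prints the 1-based position of TARGET_GID in the list, or 0 if absent.
gid_position() {
    target=$1; shift
    pos=0
    for gid in "$@"; do
        pos=$((pos + 1))
        if [ "$gid" = "$target" ]; then
            echo "$pos"
            return 0
        fi
    done
    echo 0
}

# check_nfs_gid TARGET_GID GID...
# Returns 0 if the GID is within the first 16 entries,
#         1 if it is listed after them,
#         2 if the user is not a member at all.
check_nfs_gid() {
    target=$1
    pos=$(gid_position "$@")
    if [ "$pos" -eq 0 ]; then
        echo "GID $target: not in the user's group list"
        return 2
    elif [ "$pos" -le "$NFS_GROUP_LIMIT" ]; then
        echo "GID $target: position $pos, inside the first $NFS_GROUP_LIMIT"
        return 0
    else
        echo "GID $target: position $pos, beyond the first $NFS_GROUP_LIMIT"
        return 1
    fi
}

# Constructed sample: 18 GIDs in the order returned for one user.
SAMPLE_GIDS="5001 5002 5003 5004 5005 5006 5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017 5018"

check_nfs_gid 5003 $SAMPLE_GIDS || true   # inside the first 16
check_nfs_gid 5017 $SAMPLE_GIDS || true   # beyond the first 16
```

Run it before and after adding the group-override entry, passing the GID of the renamed group, to confirm that its position in the list changed.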