NFS share permission denied on single user

Hi, as is implied by my username I am fairly new in the role I occupy, so this might be obvious to someone else, but I have been working on this issue for days with no joy.

In short, I am having difficulty with a specific user's permissions on a dataset; this user happens to predate the introduction of AD within our system. This dataset is shared through both SMB and NFS (it has been set as multi-protocol and the ACL has been stripped). The SMB share is not causing any issue, as the user in question (and every other user) is able to rwx on the share when mounted on a client machine. The NFS share has a very different behaviour.

Here’s a quick anonymized example.

[foo_admin@client:~]$ groups foo
share_access_group [...]
[foo_admin@client:~]$ groups legacy_user
share_access_group [... several more groups]

The /etc/fstab mount line

# testing share 
host_machine.domain.local:/mnt/pool/Share /mnt/share nfs defaults 0 0

Using ls to check partitions in /mnt

[foo_admin@client:~]$ ls -l /mnt
total 24
[ non_related_shares ]
drwxrwx---   4 root share_access_group   6 Feb  4 15:09 share

But testing the permissions shows that legacy_user ignores the share_access_group permission.

[foo_admin@client:~]$ sudo -u foo@domain.local test -r /mnt/share/; echo $?
0
[foo_admin@client:~]$ sudo -u legacy_user@domain.local test -r /mnt/share/; echo $?
1

As we can see, even though legacy_user is a member of the group share_access_group, he cannot access the share's data.

Now for the twist: logging onto the server that hosts the share and testing permissions for the same users, we get the expected behaviour.

[foo_admin@host_machine:~]$ sudo -u foo@domain.local test -r /mnt/pool/Share; echo $?
0
[foo_amin@host_machine:~]$ sudo -u legacy_user@domain.local test -r /mnt/pool/Share; echo $?
0

Checking the UIDs and GIDs gives the expected result.

[foo_admin@host_machine:~]$ id foo@domain.local
uid=348401214(DOMAIN\foo) gid=348400513(DOMAIN\domain_users) groups=348400513(DOMAIN\domain_users), 348401286(DOMAIN\share_access_group)
[foo_admin@host_machine:~]$ id legacy_user@domain.local
uid=348401153(DOMAIN\legacy_user) gid=348400513(DOMAIN\domain_users) groups=348400513(DOMAIN\domain_users), 348401286(DOMAIN\share_access_group)
[foo_admin@client:~]$ id foo@domain.local
uid=348401214(foo) gid=348400513(domain_users), 348401286(share_access_group)
[foo_admin@client:~]$ id legacy_user@domain.local
uid=348401153(foo) gid=348400513(domain_users), 348401153(share_access_group)

So here it is: it seems like the NFS mount is disregarding the GID of that legacy user, even though the filesystem of the share allows the legacy user to read locally.

Thanks to anyone who spends the time reading this.

There is a typo in the last code section.

[foo_admin@client:~]$ id foo@domain.local
uid=348401214(foo) gid=348400513(domain_users), 348401286(share_access_group)
[foo_admin@client:~]$ id legacy_user@domain.local
uid=348401153(legacy_user) gid=348400513(domain_users), 348401153(share_access_group)

Could you try with managed gids enabled?
System -> Services -> NFS -> Edit, check the 'Manage Groups Server-side' checkbox.
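Why that checkbox matters: the default NFS security flavour, AUTH_SYS, carries the caller's uid, primary gid and at most 16 supplementary gids in the RPC credential, so a user in many groups can be denied on the mount even though `id` on the server lists the right group; server-side group management makes the server ignore the client's list and resolve membership itself. The check below is an added example, not from this thread or from TrueNAS, that tests whether a required gid would survive that truncation. It assumes the simplified model that the list is what `id -G user` prints, that the first entry is the primary gid (sent in its own field) and that the client keeps the first 16 remaining entries in the order given; the gid values are constructed in the thread's anonymised numbering.

```shell
#!/bin/sh
# Added example (not from the thread): would a required gid be present in
# the AUTH_SYS credential an NFS client sends for this user?
# Assumed model: $1 is the `id -G user` list, entry 0 is the primary gid
# (its own RPC field), entries 1..16 are the supplementary slots the
# client can send, anything later is silently dropped.
AUTH_SYS_MAX_GIDS=16

# auth_sys_gid_visible "<gid list>" <required_gid>
# Returns 0 if the server would see required_gid, 1 if it would be
# dropped by the 16-slot limit, 2 if the user is not in that group at all.
auth_sys_gid_visible() {
    _idx=0
    for _g in $1; do
        if [ "$_g" = "$2" ]; then
            [ "$_idx" -le "$AUTH_SYS_MAX_GIDS" ] && return 0
            return 1
        fi
        _idx=$((_idx + 1))
    done
    return 2
}

# Constructed sample: legacy_user has 19 supplementary groups and
# share_access_group (348401286) is the 18th, past the last slot the
# client sends; foo only has the two groups shown in the thread.
LEGACY_USER_GIDS="348400513 348400600 348400601 348400602 348400603 348400604 348400605 348400606 348400607 348400608 348400609 348400610 348400611 348400612 348400613 348400614 348400615 348400616 348401286 348401300"
FOO_GIDS="348400513 348401286"
SHARE_GID=348401286

# report <label> "<gid list>" <required_gid>: prints a verdict per user.
report() {
    _rc=0
    auth_sys_gid_visible "$2" "$3" || _rc=$?
    case $_rc in
        0) echo "$1: gid $3 fits in the AUTH_SYS credential" ;;
        1) echo "$1: gid $3 is past slot $AUTH_SYS_MAX_GIDS, the client will not send it; enable server-side group management" ;;
        *) echo "$1: not a member of gid $3" ;;
    esac
}

# On a live client replace the constructed lists with:
#   report legacy_user "$(id -G legacy_user@domain.local)" 348401286
report legacy_user "$LEGACY_USER_GIDS" "$SHARE_GID"
report foo "$FOO_GIDS" "$SHARE_GID"
```

Run it on the client with the user's real `id -G` output; if the required group falls past slot 16 the mount will behave exactly as described above while local access on the server works.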