
I have a fileserver with NFS exports on it. On the server, I have a media directory that I ran setfacl -m g:44000:rwx media on. The directory is exported with rw,sync,no_subtree_check.

On my client, I can run nfs4_getfacl media and it returns the expected A:g:44000:rwaDxtcy line.

Permissions on media are drwxrwxr-x

If I run mkdir media/foo on the client I get mkdir: cannot create directory ‘/mnt/share/media/foo’: Permission denied

I have verified that:

  • My client user belongs to a group with gid 44000 ($ id -> ...44000(media-write))

  • ACLs function as expected server side mounted locally

  • The acl option is present in the fstab mounting line for the share (this shouldn't be necessary but I added it just in case)

  • umask is 0002 on client and server

1 Answer


In order for secondary groups to work over NFS, assuming the --manage-gids flag is on, you must have a matching user on the host with the same secondary group assignment. In this case my UID on the server did not have the media-write secondary. In fact, a user with the matching ID did not even exist. In this case, the two possible fixes would be to add a matching user server-side and assign it the appropriate group, or to disable the --manage-gids flag and ensure you don't violate the 16-group limit for NFS.

This applies to both regular group ownership permissions and ACLs.
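Added example (not part of the original answer): a shell sketch that models the lookup the answer describes, where with --manage-gids the server derives a UID's groups from its own passwd and group databases and ignores the list the client sends. The function names, the users alice and bob, and the UIDs 1000 to 1002 are constructed for illustration; only gid 44000 and the media-write group come from the question.

```shell
#!/bin/sh
# Added example: models the server-side group lookup done under --manage-gids.
# Inputs are passwd- and group-format files taken from the NFS server.

# Print the GIDs the server's databases hold for a numeric UID (primary first).
# Returns 1 and prints nothing when the UID has no passwd entry on the server.
server_gids_for_uid() {
    uid=$1 passwd_db=$2 group_db=$3
    entry=$(awk -F: -v u="$uid" '$3 == u { print $1 ":" $4; exit }' "$passwd_db")
    [ -n "$entry" ] || return 1
    name=${entry%%:*}
    primary=${entry#*:}
    awk -F: -v n="$name" -v p="$primary" '
        BEGIN { out = p }
        {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == n && $3 != p) out = out " " $3
        }
        END { print out }' "$group_db"
}

# Return 0 only if the server-side lookup for UID ($1) includes GID ($2).
server_grants_gid() {
    gids=$(server_gids_for_uid "$1" "$3" "$4") || return 1
    case " $gids " in *" $2 "*) return 0 ;; esac
    return 1
}

# Constructed sample data standing in for the server's databases.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
EOF
cat > "$sample_dir/group" <<'EOF'
alice:x:1000:
bob:x:1001:
media-write:x:44000:bob
EOF

for u in 1000 1001 1002; do
    if server_grants_gid "$u" 44000 "$sample_dir/passwd" "$sample_dir/group"; then
        echo "uid $u: server lookup includes gid 44000"
    else
        echo "uid $u: server lookup lacks gid 44000, client-side membership is ignored"
    fi
done
```

UID 1002 has no entry in the sample passwd data, which is the situation the answer describes. On a real server the two input files can be produced with getent passwd and getent group, provided the name service allows enumeration.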
