What is the maximum number of groups a user can belong to when using "-g" option of rpc.mountd?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • NFS

Issue

  • What's the maximum number of groups a user can belong to when using "-g" option?

Resolution

  • When the --manage-gids option for rpc.mountd being set on the NFS server in /etc/sysconfig/nfs, the maximum number of groups a user can belong to depends on the number of digits used to represent each GID, since char buffer employed on the kernel (see below) have a fixed size (8k). This 8K buffer does not exist anymore starting RHEL 8.4 since userland buffer (32k) is matched on the kernel and we will never report the error auth_unix_gid: error writing reply.

Root Cause

  • With -g option, rpc.mountd checks /proc/net/rpc/auth.unix.gid/channel to get a uid which is used as a credential by an NFS request, and searchs gids for the uid from /etc/group. The gids will be written to the channel by the rpc.mountd. The kernel replaces gids of NFS requests by the gids of /proc/net/rpc/auth.unix.gid/content, and authenticates the requests.
  • It will be failed if writing characters more than 8191 in write_buffer,so the maximum number depends on the digit of gid.
  • net/sunrpc/cache.c:
 853 static ssize_t cache_slow_downcall(const char __user *buf,
 854                                    size_t count, struct cache_detail *cd)
 855 {
 856         static char write_buf[8192]; /* protected by queue_io_mutex */
 857         ssize_t ret = -EINVAL;
 858 
 859         if (count >= sizeof(write_buf))
 860                 goto out;
 861         mutex_lock(&queue_io_mutex);
 862         ret = cache_do_downcall(write_buf, buf, count, cd);
 863         mutex_unlock(&queue_io_mutex);
 864 out:
 865         return ret;
 866 }

Diagnostic Steps

  • NFS Server:
# id test1
uid=1039(test1) gid=1039(test1) groups=1039(test1),60001(tgrp001),60002(tgrp002),60003(tgrp003),60004(tgrp004),60005(tgrp005),60006(tgrp006),60007(tgrp007),60008(tgrp008),60009(tgrp009),60010(tgrp010),60011(tgrp011),60012(tgrp012),60013(tgrp013),60014(tgrp014),60015(tgrp015),60016(tgrp016),60017(tgrp017),60018(tgrp018),60019(tgrp019),60020(tgrp020),60021(tgrp021),60022(tgrp022),60023(tgrp023),60024(tgrp024),60025(tgrp025),60026(tgrp026),60027(tgrp027),60028(tgrp028),60029(tgrp029),60030(tgrp030),60031(tgrp031),60032(tgrp032),60033(tgrp033),60034(tgrp034),60035(tgrp035),60036(tgrp036),60037(tgrp037),60038(tgrp038),60039(tgrp039),60040(tgrp040),60041(tgrp041),60042(tgrp042),60043(tgrp043),60044(tgrp044),60045(tgrp045),60046(tgrp046),60047(tgrp047), ... , 61360(tgrp1360)

# id test2
uid=1040(test2) gid=1040(test2) groups=1040(test2),60001(tgrp001),60002(tgrp002),60003(tgrp003),60004(tgrp004),60005(tgrp005),60006(tgrp006),60007(tgrp007),60008(tgrp008),60009(tgrp009),60010(tgrp010),60011(tgrp011),60012(tgrp012),60013(tgrp013),60014(tgrp014),60015(tgrp015),60016(tgrp016),60017(tgrp017),60018(tgrp018),60019(tgrp019),60020(tgrp020),60021(tgrp021),60022(tgrp022),60023(tgrp023),60024(tgrp024),60025(tgrp025),60026(tgrp026),60027(tgrp027),60028(tgrp028),60029(tgrp029),60030(tgrp030),60031(tgrp031),60032(tgrp032),60033(tgrp033),60034(tgrp034),60035(tgrp035),60036(tgrp036),60037(tgrp037),60038(tgrp038),60039(tgrp039),60040(tgrp040),60041(tgrp041),60042(tgrp042),60043(tgrp043),60044(tgrp044),60045(tgrp045),60046(tgrp046),60047(tgrp047), ... ,61361(tgrp)

# cat /proc/net/rpc/auth.unix.gid/content 
#uid cnt: gids...
0 1: 0
# 1039 0:
1040 1361: 1040 60001 60002 60003 60004 60005 60006 60007 60008 60009 60010 60011 60012 60013 60014 60015 60016 60017 60018 60019 60020 60021 60022 60023 60024 60025 60026 60027 60028 60029 60030 60031 60032 60033 60034 60035 60036 60037 60038 60039 60040 60041 60042 60043 60044 60045 60046 60047 60048 60049 60050 60051 60052 60053 60054 60055 60056 60057 60058 60059 60060 60061 60062 60063 60064 60065 60066 60067 60068 60069 60070 60071 60072 60073 60074 60075 60076 60077 60078 60079 60080 60081 60082 60083 60084 60085 60086 60087 60088 60089 60090 60091 60092 60093 60094 60095 ... 61359 61360
# strace -p <rpc.mountd  pid>
test1:
write(4, "1039 1472107980 1362 1039 60001 "..., 8193) = -1 EINVAL (Invalid argument)    <-- fail
test2:
write(4, "1040 1472108957 1361 1040 60001 "..., 8187) = 8187                                             <-- success
  • Also the following message appears on NFS server when rpc.mountd fails to write on RPC channel :
Oct 13 04:52:49 rhel73 rpc.mountd[11231]: auth_unix_gid: error writing reply

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments