From nobody@FreeBSD.org  Fri May 25 12:54:51 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 681A7106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 May 2012 12:54:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 52A808FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 May 2012 12:54:51 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q4PCsonK074300
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 May 2012 12:54:50 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q4PCsoqh074299;
	Fri, 25 May 2012 12:54:50 GMT
	(envelope-from nobody)
Message-Id: <201205251254.q4PCsoqh074299@red.freebsd.org>
Date: Fri, 25 May 2012 12:54:50 GMT
From: Rune <u-fbmk4r@aetey.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: nfsv4 server with krb5 sec limits group number per uid to 16
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         168335
>Category:       kern
>Synopsis:       nfsv4 server with krb5 sec limits group number per uid to 16
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 25 13:00:08 UTC 2012
>Closed-Date:    
>Last-Modified:  Fri Aug  3 09:30:13 UTC 2012
>Originator:     Rune
>Release:        9.0
>Organization:
>Environment:
FreeBSD [hostname] 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
While accessing nfs shares exported with NFSv4 sec=krb5i,
no other export types,
vfs.nfsd.server_max_nfsvers: 4
vfs.nfsd.server_min_nfsvers: 4

access rights to be provided by some groups are not granted (permission denied).
A test reveals this to be the case for the groups not within the first 16 in the output of the "id [-G] <account>" command (on the server).

A quick glance at the source suggests that it may have to do with

fs/nfs/rpcv2.h:#define    RPCAUTH_UNIXGIDS 16

which is being used in

./../rpc/rpcsec_gss/svc_rpcsec_gss.c:  gid_t cl_gid_storage[RPCAUTH_UNIXGIDS];
./../rpc/rpcsec_gss/svc_rpcsec_gss.c:  numgroups = RPCAUTH_UNIXGIDS;

This problem is a showstopper for a deployment (migrating from a *Solaris server) as we are using groups very extensively.

Regards,
Rune
>How-To-Repeat:
put an account in more than 16 unix groups
export a share over NFSv4 sec=krb5i  (well, any krb*)
create a directory not owned by the account, chgrp it to the account's group with the highest gid (or otherwise "one of the later groups on its list"), chmod 770

access the share (e.g. from a RHEL5.6 Linux client) with the Kerberos credentials of the corresponding account

ls -ld <the-directory>   shows owner,group and the rwxrwx--- permissions
ls -l <the-directory>    yields "permission denied"

Note that the same test passes (no "permission denied") against both Solaris and Linux NFSv4 servers with the same Kerberos realm, passwd/group database, accounts and client hosts.
>Fix:


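The description above points at a fixed-size gid buffer (RPCAUTH_UNIXGIDS, 16) in the RPCSEC_GSS server path as the likely cause. The following is an added example, not code from the report or from FreeBSD: it models in plain C how copying a user's group list into a credential with room for only 16 entries silently drops the later groups, so a standard owner/group/other check then fails for a directory whose group sits beyond position 16, exactly as the How-To-Repeat describes. Only the value 16 comes from the report; the struct names, the 1024 ceiling for the "fixed" case, the constructed uid/gid values and the simplified access check are assumptions made for illustration and are not FreeBSD's kernel structures.

```c
/* Added example, not FreeBSD code. Models how a fixed-size gid buffer in
 * the RPCSEC_GSS server path truncates a user's group list and makes a
 * group-granted access check fail. RPCAUTH_UNIXGIDS 16 is the value the
 * report quotes from fs/nfs/rpcv2.h; everything else is a simplified
 * model with assumed names and sizes. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RPCAUTH_UNIXGIDS 16     /* limit quoted in the report */
#define MODEL_NGROUPS    1024   /* assumed larger ceiling for a fixed build */

struct model_cred {
    uid_t uid;
    gid_t gids[MODEL_NGROUPS];  /* gids[0] is the primary gid */
    int   ngids;
    int   truncated;            /* set when the full list did not fit */
};

struct model_inode {
    uid_t    uid;
    gid_t    gid;
    unsigned mode;              /* low 9 permission bits, e.g. 0770 */
};

/* Copy the user's full group list into a credential whose storage holds
 * at most 'cap' entries. cap == RPCAUTH_UNIXGIDS reproduces the reported
 * behaviour: groups past the cap are silently dropped. */
static void
model_build_cred(struct model_cred *cr, uid_t uid,
                 const gid_t *groups, int ngroups, int cap)
{
    int n = ngroups;

    if (cap > MODEL_NGROUPS)
        cap = MODEL_NGROUPS;
    if (n > cap)
        n = cap;
    memset(cr, 0, sizeof(*cr));
    cr->uid = uid;
    memcpy(cr->gids, groups, (size_t)n * sizeof(gid_t));
    cr->ngids = n;
    cr->truncated = (ngroups > cap);
}

static int
model_groupmember(const struct model_cred *cr, gid_t gid)
{
    for (int i = 0; i < cr->ngids; i++)
        if (cr->gids[i] == gid)
            return 1;
    return 0;
}

/* Classic discretionary check: select the owner, group or other bits,
 * then require every bit in 'want' (04 = r, 02 = w, 01 = x). */
static int
model_access(const struct model_cred *cr, const struct model_inode *ip,
             unsigned want)
{
    unsigned bits;

    if (cr->uid == ip->uid)
        bits = (ip->mode >> 6) & 7;
    else if (model_groupmember(cr, ip->gid))
        bits = (ip->mode >> 3) & 7;
    else
        bits = ip->mode & 7;
    return (bits & want) == want;
}

/* The report's scenario: an account in 20 groups, a directory owned by
 * someone else, chgrp'd to the group at position 'group_index' on the
 * account's list, mode 0770. Returns 1 when listing the directory
 * (read + search) would be permitted, 0 for "permission denied". */
static int
model_ls_succeeds(int cap, int group_index)
{
    gid_t groups[20];
    struct model_cred cr;

    for (int i = 0; i < 20; i++)
        groups[i] = 1000 + (gid_t)i;            /* constructed sample gids */

    struct model_inode dir = { .uid = 0, .gid = groups[group_index], .mode = 0770 };
    model_build_cred(&cr, 5000, groups, 20, cap);   /* assumed uid 5000 */
    return model_access(&cr, &dir, 04 | 01);
}

int
main(void)
{
    printf("cap=%d, group #6:  %s\n", RPCAUTH_UNIXGIDS,
           model_ls_succeeds(RPCAUTH_UNIXGIDS, 5) ? "ok" : "permission denied");
    printf("cap=%d, group #19: %s\n", RPCAUTH_UNIXGIDS,
           model_ls_succeeds(RPCAUTH_UNIXGIDS, 18) ? "ok" : "permission denied");
    printf("cap=%d, group #19: %s\n", MODEL_NGROUPS,
           model_ls_succeeds(MODEL_NGROUPS, 18) ? "ok" : "permission denied");
    return 0;
}
```

With the cap at 16 the check passes for a group inside the first 16 and fails for the 19th, matching the reported behaviour; raising the cap makes the same directory accessible. In a real server the truncation happens once when the credential is built from the authenticated principal, so every later permission check on that connection inherits the shortened list.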
>Release-Note:
>Audit-Trail:

From: u-fbmk4r@aetey.se
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/168335: nfsv4 server with krb5 sec limits group number per
 uid to 16
Date: Mon, 23 Jul 2012 14:17:35 +0200

 Hello,
 
 The bug is a showstopper, is there anybody looking at it??
 
 Regards,
 Rune
 

From: u-fbv9mc@aetey.se
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/168335: nfsv4 server with krb5 sec limits group number per
 uid to 16
Date: Fri, 3 Aug 2012 11:11:25 +0200

 Looking forward to a fix.
 
 We will be forced to drop FreeBSD as a server platform if there is no
 fix soon.
 
 Pity; it does not help that the OS is "mostly very good" - a small but crucial
 deficiency makes the whole thing worthless.
 
 Regards,
 Rune
 

From: u-fbv9mc@aetey.se
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/168335: nfsv4 server with krb5 sec limits group number per
 uid to 16
Date: Fri, 3 Aug 2012 11:27:38 +0200

 Note that the lack of protection for the submitters' addresses
 forces us to regularly disable/replace the addresses due to excessive spam.
 That's the reason why the original submitter mail address is no longer
 valid since today.
 
 This does not change the fact that we are interested in a fix and in
 the feedback. We are monitoring the issue web page.
 
 Note that we always post and repost from working addresses and that
 several months without a reply is too long a time to expect a single mail
 address to remain valid, given that _you_ publish it at once.
 
 The issue remains valid and crucial.
 
 Rune
 
>Unformatted:
