Issues with LDAP user/group permissions on NFS share

I can't seem to make sense of this.

[sshaun@upilampdev ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
upi-nasc:/vol/upilampdev/html on /var/www/html type nfs (rw,addr=192.168.43.9)
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ ls -ld /var/www/html/test-dir
drwxrwxr-x 2 apache web-developers 4096 Jul 16 2009 /var/www/html/test-dir
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ ls -ld /tmp/test-dir
drwxrwxr-x 2 apache web-developers 4096 Jul 16 16:07 /tmp/test-dir
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ id
uid=1010(sshaun) gid=2016(sshaun) groups=48(apache),1018(prod-ultradent),1022(prod-upijapan),1024(stage-distributornews),1032(stage-ultradent),1036(stage-upijapan),1052(stage-upiitaly),1066(stage-upibrazil),1067(stage-upispanish),1080(stage-upicroatia),1081(prod-upispanish),1084(prod-sfd),1085(stg-valo),1089(prod-scripts),1091(stg-upifrench),1092(stg-upidutch),1094(web-developers),1095(stg-upirussian),2016(sshaun)
[sshaun@upilampdev ~]$ getent group web-developers
web-developers:x:1094:aangela,wjonathan,sshaun
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ touch /tmp/test-dir/file
[sshaun@upilampdev ~]$
[sshaun@upilampdev ~]$ touch /var/www/html/test-dir/file
touch: cannot touch `/var/www/html/test-dir/file': Permission denied

What might be causing this? That NFS share is being mounted from a NetApp and I don't believe it's being exported on there with any special options.

Edit: and to make things even more weird, this is only happening to 1 of the 4 users in the web-developers group.

Thanks,
Dan

If this is being mounted using NFS V3, then NFS V3 will only honour the first 16 groups the user is a member of. The user sshaun has the web-developers group as their 18th group by my count.
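The check described in the answer above, as an added example that is not part of the original thread: it parses `id` output and reports which groups fall past the 16-group limit. The function names are hypothetical, and it assumes the NFS client sends groups in the order `id` prints them, counting entries in `groups=` as printed, and that group names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Limit named in the answer above.
AUTH_SYS_MAX_GROUPS=16

# Sample input: the `id` output quoted in the question.
SAMPLE_ID='uid=1010(sshaun) gid=2016(sshaun) groups=48(apache),1018(prod-ultradent),1022(prod-upijapan),1024(stage-distributornews),1032(stage-ultradent),1036(stage-upijapan),1052(stage-upiitaly),1066(stage-upibrazil),1067(stage-upispanish),1080(stage-upicroatia),1081(prod-upispanish),1084(prod-sfd),1085(stg-valo),1089(prod-scripts),1091(stg-upifrench),1092(stg-upidutch),1094(web-developers),1095(stg-upirussian),2016(sshaun)'

# group_names ID_OUTPUT -> one group name per line, in the order id printed them.
# Entries without a resolved name are kept as the bare numeric GID.
group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# group_position ID_OUTPUT GROUP -> 1-based position, or 0 if not listed.
group_position() {
    group_names "$1" | awk -v g="$2" '
        $0 == g { print NR; found = 1; exit }
        END     { if (!found) print 0 }'
}

# dropped_groups ID_OUTPUT -> names that sit past the limit.
dropped_groups() {
    group_names "$1" | awk -v max="$AUTH_SYS_MAX_GROUPS" 'NR > max'
}

# check_group ID_OUTPUT GROUP -> 0 within limit, 1 past limit, 2 not listed.
check_group() {
    pos=$(group_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then
        echo "$2: not in the group list"; return 2
    elif [ "$pos" -gt "$AUTH_SYS_MAX_GROUPS" ]; then
        echo "$2: position $pos, past the ${AUTH_SYS_MAX_GROUPS}-group limit"; return 1
    fi
    echo "$2: position $pos, within the limit"; return 0
}

# Run against the sample; on a live client use: check_group "$(id)" web-developers
check_group "$SAMPLE_ID" web-developers || true
echo "Past the limit:"; dropped_groups "$SAMPLE_ID"
```
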

That might explain why it's randomly happening for this user as well as other users. I don't think LDAP keeps the groups in the same order every time. I did mount this with the -t NFS4 option and it didn't seem to fix the problem. I'll look into removing some of the groups from that user.

On the LDAP systems I have seen, the groups are listed in the order the user was added to them, so you could try removing the user from all the secondary groups, adding the user back into the web-developers group first, and then adding them back into the other groups?

Removing him from several groups fixed the issue.

Should this be fixed in NFS_V4? I mounted this same NetApp share with mount.nfs4 and it didn't seem to make a difference. Does the NetApp have to be NFS4 aware?

NFS V4 will overcome the limit of 16 groups. The NetApp filer either needs to use the LDAP system or else replicate the users and groups in local files if it is not already so it "knows" who the users are and what groups they are in.

You can add --manage-group-gids to the server. It'll fix this problem. If you're not having the same problem as me (I can't find a solution to it).

Cut down the groups until you've only got 3-4 and then test... If it's the same, then we're in the same boat.