
Thread: NFSv4 and ACLs

  1. #1
    Join Date
    Nov 2017
    Location
    Busto Arsizio, Italy
    Posts
    13

    NFSv4 and ACLs

    Hi
    I'm trying to set up a new NFSv4 server using ACLs, without centralized auth like Kerberos.
    When I try to copy some files from the client to the server while maintaining the ACLs, I get an "Operation not supported" error.

    Test on the client:
    Code:
    andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl /tmp/abc123 
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/abc123
    # owner: andrea
    # group: users
    user::rw-
    user:andrea:rwx                 #effective:rw-
    group::rwx                      #effective:rw-
    mask::rw-
    other::---
    
    andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl -n /tmp/abc123 
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/abc123
    # owner: 1000
    # group: 100
    user::rw-
    user:1000:rwx                   #effective:rw-
    group::rwx                      #effective:rw-
    mask::rw-
    other::---
    
    andrea@desktop:/mnt/andale.lcl/archive/data/test> cp -a /tmp/abc123 .
    cp: preservazione dei permessi per "./abc123": Operazione non supportata
    andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl ./abc123 
    # file: abc123
    # owner: andrea
    # group: users
    user::rw-
    group::rw-
    other::---
    
    andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl -n ./abc123 
    # file: abc123
    # owner: 1000
    # group: 100
    user::rw-
    group::rw-
    other::---
    The data disk on the server is ext4, but Btrfs doesn't make any difference either:
    Code:
    /dev/sda1 on /mnt/localhost/data type ext4 (rw,relatime,data=ordered)
    And it is exported in this way:
    Code:
    /mnt/localhost/ *(fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,acl,insecure)
    This is the mount on the client:
    Code:
    archive.andale.lcl:/data on /mnt/andale.lcl/archive/data type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,soft,proto=tcp,port=0,timeo=50,retrans=1,sec=sys,clientaddr=192.168.0.1,local_lock=none,addr=x.x.x.x)
    How can I solve this?

  2. #2
    Join Date
    Sep 2012
    Posts
    7,106

    Re: NFSv4 and ACLs

    Quote Originally Posted by Silver_Hawk View Post
    How can I solve this?
    POSIX ACLs are not supported on NFSv4 mounts. You need to either explicitly use NFSv3 or use nfs4-acl-tools to manage NFSv4 ACLs on the client. The server will attempt to map them to POSIX ACLs on the local filesystem; do not forget that there is no way to map arbitrary NFSv4 ACLs to POSIX ACLs (NFSv4 is much richer).

  3. #3
    Join Date
    Jun 2008
    Location
    West Yorkshire, UK
    Posts
    3,611

    Re: NFSv4 and ACLs

    NFSv4 ACLs are for user:<username>, group:<groupname>, owner@<nfs-domain>, group@<nfs-domain> or everyone@<nfs-domain> - so there are some clear syntax errors in your example. Also are you giving full explicit permissions for the operations you want to carry out and are you using port 2049 as required by NFSv4?

  4. #4
    Join Date
    Sep 2012
    Posts
    7,106

    Re: NFSv4 and ACLs

    Quote Originally Posted by john_hudson View Post
    NFSv4 ACLs
    You know what getfacl shows, don't you?
    there are some clear syntax errors in your example
    man 5 acl

  5. #5
    Join Date
    Nov 2017
    Location
    Busto Arsizio, Italy
    Posts
    13

    Re: NFSv4 and ACLs

    Quote Originally Posted by arvidjaar View Post
    POSIX ACLs are not supported on NFSv4 mounts. You need to either explicitly use NFSv3 or use nfs4-acl-tools to manage NFSv4 ACLs on the client.
    OK, if NFSv4 should not be used in this way, is there any way to use it in a desktop environment? To be clearer, with v4 can I use a client without manually fixing the ACLs with nfs4-acl-tools?
    In a real context, which could be a home or small office, I can't ask an end user to open the console and type the command to fix the ACLs every time a file is copied / moved, mainly because it is not his/her job and also because it's really frustrating...
    What should the real application context for NFSv4 be?
    Sorry but I didn't catch this.

    Thanks for your kind reply
    Andrea

  6. #6
    Join Date
    Sep 2012
    Posts
    7,106

    Re: NFSv4 and ACLs

    Quote Originally Posted by Silver_Hawk View Post
    is there any way to use [NFS4 ACLs] in a desktop environment?
    This is too broad and vague a question. What you probably mean - can you copy files between filesystems with POSIX and NFS4 ACLs while preserving ACLs. The generic answer is "no, you cannot" - as I already mentioned, arbitrary NFS4 ACLs cannot be mapped to POSIX ACLs.

    So you need to define your goals and find the most suitable workaround. The obvious available options (in no particular order) - use NFS3 (you never explained why you need NFS4 in the first place); do not use local filesystems at all (use diskless clients with NFS4 mounts); use a local filesystem with NFS4 ACL support (for now I'm aware only of ZFS).

    Or you can try to convince various developers and maintainers to either implement (best efforts) conversion in user space tools or add NFS4 ACLs support to local filesystems.
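
Added example, not part of the original thread: a simplified Python check of the point made in posts #2 and #6, that an NFSv4 ACE often has no exact POSIX ACL entry. It is not the Linux server's mapping code; the ACE text format follows nfs4_getfacl, and the sample ACEs and the andale.lcl NFSv4 domain are constructed for illustration.

```python
# Added example: simplified representability check, not nfsd's real mapping code.
# ACE text format follows nfs4_getfacl: type:flags:principal:permissions


def to_posix(ace):
    """Return (rwx string, reasons the ACE is not exactly a POSIX ACL entry)."""
    kind, flags, who, perms = ace.strip().split(":", 3)
    flags, perms, loss = set(flags), set(perms), []

    if kind in ("U", "L"):
        loss.append("audit/alarm ACEs have no POSIX counterpart")
    elif kind == "D":
        loss.append("POSIX ACL entries only grant; there is no deny entry")

    # POSIX default ACLs are inherited by files and directories alike.
    if "n" in flags:
        loss.append("no-propagate inheritance cannot be expressed")
    if ("f" in flags) != ("d" in flags):
        loss.append("file-only or directory-only inheritance cannot be expressed")

    # POSIX 'w' covers write-data (w) and append-data (a) together.
    if ("w" in perms) != ("a" in perms):
        loss.append("write-data and append-data are split")
    if "d" in perms:
        loss.append("per-file delete is decided by the parent directory in POSIX")
    if "o" in perms:
        loss.append("write-owner cannot be delegated by a POSIX ACL entry")
    if who != "OWNER@" and perms & set("TNC"):
        loss.append("write-attrs/write-ACL belong to the owner only in POSIX")

    rwx = "".join([
        "r" if "r" in perms else "-",
        "w" if {"w", "a"} <= perms else "-",
        "x" if "x" in perms else "-",
    ])
    return rwx, loss


# Constructed sample ACEs (assumed NFSv4 domain: andale.lcl).
SAMPLES = [
    "A::OWNER@:rwatTcCy",             # plain owner entry, maps cleanly
    "A::andrea@andale.lcl:ratcy",     # append-only grant
    "D::andrea@andale.lcl:wa",        # explicit deny
    "A:gf:users@andale.lcl:rtcy",     # inherited by files only
]

if __name__ == "__main__":
    for ace in SAMPLES:
        rwx, loss = to_posix(ace)
        print(f"{ace:32} -> {rwx}  {'; '.join(loss) or 'exact'}")
```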

  7. #7
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    23,710
    Blog Entries
    1

    Re: NFSv4 and ACLs

    Just in case the following is useful to you
    http://wiki.linux-nfs.org/wiki/index.php/ACLs

  8. #8
    Join Date
    Nov 2017
    Location
    Busto Arsizio, Italy
    Posts
    13

    Re: NFSv4 and ACLs

    Quote Originally Posted by arvidjaar View Post
    This is too broad and vague a question. What you probably mean - can you copy files between filesystems with POSIX and NFS4 ACLs while preserving ACLs.
    Exactly.

    Quote Originally Posted by arvidjaar View Post
    So you need to define your goals and find the most suitable workaround.
    You're right, maybe defining my goals could explain better what I'm trying to achieve.

    Let's say there is a group of Linux hosts (small office, home), and I want to share data among the hosts (one of these could be one with the function of a NAS).
    I wish to mount the shared data in only one mount point, so:
    1) every user that can access that host can use it, according to the ACLs
    2) every piece of software can be set up to use this mount point for any need, and is user independent
    3) every service can be set up to use this mount point for any need, is user independent and doesn't require the user to log in
    4) the ACLs (POSIX/NFSv4/whatever) are the same between client and server, and they control what the user can access and with which limitations.
    5) objects that are created/moved/copied maintain the right ACLs, and do not necessarily follow the share configuration (like Samba, the user that does the mount, or forced by config)

    I already know that Samba can be handy to share data, but FWIK it doesn't allow what I'm trying to achieve.

    I hope that now the scenario is a bit more clear.
    Thanks again for your interest

    Andrea

  9. #9
    Join Date
    Nov 2017
    Location
    Busto Arsizio, Italy
    Posts
    13

    Re: NFSv4 and ACLs

    Quote Originally Posted by deano_ferrari View Post
    Just in case the following is useful to you
    http://wiki.linux-nfs.org/wiki/index.php/ACLs
    I already followed this link: I discarded it because the mapping between the ACLs can be done, but only by patching libacl (also, the patch seems not to have been updated for over 10 years) and it can be lossy.

    Thanks anyway

    Andrea

  10. #10
    Join Date
    Sep 2012
    Posts
    7,106

    Re: NFSv4 and ACLs

    Quote Originally Posted by Silver_Hawk View Post
    I hope that now the scenario is a bit more clear.
    And this can be achieved using NFS3 as I already told you more than once.
