NFSv4 and ACLs

Hi
I’m trying to set up a new NFSv4 server using ACLs, without centralized auth like Kerberos.
When I try to copy some files from the client to the server while preserving the ACLs, I get an “Operation not supported” error.

Test on the client:

andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl /tmp/abc123 
getfacl: Removing leading '/' from absolute path names
# file: tmp/abc123
# owner: andrea
# group: users
user::rw-
user:andrea:rwx                 #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---

andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl -n /tmp/abc123 
getfacl: Removing leading '/' from absolute path names
# file: tmp/abc123
# owner: 1000
# group: 100
user::rw-
user:1000:rwx                   #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---

andrea@desktop:/mnt/andale.lcl/archive/data/test> cp -a /tmp/abc123 .
cp: preservazione dei permessi per "./abc123": Operazione non supportata
andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl ./abc123 
# file: abc123
# owner: andrea
# group: users
user::rw-
group::rw-
other::---

andrea@desktop:/mnt/andale.lcl/archive/data/test> getfacl -n ./abc123 
# file: abc123
# owner: 1000
# group: 100
user::rw-
group::rw-
other::---

The data disk on the server is Ext4, but Btrfs doesn’t make any difference either:

/dev/sda1 on /mnt/localhost/data type ext4 (rw,relatime,data=ordered)

And it is exported in this way:

/mnt/localhost/ *(fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,acl,insecure)

This is the mount on the client:

archive.andale.lcl:/data on /mnt/andale.lcl/archive/data type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,soft,proto=tcp,port=0,timeo=50,retrans=1,sec=sys,clientaddr=192.168.0.1,local_lock=none,addr=x.x.x.x)

How can I solve this?

POSIX ACLs are not supported on NFSv4 mounts. You need to either explicitly use NFSv3 or use nfs4-acl-tools to manage NFSv4 ACLs on the client. The server will attempt to map them to POSIX ACLs on the local filesystem; do not forget that there is no way to map arbitrary NFSv4 ACLs to POSIX ACLs (NFSv4 is much richer).
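To make the mapping concrete, here is an added example (not from this thread or from nfs4-acl-tools) that turns the getfacl listing from the question into nfs4_setfacl ACE lines and reports what the POSIX mask entry drops on the way, since an NFSv4 ACL has no mask. The r/w/x-to-NFSv4 letter expansion, the domain andale.lcl and the function names are assumptions.

```python
# Added example (not from the thread): POSIX ACL -> nfs4_setfacl ACEs, plus the bits the mask strips.
# Assumed expansion of POSIX r/w/x into nfs4_setfacl permission letters (r: read data/named attrs/
# attributes/ACL/sync; w: write data/append/attrs/named attrs; x: execute). Verify against nfs4_setfacl(1).
NFS4_BITS = {"r": "rntcy", "w": "waTN", "x": "x"}

def apply_mask(perms: str, mask: str) -> str:
    """Keep only the bits also present in the POSIX mask entry."""
    return "".join(p if p in mask else "-" for p in perms)

def posix_to_nfs4(getfacl_text: str, domain: str):
    """Return (aces, lost): 'nfs4_setfacl -a' lines and the POSIX bits the mask hid."""
    entries, mask = [], "rwx"
    for raw in getfacl_text.splitlines():
        line = raw.split("#")[0].strip()      # drop '# file:' and '#effective:' text
        if line:
            tag, qualifier, perms = line.split(":")
            if tag == "mask":
                mask = perms
            else:
                entries.append((tag, qualifier, perms))
    aces, lost = [], []
    for tag, qualifier, perms in entries:
        flags, masked = "", True
        if tag == "user" and not qualifier:   # file owner: mask never applies
            principal, masked = "OWNER@", False
        elif tag == "user":                   # named user: masked
            principal = f"{qualifier}@{domain}"
        elif tag == "group":                  # owning or named group: masked, 'g' flag
            principal, flags = (f"{qualifier}@{domain}" if qualifier else "GROUP@"), "g"
        elif tag == "other":                  # other: mask never applies
            principal, masked = "EVERYONE@", False
        else:
            raise ValueError(f"unsupported ACL entry: {tag}:{qualifier}:{perms}")
        eff = apply_mask(perms, mask) if masked else perms
        stripped = "".join(p for p in perms if p != "-" and p not in eff)
        if stripped:                          # this is the lossy part of the translation
            lost.append(f"{tag}:{qualifier}:{perms} -> {eff} (lost {stripped})")
        bits = "".join(NFS4_BITS[p] for p in eff if p != "-")
        if bits:                              # an empty ALLOW ACE grants nothing, skip it
            aces.append(f"A:{flags}:{principal}:{bits}")
    return aces, lost

# Constructed input: the client-side getfacl listing quoted in the question.
SAMPLE = """# file: tmp/abc123
user::rw-
user:andrea:rwx                 #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---
"""
```

Running `posix_to_nfs4(SAMPLE, "andale.lcl")` yields three ALLOW ACEs (owner, andrea, group) and two "lost x" records, which is exactly the information the server-side mapping cannot carry back the other way.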

NFSv4 ACLs are for user:<username>, group:<groupname>, owner@<nfs-domain>, group@<nfs-domain> or everyone@<nfs-domain>, so there are some clear syntax errors in your example. Also, are you giving full explicit permissions for the operations you want to carry out, and are you using port 2049 as required by NFSv4?

You know what getfacl shows, don’t you?

there are some clear syntax errors in your example

man 5 acl

Ok, if NFSv4 is not supposed to be used in this way, is there any way to use it in a desktop environment? To be more clear, with v4 can I use a client without manually fixing the ACLs with nfs4-acl-tools?
In a real context, which could be at home or in a small office, I can’t ask an end user to open the console and type the command to fix the ACLs every time a file is copied / moved, mainly because it is not his/her job and also because it’s really frustrating…
What should the real application context for NFSv4 be?
Sorry, but I didn’t catch this.

Thanks for your kind reply
Andrea

This is too broad and vague a question. What you probably mean is: can you copy files between filesystems with POSIX and NFS4 ACLs while preserving the ACLs? The generic answer is “no, you cannot”; as I already mentioned, arbitrary NFS4 ACLs cannot be mapped to POSIX ACLs.

So you need to define your goals and find the most suitable workaround. The obvious available options (in no particular order): use NFS3 (you never explained why you need NFS4 in the first place); do not use local filesystems at all (use diskless clients with NFS4 mounts); use a local filesystem with NFS4 ACL support (for now I’m aware only of ZFS).

Or you can try to convince various developers and maintainers to either implement (best efforts) conversion in user space tools or add NFS4 ACLs support to local filesystems.

Just in case the following is useful to you
http://wiki.linux-nfs.org/wiki/index.php/ACLs

Exactly.

You’re right, maybe defining my goals could explain better what I’m trying to achieve.

Let’s say there is a group of Linux hosts (small office, home), and I want to share data among the hosts (one of these could have the function of a NAS).
I wish to mount the shared data in only one mount point, so:

  1. every user that can access that host can use that, according to the ACLs
  2. every software can be set up to use this mount point for any need, and is user independent
  3. every service can be set up to use this mount point for any need, is user independent and doesn’t require the user to log in
  4. the ACLs (POSIX/NFSv4/whatever) are the same between client and server, and they control what the user can access and with which limitations.
  5. objects that are created/moved/copied maintain the right ACLs, and do not necessarily follow the share configuration (like Samba: the user that does the mount, or forced by config)

I already know that Samba can be handy to share data, but AFAIK it doesn’t allow what I’m trying to achieve.

I hope that now the scenario is a bit more clear.
Thanks again for your interest

Andrea

I already followed this link: I discarded it because the mapping between the ACLs can be done, but only by patching libacl (and the patch seems not to have been updated for over 10 years), and it can be lossy.

Thanks anyway

Andrea

And this can be achieved using NFS3 as I already told you more than once.