Old 10-15-2015, 06:58 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Does NFS support ACLs?


Does NFS support ACLs? I've put the following in my /etc/exports file:

/redirectedFolders/Users/mark 192.168.0.0/24(rw,acl)

and it didn't complain. And I put the following in my /etc/auto.misc file on the client:

Desktop -fstype=nfs,nfsvers=3,acl,rw mail:/redirectedFolders/Users/mark/Desktop

and it didn't complain either, but when I examine the files so mounted there are no '+' signs at the end of the permissions, so it must not be that simple.

Does anyone have any insight?
 
Old 10-15-2015, 08:51 PM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

NFSv4 does, but I'm not sure about 3 (your "nfsvers=3")
 
Old 10-16-2015, 09:52 AM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
It appears that my server-side nfsd does support version 4. Do you know how I set that? If I have

mail:/redirectedFolders/Users/mark /home/HPRS/mark nfs noauto,nfsvers=4,rw,acl 0 0

in my /etc/fstab on the client, I get the following error when I try to mount:

$ mount /home/HPRS/mark
mount.nfs: access denied by server while mounting mail:/redirectedFolders/Users/mark

If I change back to "nfsvers=3" it mounts OK.
 
Old 10-16-2015, 09:57 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

There are some additional ports that have to be open for v4 (2049), and both server and client have to support NFSv4 (most do, but sometimes..)

https://www.centos.org/docs/5/html/D...US/ch-nfs.html
 
Old 10-16-2015, 10:02 AM   #5
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
A bit of web searching turns up this about the nfsvers= option: "If no version is specified, NFS uses the highest supported version by the kernel and mount command. This option is not supported with NFSv4 and should not be used."

So, I tried removing the option altogether, but got the same "access denied" message.

I also tried

mount -t nfs4 mail:/redirectedFolders/Users/mark /home/HPRS/mark

same error.

Any ideas on why?
 
Old 10-16-2015, 10:08 AM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Ah ah! I added no_root_squash to the server /etc/exports:

/redirectedFolders/Users/mark 192.168.0.0/24(rw,no_root_squash,acl)

and it mounted!!

mount -t nfs4 mail:/redirectedFolders/Users/mark /home/HPRS/mark

Still not showing the ACLs that exist on the server files.

Last edited by mfoley; 10-16-2015 at 10:10 AM.
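
As an added example (not part of the thread), a check for the change made in the post above: `no_root_squash` turns off the default mapping of client uid 0 to the anonymous user, so root on any client matched by the export acts as root on the exported tree. The sketch parses /etc/exports text and lists such exports with how many addresses each client spec covers; the sample strings are the thread's two export lines, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the export line from the first post and the one
# from the post above, treated as two separate /etc/exports files.
BEFORE = "/redirectedFolders/Users/mark 192.168.0.0/24(rw,acl)\n"
AFTER = "/redirectedFolders/Users/mark 192.168.0.0/24(rw,no_root_squash,acl)\n"

def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()  # quoted paths containing spaces are not handled
        for spec in specs:
            client, _, opts = spec.partition("(")
            # A bare "(opts)" token applies to any host, per exports(5).
            yield path, client or "*", set(opts.rstrip(")").split(",")) - {""}

def addresses_covered(client):
    """Number of addresses in an IP or CIDR client spec; None for names and wildcards."""
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return None

def audit(text):
    """Return (path, client, addresses, writable) for each export without root squashing."""
    findings = []
    for path, client, opts in parse_exports(text):
        # root_squash is the default; only an explicit no_root_squash lets a
        # client's uid 0 act as uid 0 on the exported tree.
        if "no_root_squash" in opts:
            findings.append((path, client, addresses_covered(client), "rw" in opts))
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```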
 
Old 10-17-2015, 04:27 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Are you sure? The + only shows if there are ACLs added to a file. Normally, mail directories are owned by the user, with group mail access for the mail transfer agent to write to them. Files with no added ACL get a "." instead.
 
Old 10-18-2015, 03:03 PM   #8
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Here is the `ls -l` of the several files in a folder on the NFS host:

Code:
$ ls -l
-rw-r--r--+ 1 mark    domusers         78 2015-10-16 17:38 phoneMessages
-rw-r--r--+ 1 mark    domusers       9216 2015-10-16 17:10 SURnoMember.xls
-rwxrwx---+ 1 3000026 domusers         27 2015-10-11 22:49 whatGIDUID.txt*

Notice the '+' sign.

Here is the `ls -l` of that same folder mounted on the client workstation. Notice no '+' signs:

Code:
$ ls -l
-rw-r--r-- 1 mark    domain users         78 Oct 16 17:38 phoneMessages
-rw-r--r-- 1 mark    domain users       9216 Oct 16 17:10 SURnoMember.xls
-rwxrwx--- 1 3000026 domain users         27 Oct 11 22:49 whatGIDUID.txt

Here is a `getfacl` for the file phoneMessages on the NFS host (where the file actually lives):

Code:
$ getfacl phoneMessages
# file: phoneMessages
# owner: mark
# group: domusers
user::rw-
user:3000002:rwx                #effective:r--
user:3000003:rwx                #effective:r--
user:3000008:rwx                #effective:r--
user:3000026:rwx                #effective:r--
group::---
group:users:---
group:3000002:rwx               #effective:r--
group:3000003:rwx               #effective:r--
group:3000008:rwx               #effective:r--
mask::r--
other::r--

Here is the `getfacl` on the same file on the NFS client workstation:

Code:
$ getfacl phoneMessages
# file: phoneMessages
# owner: mark
# group: domain\040users
user::rw-
group::r--
other::r--

Notice they are not the same. I do believe I have nfs4 enabled on both my server and client.

Now, here is the error I get on the client when I try to setfacl:

Code:
$ setfacl -m user:10001:rwx phoneMessages
setfacl: phoneMessages: Operation not supported

So, as it stands, I am not getting the ACLs from the server, nor can I set them on the client workstation.

Ideas?
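
An added example, not part of the thread: a small parser for the two `getfacl` listings in the post above (embedded as constructed sample input) that applies the mask and checks the client listing against what plain mode bits convey, where the group class reports the mask rather than the owning group's entry. The function names are hypothetical.

```python
# Constructed sample input: the two getfacl listings quoted in the post above.
SERVER_VIEW = """\
# file: phoneMessages
user::rw-
user:3000002:rwx                #effective:r--
user:3000003:rwx                #effective:r--
user:3000008:rwx                #effective:r--
user:3000026:rwx                #effective:r--
group::---
group:users:---
group:3000002:rwx               #effective:r--
group:3000003:rwx               #effective:r--
group:3000008:rwx               #effective:r--
mask::r--
other::r--
"""
CLIENT_VIEW = "# file: phoneMessages\nuser::rw-\ngroup::r--\nother::r--\n"

def parse_getfacl(text):
    """Return {(tag, qualifier): perms}; headers and #effective notes are dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":", 2)
            entries[(tag, qualifier)] = perms
    return entries

def effective(entries):
    """Apply the mask to named users, the owning group and named groups."""
    mask = entries.get(("mask", ""))
    result = dict(entries)
    for (tag, qualifier), perms in entries.items():
        if mask and (tag == "group" or (tag == "user" and qualifier)):
            result[(tag, qualifier)] = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
    return result

def mode_bits_view(entries):
    """Owner, group class and other as mode bits carry them (group class = mask if set)."""
    view = {key: entries[key] for key in (("user", ""), ("other", ""))}
    view[("group", "")] = entries.get(("mask", ""), entries[("group", "")])
    return view

def compare(server_text, client_text):
    """Return (client shows mode bits only, server entries absent from the client view)."""
    server, client = parse_getfacl(server_text), parse_getfacl(client_text)
    return mode_bits_view(server) == client, sorted(k for k in server if k not in client)

if __name__ == "__main__":
    print(compare(SERVER_VIEW, CLIENT_VIEW))
```

On this input the client's `group::r--` is the server's mask, not the owning group's `---` entry, so the client listing cannot be used to review who actually has access.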
 
Old 10-18-2015, 05:50 PM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Do you have the utility nfs4_getfacl?
The package name should be "nfs4-acl-tools".

It appears that NFSv4 doesn't use the same ACLs as most of Linux filesystems: http://wiki.linux-nfs.org/wiki/index.php/ACLs
so they don't show up in the usual way (I didn't know that - sorry).

It also appears that NFSv3 should support ACLs too: https://access.redhat.com/documentat...e/ch-acls.html, but it depends on both server and client having ACLs, and the NFS server has to support it for NFS.

I'll keep looking.
 
Old 10-19-2015, 12:59 PM   #10
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Quote:
Originally Posted by jpollard
It appears that NFSv4 doesn't use the same ACLs as most of Linux filesystems: http://wiki.linux-nfs.org/wiki/index.php/ACLs so they don't show up in the usual way ...

Hmmm, that link you gave has the following:

"The NFSv4 protocol includes integrated support for ACLs which are similar to those used by Windows. NFSv4 ACLs are richer than POSIX draft ACLs--any POSIX ACL can be represented by an NFSv4 ACL with almost the same semantics ..."

The ACLs on my server were, in fact, created by Windows, so one would think this would work nicely with NFS4.

Quote:
Do you have the utility nfs4_getfacl? The package name should be "nfs4-acl-tools".

No, but I'll check it out.
 
  

