NFSv4 and ACL

xri · 01-28-2011, 04:20 PM

Problem:

We have a directory to be shared amongst several users (all from different client hosts but some of them from the same client host) on a local network.
Some users should have read-only access and some should have full read-write access.

What I have done:

I have implemented ACLs on all the content of the shared directory. It works fine on the server.
I set up the share through NFSv4. It works fine.
However, having ACL work on the clients is not straightforward (I did not know that).

The bottleneck:

Now, the users who should be able to write on that folder can only read the files.

Questions:

What is the most reliable way to make ACL (on this simple setting) work for the clients? I found these options.
Is there a more efficient setup to accomplish the same goal without using NFS?
Maybe something like this or this?

Thank you for reading this.

stress_junkie · 01-28-2011, 06:57 PM

Quote:

Originally Posted by xri

However, having ACL work on the clients is not straightforward (I did not know that).

What specifically is not straightforward about it? Just provide a link to a web page if you want.

Do any of the user accounts belong to more than 16 user groups? That can cause problems.

Are you using the same NFS version on the clients and server? That can cause problems.

The first link that you provided, to the IBM web site, only lists three file system types that support NFS ACLs. Are you using one of these? I don't know the difference between Linux regular ACLs and NFS ACLs. I don't know if there is a difference. They talk about creating these NFS ACLs by using the normal ACL manipulation utilities. Maybe there is a difference depending on the file system type.

xri · 01-30-2011, 05:55 PM

Quote:

What specifically is not straightforward about it? Just provide a link to a web page if you want.

I meant that it does not work out of the box (by adding -o acl to the mount), but still is probably doable. I just have to choose the best method. Maybe the utility on the link?

Quote:

Do any of the user accounts belong to more than 16 user groups?

No.

Quote:

Are you using the same NFS version on the clients and server?

Yes: nfs-utils 1.2.2

Quote:

file system types that support NFS ACLs. Are you using one of these?

No, just ext3.

Here is /etc/exports

Quote:

/export -fsid=0,rw,no_subtree_check 192.168.2.4 192.168.2.6 192.168.2.7
/export/cons -nohide,rw,sync,no_wdelay,no_subtree_check 192.168.2.4 192.168.2.6 192.168.2.7

Here is the /etc/fstab entry on one of the clients:

Quote:

server:/cons /cons nfs4 auto,users,acl 0 0

stress_junkie · 01-30-2011, 06:30 PM

The article about NFSv4 ACLs mapping to a POSIX ACL structure is not encouraging. Is there a compelling reason that you want to use this? It seems that the normal POSIX ACLs used in Linux file systems can be made to implement very detailed security models.

xri · 02-02-2011, 12:55 PM

Thank you for following up.

I regularly use the usual Linux ACLs at work and it makes my life easier (considering the heterogeneous group that work at my little shop).
This is the first time I implement NFSv4, and it comes as a surprise that the mounts on the clients do not support the ACLs present on the server. Maybe I made a mistake? My configs are above.
Therefore, I'm looking for ways to make the acls work for the clients' mounts.

xri · 02-09-2011, 11:55 PM

Maybe a reason for this post not having received much attention could be that most people familiar with the tasks described may consider the problem too trivial to bother?
Maybe I'm overlooking something very simple?
In any case, when I'll figure it out (or give up), and I'll post on this thread again.