3

I have several RHEL6 machines. One is exporting an NFS mount to the rest. I have ACLs set on the server (set using setfacl -m), but none of the clients are seeing any of them.

Here is my export on server1:

```
/myexport    server2.example.com(rw,async,no_root_squash)
```

Here is my fstab on server2:

```
server1.example.com:/myexport  /mnt  nfs4  noatime,async,lock 0 0
```

I have tried adding acl to my fstab mount options with no luck. Anyone know why I cannot see the ACLs on the client?

Franklin Piat
Marty
  • What command do you use to get ACLs on the client? – kofemann Sep 18 '13 at 06:25
  • 1
    I use getfacl. Of course, regardless of the commands I use, permission is denied to users who should have access. – Marty Sep 20 '13 at 16:24
  • For NFS, you have to use nfs4_getfacl/nfs4_setfacl from the nfs4-acl-tools package – kofemann Sep 24 '13 at 14:15
  • OK, so when I use nfs4_getfacl I see the proper ACL on the directories, BUT the system gives permission denied no matter what, so why are the ACLs not being obeyed? – Marty Sep 24 '13 at 23:53

2 Answers

6

The ACLs are used and active over NFS. Use the command nfs4_getfacl to show the ACLs on an NFSv4 mount:

```
$ nfs4_getfacl /tmp/test
A::OWNER@:rwatTnNcCy
A::alice@nfsdomain.org:rxtncy
A::bob@nfsdomain.org:rwadtTnNcCy
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
```

Why do the ACLs look so different compared to Linux ACLs? Because NFSv4 ACLs and Linux ACLs (acl(5)) are completely different standards! The Linux NFS server will translate the ACLs back and forth.

It's very unfortunate that Linux ls doesn't show + for files with NFSv4 ACLs on the client; that's misleading.

Franklin Piat
  • 4
    FYI: On Ubuntu, it may be necessary to install the "nfs4-acl-tools" package to see the "nfs4_getfacl" and "nfs4_setfacl" commands. – Mike Robinson May 27 '16 at 13:13
  • Here's a link to a very good page that discusses ACLs and the differences between the various Linux implementations, in the context of NFSv4: http://www.eecs.utk.edu/resources/it/kb/nfsv4-acls – Mike Robinson May 27 '16 at 13:15
  • 2
    @MikeRobinson, FWIW that page was moved to [this place](http://www.eecs.utk.edu/resources/it/eecs-it-knowledge-base/nfsv4-acls/). Thanks for the link. – kostix Aug 19 '16 at 11:31
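An added example, not part of the original answer or its comments: a small Python model of how an NFSv4 ACL like the one shown above is read, parsing each `type:flags:principal:permissions` entry and evaluating the entries in order as RFC 7530 section 6.2.1 describes. The owner and owning-group names are constructed, and because the Linux NFS server translates these ACLs to and from POSIX ACLs, its real decisions can differ from this model.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    type: str         # A = allow, D = deny
    flags: str        # g = group principal, i = inherit-only
    principal: str    # OWNER@, GROUP@, EVERYONE@ or name@domain
    perms: frozenset  # one letter per permission bit

def parse_acl(text):
    """Parse nfs4_getfacl lines of the form type:flags:principal:permissions."""
    rows = (l.strip().split(":", 3) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return [Ace(t, f, p, frozenset(perms)) for t, f, p, perms in rows]

def applies(ace, user, groups, owner, owning_group):
    if "i" in ace.flags:  # inherit-only ACEs take no part in access checks
        return False
    special = {"EVERYONE@": True, "OWNER@": user == owner,
               "GROUP@": owning_group in groups}
    if ace.principal in special:
        return special[ace.principal]
    return ace.principal in groups if "g" in ace.flags else ace.principal == user

def check_access(aces, user, groups, owner, owning_group, wanted):
    """Ordered evaluation: the first matching ACE that mentions a bit decides it."""
    remaining = set(wanted)
    for ace in aces:
        if remaining and applies(ace, user, groups, owner, owning_group):
            if ace.type == "A":
                remaining -= ace.perms
            elif ace.type == "D" and remaining & ace.perms:
                return False
    return not remaining  # bits no ACE granted are treated as denied

# ACL shown in the answer above; owner and owning group below are constructed.
SAMPLE = """\
A::OWNER@:rwatTnNcCy
A::alice@nfsdomain.org:rxtncy
A::bob@nfsdomain.org:rwadtTnNcCy
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
"""
OWNER, STAFF = "root@nfsdomain.org", "staff@nfsdomain.org"

if __name__ == "__main__":  # alice is in the owning group, yet her own allow ACE comes first
    print(check_access(parse_acl(SAMPLE), "alice@nfsdomain.org", {STAFF}, OWNER, STAFF, "x"))
```

Order is what matters here: alice gets `x` because her named allow entry precedes the `GROUP@` deny, while another member of the owning group with no named entry is refused `x` by that same deny.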
2

To use POSIX ACLs with NFS, you had to use NFSv3.

NFSv4 ACLs are way different than POSIX ACLs. The former are set using the very specific nfs4_getfacl and nfs4_setfacl, while the latter are configured with the standard getfacl/setfacl binaries. In short, NFSv4 ACLs have nothing to do with POSIX ACLs (NFSv4 ACLs are much closer to the CIFS ACLs used in Windows environments, by the way).

Dan Pritts
shodanshok
  • 1
    This is true, and in addition NFSv4 ACLs are overridden by the **umask**. The umask is often 022 (remove write bit for group and other), which makes it impossible to inherit e.g. group write access. In NFSv3 it works properly. – John May 25 '18 at 06:19