NFSv4 with ACL, the default permissions are not obeyed

3

1. The question

I have a directory dir, which has (NFS) ACL default permissions, so that every file and folder created in it can be written by the user 1001 too by default. This directory is shared on NFS v4.

How do I make sure that every file and folder I create through NFS inherits this permission?

2. Commands I ran exactly

I ran the following commands on the NFS client side.

client@nfsclient $ nfs4_getfacl dir

# file: dir
A::OWNER@:rwaDxtTcCy
A::1001:rwaDxtcy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:1001:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdi:EVERYONE@:rxtcy

However, when I create a new file in it, its permissions don't allow user 1001 to write to this file.

client@nfsclient $ touch dir/file
client@nfsclient $ nfs4_getfacl dir/file

# file: dir/file
A::OWNER@:rwatTcCy
A::1001:rtcy
A::GROUP@:rtcy
A::EVERYONE@:rtcy

Why doesn't user 1001 have write permission to dir/file in this case?

When I look at this same dir/file on the NFS server, the permissions somehow don't allow it to write because of the mask.

server@nfsserver $ getfacl dir/file
# file: dir/file
# owner: client
# group: client
user::rw-
user:1001:rwx                   #effective:r--
group::r-x                      #effective:r--
mask::r--
other::r--

Is there a way to make sure that on file creation the mask is correct?

3. It works on the server side

When I run the exact same commands on the server side, the default permissions are obeyed.

server@nfsserver $ getfacl dir
# file: dir
# owner: client
# group: client
user::rwx
user:1001:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:1001:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

And it creates the permissions just right.

server@nfsserver $ touch dir/file
server@nfsserver $ getfacl dir/file
# file: dir/file
# owner: server
# group: server
user::rw-
user:1001:rwx                   #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--

I'm using NFS v4, and ext4 filesystem.

Gabor

Posted 2019-05-06T18:34:32.090

Reputation: 31

Answers

0

For this to work you need identical UIDs and GIDs on both systems. Ideally, you should run some sort of domain software to accomplish this (LDAP, NIS, NISplus, etc.)

There are a number of other Q&A threads on these topics if you look at https://serverfault.com or https://unix.stackexchange.com/

If you don't have a system like that in place it might be easier for you to make identical GIDs on each system. Set group permissions. Then put the proper users into the proper groups. That way the users can change but the group based permissions stay. This makes administration of ACLs much easier than specifying per-user permissions all over the place.

HackSlash

Posted 2019-05-06T18:34:32.090

Reputation: 3 174

I have modified the UIDs and GIDs of the nfsclient and 1001 users to be the same on both machines, and the issue still persists. Maybe I missed some groups or user that was relevant? – Gabor – 2019-05-07T10:30:56.647

Is the umask setting also identical on each system? (That's what defines the permissions of new objects, not NFS) – HackSlash – 2019-05-07T15:37:05.123

Yes, they are identical. However, you are probably right that the users and mappings need to be adjusted, probably in /etc/idmapd.conf. It still doesn't work, but I'm working on it. – Gabor – 2019-05-07T19:48:07.233

I have configured now both the server and client to use username@domain format. But, the mask is still r-- by default for a newly created file. The user/group configuration didn't help. – Gabor – 2019-05-12T06:39:39.590

Both the text and the UID numbers in /etc/passwd are identical? As well as the text and GUID numbers in /etc/groups. All have to match on all systems. – HackSlash – 2019-05-13T15:13:01.817

I tried this now, and unfortunately nothing happens. Yes, they all match, I manually modified all the uids and gids and all the files that are owned by those. And everything matches in those files, but the same thing happens. – Gabor – 2019-05-17T18:15:24.483

Somehow setting umask to 0 on the client system solves it. I tried setting the umask several times, lots of ways, but only on the host system. Still trying to figure out why and how this works exactly. – Gabor – 2019-05-17T21:09:11.110

Please answer your own question and document what you did. Then mark your answer with the green checkmark. This will close out the question and help others in the future. – HackSlash – 2019-05-17T23:03:57.750

0

Unfortunately, I was not able to find any good solution. The only thing I could do is the following.

Set umask to at most 002 on the client.

client@nfsclient $ umask 002

This will set the mask on the server properly, so it will make any default permissions correctly too. However, this will create writable files for the group by default.

I also tried sshfs, and the exact same thing happens there too.

See also https://serverfault.com/questions/544194/nfs-v4-acl-inheritance-problems-i-flag-set-but-not-wanted/544771.

Gabor

Posted 2019-05-06T18:34:32.090

Reputation: 31