From: steve <steve@steve-ss.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@poochiereds.net>, linux-nfs@vger.kernel.org
Subject: Re: POSIX acls over nfs4
Date: Thu, 01 Mar 2012 23:11:24 +0100
Message-ID: <4F4FF40C.4050905@steve-ss.com>
In-Reply-To: <20120301205639.GC17433@fieldses.org>
On 03/01/2012 09:56 PM, J. Bruce Fields wrote:
> On Wed, Feb 29, 2012 at 03:40:39PM +0100, steve wrote:
>> On 02/29/2012 03:32 PM, J. Bruce Fields wrote:
>>> On Wed, Feb 29, 2012 at 03:26:33PM +0100, steve wrote:
>>>> On 02/29/2012 03:09 PM, J. Bruce Fields wrote:
>>>>> On Wed, Feb 29, 2012 at 03:04:28PM +0100, steve wrote:
>>>>>> On 29/02/12 13:44, J. Bruce Fields wrote:
>>>>>>> On Wed, Feb 29, 2012 at 12:22:30AM +0100, steve wrote:
>>>>>>>> We are authenticating against Samba4, so our domain user accounts
>>>>>>>> are under Kerberos.
>>>>>>> Kerberos works fine with v3.
>>>>>>>
>>>>>>> --b.
>>>>>> Hi
>>>>>> Unfortunately, it doesn't seem to. We just tried it, and anyone
>>>>>> (with or without a ticket) gets access:-(
>>>>> Could you give any more detail about your test?
>>>>>
>>>>> --b.
>>>> steve is a /etc/passwd user
>>>>
>>>> steve@hh3:~$ sudo su
>>>> [sudo] password for steve:
>>>> root@hh3:/home/steve# mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>>> root@hh3:/home/steve# exit
>>>> exit
>>>> steve@hh3:~$ cd /mnt
>>>> bash: cd: /mnt: Permission denied
>>>> steve@hh3:~$ sudo su
>>>> root@hh3:/home/steve# umount /mnt
>>>> root@hh3:/home/steve# mount -t nfs hh3:/home /mnt -o sec=krb5
> Careful: a recent client will negotiate v4 if you leave this
> unspecified. You want -onfsversion=3,sec=krb5.
>
>>>> root@hh3:/home/steve# exit
>>>> exit
>>>> steve@hh3:~$ cd /mnt
>>>> steve@hh3:/mnt$
>>> Why is that a problem? You haven't actually accessed anything on the
>>> filesystem.
>>>
>>> --b.
>> Steve can access the mounted folder. I can live with that but the
>> acl still isn't working:
>>
>> lynn2 has authenticated by Kerberos
>>
>> root@hh3:~# setfacl -d -m g::rw /home/CACTUS/dropbox
>> root@hh3:~# mount -t nfs hh3:/home /mnt -o sec=krb5
>> lynn2@hh3:/mnt/CACTUS$ ls -la
>> total 28
>> drwxr-xr-x 6 root root 4096 2012-02-27 14:24 .
>> drwxr-xr-x 4 root root 4096 2012-02-18 18:52 ..
>> drwxrws--- 3 root debusers 4096 2012-02-29 15:31 dropbox
>> drwxr-xr-x 20 lynn2 debusers 4096 2012-02-26 16:43 lynn2
>> drwxrwxrwx 5 root root 4096 2012-02-29 14:19 profiles
>> drwxr-xr-x 4 steve2 Domain Users 4096 2012-02-29 14:36 steve2
>>
>> lynn2 then creates a file in the mount called l3:
>>
>> lynn2@hh3:/mnt/CACTUS$ ls -la /home/CACTUS/dropbox/
>> total 20
>> drwxrws---+ 3 root debusers 4096 2012-02-29 15:31 .
>> drwxr-xr-x 6 root root 4096 2012-02-27 14:24 ..
>> -rw-r----- 1 lynn2 debusers 0 2012-02-29 15:31 a
>> drwxrwS---+ 2 root debusers 4096 2012-02-29 14:28 adminfolder
>> -rw-rw---- 1 lynn2 debusers 0 2012-02-25 23:23 l2
>> -rw-r----- 1 lynn2 debusers 0 2012-02-29 15:24 l3
>> -rw-rw---- 1 lynn2 debusers 0 2012-02-26 16:20 lynn2-ubuntu.txt
>> -rw-rw---- 1 lynn2 debusers 11 2012-02-26 00:46 lynnnautilus.txt
>>
>> ??
> I would have expected the default acl on the parent to override any
> umask on v3.
>
> So if it's actually v3, then that looks like a bug to me.
>
> --b.
Hi
Your expectation helps a lot.

mount -t nfs server:/folder /client -o vers=3,sec=krb5

1. On openSUSE 12.1
the mount is still nfs4 despite the -o vers=3
Fix: /etc/sysconfig/nfs needs to look like this:

USE_KERNEL_NFSD_NUMBER="4"
MOUNTD_PORT=""
NFS_SECURITY_GSS="yes"
###this next one is a real gotcha!###
NFS3_SERVER_SUPPORT="no"
NFS4_SUPPORT="no"
SM_NOTIFY_OPTIONS=""
NFS_START_SERVICES="yes"
STATD_OPTIONS=""
NFSV4LEASETIME=""
RPC_PIPEFS_DIR=""
SVCGSSD_OPTIONS=""
NFSD_OPTIONS=""

2. On Ubuntu, the -o vers=3 works with the same config as for nfs4:

/etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

/etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
RPCNFSDOPTS=

Unfortunately (still Ubuntu) it only does small files. A 3Mb jpg freezes
us solid. But this must be Ubuntu (3.0.0-16-generic) as it's rock solid
on openSUSE. On nfs4 however, the jpg is sent fine. I'll
wireshark/syslog it tomorrow.

We've documented it here:
http://linuxcostablanca.blogspot.com/2012/02/samba4-shares.html

So at last, the acl + appears on an nfs mount. But what a pity we have
had to fall back on nfs3.

Questions:
1. Do we need to remove /etc/idmapd.conf for nfs3?
2. Could I take this opportunity to ask as a feature request that
nfs4_setfacl be able to offer group rw from a 0022 umask?

We really appreciate the time you have given us. Please let us know if
there is anything we can do or test to help, acl or no acl.

Cheers,
Steve
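Added example (editor's code, not from the thread, the kernel or the NFS utilities): a Python reimplementation of the mode computation Linux performs in posix_acl_create()/posix_acl_create_masq() (fs/posix_acl.c) when a file is created under a directory that carries a POSIX default ACL. It is used to show two things from the listings above. First, the rw-rw---- that l2 has: with a default ACL on the parent the umask is ignored and each default entry is ANDed with the requested 0666 mode. Second, the rw-r----- that l3 and a have on the NFSv3 mount: that is exactly what the same inheritance yields if a 022 umask has already been applied to the mode before the default ACL is consulted (the long-standing NFS umask problem; NFSv4.2 later added a umask attribute in RFC 8275 so the server can apply the default ACL to the original mode). Assumptions: the default ACL left by `setfacl -d -m g::rw` on the 2770 dropbox directory is u::rwx,g::rw-,o::--- (setfacl copies the owner, owning-group and others entries from the access ACL when no default ACL existed yet), and the umask in play is 022 as Steve states; the named-entry scenario at the end is constructed to exercise the mask handling and is not from the thread.

```python
"""Editor's example: POSIX.1e default-ACL inheritance vs. umask, mirroring the
logic of Linux posix_acl_create()/posix_acl_create_masq() (not the kernel's code)."""


def parse_perm(text):
    """'rw-' -> 6 (the three rwx bits as an int)."""
    return (4 if "r" in text else 0) | (2 if "w" in text else 0) | (1 if "x" in text else 0)


def fmt_mode(mode):
    """0o640 -> 'rw-r-----' (the nine permission bits in ls(1) style)."""
    out = ""
    for shift in (6, 3, 0):
        p = (mode >> shift) & 7
        out += ("r" if p & 4 else "-") + ("w" if p & 2 else "-") + ("x" if p & 1 else "-")
    return out


def parse_acl(text):
    """Parse getfacl short form, e.g. 'u::rwx,g::rw-,o::---,m::rw-,u:lynn2:rwx',
    into a list of [tag, qualifier, perm]."""
    entries = []
    for item in text.split(","):
        tag, qual, perm = item.strip().split(":")
        entries.append([tag, qual, parse_perm(perm)])
    return entries


def create_mode(req_mode, umask, default_acl=None):
    """Return (mode, access_acl) for a file created with open(..., req_mode).

    No default ACL on the parent: classic Unix, the umask is applied.
    Default ACL present: the umask is ignored; the default ACL is cloned as the
    new file's access ACL and every entry is ANDed with the matching bits of
    req_mode. access_acl is None when the result is fully expressed by the
    mode bits (no named entries, no mask), i.e. when ls(1) shows no '+'.
    """
    if default_acl is None:
        return req_mode & ~umask & 0o777, None

    acl = [list(e) for e in default_acl]  # clone; never mutate the parent's ACL
    mode = req_mode & 0o777
    group_idx = mask_idx = None
    extended = False
    for idx, (tag, qual, perm) in enumerate(acl):
        if tag == "u" and qual == "":          # ACL_USER_OBJ
            perm &= (mode >> 6) & 7
            mode = (mode & ~0o700) | (perm << 6)
        elif tag == "o":                       # ACL_OTHER
            perm &= mode & 7
            mode = (mode & ~0o007) | perm
        elif tag == "g" and qual == "":        # ACL_GROUP_OBJ: handled below
            group_idx = idx
        elif tag == "m":                       # ACL_MASK: governs the group bits
            mask_idx = idx
            extended = True
        else:                                  # named ACL_USER / ACL_GROUP
            extended = True
        acl[idx][2] = perm
    # The group bits of the mode follow the mask if there is one, else g::.
    idx = mask_idx if mask_idx is not None else group_idx
    if idx is None:
        raise ValueError("default ACL lacks an owning-group entry")
    perm = acl[idx][2] & ((mode >> 3) & 7)
    acl[idx][2] = perm
    mode = (mode & ~0o070) | (perm << 3)
    return mode, (acl if extended else None)


# Assumed result of `setfacl -d -m g::rw /home/CACTUS/dropbox` on a directory
# with mode 2770 and no prior default ACL (u::/g::/o:: copied from access ACL).
DROPBOX_DEFAULT_ACL = parse_acl("u::rwx,g::rw-,o::---")


def local_create():
    """Create directly on the server: default ACL honoured, umask ignored."""
    mode, _ = create_mode(0o666, 0o022, DROPBOX_DEFAULT_ACL)
    return fmt_mode(mode)


def nfs_create():
    """Assumed NFSv3 path: the umask is applied to the mode before the
    default ACL is consulted, so inheritance masks an already reduced 0644."""
    already_umasked = 0o666 & ~0o022    # 0o644
    mode, _ = create_mode(already_umasked, 0o022, DROPBOX_DEFAULT_ACL)
    return fmt_mode(mode)


if __name__ == "__main__":
    print("plain umask 022, no default ACL:", fmt_mode(create_mode(0o666, 0o022)[0]))
    print("local create under default ACL: ", local_create())
    print("umask applied first (NFSv3):    ", nfs_create())
```

The first two prints give rw-r--r-- and rw-rw----; the third gives the rw-r----- from the listing, which is why the default ACL looks "ignored" on the mount: group write survives the ACL step only if the mode reaching it still has it. A constructed default ACL with a named entry, say `u::rwx,g::rw-,o::---,m::rw-,u:lynn2:rwx`, yields 0660 plus an extended ACL (ls shows `+`) with the mask clipped to rw-. To confirm what the client actually negotiated rather than what was asked for on the command line, read the options field of the mount in /proc/mounts (or `nfsstat -m`) and check for `vers=3` and `sec=krb5`.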