Return-Path: linux-nfs-owner@vger.kernel.org
Received: from partagas.dragonet.es ([217.70.240.130]:40035 "EHLO
	partagas.dragonet.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754232Ab2BSRPh (ORCPT
	<rfc822;linux-nfs@vger.kernel.org>); Sun, 19 Feb 2012 12:15:37 -0500
Received: from [192.168.1.3] (217-70-247-131.dragonet.es [217.70.247.131] (may be forged))
	(authenticated bits=0)
	by partagas.dragonet.es (8.12.11/8.12.11) with ESMTP id q1JHFsWs013961
	for <linux-nfs@vger.kernel.org>; Sun, 19 Feb 2012 18:15:57 +0100
Message-ID: <4F412E2F.9070200@steve-ss.com>
Date: Sun, 19 Feb 2012 18:15:27 +0100
From: steve <steve@steve-ss.com>
MIME-Version: 1.0
To: linux-nfs@vger.kernel.org
Subject: Re: POSIX acls over nfs4
References: <4F40053A.3090301@steve-ss.com>
In-Reply-To: <4F40053A.3090301@steve-ss.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>

On 18/02/12 21:08, steve wrote:
> Hi
> Is it possible for nfs4 to respect the acls I have setup on an ext4 
> export?
> Thanks,
> Steve
>
> openSUSE 12.1
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Sorry, this is what I've tried so far:
  cat /etc/exports
/home 
*(rw,no_root_squash,sec=none:sys:krb5:krb5i:krb5p,no_subtree_check,insecure)

1. Make a folder to share:
hh3:/home/CACTUS # mkdir -m 770 dropbox
hh3:/home/CACTUS # chown root:suseusers dropbox

2. Mount the share:
hh3:/home/CACTUS # mount -t nfs4 hh3:/home /mnt

3. Look at the acls:
nfs4_getfacl /mnt/CACTUS/dropbox
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy

Set an acl so that members of suseusers have rw on the share:
hh3:/home/CACTUS # nfs4_setfacl -a A:g:suseusers@hh3.site:RW 
/mnt/CACTUS/dropbox

hh3:/home/CACTUS # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A:g:suseusers@hh3.site:rwaDtcy
A::EVERYONE@:tcy

4. Yes. Back in the unmounted directory, the acl + has appeared:
hh3:/home/CACTUS # ls -la dropbox/
total 8
drwxrwx---+ 2 root suseusers 4096 Feb 19 10:55 .
drwxr-xr-x  9 root root      4096 Feb 19 10:55 ..

5. On the mounted share, the acl is not visible. steve6 can create a 
file but it is _not_ group rw:
steve6@hh3:~> cd /mnt/CACTUS/dropbox/
steve6@hh3:/mnt/CACTUS/dropbox> touch hola.txt
steve6@hh3:/mnt/CACTUS/dropbox> ls -la
total 8
drwxrwx--- 2 root   suseusers 4096 Feb 19 11:02 .
drwxr-xr-x 9 root   root      4096 Feb 19 10:55 ..
-rw-r--r-- 1 steve6 suseusers    0 Feb 19 11:02 hola.txt

6. Recreate the share but this time with a posix acl:
setfacl -d -m g::rw /home/CACTUS/dropbox
steve6@hh3:/home/CACTUS> touch dropbox/h
steve6@hh3:/home/CACTUS> ls -la dropbox/
total 8
drwxrws---+ 2 root   suseusers 4096 Feb 19 11:13 .
drwxr-xr-x  9 root   root      4096 Feb 19 11:11 ..
-rw-rw----  1 steve6 suseusers    0 Feb 19 11:13 h

Yes. Now when steve6 creates a file it _is_ group rw. = posix acl is 
working.

7. Mount the new posix share and test again:
hh3:/home/CACTUS #chmod g+s /home/CACTUS/dropbox
hh3:/home/CACTUS # mount -t nfs4 hh3:/home /mnt
hh3:/home/CACTUS # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDtcy
A:fdi:EVERYONE@:tcy

steve6@hh3:/mnt/CACTUS/dropbox> touch h2
steve6@hh3:/mnt/CACTUS/dropbox> ls -la
total 8
drwxrws--- 2 root   suseusers 4096 Feb 19 11:19 .
drwxr-xr-x 9 root   root      4096 Feb 19 11:11 ..
-rw-rw---- 1 steve6 suseusers    0 Feb 19 11:13 h
-rw-r----- 1 steve6 suseusers    0 Feb 19 11:19 h2
hh3:/home/CACTUS # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDtcy
A:fdi:EVERYONE@:tcy
hh3:/home/CACTUS # nfs4_setfacl -a A:fdi:GROUP@:RWX 
/mnt/CACTUS/dropboxhh3:/home/CACTUS # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDxtcy
A:fdi:EVERYONE@:tcy

steve6@hh3:/mnt/CACTUS/dropbox> touch h3
steve6@hh3:/mnt/CACTUS/dropbox> ls -la
total 8
drwxrws--- 2 root   suseusers 4096 Feb 19 11:21 .
drwxr-xr-x 9 root   root      4096 Feb 19 11:11 ..
-rw-rw---- 1 steve6 suseusers    0 Feb 19 11:13 h
-rw-r----- 1 steve6 suseusers    0 Feb 19 11:19 h2
-rw-r----- 1 steve6 suseusers    0 Feb 19 11:21 h3

Still no group rw on created files. = nfs4 acl is not working as expected.

Workaround. Get the out the big hammer:
#!/bin/sh
while true; do $(chmod -R g+w /home/CACTUS/dropbox); sleep 2; done

Question:
What am I missing? How do I set files created on an nfs4 share to take 
group rw?

Thanks,
Steve