Message-ID: <4F4FF40C.4050905@steve-ss.com>
Date: Thu, 01 Mar 2012 23:11:24 +0100
From: steve
To: "J. Bruce Fields"
CC: Jeff Layton, linux-nfs@vger.kernel.org
Subject: Re: POSIX acls over nfs4
In-Reply-To: <20120301205639.GC17433@fieldses.org>

On 03/01/2012 09:56 PM, J. Bruce Fields wrote:
> On Wed, Feb 29, 2012 at 03:40:39PM +0100, steve wrote:
>> On 02/29/2012 03:32 PM, J. Bruce Fields wrote:
>>> On Wed, Feb 29, 2012 at 03:26:33PM +0100, steve wrote:
>>>> On 02/29/2012 03:09 PM, J. Bruce Fields wrote:
>>>>> On Wed, Feb 29, 2012 at 03:04:28PM +0100, steve wrote:
>>>>>> On 29/02/12 13:44, J. Bruce Fields wrote:
>>>>>>> On Wed, Feb 29, 2012 at 12:22:30AM +0100, steve wrote:
>>>>>>>> We are authenticating against Samba4, so our domain user accounts
>>>>>>>> are under Kerberos.
>>>>>>> Kerberos works fine with v3.
>>>>>>>
>>>>>>> --b.
>>>>>> Hi
>>>>>> Unfortunately, it doesn't seem to. We just tried it, and anyone
>>>>>> (with or without a ticket) gets access :-(
>>>>> Could you give any more detail about your test?
>>>>>
>>>>> --b.
>>>> steve is a /etc/passwd user
>>>>
>>>> steve@hh3:~$ sudo su
>>>> [sudo] password for steve:
>>>> root@hh3:/home/steve# mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>>> root@hh3:/home/steve# exit
>>>> exit
>>>> steve@hh3:~$ cd /mnt
>>>> bash: cd: /mnt: Permission denied
>>>> steve@hh3:~$ sudo su
>>>> root@hh3:/home/steve# umount /mnt
>>>> root@hh3:/home/steve# mount -t nfs hh3:/home /mnt -o sec=krb5
> Careful: a recent client will negotiate v4 if you leave this
> unspecified. You want -onfsversion=3,sec=krb5.
>
>>>> root@hh3:/home/steve# exit
>>>> exit
>>>> steve@hh3:~$ cd /mnt
>>>> steve@hh3:/mnt$
>>> Why is that a problem? You haven't actually accessed anything on the
>>> filesystem.
>>>
>>> --b.
>> Steve can access the mounted folder. I can live with that but the
>> acl still isn't working:
>>
>> lynn2 has authenticated by Kerberos
>>
>> root@hh3:~# setfacl -d -m g::rw /home/CACTUS/dropbox
>> root@hh3:~# mount -t nfs hh3:/home /mnt -o sec=krb5
>> lynn2@hh3:/mnt/CACTUS$ ls -la
>> total 28
>> drwxr-xr-x  6 root   root          4096 2012-02-27 14:24 .
>> drwxr-xr-x  4 root   root          4096 2012-02-18 18:52 ..
>> drwxrws---  3 root   debusers      4096 2012-02-29 15:31 dropbox
>> drwxr-xr-x 20 lynn2  debusers      4096 2012-02-26 16:43 lynn2
>> drwxrwxrwx  5 root   root          4096 2012-02-29 14:19 profiles
>> drwxr-xr-x  4 steve2 Domain Users  4096 2012-02-29 14:36 steve2
>>
>> lynn2 then creates a file in the mount called l3:
>>
>> lynn2@hh3:/mnt/CACTUS$ ls -la /home/CACTUS/dropbox/
>> total 20
>> drwxrws---+ 3 root  debusers 4096 2012-02-29 15:31 .
>> drwxr-xr-x  6 root  root     4096 2012-02-27 14:24 ..
>> -rw-r-----  1 lynn2 debusers    0 2012-02-29 15:31 a
>> drwxrwS---+ 2 root  debusers 4096 2012-02-29 14:28 adminfolder
>> -rw-rw----  1 lynn2 debusers    0 2012-02-25 23:23 l2
>> -rw-r-----  1 lynn2 debusers    0 2012-02-29 15:24 l3
>> -rw-rw----  1 lynn2 debusers    0 2012-02-26 16:20 lynn2-ubuntu.txt
>> -rw-rw----  1 lynn2 debusers   11 2012-02-26 00:46 lynnnautilus.txt
>>
>> ??
> I would have expected the default acl on the parent to override any
> umask on v3.
>
> So if it's actually v3, then that looks like a bug to me.
>
> --b.

Hi
Your expectation helps a lot.

mount -t nfs server:/folder /client -o vers=3,sec=krb5

1. On openSUSE 12.1 the mount is still nfs4 despite the -o vers=3
Fix: /etc/sysconfig/nfs needs to look like this:

USE_KERNEL_NFSD_NUMBER="4"
MOUNTD_PORT=""
NFS_SECURITY_GSS="yes"
###this next one is a real gotcha!###
NFS3_SERVER_SUPPORT="no"
NFS4_SUPPORT="no"
SM_NOTIFY_OPTIONS=""
NFS_START_SERVICES="yes"
STATD_OPTIONS=""
NFSV4LEASETIME=""
RPC_PIPEFS_DIR=""
SVCGSSD_OPTIONS=""
NFSD_OPTIONS=""

2. On Ubuntu, the -o vers=3 works with the same config as for nfs4:

/etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

/etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
RPCNFSDOPTS=

Unfortunately (still Ubuntu) it only does small files. A 3Mb jpg freezes us solid. But this must be Ubuntu (3.0.0-16-generic) as it's rock solid on openSUSE. On nfs4 however, the jpg is sent fine. I'll wireshark/syslog it tomorrow.

We've documented it here:
http://linuxcostablanca.blogspot.com/2012/02/samba4-shares.html

So at last, the acl + appears on an nfs mount. But what a pity we have had to fall back on nfs3.

Qns:
1. Do we need to remove /etc/idmapd.conf for nfs3?
2. Could I take this opportunity to ask as a feature request that nfs4_setfacl be able to offer group rw from a 0022 umask?

We really appreciate the time you have given us. Please let us know if there is anything we can do or test to help, acl or no acl.

Cheers,
Steve
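Bruce's warning above is that "-t nfs" without an explicit version lets a recent client negotiate v4 silently, and Steve's openSUSE report shows the server side can also override "-o vers=3", so the only reliable evidence of what a mount actually negotiated is /proc/mounts. The following check is an added example, not code from the thread; it parses /proc/mounts (a constructed sample is embedded, reusing the thread's hh3 host and /mnt path, with documentation-range addresses) and reports the negotiated version and security flavour, failing when a mount expected to be NFSv3 with Kerberos is anything else.

```shell
#!/bin/sh
# Added example: confirm from /proc/mounts which NFS version and security flavour
# a mount really negotiated. The sample lines below are constructed for offline
# use (host/path from the thread, 192.0.2.x addresses are placeholders).
SAMPLE_MOUNTS='hh3:/home /mnt nfs4 rw,relatime,vers=4,rsize=524288,wsize=524288,hard,proto=tcp,sec=krb5,clientaddr=192.0.2.10,minorversion=0,addr=192.0.2.1 0 0
hh3:/home /mnt2 nfs rw,relatime,vers=3,rsize=524288,wsize=524288,hard,proto=tcp,sec=krb5,mountvers=3,mountproto=udp,addr=192.0.2.1 0 0
hh3:/home /mnt3 nfs rw,relatime,vers=3,hard,proto=tcp,addr=192.0.2.1 0 0'

# nfs_mount_info MOUNTPOINT [MOUNTS_TEXT]
# Prints "vers=N sec=FLAVOUR" for the NFS mount at MOUNTPOINT. Reads the live
# /proc/mounts unless MOUNTS_TEXT is supplied; exits non-zero if MOUNTPOINT is
# not an nfs/nfs4 mount. A missing sec= option is reported as the default, sys.
nfs_mount_info() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$text" | awk -v mp="$mp" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4") {
            n = split($4, opts, ",")
            vers = "?"; sec = "sys"
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^vers=/) vers = substr(opts[i], 6)
                if (opts[i] ~ /^sec=/)  sec  = substr(opts[i], 5)
            }
            print "vers=" vers " sec=" sec
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# check_v3_krb5 MOUNTPOINT [MOUNTS_TEXT]
# Succeeds only when the mount is really NFSv3 with Kerberos. Returns 1 for a
# silently negotiated v4 or an AUTH_SYS mount, 2 when there is no NFS mount there.
check_v3_krb5() {
    info=$(nfs_mount_info "$1" "$2") || return 2
    case $info in
        "vers=3 sec=krb5"*) return 0 ;;
        *) printf '%s: %s (expected vers=3 sec=krb5)\n' "$1" "$info" >&2; return 1 ;;
    esac
}

# Against the live system, after mounting: check_v3_krb5 /mnt
```

Run it on the client after the mount command from the thread; a zero exit confirms v3 with krb5 before you draw any conclusions about the default ACL behaviour.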