Date: Thu, 1 Mar 2012 15:56:39 -0500
From: "J. Bruce Fields"
To: steve
Cc: Jeff Layton, linux-nfs@vger.kernel.org
Subject: Re: POSIX acls over nfs4
Message-ID: <20120301205639.GC17433@fieldses.org>

On Wed, Feb 29, 2012 at 03:40:39PM +0100, steve wrote:
> On 02/29/2012 03:32 PM, J. Bruce Fields wrote:
> >On Wed, Feb 29, 2012 at 03:26:33PM +0100, steve wrote:
> >>On 02/29/2012 03:09 PM, J. Bruce Fields wrote:
> >>>On Wed, Feb 29, 2012 at 03:04:28PM +0100, steve wrote:
> >>>>On 29/02/12 13:44, J. Bruce Fields wrote:
> >>>>>On Wed, Feb 29, 2012 at 12:22:30AM +0100, steve wrote:
> >>>>>>We are authenticating against Samba4, so our domain user accounts
> >>>>>>are under Kerberos.
> >>>>>Kerberos works fine with v3.
> >>>>>
> >>>>>--b.
> >>>>Hi
> >>>>Unfortunately, it doesn't seem to. We just tried it, and anyone
> >>>>(with or without a ticket) gets access:-(
> >>>Could you give any more detail about your test?
> >>>
> >>>--b.
> >>steve is a /etc/passwd user
> >>
> >>steve@hh3:~$ sudo su
> >>[sudo] password for steve:
> >>root@hh3:/home/steve# mount -t nfs4 hh3:/home /mnt -o sec=krb5
> >>root@hh3:/home/steve# exit
> >>exit
> >>steve@hh3:~$ cd /mnt
> >>bash: cd: /mnt: Permission denied
> >>steve@hh3:~$ sudo su
> >>root@hh3:/home/steve# umount /mnt
> >>root@hh3:/home/steve# mount -t nfs hh3:/home /mnt -o sec=krb5

Careful: a recent client will negotiate v4 if you leave this unspecified.
You want -onfsversion=3,sec=krb5.

> >>root@hh3:/home/steve# exit
> >>exit
> >>steve@hh3:~$ cd /mnt
> >>steve@hh3:/mnt$
> >Why is that a problem? You haven't actually accessed anything on the
> >filesystem.
> >
> >--b.
> Steve can access the mounted folder. I can live with that but the
> acl still isn't working:
>
> lynn2 has authenticated by Kerberos
>
> root@hh3:~# setfacl -d -m g::rw /home/CACTUS/dropbox
> root@hh3:~# mount -t nfs hh3:/home /mnt -o sec=krb5
> lynn2@hh3:/mnt/CACTUS$ ls -la
> total 28
> drwxr-xr-x  6 root   root         4096 2012-02-27 14:24 .
> drwxr-xr-x  4 root   root         4096 2012-02-18 18:52 ..
> drwxrws---  3 root   debusers     4096 2012-02-29 15:31 dropbox
> drwxr-xr-x 20 lynn2  debusers     4096 2012-02-26 16:43 lynn2
> drwxrwxrwx  5 root   root         4096 2012-02-29 14:19 profiles
> drwxr-xr-x  4 steve2 Domain Users 4096 2012-02-29 14:36 steve2
>
> lynn2 then creates a file in the mount called l3:
>
> lynn2@hh3:/mnt/CACTUS$ ls -la /home/CACTUS/dropbox/
> total 20
> drwxrws---+ 3 root  debusers 4096 2012-02-29 15:31 .
> drwxr-xr-x  6 root  root     4096 2012-02-27 14:24 ..
> -rw-r-----  1 lynn2 debusers    0 2012-02-29 15:31 a
> drwxrwS---+ 2 root  debusers 4096 2012-02-29 14:28 adminfolder
> -rw-rw----  1 lynn2 debusers    0 2012-02-25 23:23 l2
> -rw-r-----  1 lynn2 debusers    0 2012-02-29 15:24 l3
> -rw-rw----  1 lynn2 debusers    0 2012-02-26 16:20 lynn2-ubuntu.txt
> -rw-rw----  1 lynn2 debusers   11 2012-02-26 00:46 lynnnautilus.txt
>
> ??

I would have expected the default acl on the parent to override any
umask on v3.

So if it's actually v3, then that looks like a bug to me.

--b.
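Bruce's point that a bare `-t nfs` mount may silently end up as v4 can be checked after the fact from /proc/mounts. The following is an added example, not code from the thread or from either host: it parses a /proc/mounts line for a given mount point and reports the negotiated version and security flavour (the sample lines and the 192.0.2.x addresses are constructed placeholders).

```shell
#!/bin/sh
# Added example: confirm what an NFS mount actually negotiated by reading
# the /proc/mounts line for it, rather than trusting the mount command line.

# Constructed /proc/mounts lines (not captured from hh3). On a real system
# use: grep " $MNT " /proc/mounts
V3_LINE='hh3:/home /mnt nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,sec=krb5,mountproto=tcp,addr=192.0.2.10 0 0'
V4_LINE='hh3:/home /mnt nfs4 rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,sec=krb5,clientaddr=192.0.2.11,addr=192.0.2.10 0 0'

# Print the value of one key=value mount option ($2) from the option string ($1).
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nfs_mount_info LINE MNT: print "<vers> <sec>" for the mount at MNT.
# Returns 1 if the line is not for MNT or the filesystem is not NFS.
nfs_mount_info() {
    line=$1
    mnt=$2
    set -- $line
    [ "$2" = "$mnt" ] || return 1
    case "$3" in nfs|nfs4) ;; *) return 1 ;; esac
    vers=$(mount_opt "$4" vers)
    sec=$(mount_opt "$4" sec)
    # Some older clients omit vers= on v4 mounts; the fstype still tells us.
    [ -n "$vers" ] || { [ "$3" = nfs4 ] && vers=4; }
    # A missing sec= means AUTH_SYS, i.e. no Kerberos at all.
    printf '%s %s\n' "${vers:-unknown}" "${sec:-sys}"
}

# is_v3_krb5 LINE MNT: succeed only if the mount is NFSv3 with a krb5 flavour,
# which is what the test in the thread intended to exercise.
is_v3_krb5() {
    info=$(nfs_mount_info "$1" "$2") || return 1
    set -- $info
    case "$1" in 3) ;; *) return 1 ;; esac
    case "$2" in krb5|krb5i|krb5p) return 0 ;; *) return 1 ;; esac
}

# Demonstration on the constructed lines.
for l in "$V3_LINE" "$V4_LINE"; do
    if is_v3_krb5 "$l" /mnt; then
        echo "OK: $(nfs_mount_info "$l" /mnt)"
    else
        echo "NOT v3+krb5: $(nfs_mount_info "$l" /mnt)"
    fi
done
```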