
NFSv4 ACLs on RHEL?

I'm having trouble using NFSv4 ACLs on RHEL6 from an exported volume with NFSv4+ACLs enabled.

On the client:

filer:/vol/vol4/share on /mnt/eportal type nfs4 (rw,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=3,sec=sys,acl)

It is my understanding that I must use "nfs4_setfacl" on RHEL, because the POSIX-enabled "setfacl" command does not work for NFSv4 ACLs. Whenever I try to use nfs4_setfacl to configure an ACL on a file/directory on the exported filesystem, I get the following error:

$ nfs4_setfacl -a A::jbaird@:rwatTnNcCy hi

Failed setxattr operation: Invalid argument

The documentation on this matter is very sparse, and I can't really find much. Can anyone offer some assistance?

Thanks!

Re: NFSv4 ACLs on RHEL?

OK, this appears to be because the user that I am trying to configure the ACL with is a local user on the Linux system which is NOT on the Filer (in /etc/passwd, LDAP or NIS).

Re: NFSv4 ACLs on RHEL?

I still can't get ACLs to work with domain users (both the Filer and the Linux client have access to the same LDAP/AD directory). I get the "Failed setxattr operation" error. Anyone doing this?

Re: NFSv4 ACLs on RHEL?

So I know this is, like, 5 months after you wanted an answer, but in case you're still trying to get this to work, the issue is with the command syntax.

You did not specify your NFSv4 domain after your username.

When I run the command like you ran it, I get the same issue:

# nfs4_setfacl -a A::ldapuser@:rwatTnNcCy file

Failed setxattr operation: Invalid argument

When I run it with an NFSv4 domain specified, it works fine:

# nfs4_setfacl -a A::ldapuser@parisiwin2k3.netapp.com:rwatTnNcCy newkrb5 --test

## Test mode only - the resulting ACL for "/vfileralias/newkrb5":

A::ldapuser@parisiwin2k3.netapp.com:rwatTnNcCy

A::OWNER@:rwatTnNcCy

D::OWNER@:x

A:g:GROUP@:rtncy

D:g:GROUP@:waxTC

A::EVERYONE@:rtncy

D::EVERYONE@:waxTC
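The reply above pins the error on the ACE syntax: a named principal needs its NFSv4 domain after the "@". The following script is an added example for this thread, not code from the original posts or from nfs4-acl-tools. It parses ACE strings in the `type:flags:principal:perms` form that nfs4_setfacl and nfs4_getfacl use, flags a principal with no domain, compares the domain against the client's idmapd domain (assumed to be the `Domain` key of /etc/idmapd.conf), and reports exact duplicate ACEs in nfs4_getfacl output. The sample config and ACL embedded at the bottom are constructed, modelled on the outputs posted in this thread.

```python
"""Pre-flight checks for NFSv4 ACEs before calling nfs4_setfacl.

Added example for this thread, not code from the original posts or from
nfs4-acl-tools. It checks the two things the reply above points at as
the cause of "Failed setxattr operation: Invalid argument": a named
principal with no NFSv4 domain after the '@', and a domain that does not
match the client's idmapd domain. The idmapd domain is assumed to come
from the Domain key of /etc/idmapd.conf.
"""
import sys
from configparser import ConfigParser

# ACE fields as nfs4_setfacl/nfs4_getfacl print them: type:flags:principal:perms
ACE_TYPES = set("ADUL")            # Allow, Deny, aUdit, aLarm
ACE_FLAGS = set("dfniSFg")         # inheritance/audit flags, g = principal is a group
ACE_PERMS = set("rwaxdDtTnNcCoy")  # permission letters accepted by nfs4_setfacl
SPECIAL_PRINCIPALS = {"OWNER@", "GROUP@", "EVERYONE@"}


def parse_ace(ace):
    """Split an ACE string into its four fields, rejecting malformed ones."""
    parts = ace.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"{ace!r}: expected 4 colon-separated fields, got {len(parts)}")
    ace_type, flags, principal, perms = parts
    if ace_type not in ACE_TYPES:
        raise ValueError(f"{ace!r}: unknown ACE type {ace_type!r}")
    if set(flags) - ACE_FLAGS:
        raise ValueError(f"{ace!r}: unknown flag(s) {sorted(set(flags) - ACE_FLAGS)}")
    if set(perms) - ACE_PERMS:
        raise ValueError(f"{ace!r}: unknown permission(s) {sorted(set(perms) - ACE_PERMS)}")
    return {"type": ace_type, "flags": flags, "principal": principal, "perms": perms}


def check_principal(principal, idmap_domain=None):
    """Return a list of problems with the who-field of an ACE (empty = fine)."""
    if principal in SPECIAL_PRINCIPALS:
        return []
    if principal.isdigit():
        # A bare numeric id carries no domain; whether the server accepts it
        # is the server's decision (nfs.v4.id.allow_numerics on the filer).
        return []
    if "@" not in principal:
        return [f"{principal!r}: not name@domain and not a special principal"]
    name, domain = principal.split("@", 1)
    problems = []
    if not name:
        problems.append(f"{principal!r}: empty user/group name before '@'")
    if not domain:
        problems.append(f"{principal!r}: no NFSv4 domain after '@'; the server cannot map it")
    elif idmap_domain and domain.lower() != idmap_domain.lower():
        # Compared case-insensitively here; a case-only difference is still worth a look.
        problems.append(f"{principal!r}: domain {domain!r} is not the client idmapd domain {idmap_domain!r}")
    return problems


def idmap_domain_from_conf(text):
    """Read the Domain key from the [General] section of an idmapd.conf body."""
    conf = ConfigParser()
    conf.read_string(text)
    return conf.get("General", "Domain", fallback=None)


def audit_acl(getfacl_output, idmap_domain=None):
    """Check every ACE in nfs4_getfacl output; also flag exact duplicate ACEs."""
    problems, seen = [], set()
    for line in getfacl_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ace = parse_ace(line)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if line in seen:
            problems.append(f"duplicate ACE {line!r}")
        seen.add(line)
        problems.extend(check_principal(ace["principal"], idmap_domain))
    return problems


# Constructed sample input, modelled on the outputs posted in this thread.
SAMPLE_IDMAPD_CONF = """[General]
# Verbosity = 0
Domain = pslab.nfs
"""

SAMPLE_GETFACL = """A::root@pslab.nfs:rw
A::root@pslab.nfs:rw
A::OWNER@:rwaDxtTnNcCy
D::OWNER@:
A:g:GROUP@:rwaDxtTnNcCy
D::EVERYONE@:
"""

if __name__ == "__main__":
    domain = idmap_domain_from_conf(SAMPLE_IDMAPD_CONF)
    # ACEs can be passed on the command line; otherwise the thread's own cases are checked.
    for ace in sys.argv[1:] or ["A::jbaird@:rwatTnNcCy", "A::jbaird@pslab.nfs:rwatTnNcCy"]:
        print(ace, "->", check_principal(parse_ace(ace)["principal"], domain) or "ok")
    print("audit:", audit_acl(SAMPLE_GETFACL, domain) or "no problems")
```

Run it with an ACE as argument to check it before handing it to nfs4_setfacl; a domain-less principal such as the one in the first post is reported, while the same principal with the idmapd domain appended passes. The duplicate-ACE check is there because nfs4_getfacl output in this thread shows the same ACE listed twice, which is worth cleaning up before adding more entries.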

Re: NFSv4 ACLs on RHEL?

Hello Parisi

We still have the same problem, with the same syntax as in your example.

# nfs4_setfacl -a A::ldapuser@parisiwin2k3.netapp.com:rwatTnNcCy newkrb5 --test

With the --test parameter at the end of the command, everything looks OK!

But without the --test parameter we still get the same problem:

# nfs4_setfacl -a A::ldapuser@parisiwin2k3.netapp.com:rwatTnNcCy newkrb5

>> Failed setxattr operation: Invalid argument

We used our own user and domain name!

Any ideas?

Thanks a lot

Christian

Re: NFSv4 ACLs on RHEL?

Can you post the output from your commands? And then tail the last 100 lines of /var/log/messages on the client?

Re: NFSv4 ACLs on RHEL?

Hello Parisi

Please see our commands and their outputs here.

root@pslab-deb1:~# mount

10.99.4.153:/vol/nfsv4 on /mnt/b2 type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.99.191.41,minorversion=0,local_lock=none,addr=10.99.4.153)

root@pslab-deb1:~#

root@pslab-deb1:~# nfs4_getfacl /mnt/b2

A::root@pslab.nfs:rw

A::root@pslab.nfs:rw

A::OWNER@:rwaDxtTnNcCy

D::OWNER@:

A:g:GROUP@:rwaDxtTnNcCy

D:g:GROUP@:

A::EVERYONE@:rwaDxtTnNcCy

D::EVERYONE@:

root@pslab-deb1:~#

root@pslab-deb1:~# cd /mnt/b2/

root@pslab-deb1:/mnt/b2# nfs4_setfacl -a A::peter@pslab.nfs:rwatTnNcCy /mnt/b2 test --test

## Test mode only - the resulting ACL for "/mnt/b2":

A::peter@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rw

A::root@pslab.nfs:rw

A::OWNER@:rwaDxtTnNcCy

D::OWNER@:

A:g:GROUP@:rwaDxtTnNcCy

D:g:GROUP@:

A::EVERYONE@:rwaDxtTnNcCy

D::EVERYONE@:

## Test mode only - the resulting ACL for "/mnt/b2/test":

A::peter@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rw

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rwatTnNcCy

A::root@pslab.nfs:rw

A::OWNER@:rwatTnNcCy

D::OWNER@:x

A:g:GROUP@:rtncy

D:g:GROUP@:waxTC

A::EVERYONE@:rtncy

D::EVERYONE@:waxTC

root@pslab-deb1:/mnt/b2# nfs4_setfacl -a A::peter@pslab.nfs:rwatTnNcCy /mnt/b2 test

Failed setxattr operation: Invalid argument

For your background:

The NFS storage is a NetApp FAS running Data ONTAP 7.3.7.

swsbnap3> options nfs.v4

nfs.v4.acl.enable on

nfs.v4.enable on

nfs.v4.id.allow_numerics on

nfs.v4.id.domain pslab.nfs

nfs.v4.read_delegation off

nfs.v4.write_delegation off

NFS domain: pslab.nfs

Active Directory: pslab.local

The /var/log/messages file is empty.

I can provide a TeamViewer session to the online systems.

Thanks a lot

Christian

Re: NFSv4 ACLs on RHEL?

Are you using LDAP on the AD server? Is AD the NFSv4 ID mapping domain?

If it's LDAP, can you run:

# getent passwd peter

Can you restart the rpcidmapd service and retry?

Does anything show up in the filer messages?

Can you get a packet trace on the client of the failed ACL set?

Re: NFSv4 ACLs on RHEL?

Hi Parisi

I am out of the office now and will be back tomorrow.

I will provide all the info for you.

Thanks

Re: NFSv4 ACLs on RHEL?

Hi,

Today I changed the name of my NFS domain from PSLAB.NFS to PSLAB.LOCAL, so DNS, AD and NFS are using the same name. Then I installed Debian 6, because Debian 7 has some bugs with rpc.idmapd.

It seems idmapd on Debian is rpc.idmapd. There is no init.d script for the service. I think the only way to start and stop it is "start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/rpc.idmapd" and "start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/rpc.idmapd".

But with "rpc.idmapd -f -vvvvv" I can see that it is running now.

For your questions: I have no LDAP connection from my Debian host. I'm using krb5. "kinit peter" shows no errors after I enter the password, and with kpasswd I can change the password of my AD users.

I can't see anything about my error in the log files, neither on the Debian host nor on my filer.

Here are some of my config files and console outputs:

swsbnap3> options nfs.v4

nfs.v4.acl.enable            on

nfs.v4.enable                on

nfs.v4.id.allow_numerics     off

nfs.v4.id.domain             PSLAB.LOCAL                    <---- I changed this today

nfs.v4.read_delegation       off

nfs.v4.write_delegation      off

swsbnap3> rdfile /etc/exports

/vol/nfsv4      -sec=krb5:sys,rw,root=10.99.191.43

swsbnap3> rdfile /etc/nsswitch.conf

hosts:        files  dns   nis

passwd:       files  ldap

netgroup:     files  nis

group:        files  ldap

shadow:       files  ldap

swsbnap3> cifs testdc

Using Established configuration

Current Mode of NBT is B Mode

Netbios scope ""

Registered names...

        SWSBNAP3       < 0> Broadcast

        SWSBNAP3       < 3> Broadcast

        SWSBNAP3       <20> Broadcast

        PSLAB          < 0> Broadcast

Testing all Primary Domain Controllers

found 1 unique addresses

found PDC PSLAB-DC1 at 10.99.191.1

Testing all Domain Controllers

found 1 unique addresses

found DC PSLAB-DC1 at 10.99.191.1

root@pslab-deb3:~# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: peter@PSLAB.LOCAL

Valid starting     Expires            Service principal

08/09/13 17:14:34  08/09/13 23:54:34  krbtgt/PSLAB.LOCAL@PSLAB.LOCAL

root@pslab-deb3:~# cat /etc/idmapd.conf

[General]

# Verbosity = 0

# Pipefs-Directory = /var/lib/nfs/rpc_pipefs

Domain = PSLAB.LOCAL

root@pslab-deb3:~# cat /etc/nsswitch.conf

passwd:         files ldap compat

group:          compat

shadow:         files ldap compat

hosts:          files dns

networks:       files

protocols:      db files

services:       db files

ethers:         db files

rpc:            db files

netgroup:       nis

root@pslab-deb3:~# cat /etc/krb5.conf

[logging]

        Default = FILE:/var/log/krb5.log

[libdefaults]

        ticket_lifetime = 24000

        clock-skew = 300

        default_realm = PSLAB.LOCAL

[realms]

        PSALB.LOCAL = {

                kdc = pslab-dc1.pslab.local:88

                admin_server = pslab-dc1.pslab.local:464

                default_domain = pslab.local

        }

[domain_realm]

        .pslab.local = PSLAB.LOCAL

        pslab.local = PSLAB.LOCAL

root@pslab-deb3:~# ls -l /mnt/b2

insgesamt 4

drwxr-xr-x 2 4294967294 4294967294 4096  9. Aug 17:39 folder

-rw-r--r-- 1 4294967294 4294967294    0  2. Aug 15:57 test

root@pslab-deb3:~# mount

10.99.4.153:/vol/nfsv4 on /mnt/b2 type nfs4 (rw,addr=10.99.4.153,clientaddr=10.99.191.43)

Thanks for your help