Solved

Red Hat - ACL Operation not supported error

Posted on 2013-06-26
Last Modified: 2013-07-01
I have an ACL file that I created and I'm trying to apply it against a directory. Below is what I ran and my error. Please help with this issue.

# setfacl -R --set-file=/ACL/acl.file.example /apps/datasec
setfacl:  /apps/datasec: Operation not supported.
0
Question by:AIX25
20 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279755
Is the filesystem mounted with the "acl" option?

Is the acl package installed?
0
 

Author Comment

by:AIX25
ID: 39279776
Yes, it is mounted with the "acl" option and the acl package is installed. I'm sorry, but I left out a couple of important items.

Server is on NAS storage. So, we are using automounter to mount the FSs.

# mount |grep apps
xxxxx:/vol/xxxx_d_8/38783_apps_prd on /xxxxx/38783_apps_prd type nfs (rw,nosuid,nodev,vers=3,rsize=65536,wsize=65536,actimeo=0,hard,intr,acl,proto=tcp,timeo=600,retrans=2,sec=sys,sloppy,addr=xxx.xx.x.xx)
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279840
Should basically work.

Is your NAS from NetApp? I heard that NetApp only supports NFSv4 ACLs, but I can't confirm this because we don't have a NetApp.

Please consult the docs of your NAS system under this aspect.

The share is not accidentally exported with "no_acl", is it?
0
 

Author Comment

by:AIX25
ID: 39279850
Yes, it is from NetApp. No, it was not exported with "no_acl". The mount in the auto.master did not have the "acl" option. So we added the "acl" option and remounted. Yes, please confirm. Also, if it ends up only supporting NFSv4 ACLs, can you help explain what I need to do to make it work? How do I implement NFSv4 ACLs?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279876
First of all, you'll have to set up NFS version 4.

Here is a nice tutorial:

http://www.cyberciti.biz/faq/centos-fedora-rhel-nfs-v4-configuration/

Next, you'll have to create NFSv4 ACLs, which look quite different from Posix ACLs.

Here is the manpage:
http://linux.die.net/man/5/nfs4_acl

As I said, I can't tell you whether NetApp supports only NFSv4 ACLs. I don't have such a machine, and I don't have the docs at hand.
0
 

Author Comment

by:AIX25
ID: 39279921
With NFSv4 ACLs, will I still be able to create ACL files (see below) and apply them in the same manner as regular ACLs?

# file: datasec
# owner: userA
# group: groupA
user::rwx
group:---
other::---
user:userB:rwx
user:userC:r--
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39280515
If your NAS supports only NFSv4 ACLs you must create and apply this sort of ACLs.

The v4 ACL format is described here:
http://linux.die.net/man/5/nfs4_acl

What you posted in the last comment is a Posix ACL and such ACLs cannot be applied, according to what you wrote in the original question.

The command to apply v4 ACLs is nfs4_setfacl
http://linux.die.net/man/1/nfs4_setfacl

Don't you have the NetApp docs at hand? I found several docs on the net, but one is not allowed to read them without registration, as it seems.
But I found lots of messages stating that NetApp indeed does not support Posix ACLs!
0
 

Author Comment

by:AIX25
ID: 39281295
Does NFSv3 support POSIX ACL?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39281308
Generally, yes. But not NetApp's NFS implementation, as it seems.
0
 

Author Comment

by:AIX25
ID: 39282322
Do I have to install anything to get nfsv4_setfacl and getfacl commands? Also, can I run it like this?

# nfsv4_setfacl -R --set-file=/ACL/acl.file.example /apps/datase
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39282419
I think I told you multiple times that version 4 ACLs have a format very different to what you posted in 39279921 (that's Posix!)

You cannot run nfsv4_setfacl using an input file containing Posix ACLs.

Please check the links I posted in my previous comments.
They contain sufficient information about enabling NFSv4 and creating NFSv4 ACLs.
0
 

Author Comment

by:AIX25
ID: 39282498
We have converted our mounts to NFSv4.

Now I'm getting another error. When I run my command in "test mode", it works fine. But, when I run the command without "test mode", it gives me the error below. Any ideas? Please help.

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec --test
## Test mode only - the resulting ACL for "/volume/apps/datasec":
A::username@:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
D::OWNER@:
A:g:GROUP@:tc
D:g:GROUP@:rwaDxTCy
A::EVERYONE@:tc
D::EVERYONE@:rwaDxTCy

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec
Failed setxattr operations: Invalid argument
0
 

Author Comment

by:AIX25
ID: 39283641
I have made updates...please see my post above.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283644
You should specify the NFSv4 domain:

nfs4_setfacl -a A::username@mynfsdomain:rwaDxtTnNcCy /apps/datasec
0
 

Author Comment

by:AIX25
ID: 39283654
"mynfsdomain"...is the NFS server or client..or the server I'm logged on?
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39283660
It's usually the host's fully qualified DNS domain name, if not set otherwise in /etc/idmapd.conf or with the "-d" option of rpc.idmapd.

If the NetApp and the clients are in different domains pick one to be the NFSv4 domain and set it on Linux (see above) and/or on NetApp (don't know how to do it there).
0
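The two points this thread turns on, the different ACE format and the NFSv4 domain, shown together in an added example that is not code from either poster: it reads the Domain setting from an idmapd.conf file and rewrites getfacl-style POSIX entries as NFSv4 Allow ACEs using the generic R/W/X aliases from nfs4_acl(5). The function names, the example.com domain and the sample ACL are assumptions, and the mapping is an approximation (mask and default entries are skipped).

```shell
#!/bin/sh
# Added example (not from the thread): approximate POSIX ACL entries as NFSv4 ACEs.

# Print the Domain value from the [General] section of an idmapd.conf-style file.
idmap_domain() {
    awk -F= '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\]/); next }
        in_general && $1 ~ /^[ \t]*Domain[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Read getfacl-style entries on stdin, write NFSv4 ACE lines; $1 = NFSv4 domain.
posix_to_nfs4() {
    awk -F: -v dom="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        $1 != "user" && $1 != "group" && $1 != "other" { next }  # mask, default: skipped
        {
            out = ""
            # R, W, X are the generic read/write/execute aliases from nfs4_acl(5)
            if (index($3, "r")) out = out "R"
            if (index($3, "w")) out = out "W"
            if (index($3, "x")) out = out "X"
            if (out == "") next               # "---": emit no Allow ACE at all
            flags = ($1 == "group") ? "g" : ""
            if ($2 != "")           who = $2 "@" dom   # named principal needs the domain
            else if ($1 == "user")  who = "OWNER@"
            else if ($1 == "group") who = "GROUP@"
            else                    who = "EVERYONE@"
            printf "A:%s:%s:%s\n", flags, who, out
        }'
}

# Constructed sample, modelled on the POSIX ACL file posted in the question.
posix_to_nfs4 example.com <<'EOF'
# file: datasec
user::rwx
group::---
other::---
user:userB:rwx
user:userC:r--
EOF
```

The resulting lines can be saved to a file and checked with nfs4_setfacl in --test mode, as used earlier in the thread, before applying them.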
 

Author Comment

by:AIX25
ID: 39283673
I got the FQDN from nslookup and host commands. I ran the same command with username@FQDN and it still gives me the same error. I looked at the /etc/idmapd.conf file and looks to be default and not updated with any changes. I'm not exactly sure what is needed.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283680
FQDN must not contain the host name itself, just the domain part.

Are NetApp and the client in the same DNS domain?
0
 

Author Comment

by:AIX25
ID: 39284366
Ok. Yes, they are. I have tried the command with now just @domainname. No luck.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39284396
Is "username" a user defined on the client machine?

If so, I'm running out of ideas....

You could try defining this user on the NetApp as well (same UID), but this should generally not be necessary.... who knows.

The biggest problem for me is that I don't have a NetApp and don't have access to the docs either.
0
