Solved

Red Hat - ACL Operation not supported error

Posted on 2013-06-26
Last Modified: 2013-07-01
I have an ACL file that I created and I'm trying to apply it against a directory. Below is what I ran and my error. Please help with this issue.

# setfacl -R --set-file=/ACL/acl.file.example /apps/datasec
setfacl:  /apps/datasec: Operation not supported.
Question by:AIX25
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279755
Is the filesystem mounted with the "acl" option?

Is the acl package installed?
0
 

Author Comment

by:AIX25
ID: 39279776
Yes, it is mounted with the "acl" option and the acl package is installed. I'm sorry, but I left out a couple of important items.

Server is on NAS storage. So, we are using automounter to mount the FSs.

# mount |grep apps
xxxxx:/vol/xxxx_d_8/38783_apps_prd on /xxxxx/38783_apps_prd type nfs (rw,nosuid,nodev,vers=3,rsize=65536,wsize=65536,actimeo=0,hard,intr,acl,proto=tcp,timeo=600,retrans=2,sec=sys,sloppy,addr=xxx.xx.x.xx)
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279840
Should basically work.

Is your NAS from NetApp? I heard that NetApp only supports NFSv4 ACLs, but I can't confirm this because we don't have a NetApp.

Please consult the docs of your NAS system under this aspect.

The share is not accidentally exported with "no_acl", is it?
0

Author Comment

by:AIX25
ID: 39279850
Yes, it is from NetApp. No, it was not exported with "no_acl". The mount in the auto.master did not have the "acl" option. So we added the "acl" option and remounted. Yes, please confirm. Also, if it ends up only supporting NFSv4 ACLs, can you help explain what I need to do to make it work? How do I implement NFSv4 ACLs?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279876
First of all, you'll have to set up NFS version 4.

Here is a nice tutorial:

http://www.cyberciti.biz/faq/centos-fedora-rhel-nfs-v4-configuration/

Next, you'll have to create NFSv4 ACLs, which look quite different from Posix ACLs.

Here is the manpage:
http://linux.die.net/man/5/nfs4_acl

As I said, I can't tell you whether NetApp supports only NFSv4 ACLs. I don't have such a machine, and I don't have the docs at hand.
0
 

Author Comment

by:AIX25
ID: 39279921
With NFSv4 ACLs, will I still be able to create ACL files (see below) and apply them in the same manner as regular ACLs?

# file: datasec
# owner: userA
# group: groupA
user::rwx
group::---
other::---
user:userB:rwx
user:userC:r--
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39280515
If your NAS supports only NFSv4 ACLs, you must create and apply this sort of ACL.

The v4 ACL format is described here:
http://linux.die.net/man/5/nfs4_acl

What you posted in the last comment is a Posix ACL and such ACLs cannot be applied, according to what you wrote in the original question.

The command to apply v4 ACLs is nfs4_setfacl
http://linux.die.net/man/1/nfs4_setfacl

Don't you have the NetApp docs at hand? I found several docs on the net, but one is not allowed to read them without registration, as it seems.
But I found lots of messages stating that NetApp indeed does not support Posix ACLs!
0
 

Author Comment

by:AIX25
ID: 39281295
Does NFSv3 support POSIX ACL?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39281308
Generally, yes. But not NetApp's NFS implementation, as it seems.
0
 

Author Comment

by:AIX25
ID: 39282322
Do I have to install anything to get nfsv4_setfacl and getfacl commands? Also, can I run it like this?

# nfsv4_setfacl -R --set-file=/ACL/acl.file.example /apps/datase
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39282419
I think I told you multiple times that version 4 ACLs have a format very different to what you posted in 39279921 (that's Posix!)

You cannot run nfsv4_setfacl using an input file containing Posix ACLs.

Please check the links I posted in my previous comments.
They contain sufficient information about enabling NFSv4 and creating NFSv4 ACLs.
0
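To make the format difference discussed above concrete, here is an added example (not part of the thread and not from any poster) that translates POSIX ACL entries like those in comment 39279921 into NFSv4 Allow ACEs. The function names, the `example.com` domain and the sample text are assumptions; the permission expansion follows the generic R/W/X aliases documented in nfs4_acl(5).

```python
# Mapping follows the generic R/W/X aliases in nfs4_acl(5); "D" is added for
# directories. This is an Allow-only approximation: EVERYONE@ also covers the
# owner and group, unlike POSIX "other", and mask/default entries are skipped.
POSIX_TO_NFS4 = {"r": "rntcy", "w": "watTNcCy", "x": "xtcy"}
PERM_ORDER = "rwaDxtTnNcCy"          # letter order used in nfs4_setfacl output
SPECIAL = {"user": "OWNER@", "group": "GROUP@", "other": "EVERYONE@"}

def nfs4_perms(posix_perms, is_dir=True):
    """Expand a POSIX 'rwx' string into NFSv4 permission letters."""
    bits = set()
    for ch in posix_perms:
        bits.update(POSIX_TO_NFS4.get(ch, ""))
        if ch == "w" and is_dir:
            bits.add("D")
    return "".join(p for p in PERM_ORDER if p in bits)

def posix_to_nfs4(acl_text, domain, is_dir=True):
    """Return (aces, skipped): Allow ACEs and the entries not translated."""
    aces, skipped = [], []
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop "# file:" header comments
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in SPECIAL or (parts[0] == "other" and parts[1]):
            skipped.append(line)                 # mask, default:, malformed
            continue
        tag, name, perms = parts
        mask = nfs4_perms(perms, is_dir)
        if not mask:
            continue                             # '---' grants nothing: no Allow ACE
        principal = f"{name}@{domain}" if name else SPECIAL[tag]
        flags = "g" if tag == "group" else ""
        aces.append(f"A:{flags}:{principal}:{mask}")
    return aces, skipped

# Constructed sample modelled on the POSIX ACL file posted in the thread.
SAMPLE_ACL = """# file: datasec
user::rwx
group::---
other::---
user:userB:rwx
user:userC:r--
mask::rwx
"""

if __name__ == "__main__":
    aces, skipped = posix_to_nfs4(SAMPLE_ACL, "example.com")  # placeholder domain
    print("\n".join(aces))
    print("not translated:", skipped)
```

The generated ACEs can be reviewed with the `--test` mode of nfs4_setfacl before anything is applied to the share.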
 

Author Comment

by:AIX25
ID: 39282498
We have converted our mounts to NFSv4.

Now I'm getting another error. When I run my command in "test mode", it works fine. But, when I run the command without "test mode", it gives me the error below. Any ideas? Please help.

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec --test
## Test mode only - the resulting ACL for "/volume/apps/datasec":
A::username@:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
D::OWNER@:
A:g:GROUP@:tc
D:g:GROUP@:rwaDxTCy
A::EVERYONE@:tc
D::EVERYONE@:rwaDxTCy

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec
Failed setxattr operations: Invalid argument
0
 

Author Comment

by:AIX25
ID: 39283641
I have made updates...please see my post above.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283644
You should specify the NFSv4 domain:

nfs4_setfacl -a A::username@mynfsdomain:rwaDxtTnNcCy /apps/datasec
0
 

Author Comment

by:AIX25
ID: 39283654
"mynfsdomain"...is that the NFS server or client..or the server I'm logged on?
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 39283660
It's usually the host's fully qualified DNS domain name, if not set otherwise in /etc/idmapd.conf or with the "-d" option of rpc.idmapd.

If the NetApp and the clients are in different domains pick one to be the NFSv4 domain and set it on Linux (see above) and/or on NetApp (don't know how to do it there).
0
 

Author Comment

by:AIX25
ID: 39283673
I got the FQDN from nslookup and host commands. I ran the same command with username@FQDN and it still gives me the same error. I looked at the /etc/idmapd.conf file and it looks to be default and not updated with any changes. I'm not exactly sure what is needed.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283680
FQDN must not contain the host name itself, just the domain part.

Are NetApp and the client in the same DNS domain?
0
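A sanity check for the domain advice in the accepted solution and in comment 39283680, as an added example that is not part of the thread: it derives the NFSv4 domain from idmapd.conf text (falling back to the FQDN without its host label) and checks the principal of an ACE against it. The host names, the idmapd.conf sample and the function names are constructed for illustration.

```python
import configparser

SPECIAL_WHO = ("OWNER@", "GROUP@", "EVERYONE@")

def nfs4_domain(idmapd_conf_text, fqdn):
    """Return (domain, source): [General] Domain if set, else the FQDN's domain part."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(idmapd_conf_text)
    domain = cp.get("General", "Domain", fallback="").strip().lower()
    if domain:
        return domain, "idmapd.conf"
    _host, _, dns_domain = fqdn.partition(".")   # drop the host label
    if not dns_domain:
        raise ValueError("FQDN has no domain part; set Domain in idmapd.conf")
    return dns_domain.lower(), "dns"

def principal_issues(ace, domain):
    """Check the principal field of one type:flags:principal:perms ACE."""
    fields = ace.split(":")
    if len(fields) != 4:
        return ["not a type:flags:principal:permissions ACE"]
    principal = fields[2]
    if principal in SPECIAL_WHO:
        return []
    _name, at, dom = principal.partition("@")
    if not at or not dom:
        return ["principal has no domain part"]
    dom = dom.lower()                            # compared case-insensitively, like DNS names
    if dom == domain:
        return []
    if dom.endswith("." + domain):
        return ["domain part includes a host label"]
    return ["domain part differs from the NFSv4 domain"]

# Constructed idmapd.conf with the Domain line left commented out.
SAMPLE_IDMAPD = """[General]
#Domain = local.domain.edu
Verbosity = 0

[Mapping]
Nobody-User = nobody
"""

if __name__ == "__main__":
    domain, source = nfs4_domain(SAMPLE_IDMAPD, "client01.corp.example.com")
    print(domain, "from", source)
    for ace in ("A::username@:rwaDxtTnNcCy",
                "A::username@client01.corp.example.com:rwaDxtTnNcCy",
                "A::username@corp.example.com:rwaDxtTnNcCy"):
        print(ace, "->", principal_issues(ace, domain) or "ok")
```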
 

Author Comment

by:AIX25
ID: 39284366
Ok. Yes, they are. I have now tried the command with just @domainname. No luck.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39284396
Is "username" a user defined on the client machine?

If so, I'm running out of ideas....

You could try defining this user on the NetApp as well (same UID), but this should generally not be necessary.... who knows.

The biggest problem for me is that I don't have a NetApp and don't have access to the docs either.
0
