Solved

Red Hat - ACL Operation not supported error

Posted on 2013-06-26
Last Modified: 2013-07-01
I have an ACL file that I created and I'm trying to apply it against a directory. Below is what I ran and my error. Please help with this issue.

# setfacl -R --set-file=/ACL/acl.file.example /apps/datasec
setfacl:  /apps/datasec: Operation not supported.
0
Comment
Question by:AIX25
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279755
Is the filesystem mounted with the "acl" option?

Is the acl package installed?
0
 

Author Comment

by:AIX25
ID: 39279776
yes, it is mounted with "acl" option and acl package is installed. I'm sorry but I left out a couple of important items.

Server is on NAS storage. So, we are using automounter to mount the FSs.

# mount |grep apps
xxxxx:/vol/xxxx_d_8/38783_apps_prd on /xxxxx/38783_apps_prd type nfs (rw,nosuid,nodev,vers=3,rsize=65536,wsize=65536,actimeo=0,hard,intr,acl,proto=tcp,timeo=600,retrans=2,sec=sys,sloppy,addr=xxx.xx.x.xx)
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279840
Should basically work.

Is your NAS from NetApp? I heard that NetApp only supports NFSv4 ACLs, but I can't confirm this because we don't have a NetApp.

Please consult the docs of your NAS system under this aspect.

The share is not accidentally exported with "no_acl", is it?
0
 

Author Comment

by:AIX25
ID: 39279850
Yes, it is from NetApp. No, it was not exported with "no_acl". The mount in the auto.master did not have the "acl" option. So we added the "acl" option and remounted. Yes, please confirm. Also, if it ends up only supporting NFSv4 ACLs, can you help explain what I need to do to make it work? How do I implement NFSv4 ACLs?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39279876
First of all, you'll have to set up NFS version 4.

Here is a nice tutorial:

http://www.cyberciti.biz/faq/centos-fedora-rhel-nfs-v4-configuration/

Next, you'll have to create NFSv4 ACLs, which look quite different from Posix ACLs.

Here is the manpage:
http://linux.die.net/man/5/nfs4_acl

As I said, I can't tell you whether NetApp supports only NFSv4 ACLs. I don't have such a machine, and I don't have the docs at hand.
0
 

Author Comment

by:AIX25
ID: 39279921
With NFSv4 ACLs, will I still be able to create ACL files (see below) and apply them in the same manner as regular ACLs?

# file: datasec
# owner: userA
# group: groupA
user::rwx
group::---
other::---
user:userB:rwx
user:userC:r--
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39280515
If your NAS supports only NFSv4 ACLs you must create and apply this sort of ACLs.

The v4 ACL format is described here:
http://linux.die.net/man/5/nfs4_acl

What you posted in the last comment is a Posix ACL and such ACLs cannot be applied, according to what you wrote in the original question.

The command to apply v4 ACLs is nfs4_setfacl
http://linux.die.net/man/1/nfs4_setfacl

Don't you have the NetApp docs at hand? I found several docs on the net, but one is not allowed to read them without registration, as it seems.
But I found lots of messages stating that NetApp indeed does not support Posix ACLs!
0
 

Author Comment

by:AIX25
ID: 39281295
Does NFSv3 support POSIX ACL?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39281308
Generally, yes. But not NetApp's NFS implementation, as it seems.
0
 

Author Comment

by:AIX25
ID: 39282322
Do I have to install anything to get nfsv4_setfacl and getfacl commands? Also, can I run it like this?

# nfsv4_setfacl -R --set-file=/ACL/acl.file.example /apps/datase
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39282419
I think I told you multiple times that version 4 ACLs have a format very different to what you posted in 39279921 (that's Posix!)

You cannot run nfsv4_setfacl using an input file containing Posix ACLs.

Please check the links I posted in my previous comments.
They contain sufficient information about enabling NFSv4 and creating NFSv4 ACLs.
0
 

Author Comment

by:AIX25
ID: 39282498
We have converted our mounts to NFSv4.

Now I'm getting another error. When I run my command in "test mode", it works fine. But, when I run the command without "test mode", it gives me the error below. Any ideas? Please help.

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec --test
## Test mode only - the resulting ACL for "/volume/apps/datasec":
A::username@:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
D::OWNER@:
A:g:GROUP@:tc
D:g:GROUP@:rwaDxTCy
A::EVERYONE@:tc
D::EVERYONE@:rwaDxTCy

# nfs4_setfacl -a A::username@:rwaDxtTnNcCy /apps/datasec
Failed setxattr operations: Invalid argument
0
 

Author Comment

by:AIX25
ID: 39283641
I have made updates...please see my post above.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283644
You should specify the NFSv4 domain:

nfs4_setfacl -a A::username@mynfsdomain:rwaDxtTnNcCy /apps/datasec
0
 

Author Comment

by:AIX25
ID: 39283654
"mynfsdomain"...is that the NFS server or client..or the server I'm logged on?
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39283660
It's usually the host's fully qualified DNS domain name, if not set otherwise in /etc/idmapd.conf or with the "-d" option of rpc.idmapd.

If the NetApp and the clients are in different domains pick one to be the NFSv4 domain and set it on Linux (see above) and/or on NetApp (don't know how to do it there).
0
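The POSIX ACL file posted earlier in the thread, rewritten as NFSv4 ACEs qualified with the NFSv4 domain described in the answer above. This is an added example, not part of any poster's comment: the function names, the domain example.com and the permission mapping (taken from the generic R/W/X aliases in nfs4_acl(5)) are assumptions.

```shell
#!/bin/sh
# Added example; function names and example.com are hypothetical.

# NFSv4 domain: the Domain key in idmapd.conf if set, else the DNS domain.
nfs4_domain() {
    conf=${1:-/etc/idmapd.conf}
    dom=$(sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" 2>/dev/null | head -n 1)
    [ -n "$dom" ] || dom=$(hostname -d 2>/dev/null) || true
    printf '%s\n' "$dom"
}

# posix_to_nfs4 DOMAIN [dir] < posix_acl_file
# Assumed mapping: r -> rntcy, w -> watTNcCy (+D on a directory), x -> xtcy,
# the expansions of the generic R/W/X aliases in nfs4_acl(5).
# Entries with no permissions emit nothing: NFSv4 denies what no ACE allows.
# mask and default: entries are skipped. Caveat: EVERYONE@ includes the owner
# and group, so a non-empty POSIX "other" entry becomes broader here.
posix_to_nfs4() {
    awk -F: -v dom="$1" -v kind="${2:-file}" '
    { sub(/[ \t]*#.*$/, "") }                 # drop comments
    NF != 3 || $1 == "mask" { next }          # blank, default:, mask
    {
        set = ""
        if ($3 ~ /r/) set = set "rntcy"
        if ($3 ~ /w/) set = set (kind == "dir" ? "waDtTNcCy" : "watTNcCy")
        if ($3 ~ /x/) set = set "xtcy"
        if (set == "") next
        perms = ""                            # de-duplicate, fixed order
        n = split("r w a D x t T n N c C y", order, " ")
        for (i = 1; i <= n; i++) if (index(set, order[i])) perms = perms order[i]
        if ($2 != "") who = $2 "@" dom
        else who = ($1 == "user") ? "OWNER@" : (($1 == "group") ? "GROUP@" : "EVERYONE@")
        print "A:" ($1 == "group" ? "g" : "") ":" who ":" perms
    }'
}

# Constructed sample: the POSIX ACL file posted earlier in the thread.
sample_acl() {
cat <<'EOF'
# file: datasec
# owner: userA
# group: groupA
user::rwx
group::---
other::---
user:userB:rwx
user:userC:r--
EOF
}

# Print the ACEs; each can be checked with: nfs4_setfacl --test -a "$ace" /apps/datasec
sample_acl | posix_to_nfs4 example.com dir
```

Passing the output of `nfs4_domain` as the first argument uses the client's configured domain instead of the placeholder.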
 

Author Comment

by:AIX25
ID: 39283673
I got the FQDN from nslookup and host commands. I ran the same command with username@FQDN and it still gives me the same error. I looked at the /etc/idmapd.conf file and looks to be default and not updated with any changes. I'm not exactly sure what is needed.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39283680
FQDN must not contain the host name itself, just the domain part.

Are NetApp and the client in the same DNS domain?
0
 

Author Comment

by:AIX25
ID: 39284366
Ok. Yes, they are. I have tried the command with now just @domainname. No luck.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39284396
Is "username" a user defined on the client machine?

If so, I'm running out of ideas....

You could try defining this user on the NetApp as well (same UID), but this should generally not be necessary.... who knows.

The biggest problem for me is that I don't have a NetApp and don't have access to the docs either.
0


Question has a verified solution.
