> Your client setfacl example did not error out. Where do you get the errors using setfacl?

$ ls -l
-rw-r--r--+ 1 mark domusers 78 2015-10-16 17:38 phoneMessages
-rw-r--r--+ 1 mark domusers 9216 2015-10-16 17:10 SURnoMember.xls
-rwxrwx---+ 1 3000026 domusers 27 2015-10-11 22:49 whatGIDUID.txt*
Notice the '+' sign.

$ ls -l
-rw-r--r-- 1 mark domain users 78 Oct 16 17:38 phoneMessages
-rw-r--r-- 1 mark domain users 9216 Oct 16 17:10 SURnoMember.xls
-rwxrwx--- 1 3000026 domain users 27 Oct 11 22:49 whatGIDUID.txt
Here is a `getfacl` for the file phoneMessages on the NFS host (where the file actually lives):

$ getfacl phoneMessages
# file: phoneMessages
# owner: mark
# group: domusers
user::rw-
user:3000002:rwx #effective:r--
user:3000003:rwx #effective:r--
user:3000008:rwx #effective:r--
user:3000026:rwx #effective:r--
group::---
group:users:---
group:3000002:rwx #effective:r--
group:3000003:rwx #effective:r--
group:3000008:rwx #effective:r--
mask::r--
other::r--
Here is the `getfacl` on the same file on the NFS client workstation:

$ getfacl phoneMessages
# file: phoneMessages
# owner: mark
# group: domain\040users
user::rw-
group::r--
other::r--
Notice they are not the same. I do believe I have nfs4 enabled on both my server and client.

$ setfacl -m user:10001:rwx phoneMessages
setfacl: phoneMessages: Operation not supported
So, as it stands, I am not getting the acl's from the server, nor can I set them on the client workstation.
> When you have the + reflecting the ACL, is that on the server?

Yes, the '+' is the `ls -l` on the server.
> On the workstation you use auto to mount the location specifically for the user?

Yes, I use autofs to mount the location on the client, but I have tried the same thing using a "permanent" mount in fstab too.
> did you try to force nfs_version=4 in the mount options ?

Yes. This is an autofs mount and the auto.misc entry looks like:
mail:/redirectedFolders/Users/mark on /home/HPRS/mark type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.99,local_lock=none,addr=192.168.0.2)
The "vers=4.0" indicates to me that it is mounting as NFS version 4. However, still no '+' signs on files indicating extended attributes:

mark@labrat:~$ ls -l
total 80
drwxrwx--- 10 mark domain users 4096 Dec 16 12:24 Desktop
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Documents
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Downloads
drwxrwx--- 10 mark domain users 4096 Dec 16 12:24 Favorites
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Music
drwxrwx--- 10 mark domain users 4096 Dec 16 12:24 My Documents
drwxr-x--- 2 mark domain users 4096 Nov 9 14:38 Pictures
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Public
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Templates
drwxr-x--- 2 mark domain users 4096 Oct 16 15:46 Videos
root@mail:/redirectedFolders/Users/mark
> ls -l
total 80
drwxrwx---+ 10 mark domusers 4096 2015-12-16 12:24 Desktop/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Documents/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Downloads/
drwxrwx---+ 10 mark domusers 4096 2015-12-16 12:24 Favorites/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Music/
drwxrwx---+ 10 mark domusers 4096 2015-12-16 12:24 My\ Documents/
drwxr-x---+ 2 mark domusers 4096 2015-11-09 14:38 Pictures/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Public/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Templates/
drwxr-x---+ 2 mark domusers 4096 2015-10-16 15:46 Videos/
> I am uncertain why you are pursuing this, the autofs mount is solely for the individual user, this particular file/path is unavailable to a second user who logs in

In fact, I could care less about acls. But what I have is dual-boot workstations, WIN7 and Ubuntu. Booting either way, the workstation is part of an AD domain. Under Windows, the folders in question are part of the user's redirected folders and either the WIN7 workstation or the AD/DC is setting these attributes. When booted Ubuntu, the same server folders are autofs-mounted and are also the Ubuntu user's desktop. My concern was to not lose the ACL settings when booted Ubuntu and the user modifies or creates files on this desktop ... but it's not a huge concern. At this point, my main motivation is academic - if nfs4 supports ACLs, why can I not see or set ACLs on these folders? I think I should be able to, so why not?
> use nfs4_getfacl/nfs4_setfacl

Are these commands? I don't have them if so. Settings?
> NFS supports NFS ACL's on NFS volumes. Since these files are on a Windows Share it will use Windows File Permissions

Not sure I follow your reasoning. We're not talking a Windows Share per se. The volume having the ACL's is hosted on a Samba4 AD/DC and is the redirected folders directory for domain users. The Windows domain workstations set the ACLs. They are visible as such on the Samba4 AD/DC host, but not visible on the remote NFS client workstation. Seems to me that if NFS4 supports ACLs they should show regardless of which OS creates them.
> getfacl Desktop/putty.exe
# file: Desktop/putty.exe
# owner: mark
# group: domusers
user::rwx
user:mark:rwx
user:3000002:rwx
user:3000003:rwx
user:3000008:rwx
group::---
group:domusers:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
root@labrat:~# nfs4_getfacl /home/HPRS/mark/Desktop/putty.exe
A::OWNER@:rwaxtTcCy
A::10001:rwaxtcy
A::3000002:rwaxtcy
A::3000003:rwaxtcy
A::3000008:rwaxtcy
A::GROUP@:tcy
A:g:10000:tcy
A:g:3000002:rwaxtcy
A:g:3000003:rwaxtcy
A:g:3000008:rwaxtcy
A::EVERYONE@:tcy
On NFS client using standard getfacl:

root@labrat:~# getfacl /home/HPRS/mark/Desktop/putty.exe
getfacl: Removing leading '/' from absolute path names
# file: home/HPRS/mark/Desktop/putty.exe
# owner: mark
# group: domain\040users
user::rwx
group::rwx
other::---
Should I just conclude that this doesn't work? Have any of you mounted a remote NFS volume, with ACL settings, and seen them on the NFS client?
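The nfs4_getfacl output in the post above uses a different ACL model from the POSIX one that getfacl prints, and the permission letters are easy to misread. As an added example (not code from the thread and not part of nfs4-acl-tools), here is a small Python parser for that text format together with an evaluator that applies the NFSv4 rule that, for each permission bit, the first ACE in order naming the caller decides. Ownership, group membership and the outsider uid 3000036 are assumptions the caller passes in; inheritance flags are not modelled.

```python
# Added example: parse nfs4_getfacl text output (type:flags:principal:perms)
# and evaluate which permission bits a given caller ends up with.
from dataclasses import dataclass

# Permission letters and their meanings, as documented in nfs4_acl(5).
PERM_NAMES = {
    "r": "read-data", "w": "write-data", "a": "append-data", "x": "execute",
    "d": "delete", "D": "delete-child", "t": "read-attributes",
    "T": "write-attributes", "n": "read-named-attrs", "N": "write-named-attrs",
    "c": "read-acl", "C": "write-acl", "o": "write-owner", "y": "synchronize",
}

# Copied from the thread: nfs4_getfacl on Desktop/putty.exe (owner mark, uid 10001).
PUTTY_ACL = """\
A::OWNER@:rwaxtTcCy
A::10001:rwaxtcy
A::3000002:rwaxtcy
A::3000003:rwaxtcy
A::3000008:rwaxtcy
A::GROUP@:tcy
A:g:10000:tcy
A:g:3000002:rwaxtcy
A:g:3000003:rwaxtcy
A:g:3000008:rwaxtcy
A::EVERYONE@:tcy
"""


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = allow, D = deny, U = audit, L = alarm
    flags: str      # 'g' marks a group principal; other flags are kept verbatim
    principal: str  # OWNER@, GROUP@, EVERYONE@, or a uid/gid/name
    perms: str      # permission letters from PERM_NAMES

    def applies_to(self, uid, gids, is_owner, in_owning_group):
        """True if this ACE names the caller (simplified: no inheritance flags)."""
        if self.principal == "EVERYONE@":
            return True
        if self.principal == "OWNER@":
            return is_owner
        if self.principal == "GROUP@":
            return in_owning_group
        if "g" in self.flags:
            return self.principal in gids
        return self.principal == uid


def parse_nfs4_acl(text):
    """Parse nfs4_getfacl output into Ace objects; '# file:' headers are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed ACE, expected type:flags:principal:perms: {line!r}")
        ace_type, flags, principal, perms = parts
        if ace_type not in ("A", "D", "U", "L"):
            raise ValueError(f"unknown ACE type {ace_type!r} in {line!r}")
        unknown = set(perms) - set(PERM_NAMES)
        if unknown:
            raise ValueError(f"unknown permission letters {sorted(unknown)} in {line!r}")
        aces.append(Ace(ace_type, flags, principal, perms))
    return aces


def effective_perms(aces, uid, gids=(), is_owner=False, in_owning_group=False):
    """Set of permission letters granted to the caller.

    NFSv4 semantics: for each bit, the first ACE in order that names the caller
    and mentions the bit decides (A grants, D denies). Audit/alarm ACEs never
    grant or deny, and a bit no matching ACE mentions is denied.
    """
    gids = set(gids)
    granted = set()
    for bit in PERM_NAMES:
        for ace in aces:
            if ace.ace_type not in ("A", "D") or bit not in ace.perms:
                continue
            if ace.applies_to(uid, gids, is_owner, in_owning_group):
                if ace.ace_type == "A":
                    granted.add(bit)
                break  # first matching ACE decides this bit
    return granted


def describe(perms):
    """Human-readable names for a set of permission letters, in canonical order."""
    return [PERM_NAMES[p] for p in PERM_NAMES if p in perms]


if __name__ == "__main__":
    acl = parse_nfs4_acl(PUTTY_ACL)
    # mark (uid 10001) owns the file according to the getfacl header in the thread.
    owner = effective_perms(acl, "10001", is_owner=True)
    # Assumed outsider: a domain user in no explicit ACE, member of gid 10000.
    outsider = effective_perms(acl, "3000036", gids={"10000"})
    print("owner   :", "".join(sorted(owner)), describe(owner))
    print("outsider:", "".join(sorted(outsider)), describe(outsider))
```

Running it on the putty.exe ACL from the post shows that only OWNER@ carries C (write-acl) and T (write-attributes); every other principal, including the explicit 10001 entry, can read and write the file but cannot change its ACL, and a user named in no ACE falls through to the gid 10000 and EVERYONE@ entries and gets only t, c and y. The deny-before-allow ordering is what the evaluator has to get right, since a D entry placed later than a matching A entry has no effect.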
> does the access to the NFS share when mounted/accessed by user/users correspond to configured ACL on the server or not?

Good question. These ACLs are set by the Win7 domain client which, as you can see, pretty much permit any user access. To test your comment I'd have to set up a file with my own custom ACLs -- which I'll confess I'm disinclined to do at the point.
Any last comments?
> I am unclear what we are discussing.

Maybe semantics, but ... the server is the Active Directory / Domain Controller and yes, it is also an NFS server. These directories are users' home directories, but are not mounted NFS by the client Windows users. The volume is ext4 and has ACLs enabled. /etc/fstab/fstab:
> You have an NFS server on which you set NFS extended ACLs on shares.
> You then mount the NFS share on a client system and when looking at the standard extended acl, the NFS extended ACL settings are not reflected unless you use the nfs4_getfacl.

Yes, but with the understanding that the clients mounting the share NFS are NOT the Windows 7 clients. These are Linux/Ubuntu clients, so they are mounting NFS, not Samba.
> In the case you are discussing, the NFS mount you are dealing with is a user home dir.

True, in that they "each will have their own home dir mounted", but the permissions are such that they could have rw access if they had physical access to the folder -- something I might fix some day.
> If you have two users logged into this system at the same time, each will have their own home dir mounted and I do not believe will have access to the other's.
> meaning you have on the nfs server /export/home/users with NFS extended permissions to allow members of the domain\users group read/exec rights on this path with only the user having ownership rights to the $username folder within this path...

Well, with the qualification I stated above that the Windows 7 domain users are not accessing via NFS but rather via Samba. My server-side exports are:
> it might be worth a shot to use samba on the client machines as well

Good thought, but the client Linux machines are aping the way the Windows AD works meaning, any user can log onto any workstation and get his/her desktop there. With Samba, I'd have to mount all shares for all users on the same workstation ... just in case someone logs in there some day. With autofs, it will NFS mount on-demand when the directory is requested, then unmount it after some configurable length of inactivity. That way, I only have the current user's home directory mounted.
> nfs permissions are based on user ids. using nfs permissions is globally meaningless if you do not have a centralised user management so users have consistent ids across all hosts. the fact that ids are shown by the nfs utilities either indicates otherwise or reveals a bug in the utilities or possibly your nsswitch configuration. you can check with the "id" command.

The centralised user management is the Active Directory and yes, this gives consistent ids across all hosts. The domain user's ID is not even kept on the local workstation at all.
> permissions are enforced by the server. the permissions you see in ls may be wrong for various reasons, but actually opening a file while not being allowed should not work

I've not really had an issue with opening a file when not allowed as the files all seem to have r/w permission for all users in the domusers group anyway.
> nfs mounts can be performed as one user and apply to all/other users on the machine. it seems reasonable to think that you could be in that case. this would explain why ls/getfacl and the nfs tools disagree since the tools probably directly use the nfs protocol. additionally, nfs has options to transform users into other users.

I don't think I'm transforming users. My autofs config on the client is:
> what ID does the user mark have? it looks like the extended acl merely reflects that mark with the group domusers has read/write/exec on the file.

mark correctly has ID 10001. He originally had 3000002 when Samba4 was first provisioned and mark was first added. This was an error with the default setting in Samba4. With the help of the samba gurus, I changed mark's UID to 10001, but that didn't really change the already set ACL setting. 300000[3,8] are other domain users -- not sure why they show up in the ACLs for those files.
> which user and which group have the UID/GID of 3000002,3000003,3000008?
> With autofs, it will NFS mount on-demand when the directory is requested, then unmount it after some configurable length of inactivity
> i'm confused regarding what actually is your problem, now : it seems that the acls work fine, are properly enforced, and can be seen with nfs4_getfacl, so the only thing that does not really work as expected is the missing "+" in ls output.

The missing "+" was an indicator to me that ACL's weren't really working as seen from the client Ubuntu workstation.
> any actual other problem left ?

I would have to make modifications to the ACL permission on the server to set up a definitive test. As this really doesn't seem all that critical at this point, I am disinclined to make the effort. Therefore, I'm going to consider there are no actual problems.
ls -l /redirectedFolders/Users/m
total 24
drwxrwx---+  7 mark domusers 4096 2015-10-15 19:29 Desktop/
drwxrwx---+ 10 mark domusers 4096 2015-08-18 02:38 Favorites/
drwxrwx---+ 10 mark domusers 4096 2015-08-19 12:57 My\ Documents/
-rwxrwx---+ 1 mark domusers 214 2013-02-08 15:20 /redirectedFolders/Users/m
and can be viewed, e.g. (screenshot not included in the thread)
Here is the same file from the NFS client host:

$ ls -l Desktop/speedtest.txt
-rwxrwx--- 1 mark domain users 214 Feb  8  2013 Desktop/speedtest.txt
No '+' sign. getfacl:
$ getfacl Desktop/speedtest.txt
# file: Desktop/speedtest.txt
# owner: mark
# group: domain\040users
user::rwx
group::rwx
other::---
David Johnson, MVP: Trying to set acls on files on this mount fails:
$ setfacl --modify group:3000036:rwx Desktop/speedtest.txt
setfacl: Desktop/speedtest.txt: Operation not supported
But I can setfacl on other files on this host outside the nfs mount:
This is telling me that NFS is not dealing with ACLs