[OmniOS-discuss] nfsv4 acls wtf moment
Sigbjorn Lie
sigbjorn at nixtra.com
Fri May 10 12:01:08 EDT 2013
On 05/10/2013 05:08 PM, Natxo Asenjo wrote:
> On Fri, May 10, 2013 at 4:17 PM, Natxo Asenjo <natxo.asenjo at gmail.com
> <mailto:natxo.asenjo at gmail.com>> wrote:
>
> hi Siggi,
>
>
> On Fri, May 10, 2013 at 3:47 PM, Sigbjorn Lie <sigbjorn at nixtra.com
> <mailto:sigbjorn at nixtra.com>> wrote:
>
> Hi,
>
> Did you set aclmode to passthrough too?
>
>
> no but I just tried it and the linux nfsv4 client still ignores
> the inheritance:
>
> # zfs get all tank/testshare | grep acl
> tank/testshare aclmode passthrough local
> tank/testshare aclinherit passthrough local
>
>
> following up, I found this: https://www.illumos.org/issues/3571
>
> and setting
>
> # zfs set aclmode=restricted tank/testshare
>
> seems to do the trick from the linux client side.
>
> I need to test it a bit further.
>
Hi,
I was testing this a while back and had similar issues to you. I ended
up setting both aclmode and aclinherit to passthrough, and setting a
different ACL than what you've done. I have pasted my setup below. This
allows access from both Linux and Windows to the same files, with access
mainly controlled by the LDAP group "ldap_group". Files created by nfs
clients also generate the owner@, group@ and everyone@ entries; this has not been
an issue for me. Files can still be accessed from both Linux and Windows.
This is on NexentaStor, which still does not have support for
aclmode=restricted. It seems like aclmode=restricted would also do the
trick, from what I can read about aclmode=restricted.
NAME PROPERTY VALUE SOURCE
p00/public aclmode passthrough local
p00/public aclinherit passthrough local
ls -lvd p00/public/
drwx--S---+ 12 root root 21 May 10 17:38 p00/public/
0:group:ldap_group:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/read_attributes/write_attributes/delete/read_acl/synchronize
:file_inherit/dir_inherit:allow
1:user:root:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
2:user:nfs:read_attributes/synchronize:allow
/usr/sun/bin/ls -lvd p00/public/created_linux.txt
-rw-r--r--+ 1 sigbjorn root 0 May 10 17:40
p00/public/created_linux.txt
0:group:ldap_group:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:inherited:allow
1:user:root:read_data/write_data/append_data/read_xattr/write_xattr
/execute/delete_child/read_attributes/write_attributes/delete
/read_acl/write_acl/write_owner/synchronize:inherited:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
4:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
/ls -lvd p00/public/created_windows.txt
----------+ 1 sigbjorn root 0 May 10 17:41
p00/public/created_windows.txt
0:group:ldap_group:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:inherited:allow
1:user:root:read_data/write_data/append_data/read_xattr/write_xattr
/execute/delete_child/read_attributes/write_attributes/delete
/read_acl/write_acl/write_owner/synchronize:inherited:allow
Regards,
Siggi
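As an added example (not part of the thread, and not NexentaStor or illumos code), the following Python script parses the `ls -v` ACE text format shown in the listings above and performs the two checks a reader would want to make when verifying a setup like Siggi's: that each explicit user/group ACE on the directory carries both file_inherit and dir_inherit, that a file created underneath received each of them as an `inherited` entry without gaining permissions, and which of the owner@/group@/everyone@ mode-bit entries a given file carries (present on the Linux-created file, absent on the Windows-created one). The sample listings are constructed from the output quoted in the message, including the line wrapping the mail archive introduced; the parser assumes the `index:tag[:principal]:perms[:flags]:allow|deny` layout of `ls -v`.

```python
import re

# Constructed sample input, taken from the listings in the thread. The mail
# archive wrapped long ACEs; continuation lines begin with "/" or ":".
DIR_LISTING = """\
drwx--S---+ 12 root root 21 May 10 17:38 p00/public/
0:group:ldap_group:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/read_attributes/write_attributes/delete/read_acl/synchronize
:file_inherit/dir_inherit:allow
1:user:root:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
2:user:nfs:read_attributes/synchronize:allow
"""

LINUX_FILE = """\
-rw-r--r--+ 1 sigbjorn root 0 May 10 17:40 p00/public/created_linux.txt
0:group:ldap_group:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:inherited:allow
1:user:root:read_data/write_data/append_data/read_xattr/write_xattr
/execute/delete_child/read_attributes/write_attributes/delete
/read_acl/write_acl/write_owner/synchronize:inherited:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
4:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
"""

WINDOWS_FILE = """\
----------+ 1 sigbjorn root 0 May 10 17:41 p00/public/created_windows.txt
0:group:ldap_group:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:inherited:allow
1:user:root:read_data/write_data/append_data/read_xattr/write_xattr
/execute/delete_child/read_attributes/write_attributes/delete
/read_acl/write_acl/write_owner/synchronize:inherited:allow
"""

ACE_START = re.compile(r"^\d+:")

def unwrap(text):
    """Return (mode field of the ls line, list of re-joined ACE strings)."""
    mode, aces = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ACE_START.match(line):
            aces.append(line)
        elif line.startswith(("/", ":")) and aces:
            aces[-1] += line                # wrapped continuation of last ACE
        elif mode is None:
            mode = line.split()[0]          # e.g. "drwx--S---+"
    return mode, aces

def parse_ace(ace):
    """Parse one ls -v ACE: index:tag[:principal]:perms[:flags]:access."""
    parts = ace.split(":")
    idx, tag = int(parts[0]), parts[1]
    if tag in ("user", "group"):
        principal, rest = parts[2], parts[3:]
    else:                                   # owner@, group@, everyone@
        principal, rest = tag, parts[2:]
    perms = set(rest[0].split("/"))
    flags = set(rest[1].split("/")) if len(rest) == 3 else set()
    return {"index": idx, "tag": tag, "principal": principal,
            "perms": perms, "flags": flags, "access": rest[-1]}

def parse_listing(text):
    mode, raw = unwrap(text)
    return mode, [parse_ace(a) for a in raw]

def inheritable_aces(dir_aces):
    """Explicit user/group ACEs that new files and subdirectories inherit."""
    return [a for a in dir_aces if a["tag"] in ("user", "group")
            and {"file_inherit", "dir_inherit"} <= a["flags"]]

def check_inheritance(dir_text, file_text):
    """(ok, problems): every inheritable directory ACE must appear on the
    file as an 'inherited' ACE with the same access and no extra perms."""
    _, dir_aces = parse_listing(dir_text)
    _, file_aces = parse_listing(file_text)
    problems = []
    for d in inheritable_aces(dir_aces):
        match = [f for f in file_aces
                 if (f["tag"], f["principal"], f["access"]) ==
                    (d["tag"], d["principal"], d["access"])
                 and "inherited" in f["flags"]]
        if not match:
            problems.append(f"no inherited ACE for {d['tag']}:{d['principal']}")
        elif not match[0]["perms"] <= d["perms"]:
            problems.append(f"{d['principal']} gained "
                            f"{sorted(match[0]['perms'] - d['perms'])}")
    return not problems, problems

def trivial_aces(file_text):
    """(mode, owner@/group@/everyone@ entries present on the file)."""
    mode, aces = parse_listing(file_text)
    return mode, sorted(a["tag"] for a in aces if a["tag"].endswith("@"))

if __name__ == "__main__":
    for name, listing in (("linux", LINUX_FILE), ("windows", WINDOWS_FILE)):
        print(name, check_inheritance(DIR_LISTING, listing), trivial_aces(listing))
```

Run against the constructed listings, both files pass the inheritance check, and only the Linux-created file carries the three mode-bit entries; a file that lost write_data for the group, or a directory whose group ACE lacked dir_inherit, would show up in the returned problem list.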