[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Sandeep Nashikkar snashikkar at commvault.com
Thu Jul 26 06:42:13 UTC 2018


On Thurs, Jul 26, 2018 Volker Lendecke via samba-technical wrote:
> >On Wed, Jul 25, 2018 at 03:08:04PM -0700, Jeremy Allison via samba-technical wrote:
> > > On Wed, Jul 25, 2018 at 12:24:04PM +0000, Sandeep Nashikkar via samba-technical wrote:
> > > 
> > > Please find attached the updated patch and kindly review it. I added 
> > > code for handling those cases where security principals are converted to string identifiers by nfs-ganesha after restart.
> > 
> > FYI - what platform are you testing this on ?
> > 
> > If I do the following as my own user on Linux/Debian:
> > 
> > $ touch foo
> > $ setfattr -n system.nfs4_acl -v testme foo
> > setfattr: foo: Operation not supported

> Do you have a proper NFSv4 mount on "foo" including ACLs? There that precise syscall works for me, albeit using nfs4_setfacl:

> strace -o /tmp/x nfs4_setfacl  -a 'A::1005:rtncy' /data/baz

> stat("/data/baz", {st_mode=S_IFREG|0666, st_size=0, ...}) = 0
> stat("/data/baz", {st_mode=S_IFREG|0666, st_size=0, ...}) = 0
> getxattr("/data/baz", "system.nfs4_acl", NULL, 0) = 160
> getxattr("/data/baz", "system.nfs4_acl", "\0\0\0\7\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041003\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041002\0\0\0\0\0\0\0\0\0\36\1\237\0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0@\0\22\0\211\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\213\0\0\0\tEVERYONE@\0\0", 160) = 160
> setxattr("/data/baz", "system.nfs4_acl", "\0\0\0\10\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041005\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041003\0\0\0\0\0\0\0\0\0\22\0\211\0\0\0\0041002\0\0\0\0\0\0\0\0\0\36\1\237\0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0@\0\22\0\211\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\213\0\0\0\tEVERYONE@\0\0", 180, XATTR_REPLACE) = 0

> > - in other words, the 'system' namespace isn't accessible on Linux. I 
> > don't think we can hardcode the 'system' namespace here.

> root@vl-jessie:~# uname -a
> Linux vl-jessie 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux

> Volker

Yes, as Volker described, with nfs4_setfacl I could access the system namespace without any problem. Samba process with domain user context can also access it without any error. I am working on x86_64 Linux. 
[root@sandeep ~]# uname -a
Linux sandeep 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Sandeep
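
The `system.nfs4_acl` value in the strace output above is an XDR array: an ACE count, then per ACE a type, flag, access mask and a length-prefixed `who` string padded to 4 bytes. As an added example (not part of the original thread or of the Samba patch), here is a bounds-checked decoder for that layout; the function name, the `MAX_ACES` limit and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Constants from RFC 7530 (NFSv4.0): ACE types and the group-identifier flag.
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT", 3: "ALARM"}
ACE4_IDENTIFIER_GROUP = 0x40
MAX_ACES = 1024  # assumed sanity limit for this example, not a protocol constant


def parse_nfs4_acl_xattr(blob):
    """Decode the XDR array of nfsace4 entries; raise ValueError on malformed input."""
    def u32(off):
        # Every 32-bit read is checked against the buffer end before unpacking.
        if off + 4 > len(blob):
            raise ValueError("truncated at offset %d" % off)
        return struct.unpack_from(">I", blob, off)[0], off + 4

    count, off = u32(0)
    if count > MAX_ACES:
        raise ValueError("implausible ACE count %d" % count)
    aces = []
    for _ in range(count):
        ace_type, off = u32(off)
        flags, off = u32(off)
        mask, off = u32(off)
        wholen, off = u32(off)
        padded = (wholen + 3) & ~3  # XDR opaque data is padded to 4 bytes
        if padded > len(blob) - off:
            raise ValueError("who length %d overruns buffer" % wholen)
        who = blob[off:off + wholen].decode("utf-8")
        off += padded
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "group": bool(flags & ACE4_IDENTIFIER_GROUP),
            "flags": flags, "mask": mask, "who": who,
        })
    if off != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - off))
    return aces


# Constructed sample (not copied from the strace above): two ALLOW ACEs.
SAMPLE = (b"\x00\x00\x00\x02"
          b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x89\x00\x00\x00\x041005"
          b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x12\x00\x89\x00\x00\x00\x06GROUP@\x00\x00")

if __name__ == "__main__":
    for ace in parse_nfs4_acl_xattr(SAMPLE):
        print(ace)
```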