[Samba] Linux & NFSv4 ACLs

Fri Dec 4 02:31:36 UTC 2015

----- Original Message -----
> From: "Jeremy Allison" <jra at samba.org>
> To: "Nick E Couchman" <nick.couchman at seakr.com>
> Cc: samba at lists.samba.org
> Sent: Thursday, December 3, 2015 6:13:51 PM
> Subject: Re: [Samba] Linux & NFSv4 ACLs

> On Thu, Dec 03, 2015 at 06:03:39PM -0700, Nick Couchman wrote:
>> 
>> > On Dec 3, 2015, at 17:24, Jeremy Allison <jra at samba.org> wrote:
>> > 
>> >> On Thu, Dec 03, 2015 at 03:54:21PM -0700, Nick Couchman wrote:
>> >> I have a situation where I need to share, via Samba, a filesystem mounted via
>> >> NFSv4.  I'm struggling with the best way to make Samba see the NFSv4 ACLs and
>> >> enumerate them to provide the proper SMB/CIFS access to the files, instead of
>> >> "Access Denied" errors that I currently get.
>> >> 
>> >> Looking at the Samba source, the only obvious NFSv4 stuff appears to be the
>> >> following:
>> >> - zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support
>> >> simply because that's what ZFS uses.  Don't see a way to use this on Linux.
>> >> - gpfs, available only if you happen to have the GPFS code/headers installed
>> >> (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are
>> >> even freely-available.
>> >> - aixacl/aixacl2, looks like it only works on AIX.
>> >> 
>> >> First, am I correct in the above findings - that there is no way to operate any
>> >> of these three modules on Linux out of the box?  Second, am I missing something
>> >> obvious related to NFSv4 ACLs on Linux, or is there some other VFS module
>> >> somewhere that supports NFSv4 ACLs?
>> >> 
>> >> Also, no, it is not an option to mount the filesystems in question with NFSv3 +
>> >> ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I
>> >> really need it to use NFSv4.
>> >> 
>> >> Any advice?
>> > 
>> > How are the NFSv4 ACL exposed to Linux command-line
>> > tools ? Are there such ?
>> 
>> Yeah, CentOS 7 has nfs4_getfacl and nfs4_setfacl.  Will send example output.
> 
> OK, what I need is access to the source code of
> these to see how they're getting programatic
> access to the ACL data.
> 
> Given that it shouldn't be too hard to adapt
> source3/modules/vfs_nfs4acl_xattr.c to use the
> underlying API these tools use.

Try these pages (U Michigan):
http://www.citi.umich.edu/projects/nfsv4/linux/nfs4-acl-tools/
http://www.citi.umich.edu/projects/nfsv4/linux/

and here:
http://wiki.linux-nfs.org/wiki/index.php/ACLs

I'm pretty sure that first link is the source that the RHEL/CentOS tools comes from.  Here's output from YUM on CentOS

[root at snapshots ~]# yum whatprovies *bin/nfs4_getfacl
Loaded plugins: fastestmirror
No such command: whatprovies. Please use /usr/bin/yum --help
[root at snapshots ~]# yum whatprovides *bin/nfs4_getfacl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * extras: linux.mirrors.es.net
nfs4-acl-tools-0.3.3-13.el7.x86_64 : The nfs4 ACL tools
Repo        : base
Matched from:
Filename    : /usr/bin/nfs4_getfacl

-Nick

==
This e-mail may contain SEAKR Engineering (SEAKR) Confidential and Proprietary Information. If this message is not intended for you, you are strictly prohibited from using this message, its contents or attachments in any way. If you have received this message in error, please delete the message from your mailbox. This e-mail may contain export-controlled material and should be handled accordingly.