NFS and ACLs in a Kerberos context on Rocky Linux 8.9


We're running a Rocky Linux 8.9 (so, essentially RHEL 8.9) shop and I've been tasked with investigating ACLs on filesystems mounted via NFS. We're using FreeIPA/IdM as well.

I've set up a test machine, enrolled it in IdM, exported an NFS share, and mounted it locally, but the ACL part seems to be lacking:

[root@example ~]# cat /etc/exports
/export/ *(rw,acl,no_root_squash)

[root@example ~]# mount | grep /export
localhost:/export on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)

[root@example ~]# cd /mnt/
[root@example mnt]# touch testfile
[root@example mnt]# getfacl testfile
# file: testfile
# owner: root
# group: root

[root@example mnt]# setfacl -m u:user:r testfile 
setfacl: testfile: Operation not supported

A couple of questions:

  1. Is it correctly understood that I should be using getfacl and setfacl rather than their nfs4_ equivalents since both the client and server are Linux/POSIX?
  2. Do I need idmapd? I have a service called nfs-idmapd running successfully.
  3. I read somewhere that sec=sys should be replaced with seckrb5 when mounting.


I investigated some more, and had a minor breakthrough: nfsv4_set*acl work fine on the NFS share as long as one uses numeric UIDs or GIDs. It's the coupling to IdM/Kerberos that's causing trouble.

Best Answer

Support for POSIX ACLs over NFS v4.2 was added in RHEL 8.4. This is documented in at the end of this section (bug

Support for user extended attributes through the NFSv4.2 protocol

This update adds NFSv4.2 client-side and server-side support for user extended attributes (RFC 8276).

This includes the following protocol extensions:

  • New operations:

    • GETXATTR - Get an extended attribute of a file
    • SETXATTR - Set an extended attribute of a file
    • LISTXATTRS - List extended attributes of a file
    • REMOVEXATTR - Remove an extended attribute of a file
  • New error codes:

    • NFS4ERR_NOXATTR - xattr does not exist
    • NFS4ERR_XATTR2BIG - xattr value is too big
  • New attribute:

    • xattr_support - Per-fs read-only attribute used to determine if xattrs are supported. When set to True, the object's file system supports extended attributes.
Related Topic