We're running a Rocky Linux 8.9 (so, essentially RHEL 8.9) shop and I've been tasked with investigating ACLs on filesystems mounted via NFS. We're using FreeIPA/IdM as well.
I've set up a test machine, enrolled it in IdM, exported an NFS share, and mounted it locally, but the ACL part seems to be lacking:
[root@example ~]# cat /etc/exports
/export/ *(rw,acl,no_root_squash)
[root@example ~]# mount | grep /export
localhost:/export on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)
[root@example ~]# cd /mnt/
[root@example mnt]# touch testfile
[root@example mnt]# getfacl testfile
# file: testfile
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@example mnt]# setfacl -m u:user:r testfile
setfacl: testfile: Operation not supported
A couple of questions:
- Is it correctly understood that I should be using getfacl and setfacl rather than their nfs4_ equivalents since both the client and server are Linux/POSIX?
- Do I need idmapd? I have a service called nfs-idmapd running successfully.
- I read somewhere that sec=sys should be replaced with sec=krb5 when mounting.
UPDATE:
I investigated some more, and had a minor breakthrough: nfsv4_set*acl work fine on the NFS share as long as one uses numeric UIDs or GIDs. It's the coupling to IdM/Kerberos that's causing trouble.
Best Answer
Support for POSIX ACLs over NFS v4.2 was added in RHEL 8.4. This is documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.4_release_notes/index#enhancement_file-systems-and-storage at the end of this section (bug https://bugzilla.redhat.com/show_bug.cgi?id=1888214):
Support for user extended attributes through the NFSv4.2 protocol
This update adds NFSv4.2 client-side and server-side support for user extended attributes (RFC 8276).
This includes the following protocol extensions:
New operations:
New error codes:
New attribute:
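A small diagnostic helper, added here as an example and not part of the question or the answer above: it parses a `mount` output line like the one in the question, reports the negotiated NFS version and the sec= flavour, and states whether the version meets the NFS v4.2 prerequisite for POSIX ACLs that the answer names. The function names are my own; the sample mount line is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original thread). Decides from a client's
# mount options whether POSIX ACLs (setfacl/getfacl) can be expected to work.

# nfs_mount_opts LINE -> prints the parenthesised option list of a `mount` line
nfs_mount_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p'
}

# nfs_opt OPTIONS KEY -> prints the value of KEY from a comma-separated list
nfs_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nfs_acl_check OPTIONS -> "ok" when vers is 4.2 or newer (POSIX ACLs over NFS
# need v4.2, RHEL 8.4+), "unsupported" for older versions, "unknown" if absent
nfs_acl_check() {
    vers=$(nfs_opt "$1" vers)
    [ -z "$vers" ] && { echo unknown; return 0; }
    major=${vers%%.*}
    minor=${vers#*.}
    [ "$minor" = "$vers" ] && minor=0     # "vers=3" or "vers=4": no minor part
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 2 ]; }; then
        echo ok
    else
        echo unsupported
    fi
}

# Sample line taken from the question's `mount | grep /export` output.
SAMPLE_MOUNT='localhost:/export on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)'
opts=$(nfs_mount_opts "$SAMPLE_MOUNT")
# sec=sys is AUTH_SYS (numeric UIDs/GIDs on the wire); sec=krb5 is Kerberos.
echo "vers=$(nfs_opt "$opts" vers) sec=$(nfs_opt "$opts" sec) posix_acl=$(nfs_acl_check "$opts")"
```

Run it against your own `mount | grep nfs` lines to see which mounts negotiated a version below 4.2.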