Unable to set ACLs on ZFS file system over NFSv4?

Rick Macklem rmacklem at uoguelph.ca
Sat May 12 02:30:57 UTC 2012


Andrew Leonard wrote:
> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem <rmacklem at uoguelph.ca>
> wrote:
> 
> > I wrote:
> 
> >> If you capture a packet trace from before you do the NFSv4 mount, I can
> >> take a look and see what the server is saying. (Basically, at mount time
> >> a reply to a Getattr should include the supported attributes and that
> >> should include the ACL bit. Then the setfacl becomes a Setattr of the ACL
> >> attribute.)
> >> # tcpdump -s 0 -w acl.pcap host <server>
> >> - run on the client should do it
> >>
> >> If you want to look at it, use wireshark. If you want me to look, just
> >> email acl.pcap as an attachment.
> >>
> >> rick
> >> ps: Although I suspect it is the server that isn't behaving, please use
> >> the FreeBSD client for the above.
> >> pss: I've cc'd trasz@ in case he can spot some reason why it wouldn't
> >> work.
> >>
> > Oh, and make sure "user1" isn't in more than 16 groups, because that is the
> > limit for AUTH_SYS. (I'm not sure what the effect of user1 being in more
> > than 16 groups would be, but might as well eliminate it as a cause.)
> 
> Thanks, Rick - I'll send the pcap over private email, as I'm sure
> $DAYJOB would consider it somewhat sensitive.
> 
> Looking in wireshark, if I'm reading it correctly, I don't see
> anything for FATTR4_ACL in any replies. On the final connection, I do
> see NFS4ERR_IO set as the status for the reply to the setattr - but
> from Googling, my understanding is that response is supposed to
> indicate a hard error, such as a hardware problem.
> 
Yep, it appears that ZFS returned an error that isn't in the list of
replies for getattr, so it got mapped to EIO (the catch-all for error
codes not known to NFS).

I took a quick look at the ZFS code and the problem looks pretty
obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's
as far as it gets.

Please try the attached patch in the server (untested, but all it does is go ahead
and try the VOP_SETACL() for the case where VOP_ACLCHECK() replies
EOPNOTSUPP) and let me know if it helps.

Thanks for reporting this and sending the packet trace, rick

> Also, I have verified that "user1" is not a member of more than 16
> groups, so we can rule that out - that user is in only three groups.
> 
> -Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zfs-acl.patch
Type: text/x-patch
Size: 386 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-fs/attachments/20120512/8d4ab192/zfs-acl.bin
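
The check described in the message above (does the server's supported-attributes reply to Getattr carry the ACL bit), as an added example that is not part of the original post or the attached patch. It assumes the XDR `bitmap4` encoding and attribute number 12 for the ACL attribute from RFC 3530; the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute number of the ACL attribute in NFSv4 (RFC 3530). */
#define FATTR4_ACL 12

/* Read one big-endian (XDR) 32-bit word. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Test whether attribute `attr` is set in an XDR-encoded bitmap4:
 * a 32-bit word count followed by that many 32-bit words, where
 * attribute n lives in word n/32 at bit position n%32.
 * Returns 1 if set, 0 if clear, -1 if the buffer is truncated.
 */
int bitmap4_has_attr(const uint8_t *buf, size_t len, unsigned attr)
{
    if (len < 4)
        return -1;
    uint32_t nwords = xdr_u32(buf);
    if (nwords > (len - 4) / 4)
        return -1;              /* count claims more words than are present */
    uint32_t word = attr / 32;
    if (word >= nwords)
        return 0;               /* bit lies beyond the bitmap: not advertised */
    return (int)((xdr_u32(buf + 4 + 4 * word) >> (attr % 32)) & 1);
}

/* Constructed sample bitmaps, not taken from the trace discussed above. */
static const uint8_t with_acl[] = { 0,0,0,2, 0x00,0x00,0x1f,0xff, 0,0,0,0x3f };
static const uint8_t no_acl[]   = { 0,0,0,2, 0x00,0x00,0x0f,0xff, 0,0,0,0x3f };

int main(void)
{
    printf("with_acl: ACL bit = %d\n",
           bitmap4_has_attr(with_acl, sizeof with_acl, FATTR4_ACL));
    printf("no_acl:   ACL bit = %d\n",
           bitmap4_has_attr(no_acl, sizeof no_acl, FATTR4_ACL));
    return 0;
}
```
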

