nfsv4 server with ACL's for RHEL clients
Marty J. Sullivan
marty.sullivan at cornell.edu
Wed May 7 17:58:04 UTC 2014
I am testing FreeBSD 10.0 for use as a ZFS storage server. Currently I am testing Active Directory integration and serving files via AFP, SMB/CIFS, and NFSv4. My current production environment contains mostly Linux (CentOS/RHEL) and OSX machines all bound to the same Active Directory domain.
So far, I have gotten the Active Directory authentication set up via Samba4.1+Winbind and it is working nicely as are the related CIFS shares. I also have AFP set up via afpd and it is also working great. ACL's are treated the same way as they are on other systems in my production environment.
Where I am having trouble is getting NFSv4 to work with ACL's. First off, I am very used to NFS on Linux and so the /etc/exports syntax is almost certainly what is causing my troubles. On RHEL, here is what my /etc/exports might look like:
/data mycomputer.mydomain.com(rw,no_root_squash)
And I start mountd with the option "--manage-gids" so that gid's are not managed by the client (since they would then be limited to 16 groups). This works great and ACL's work fine across all of my Linux systems.
On FreeBSD, this is what I have for my /etc/exports at the current time:
V4: / mycomputer.mydomain.com
/data -maproot=root -network xxx.xxx.xxx.xxx -mask xxx.xxx.xxx.xxx
Now, I've read many posts about this syntax and I can't seem to find a straight answer as to whether the "/data" entry below the "V4:" entry applies to NFSv4 or NFSv3. Either way, it doesn't really work. I've tried tinkering with these exports in many permutations and I just can't get it to work. Most of the time the machine will be denied access (due to bad exports file). Other times, it will mount but will just say "Input/Output error" when I try to read from the share. And finally, sometimes I can mount the share on an RHEL system, but when I use nfs4_getfacl, it says that the operation is not supported by the server.
My other concern is, even if I get the ACL's to work, mountd on the FreeBSD server doesn't have a similar option to --manage-gids so the NFS group limitation will apply to the RHEL clients. I've read about gssd and kerberizing, but I don't feel like that's possible on the RHEL clients. So how do I solve this problem??
Any help with this is appreciated.