From owner-freebsd-fs@FreeBSD.ORG Thu May 17 21:59:46 2012 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 79857106564A; Thu, 17 May 2012 21:59:46 +0000 (UTC) (envelope-from rmacklem@uoguelph.ca) Received: from esa-jnhn.mail.uoguelph.ca (esa-jnhn.mail.uoguelph.ca [131.104.91.44]) by mx1.freebsd.org (Postfix) with ESMTP id 17B7D8FC14; Thu, 17 May 2012 21:59:45 +0000 (UTC) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ap4EAItztU+DaFvO/2dsb2JhbABEhTSvHYIOBwEBBAEjVgUWDgoCAg0ZAlkGE4VJB4I5Bakxkm2BJoleFIQigRUDlVqQGoMFgTsI X-IronPort-AV: E=Sophos;i="4.75,612,1330923600"; d="scan'208";a="172355194" Received: from erie.cs.uoguelph.ca (HELO zcs3.mail.uoguelph.ca) ([131.104.91.206]) by esa-jnhn-pri.mail.uoguelph.ca with ESMTP; 17 May 2012 17:59:38 -0400 Received: from zcs3.mail.uoguelph.ca (localhost.localdomain [127.0.0.1]) by zcs3.mail.uoguelph.ca (Postfix) with ESMTP id 05FEAB3F85; Thu, 17 May 2012 17:59:38 -0400 (EDT) Date: Thu, 17 May 2012 17:59:37 -0400 (EDT) From: Rick Macklem To: Andrew Leonard Message-ID: <1959918893.562069.1337291977972.JavaMail.root@erie.cs.uoguelph.ca> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [172.17.91.203] X-Mailer: Zimbra 6.0.10_GA_2692 (ZimbraWebClient - FF3.0 (Win)/6.0.10_GA_2692) Cc: freebsd-fs@freebsd.org Subject: Re: Unable to set ACLs on ZFS file system over NFSv4? X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 May 2012 21:59:46 -0000 Andrew Leonard wrote: > On Fri, May 11, 2012 at 7:30 PM, Rick Macklem > wrote: > > Andrew Leonard wrote: > >> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem > >> > >> wrote: > >> > >> > I wrote: > >> > >> >> If you capture a packet trace from before you do the NFSv4 > >> >> mount, I > >> >> can > >> >> take a look and see what the server is saying. (Basically, at > >> >> mount > >> >> time > >> >> a reply to a Getattr should including the supported attributes > >> >> and > >> >> that > >> >> should include the ACL bit. Then the setfacl becomes a Setattr > >> >> of > >> >> the > >> >> ACL > >> >> attribute.) > >> >> # tcpdump -s 0 -w acl.pcap host > >> >> - run on the client should do it > >> >> > >> >> If you want to look at it, use wireshark. If you want me to > >> >> look, > >> >> just > >> >> email acl.pcap as an attachment. > >> >> > >> >> rick > >> >> ps: Although I suspect it is the server that isn't behaving, > >> >> please > >> >> use > >> >> the FreeBSD client for the above. > >> >> pss: I've cc'd trasz@ in case he can spot some reason why it > >> >> wouldn't > >> >> work. > >> >> > >> > Oh, and make sure "user1" isn't in more than 16 groups, because > >> > that > >> > is the > >> > limit for AUTH_SYS. (I'm not sure what the effect of user1 being > >> > in > >> > more > >> > than 16 groups would be, but might as well eliminate it as a > >> > cause.) > >> > >> Thanks, Rick - I'll send the pcap over private email, as I'm sure > >> $DAYJOB would consider it somewhat sensitive. > >> > >> Looking in wireshark, if I'm reading it correctly, I don't see > >> anything for FATTR4_ACL in any replies. On the final connection, I > >> do > >> see NFS4ERR_IO set as the status for the reply to the setattr - but > >> from Googling, my understanding is that response is supposed to > >> indicate a hard error, such as a hardware problem. > >> > > Yep, it appears that ZFS returned an error that isn't in the list of > > replies for getattr, so it got mapped to EIO (the catch all for > > error > > codes not known to NFS). > > > > I took a quick look at the ZFS code and the problem looks pretty > > obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's > > as far as it gets. > > > > Please try the attached patch in the server (untested, but all it > > does is go ahead > > and try the VOP_SETACL() for the case where VOP_ACLCHECK() replies > > EOPNOTSUPP) and let me know if it helps. > > It took me a little while to get a test environment set up, but with > the patch applied, ACLs can be set on the ZFS file system over NFSv4. > Just fyi, a patch has just been committed to head and will be MFC'd in a week. It is slightly different, in that it just deletes the VOP_ACLCHECK() call, but should fix the problem. (The patch applies to the NFSv4 server, not client.) Thanks for testing this, rick > Thanks, > Andy > > > Thanks for reporting this and sending the packet trace, rick > > > >> Also, I have verified that "user1" is not a member of more than 16 > >> groups, so we can rule that out - that user is in only three > >> groups. > >> > >> -Andy