Date:      Fri, 11 May 2012 22:30:51 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Andrew Leonard <lists@hurricane-ridge.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Unable to set ACLs on ZFS file system over NFSv4?
Message-ID:  <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <CADUQDp-QHqXtRtTQfm4y7sEZhZeesR0=WBiUWP39XUzr92gUXg@mail.gmail.com>


Andrew Leonard wrote:
> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> > I wrote:
> 
> >> If you capture a packet trace from before you do the NFSv4 mount, I can
> >> take a look and see what the server is saying. (Basically, at mount time
> >> a reply to a Getattr should include the supported attributes and that
> >> should include the ACL bit. Then the setfacl becomes a Setattr of the ACL
> >> attribute.)
> >> # tcpdump -s 0 -w acl.pcap host <server>
> >> - run on the client should do it
> >>
> >> If you want to look at it, use wireshark. If you want me to look, just
> >> email acl.pcap as an attachment.
> >>
> >> rick
> >> ps: Although I suspect it is the server that isn't behaving, please use
> >> the FreeBSD client for the above.
> >> pss: I've cc'd trasz@ in case he can spot some reason why it wouldn't
> >> work.
> >>
> > Oh, and make sure "user1" isn't in more than 16 groups, because that is the
> > limit for AUTH_SYS. (I'm not sure what the effect of user1 being in more
> > than 16 groups would be, but might as well eliminate it as a cause.)
> 
> Thanks, Rick - I'll send the pcap over private email, as I'm sure
> $DAYJOB would consider it somewhat sensitive.
> 
> Looking in wireshark, if I'm reading it correctly, I don't see
> anything for FATTR4_ACL in any replies. On the final connection, I do
> see NFS4ERR_IO set as the status for the reply to the setattr - but
> from Googling, my understanding is that response is supposed to
> indicate a hard error, such as a hardware problem.
> 
Yep, it appears that ZFS returned an error that isn't in the list of
replies for getattr, so it got mapped to EIO (the catch all for error
codes not known to NFS).

I took a quick look at the ZFS code and the problem looks pretty
obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's
as far as it gets.

Please try the attached patch in the server (untested, but all it does is go ahead
and try the VOP_SETACL() for the case where VOP_ACLCHECK() replies
EOPNOTSUPP) and let me know if it helps.

Thanks for reporting this and sending the packet trace, rick

> Also, I have verified that "user1" is not a member of more than 16
> groups, so we can rule that out - that user is in only three groups.
> 
> -Andy
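
Added example, not part of the original message and not FreeBSD source: a userland C model of the behaviour described above, where an ACL check that replies EOPNOTSUPP stops the set, and the unlisted error reaches the client as NFS4ERR_IO. The function names, the small errno-to-status table and the assumption that the set routine validates the ACL itself are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed userland model; none of this is FreeBSD kernel code. */
#define NFS4_OK        0
#define NFS4ERR_IO     5    /* catch-all status */
#define NFS4ERR_ACCESS 13
#define NFS4ERR_INVAL  22

static int setacl_calls;    /* how often the model reached the set step */

/* Hypothetical filesystem that implements the check: rejects an empty ACL. */
static int check_ok(int nentries) { return nentries > 0 ? 0 : EINVAL; }

/* Hypothetical filesystem whose check replies EOPNOTSUPP, as the message
 * describes for ZFS. */
static int check_unsupported(int nentries) { (void)nentries; return EOPNOTSUPP; }

/* Assumption: the set routine validates the ACL on its own. */
static int do_setacl(int nentries) {
    setacl_calls++;
    return nentries > 0 ? 0 : EINVAL;
}

/* Errors outside the (illustrative) list of valid replies become NFS4ERR_IO. */
static int map_status(int error) {
    switch (error) {
    case 0:      return NFS4_OK;
    case EACCES: return NFS4ERR_ACCESS;
    case EINVAL: return NFS4ERR_INVAL;
    default:     return NFS4ERR_IO;
    }
}

/* tolerate_eopnotsupp = 0: the set is attempted only if the check succeeds.
 * tolerate_eopnotsupp = 1: the set is also attempted when the check replies
 * EOPNOTSUPP, which is what the message says the patch does. */
int model_setacl(int (*aclcheck)(int), int nentries, int tolerate_eopnotsupp) {
    int error = aclcheck(nentries);
    if (error == 0 || (tolerate_eopnotsupp && error == EOPNOTSUPP))
        error = do_setacl(nentries);
    return map_status(error);
}

int main(void) {
    printf("before: status %d\n", model_setacl(check_unsupported, 3, 0));
    printf("after:  status %d\n", model_setacl(check_unsupported, 3, 1));
    printf("other fs: status %d\n", model_setacl(check_ok, 3, 0));
    return 0;
}
```

With the check skipped on EOPNOTSUPP, any validation of the ACL rests on the set routine alone, which is why the model has `do_setacl` reject a bad ACL itself.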



