Date: Fri, 11 May 2012 22:30:51 -0400 (EDT)
From: Rick Macklem
To: Andrew Leonard
Message-ID: <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca>
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to set ACLs on ZFS file system over NFSv4?

Andrew Leonard wrote:
> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem wrote:
> > I wrote:
> >> If you capture a packet trace from before you do the NFSv4 mount,
> >> I can take a look and see what the server is saying. (Basically,
> >> at mount time a reply to a Getattr should include the supported
> >> attributes and that should include the ACL bit. Then the setfacl
> >> becomes a Setattr of the ACL attribute.)
> >> # tcpdump -s 0 -w acl.pcap host
> >> - run on the client should do it
> >>
> >> If you want to look at it, use wireshark. If you want me to look,
> >> just email acl.pcap as an attachment.
> >>
> >> rick
> >> ps: Although I suspect it is the server that isn't behaving,
> >> please use the FreeBSD client for the above.
> >> pss: I've cc'd trasz@ in case he can spot some reason why it
> >> wouldn't work.
> >>
> > Oh, and make sure "user1" isn't in more than 16 groups, because
> > that is the limit for AUTH_SYS. (I'm not sure what the effect of
> > user1 being in more than 16 groups would be, but might as well
> > eliminate it as a cause.)
>
> Thanks, Rick - I'll send the pcap over private email, as I'm sure
> $DAYJOB would consider it somewhat sensitive.
>
> Looking in wireshark, if I'm reading it correctly, I don't see
> anything for FATTR4_ACL in any replies. On the final connection, I do
> see NFS4ERR_IO set as the status for the reply to the setattr - but
> from Googling, my understanding is that response is supposed to
> indicate a hard error, such as a hardware problem.
>

Yep, it appears that ZFS returned an error that isn't in the list of
replies for getattr, so it got mapped to EIO (the catch all for error
codes not known to NFS).

I took a quick look at the ZFS code and the problem looks pretty
obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's as far
as it gets.

Please try the attached patch in the server (untested, but all it does
is go ahead and try the VOP_SETACL() for the case where VOP_ACLCHECK()
replies EOPNOTSUPP) and let me know if it helps.

Thanks for reporting this and sending the packet trace, rick

> Also, I have verified that "user1" is not a member of more than 16
> groups, so we can rule that out - that user is in only three groups.
>
> -Andy

[Attachment: zfs-acl.patch (text/x-patch)]
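
The check described in the quoted text above (the Getattr reply at mount time should list the ACL bit among the supported attributes), as an added example that is not part of the original message or of FreeBSD's code: it decodes an XDR-encoded NFSv4 bitmap4 and tests for FATTR4_ACL. The attribute numbers are from RFC 3530, the function names are hypothetical, and the sample byte strings are constructed, not taken from acl.pcap.

```python
import struct

# Attribute numbers as assigned in RFC 3530 (NFSv4 file attributes).
FATTR4_SUPPORTED_ATTRS = 0
FATTR4_ACL = 12
FATTR4_ACLSUPPORT = 13


def decode_bitmap4(xdr: bytes) -> set:
    """Decode an XDR bitmap4 into the set of attribute numbers that are set.

    Wire format: a uint32 word count, then that many big-endian uint32
    words. Attribute n lives in word n // 32 at bit position n % 32.
    """
    if len(xdr) < 4:
        raise ValueError("truncated bitmap4: missing word count")
    (count,) = struct.unpack_from(">I", xdr, 0)
    if len(xdr) < 4 + 4 * count:
        raise ValueError("truncated bitmap4: fewer words than the count claims")
    attrs = set()
    words = struct.unpack_from(">%dI" % count, xdr, 4)
    for index, word in enumerate(words):
        for bit in range(32):
            if word & (1 << bit):
                attrs.add(32 * index + bit)
    return attrs


def advertises_acl(supported_attrs_xdr: bytes) -> bool:
    """True if the server's supported_attrs value includes FATTR4_ACL."""
    return FATTR4_ACL in decode_bitmap4(supported_attrs_xdr)


# Constructed sample values for the supported_attrs attribute.
# WITH_ACL has attributes 0..12 set; WITHOUT_ACL stops at attribute 11.
WITH_ACL = struct.pack(">III", 2, 0x00001FFF, 0x00000000)
WITHOUT_ACL = struct.pack(">III", 2, 0x00000FFF, 0x00000000)

if __name__ == "__main__":
    for label, blob in (("with ACL", WITH_ACL), ("without ACL", WITHOUT_ACL)):
        print(label, advertises_acl(blob), sorted(decode_bitmap4(blob)))
```

A client that never sees bit 12 in this bitmap has no reason to expect a later Setattr of the ACL attribute to succeed, so this is the first value to check in a trace.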