From owner-freebsd-fs@FreeBSD.ORG Wed May 16 21:49:30 2012 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 02AE41065676 for ; Wed, 16 May 2012 21:49:30 +0000 (UTC) (envelope-from lists@hurricane-ridge.com) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id C671E8FC17 for ; Wed, 16 May 2012 21:49:29 +0000 (UTC) Received: by pbbro2 with SMTP id ro2so1860805pbb.13 for ; Wed, 16 May 2012 14:49:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=GTV9N7/MLEPXxYo5BWaUngKmoJb/W4PBX/S/EjFTOqc=; b=i0b2zoYqwit4EvVV7Ug3l8lu/sb5Pv7QCE7Cv8PTzBsj4zVrjSoWK6ii5EjRg+z59e Y2zsPgQZJxkqQ6XM9peOJ7PDuyiSb7BvsnUnNGwXKQP83DUTLNVuIA5JQABw5IzBBQiB vS2afRFnBG2sLCozEYnHkoHJQ3e8sr3KiLgMI67CE7XTeImZ4xH69Ywn7Wc0gNtHbeTp 19n4JiLRB9JOz4DbXFZBdVvIFvtSJ7scwr/+Dz47poX7cP2/5im2QytQwT/M1S2R7jeQ YfNp2+jZcgenXjebUPWYPuA7kccopir8adPfjEwQ2XqfkGjvaN2DqiecvCmdTAdGZoiU KOfA== MIME-Version: 1.0 Received: by 10.68.231.195 with SMTP id ti3mr20439746pbc.96.1337204969288; Wed, 16 May 2012 14:49:29 -0700 (PDT) Received: by 10.68.195.166 with HTTP; Wed, 16 May 2012 14:49:29 -0700 (PDT) X-Originating-IP: [98.247.224.125] In-Reply-To: <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca> References: <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca> Date: Wed, 16 May 2012 14:49:29 -0700 Message-ID: From: Andrew Leonard To: Rick Macklem Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQlKsA99ePKtf4W4U0w/kpHdPKfLsRrdOvHHbH76V7K/floDusP7Q0ABKr8T1gP0TcrYyeT7 Cc: freebsd-fs@freebsd.org Subject: Re: Unable to set ACLs on ZFS file system over NFSv4? X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 May 2012 21:49:30 -0000 On Fri, May 11, 2012 at 7:30 PM, Rick Macklem wrote: > Andrew Leonard wrote: >> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem >> wrote: >> >> > I wrote: >> >> >> If you capture a packet trace from before you do the NFSv4 mount, I >> >> can >> >> take a look and see what the server is saying. (Basically, at mount >> >> time >> >> a reply to a Getattr should including the supported attributes and >> >> that >> >> should include the ACL bit. Then the setfacl becomes a Setattr of >> >> the >> >> ACL >> >> attribute.) >> >> # tcpdump -s 0 -w acl.pcap host >> >> - run on the client should do it >> >> >> >> If you want to look at it, use wireshark. If you want me to look, >> >> just >> >> email acl.pcap as an attachment. >> >> >> >> rick >> >> ps: Although I suspect it is the server that isn't behaving, please >> >> use >> >> the FreeBSD client for the above. >> >> pss: I've cc'd trasz@ in case he can spot some reason why it >> >> wouldn't >> >> work. >> >> >> > Oh, and make sure "user1" isn't in more than 16 groups, because that >> > is the >> > limit for AUTH_SYS. (I'm not sure what the effect of user1 being in >> > more >> > than 16 groups would be, but might as well eliminate it as a cause.) >> >> Thanks, Rick - I'll send the pcap over private email, as I'm sure >> $DAYJOB would consider it somewhat sensitive. >> >> Looking in wireshark, if I'm reading it correctly, I don't see >> anything for FATTR4_ACL in any replies. On the final connection, I do >> see NFS4ERR_IO set as the status for the reply to the setattr - but >> from Googling, my understanding is that response is supposed to >> indicate a hard error, such as a hardware problem. >> > Yep, it appears that ZFS returned an error that isn't in the list of > replies for getattr, so it got mapped to EIO (the catch all for error > codes not known to NFS). > > I took a quick look at the ZFS code and the problem looks pretty > obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's > as far as it gets. > > Please try the attached patch in the server (untested, but all it does is go ahead > and try the VOP_SETACL() for the case where VOP_ACLCHECK() replies > EOPNOTSUPP) and let me know if it helps. It took me a little while to get a test environment set up, but with the patch applied, ACLs can be set on the ZFS file system over NFSv4. Thanks, Andy > Thanks for reporting this and sending the packet trace, rick > >> Also, I have verified that "user1" is not a member of more than 16 >> groups, so we can rule that out - that user is in only three groups. >> >> -Andy