NFS and ACLs in a Kerberos context on Rocky Linux 8.9

Question

We're running a Rocky Linux 8.9 (so, essentially RHEL 8.9) shop and I've been tasked with investigating ACLs on filesystems mounted via NFS. We're using FreeIPA/IdM as well.

I've set up a test machine, enrolled it in IdM, exported an NFS share, and mounted it locally, but the ACL part seems to be lacking:

[root@example ~]# cat /etc/exports
/export/ *(rw,acl,no_root_squash)
[root@example ~]# mount | grep /export
localhost:/export on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)
[root@example ~]# cd /mnt/
[root@example mnt]# touch testfile
[root@example mnt]# getfacl testfile
file: testfile
owner: root
group: root
user::rw-
group::r--
other::r--
[root@example mnt]# setfacl -m u:user:r testfile 
setfacl: testfile: Operation not supported

A couple of questions:

Is it correctly understood that I should be using getfacl and setfacl rather than their nfs4_ equivalents since both the client and server are Linux/POSIX?
Do I need idmapd? I have a service called nfs-idmapd running successfully.
I read somewhere that sec=sys should be replaced with seckrb5 when mounting.

UPDATE:

I investigated some more, and had a minor breakthrough: nfsv4_set*acl work fine on the NFS share as long as one uses numeric UIDs or GIDs. It's the coupling to IdM/Kerberos that's causing trouble.

score 2 · Answer 1 · answered Apr 30 '24 at 07:08

Support for POSIX ACLs over NFS v4.2 was added in RHEL 8.4. This is documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.4_release_notes/index#enhancement_file-systems-and-storage at the end of this section (bug https://bugzilla.redhat.com/show_bug.cgi?id=1888214):

Support for user extended attributes through the NFSv4.2 protocol

This update adds NFSv4.2 client-side and server-side support for user extended attributes (RFC 8276).

This includes the following protocol extensions:

New operations:
- GETXATTR - Get an extended attribute of a file
- SETXATTR - Set an extended attribute of a file
- LISTXATTRS - List extended attributes of a file
- REMOVEXATTR - Remove an extended attribute of a file
New error codes:
- NFS4ERR_NOXATTR - xattr does not exist
- NFS4ERR_XATTR2BIG - xattr value is too big
New attribute:
- xattr_support - Per-fs read-only attribute used to determine if xattrs are supported. When set to True, the object's file system supports extended attributes.

score 1 · Answer 2 · answered Apr 30 '24 at 11:36

The regular set/getfacl uses extended attributes, which are indeed part of NFSv4.2, as described in the answer from @abbra https://serverfault.com/a/1158690/127530. However, xattr support is not ACLs.

To use ACLs over NFSv4 you should use the nfs4_set/getfacl commands, which are part of the nfs4-acl-tools package.

Nasir Riley · Answer 3 · 2024-04-30T12:01:48.430

Rocky Linux (and Alma Linux) are continuations of CentOS which is forked from Red Hat Enterprise Linux where ACLs are not available for NFSv4. The same is true for your Rocky Linux 8 system and it is still true in RHEL, Rocky, Alma 9.

https://access.redhat.com/solutions/23230

There are utilities that can be installed via the nfs4-acl-tools package that work in a similar manner. The commands are called nfs4_setfacl and `nfs4_getfacl' and allow setting ACLs for groups. I have used the GID below.

df -h | grep export
192.168.1.100:/mnt/export  3.6T  3.1T  401G  89% /mnt/export
[root@rocky-linux export]# touch zfile
[root@rocky-linux export]# nfs4_getfacl zfile
file: zfile
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
[root@rocky-linux export]# nfs4_setfacl -a A:g:1004:rw zfile
[root@rocky-linux export]# nfs4_getfacl zfile
file: zfile
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A:g:1004:rtcy
A::EVERYONE@:rtcy

More information is here: https://access.redhat.com/solutions/3426621

score 0 · Accepted Answer · answered May 06 '24 at 11:08

I cracked the nut. I'm not entirely sure what went wrong, but it could be a combination of configuration and firewall rules. The following script works:

#!/bin/bash
This script presumes a RL 8.4+ "Minimal Install" ready machine which has
been prepped for OTP install in IPA.
dnf upgrade -y
dnf install -y ipa-client
ipa-client-install -U -w myonetimepassword
dnf install -y nfs-utils
cat <<EOF > /etc/exports 
/export *(rw,sec=sys,no_subtree_check,root_squash,async)
EOF
systemctl enable --now nfs-idmapd.service
systemctl enable --now nfs-server.service
exportfs -arv
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
echo "Now is a good time to reboot."

Then to mount (from the same machine, or another) simply

mount hostname.example.com:/export /mnt

And then use nfs4_setfacl and nfs4_getfacl on the client (make sure the nfs4-acl-tools package is installed):

$ nfs4_getfacl testfile 
# file: testfile
A::OWNER@:rwatTcCy
A::GROUP@:rwatcy
A::EVERYONE@:rtcy
$ nfs4_setfacl -a A::user@domain.local:rw testfile 
ls -l
total 0
-rw-rw-r--+ 1 bo bo 0 May  6 12:42 testfile
$ nfs4_getfacl testfile
file: testfile
A::OWNER@:rwatTcCy
D::1050400001:wa
A::1050400001:rtcy
A::GROUP@:rwatcy
A::EVERYONE@:rtcy

NFS and ACLs in a Kerberos context on Rocky Linux 8.9

file: testfile

owner: root

group: root

4 Answers4

Support for user extended attributes through the NFSv4.2 protocol

file: zfile

file: zfile

This script presumes a RL 8.4+ "Minimal Install" ready machine which has

been prepped for OTP install in IPA.

file: testfile