Hello, We’ve been using nfs4_get/setfacl to manage nfs4 acls as an alternative to the mm commands for a few months. It mostly works pretty well – in particular it’s simple to set permissions with inheritance flags recursively on a directory structure and it’s easy to add an ace for a user/group without affecting existing permissions.
We’ve noticed though that when permissions have been changed via SMB they get these DACL ACL flags set: # mmgetacl NewTest #NFSv4 ACL #owner:ICR\rhorton #group:ICR\infotech #ACL flags: # DACL_PRESENT # DACL_AUTO_INHERITED # SACL_AUTO_INHERITED # NULL_SACL user:ICR\rhorton:r-x-:allow:FileInherit:DirInherit (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED …which upsets nfs4_getfacl: # nfs4_getfacl NewTest # file: NewTest A::bin:C Bad Ace Type:768 Error while printing ACE. It gets worse if someone does a nfs4_getfacl -R -a <new ace> as it sometimes ends up replacing the existing ACEs with one for a ‘bin’ user. I’m guessing that with ACL flags present the presented system.nfs4_acl extended attribute isn’t in a form that nfs4-acl-tools expects..? So… 1. What do the DACL flags actually do? Where are they stored? Is there a way to check for / modify them? I can see them referenced in https://www.ibm.com/docs/en/storage-scale/5.1.9?topic=users-authorizing-file-protocol but still not entirely clear. Is it possible to get the Samba gpfs module to not set them? I’m guessing not from https://www.samba.org/samba/docs/current/man-html/vfs_gpfs.8.html 2. Am I right in thinking this is a Scale bug? If so is it possible to get it fixed 😉 ? 3. How do other people manage ACLs? Background: It’s an ESS5000. Client access is via a remote mount to an HPC system, a large number of Windows/Mac/few Linux SMB clients and a handful of NFS (4) clients via CES. We’re on 5.1.9, although the cluster and fs versions are a bit behind. -k is nfs4. Any thoughts appreciated! Thanks, Rob Robert Horton | Scientific Computing Infrastructure Lead The Institute of Cancer Research | 237 Fulham Road, London, SW3 6JB T +44 (0) 20 7153 5350 | E robert.hor...@icr.ac.uk<mailto:robert.hor...@icr.ac.uk> | W www.icr.ac.uk<http://www.icr.ac.uk/> | Twitter @ICR_London<https://twitter.com/ICR_London> Facebook www.facebook.com/theinstituteofcancerresearch<http://www.facebook.com/theinstituteofcancerresearch> Making the discoveries that defeat cancer [ICR Logo]<http://www.icr.ac.uk/> The Institute of Cancer Research: Royal Cancer Hospital, a charitable Company Limited by Guarantee, Registered in England under Company No. 534147 with its Registered Office at 123 Old Brompton Road, London SW7 3RP. This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer and network.
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
