Hello all,
I've created 3 new installs as follows, following the arch-wiki:
Machine 1 serves as a storage pool, and shares a folder via nfs (version 4) as follows:
/etc/exports
/mnt/nfs 10.0.1.0/24(rw,fsid=root,crossmnt)
/mnt/nfs/storage 10.0.1.0/24(rw)
Machine 2 has the following fstab:
...
10.0.1.10:/storage /mnt/storage nfs users,noauto,x-systemd.automount,x-systemd.device-timeout=10,timeo=14,x-systemd.idle-timeout=1min 0 0
Machine 3 has the same fstab.
All machines have the same users (and uid's) and groups (and gid's): Bob & John. Bob has read, write, and execute access, while John only has read access. Permissions, owners, and ACL's have all been set on Machine 1 so that Bob is the owner and group, and John has been granted read access via ACL.
On Bob's machine, all is working as expected, but on John's machine, he is not allowed access to the share, coming up as permission denied. John's machine does show the correct permissions and access via all the commands, such as ls, getfacl, and nfs_getfacl.
What am I doing wrong? Am I missing a setting somewhere? Please provide any guidance, tip, or direction of what to try next. I've been working on this for 3 days, everything seems like it should be working, but it's not. Thanks!
Last edited by brasas (2017-11-05 15:33:21)
May you live all the days of your life.
- Jonathan Swift
I'm not sure NFS is a good choice if you want to support ACLs, but it seems you might be able to enable it for a 'disk resource' using a mount option: https://wiki.archlinux.org/index.php/Ac … trol_Lists.
But note I know nothing about NFS. I just read the wiki is all.
Last edited by cfr (2017-11-01 04:57:40)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
All machines have the same users (and uid's) and groups (and gid's)
Check if you are hitting idmap name-id mapping problem: https://serverfault.com/questions/14590 … ion-denied
On a more general point, relying on sameness of uids/gids across systems makes for a brittle authorization system. Kerberos is working fine (well, after a painful setup) with NFS4, but I couldn't find a way to use it for authorization (not just authentication) of different users. RedHat's manual on securing NFS makes a brief mention of NIS - maybe you could look into that.
Another research direction would be Kerberized authentication on all hosts and using curlftpfs for mounting FTP directories under different users.
Have fun, and share your results please.
Make sure you have disabled NFSv4 ID mapping on the server if you want to use numeric UIDs and GIDs.
Wow .... This has been completely stumping me.
User has fewer than 16 groups, so GID mapping should not be an issue. I enabled and disabled it, so I could test it all ways, and it still did not resolve the issue.
Security at this point is not an issue. I just want to get it working and then add on necessary later.
To add, let's say I have a folder named STORAGE that is owned by user STORAGE-RW and group STORAGE-RW. This user and group have full read, write, and execute on all the files and folders in that directory tree. Furthermore, through the magic of ACL, there is another group called STORAGE-RO that can read and execute that folder and its contents. Bob is a member of STORAGE-RW, and from his computer can mount, read, write, etc. from that folder. John is a member of STORAGE-RO. His computer, using either fstab or the CLI, can mount the folder, but all attempts to browse come up as permission denied. If I add John to the STORAGE-RW group, all works as expected with those permissions.
Two things. First, it seems to me that the secondary ACL group is causing the issue somewhere along the line. Using nfs4_getfacl from john's computer shows the correct permissions and memberships for the folder (shows both STORAGE-RW and STORAGE-RO). Again, the users, groups, and uid's are the same on all the computers.
Second, and this is where I am completely baffled, the same happens under nfs3. I expected that protocol would work, but it has the same problem.
I've read the wiki and ddg'd this all over the place and followed all it recommends a million times, to no avail.
Anybody please have anything to add as to what I'm missing or doing wrong?
Bob has read, write, and execute access, while John only has read access.
You need the execute permission on directories (not files) in order to access the contents
https://wiki.archlinux.org/index.php/Fi … attributes
The directory can be accessed with cd; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories, in fact if any folder in the path does not have the x bit set, the final file or folder cannot be accessed either, regardless of its permissions; see path_resolution(7) for more information.
Last edited by progandy (2017-11-04 16:52:40)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Sorry, typo on my part. The exported directory, via ls on the client's computer, shows the group STORAGE-RW is set as "rws" (per the wiki: "the setgid bit when found in the group triad ... also implies that x is set"). getfacl shows STORAGE-RO is set as "r-x" via ACLs.
Question, does the setgid mess up the ACLs somehow on the client's computer?
Last edited by brasas (2017-11-04 17:18:23)
Bob has read, write, and execute access, while John only has read access. Permissions, owners, and ACL's have all been set on Machine 1 so that Bob is the owner and group, and John has been granted read access via ACL.
John's machine does show the correct permission's and access via all the commands, such as ls, getfacl, and nfs_getfacl
More details on this: which commands did you use, outputs of ls, getfacl, nfs_getfacl.
Have you tried enabling verbose NFS logging on both client/server and checking logs?
I think I figured it out. I had a basic misunderstanding of ACL's and how unforgiving they are (which is the way they should be). For posterity, and anybody who is having similar issues, this is how I got it all working.
"setfacl -Rdm" and "setfacl -Rm" are different. I had assumed, incorrectly, that doing the former also by extension did the latter. That's not true. Continuing the example from comment #5 above, if you run
setfacl -Rdm g:STORAGE-RO:rx /storage
A user belonging to the group STORAGE-RO will receive a permission denied error. To get it working, you ALSO need to run:
setfacl -Rm g:STORAGE-RO:rx /storage
The user will then be granted access (YAY!).
Furthermore, and to add to this, remember that the user must be a member of a group on the top folder if they are trying to mount a sub-folder.
For example, given:
/etc/exports
/mnt/nfs 10.0.1.0/24(rw,fsid=root,crossmnt)
/mnt/nfs/STORAGE 10.0.1.0/24(rw)
/mnt/nfs/STORAGE/john 10.0.1.0/24(rw)
If John is just trying to mount /STORAGE/john, he MUST be a member of a group that has read/execute permission on /STORAGE (note also that you don't have to make that recursive)!
Last edited by brasas (2017-11-05 15:39:43)
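Added example (not from the thread, and not the poster's own commands): a small Python model of the POSIX.1e access-check algorithm from acl(5) together with the ancestor walk from path_resolution(7). It shows the two things the thread turns on: `setfacl -d -m` only changes the default ACL, which is copied to files created later and grants nothing on the existing tree, so STORAGE-RO is still denied until `setfacl -m` adds an access entry; and every directory on the way down needs search (x) permission, so a non-recursive access entry on /storage is what lets John reach his own /storage/john. The UIDs, GIDs, tree and the `Node`, `check`, `setfacl_m`, `setfacl_dm`, `create` and `can_access` names are all constructed for this illustration; the setgid bit on the group triad is not modelled because it plays no part in the access check.

```python
"""Toy model of POSIX.1e ACL access checks and path resolution (constructed example)."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits


@dataclass
class Node:
    owner: int
    group: int
    mode: tuple                      # (owner, group, other) bits, e.g. (7, 7, 0) for rwxrwx---
    is_dir: bool = True
    named_users: dict = field(default_factory=dict)   # ACL_USER entries:  uid -> perms
    named_groups: dict = field(default_factory=dict)  # ACL_GROUP entries: gid -> perms
    mask: int = None                                  # ACL_MASK; None when no extended ACL
    default_acl: dict = field(default_factory=dict)   # default ACL_GROUP entries (setfacl -d)
    children: dict = field(default_factory=dict)


def check(node, uid, groups, want):
    """Access check for one inode, following the algorithm in acl(5)."""
    mask = 7 if node.mask is None else node.mask
    if uid == node.owner:                                   # ACL_USER_OBJ, never masked
        return (want & node.mode[0]) == want
    if uid in node.named_users:                             # ACL_USER, masked
        return (want & node.named_users[uid] & mask) == want
    matching = []
    if node.group in groups:                                # ACL_GROUP_OBJ, masked when a mask exists
        matching.append(node.mode[1] & mask)
    matching += [p & mask for gid, p in node.named_groups.items() if gid in groups]
    if matching:                                            # any matching group entry may grant, else deny
        return any((want & p) == want for p in matching)
    return (want & node.mode[2]) == want                    # ACL_OTHER


def _recalc_mask(node):
    """setfacl recomputes ACL_MASK as the union of the group-class entries (unless -n is given)."""
    m = node.mode[1]
    for p in list(node.named_users.values()) + list(node.named_groups.values()):
        m |= p
    node.mask = m


def setfacl_m(node, gid, perms, recursive=False):
    """setfacl [-R] -m g:GID:PERMS: modifies the *access* ACL, which is what check() consults."""
    node.named_groups[gid] = perms
    _recalc_mask(node)
    if recursive:
        for c in node.children.values():
            setfacl_m(c, gid, perms, True)


def setfacl_dm(node, gid, perms, recursive=False):
    """setfacl [-R] -d -m g:GID:PERMS: modifies the *default* ACL of directories only.
    It is copied into the access ACL of objects created later and grants nothing right now."""
    if node.is_dir:
        node.default_acl[gid] = perms
    if recursive:
        for c in node.children.values():
            setfacl_dm(c, gid, perms, True)


def create(parent, name, owner, group, mode, is_dir=True):
    """Create a child and inherit the parent's default ACL into its access (and default) ACL."""
    child = Node(owner, group, mode, is_dir,
                 named_groups=dict(parent.default_acl),
                 default_acl=dict(parent.default_acl) if is_dir else {})
    if child.named_groups:
        _recalc_mask(child)
    parent.children[name] = child
    return child


def can_access(root, path, uid, groups, want):
    """path_resolution(7): every ancestor directory needs X before the target's own bits matter."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if not check(node, uid, groups, X):
            return False                            # EACCES while walking, whatever the target allows
        node = node.children[part]
    return check(node, uid, groups, want)


STORAGE_RW, STORAGE_RO = 2000, 2001                           # constructed GIDs
BOB, JOHN = (1001, {1001, STORAGE_RW}), (1002, {1002, STORAGE_RO})


def build_tree():
    root = Node(0, 0, (7, 5, 5))
    storage = create(root, "storage", STORAGE_RW, STORAGE_RW, (7, 7, 0))   # drwxrws--- STORAGE-RW
    docs = create(storage, "docs", STORAGE_RW, STORAGE_RW, (7, 7, 0))
    create(docs, "report.txt", STORAGE_RW, STORAGE_RW, (6, 6, 0), is_dir=False)
    create(storage, "john", JOHN[0], JOHN[0], (7, 0, 0))                    # John's own sub-folder
    return root


def scenario():
    """Replays the thread: default ACL only, then a non-recursive access entry, then recursive."""
    root, storage = build_tree(), None
    storage = root.children["storage"]
    uid, grp = JOHN
    out = {}
    setfacl_dm(storage, STORAGE_RO, R | X, recursive=True)        # setfacl -Rdm g:STORAGE-RO:rx /storage
    out["inherited_by_new_dir"] = create(storage, "new", STORAGE_RW, STORAGE_RW, (7, 7, 0)).named_groups.get(STORAGE_RO)
    out["read_after_default_only"] = can_access(root, "/storage/docs/report.txt", uid, grp, R)
    out["own_subdir_after_default_only"] = can_access(root, "/storage/john", uid, grp, R | W | X)
    setfacl_m(storage, STORAGE_RO, R | X)                          # setfacl -m g:STORAGE-RO:rx /storage (top only)
    out["own_subdir_after_top_entry"] = can_access(root, "/storage/john", uid, grp, R | W | X)
    out["read_after_top_entry"] = can_access(root, "/storage/docs/report.txt", uid, grp, R)
    setfacl_m(storage, STORAGE_RO, R | X, recursive=True)          # setfacl -Rm g:STORAGE-RO:rx /storage
    out["read_after_recursive_entry"] = can_access(root, "/storage/docs/report.txt", uid, grp, R)
    out["write_john"] = can_access(root, "/storage/docs/report.txt", uid, grp, W)
    out["write_bob"] = can_access(root, "/storage/docs/report.txt", *BOB, W)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:32} {v}")
```

The model reproduces what the poster saw: after `-Rdm` alone, a directory created afterwards does carry the STORAGE-RO entry, but nothing already on disk does, so John fails at the search check on /storage itself. One access entry on the top directory is enough to reach /storage/john (he owns that directory, so ACL_USER_OBJ takes over), while /storage/docs still denies him until the entry is applied recursively. The mask is recomputed as the union of the group-class entries, as setfacl does by default, so the `rws` group triad does not clip the STORAGE-RO entry to less than `r-x`.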