20.2.12

POSIX <--> nfs4 acls

The Scenario
ACLs. We want group read/write for a shared folder. Nice work if you can get it.
Our test domain
Windows - ntacl - Samba4: works
LINUX - nfs4_acl - Samba4: square peg, round hole

The workaround
Create a share:
hh3:/tmp # mkdir -m 0770 /home/CACTUS/dropbox
hh3:/tmp # chown root:suseusers /home/CACTUS/dropbox/
hh3:/tmp # chmod g+s /home/CACTUS/dropbox/
hh3:/tmp # setfacl -d -m g::rw /home/CACTUS/dropbox

drwxrws---+  2 root    suseusers 4096 Feb 20 17:24 dropbox

hh3:/tmp # touch /home/CACTUS/dropbox/lynn.txt

-rw-rw---- 1 root suseusers 0 Feb 20 17:30 lynn.txt

YEAH! The file is created with group rw:-) The acl looks like this:

hh3:/tmp # getfacl /home/CACTUS/dropbox/
getfacl: Removing leading '/' from absolute path names
# file: home/CACTUS/dropbox/
# owner: root
# group: suseusers
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rw-
default:other::---


Now we mount the share.

hh3:/tmp # mount -t nfs4 hh3:/home /mnt
The acl has been translated to this:

hh3:/tmp # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDtcy
A:fdi:EVERYONE@:tcy


We create a file in the mounted share:

hh3:/tmp # touch /mnt/CACTUS/dropbox/lynn2.txt
hh3:/tmp # ls -la /mnt/CACTUS/dropbox/
total 8
drwxrws--- 2 root suseusers 4096 Feb 20 17:38 .
drwxr-xr-x 9 root root      4096 Feb 20 17:24 ..
-rw-r----- 1 root suseusers    0 Feb 20 17:34 lynn2.txt
-rw-rw---- 1 root suseusers    0 Feb 20 17:30 lynn.txt

The file created on the mount does not have group rw:-( The inheritable GROUP@ ACE is there, so the loss happens at create time: the NFSv4 client applies its own umask to the requested mode before sending it (0666 becomes 0644, assuming the usual umask of 022), the server creates the file with that mode, and the default POSIX ACL then sets the ACL mask from the mode's group bits (r--). The group field ls prints is that mask, not the inherited group::rw- entry. NFSv4.2 later added a umask attribute (RFC 8275) to fix exactly this.

Setting the acl on the mount and remounting:
nfs4_setfacl -a A:gfdi:GROUP@:rwaDxtTcCy /mnt/CACTUS/dropbox/
makes no difference.
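As an added example (not code from the original page), the following decodes the nfs4_getfacl entries above into POSIX rwx triplets and compares the mode the file-inheritable ACEs promise a new file with the -rw-r----- that ls actually showed for lynn2.txt. The ACL text and the ls line are copied from this page; the 0666 create mode assumed for touch is the only other assumption.

```python
# Decode nfs4_getfacl ACEs (TYPE:FLAGS:PRINCIPAL:PERMS, as in nfs4_setfacl(1)) into
# POSIX rwx triplets and compare what the inheritable ACL promised a new file with
# what ls showed. Added example, not code from the original page.
# NFSv4 letters that map onto POSIX bits: 'w' (write data) and 'a' (append) both fold into w.
POSIX_BITS = {"r": "r", "w": "w", "a": "w", "x": "x"}
PRINCIPALS = ("OWNER@", "GROUP@", "EVERYONE@")

# Constructed from the page's nfs4_getfacl output for /mnt/CACTUS/dropbox/.
DROPBOX_ACL = """\
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDtcy
A:fdi:EVERYONE@:tcy
"""
OBSERVED_LS = "-rw-r----- 1 root suseusers    0 Feb 20 17:34 lynn2.txt"  # page's ls -la line

def parse_acl(text):
    """One (type, flags, principal, perms) tuple per non-empty ACE line."""
    return [tuple(l.strip().split(":", 3)) for l in text.splitlines() if l.strip()]

def rwx(aces, who):
    """First-match evaluation of allow (A) / deny (D) ACEs for one principal."""
    decided = {}
    for kind, _flags, principal, perms in aces:
        if principal != who or kind not in ("A", "D"):
            continue
        for letter, bit in POSIX_BITS.items():
            if letter in perms and bit not in decided:
                decided[bit] = kind == "A"
    return "".join(b if decided.get(b) else "-" for b in "rwx")

def effective_mode(text):
    """Mode implied by the ACEs that apply to the object itself (no 'i' flag)."""
    aces = [a for a in parse_acl(text) if "i" not in a[1]]
    return "".join(rwx(aces, who) for who in PRINCIPALS)

def expected_new_file_mode(text, create_mode=0o666):
    """File-inheritable ('f' + 'i') ACEs masked by the mode touch asks for (0666, assumed)."""
    aces = [a for a in parse_acl(text) if "i" in a[1] and "f" in a[1]]
    inherited = "".join(rwx(aces, who) for who in PRINCIPALS)
    requested = "".join("rwx"[i % 3] if (create_mode >> (8 - i)) & 1 else "-" for i in range(9))
    return "".join(b if b == r else "-" for b, r in zip(inherited, requested))

def lost_bits(expected, ls_line):
    """(principal, bit) pairs the inheritable ACL granted but `ls -l` does not show."""
    observed = ls_line.split()[0][1:10]          # drop the file-type character
    return [(PRINCIPALS[i // 3], e) for i, (e, o) in enumerate(zip(expected, observed))
            if e != "-" and o == "-"]
```

Run against the page's listing, the directory itself decodes to rwxrwx---, a new file should get rw-rw----, and the only bit missing from the observed lynn2.txt is GROUP@ w.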



The big hammer
We treat it with the contempt it deserves:
#!/bin/sh
# Poll the share and put group write back on anything that lost it.
share=/home/CACTUS/dropbox/
cd "$share" || exit 1
while true
do
    # -N is a bash test (file modified since last read), not POSIX sh
    if [ -N "$share" ]; then
        for a in *
        do
            [ -e "$a" ] || continue          # empty directory: '*' stays literal
            # group field is the third '-'-separated chunk of the ls mode string;
            # fragile (breaks on x bits), but a wrong guess only costs a no-op chmod
            perm=$(ls -ld "$a" | cut -d "-" -f 3)
            if [ "$perm" != "rw" ]; then
                chmod g+w "$a"
            fi
        done
    fi
    sleep 4
done

The guys over on the openSUSE list got involved:
#!/bin/sh
# Same idea with find doing the work: every entry under the share that lacks
# group write (! -perm -g=w) gets it back; -print0/-0 keep odd filenames safe.
share=/home/CACTUS/dropbox/
while true
do
    find "$share" ! -perm -g=w -print0 | xargs -r -0 chmod g+w
    sleep 4
done
Neat!