It’s not just the nfs4_setfacl tool. Also cp and rsync will fail to cooy such ACLs.
I have an RFE for this : https://ideas.ibm.com/ideas/GPFS-I-986 -jf man. 26. feb. 2024 kl. 18:27 skrev Robert Horton <[email protected]>: > Hello, > > > > We’ve been using nfs4_get/setfacl to manage nfs4 acls as an alternative to > the mm commands for a few months. It mostly works pretty well – in > particular it’s simple to set permissions with inheritance flags > recursively on a directory structure and it’s easy to add an ace for a > user/group without affecting existing permissions. > > > > We’ve noticed though that when permissions have been changed via SMB they > get these DACL ACL flags set: > > > > # mmgetacl NewTest > > #NFSv4 ACL > > #owner:ICR\rhorton > > #group:ICR\infotech > > #ACL flags: > > # DACL_PRESENT > > # DACL_AUTO_INHERITED > > # SACL_AUTO_INHERITED > > # NULL_SACL > > user:ICR\rhorton:r-x-:allow:FileInherit:DirInherit > > (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL > (X)READ_ATTR (X)READ_NAMED > > (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL > (-)WRITE_ATTR (-)WRITE_NAMED > > > > …which upsets nfs4_getfacl: > > > > # nfs4_getfacl NewTest > > # file: NewTest > > A::bin:C > > Bad Ace Type:768 > > Error while printing ACE. > > > > It gets worse if someone does a nfs4_getfacl -R -a <new ace> as it > sometimes ends up replacing the existing ACEs with one for a ‘bin’ user. > > > > I’m guessing that with ACL flags present the presented system.nfs4_acl > extended attribute isn’t in a form that nfs4-acl-tools expects..? > > > > So… > > 1. What do the DACL flags actually do? Where are they stored? Is there > a way to check for / modify them? I can see them referenced in > > https://www.ibm.com/docs/en/storage-scale/5.1.9?topic=users-authorizing-file-protocol > but still not entirely clear. Is it possible to get the Samba gpfs module > to not set them? I’m guessing not from > https://www.samba.org/samba/docs/current/man-html/vfs_gpfs.8.html > 2. Am I right in thinking this is a Scale bug? If so is it possible to > get it fixed 😉 ? > 3. How do other people manage ACLs? > > > > Background: It’s an ESS5000. Client access is via a remote mount to an HPC > system, a large number of Windows/Mac/few Linux SMB clients and a handful > of NFS (4) clients via CES. We’re on 5.1.9, although the cluster and fs > versions are a bit behind. -k is nfs4. > > > > Any thoughts appreciated! > > > > Thanks, > > Rob > > > > *Robert Horton* | Scientific Computing Infrastructure Lead > > The Institute of Cancer Research | 237 Fulham Road, London, SW3 6JB > <https://www.google.com/maps/search/237+Fulham+Road,+London,+SW3+6JB?entry=gmail&source=g> > > *T* +44 (0) 20 7153 5350 | *E* [email protected] | *W* www.icr.ac.uk > | *Twitter* @ICR_London <https://twitter.com/ICR_London> > > *Facebook* www.facebook.com/theinstituteofcancerresearch > > *Making the discoveries that defeat cancer* > > [image: ICR Logo] <http://www.icr.ac.uk/> > > > > The Institute of Cancer Research: Royal Cancer Hospital, a charitable > Company Limited by Guarantee, Registered in England under Company No. > 534147 with its Registered Office at 123 Old Brompton Road, London SW7 3RP > <https://www.google.com/maps/search/123+Old+Brompton+Road,+London+SW7+3RP?entry=gmail&source=g>. > > > This e-mail message is confidential and for use by the addressee only. If > the message is received by anyone other than the addressee, please return > the message to the sender by replying to it and then delete the message > from your computer and network. > _______________________________________________ > gpfsug-discuss mailing list > gpfsug-discuss at gpfsug.org > http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org >
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
