I have some trouble getting the proper access rights to work for a folder shared through Samba and NFS. Connected like this:
┌────────────┐    ┌──────────────┐    ┌──────────────┐
│ NFS-Server ├────┤ NFS Client   ├────┤ Samba Client │
│            │    │ Samba Server │    │              │
└────────────┘    └──────────────┘    └──────────────┘
The machine in the middle is a shared development machine (running Linux). The Samba clients are usually Windows. The reason this is connected like this is because of the network policy / firewall. It would be strongly discouraged to access the NFS server by Samba directly.
Additionally, as a side-effect this setup gives everyone samba access to the development machine.
The exported NFS resources should be read/writable by a specific group. I implemented this using Unix ACLs. When accessing the share via the development machine (the NFS client) directly, this already gives me trouble. It seems that the mask is not properly kept.
I have found a couple of resources on the web covering this topic, but I still have trouble understanding exactly why/how this is happening.
I also came across NFSv4 ACLs, which are different from the ACLs you set using setfacl. I tried to play around with those as well, but running the command gave me an error:
[11:24:32] michel@BBS-extractor coftp $ nfs4_getfacl .
Operation to request attribute not supported.
I thought this might be a problem related to mount options. However, the underlying FS is an ext4 volume. Which has nothing to do with NFS... right?
Can someone explain to me what's happening here? Why is the default mask ignored when using NFS?
As a practical example, let me give you the ACLs of the root folder:
[11:30:26] michel@BBS-extractor coftp $ getfacl .
# file: .
# owner: coftp
# group: coftp
# flags: -s-
user::rwx
group::rwx
group:coftp:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:coftp:rwx
default:mask::rwx
default:other::r-x
After creating a folder named test on the remote machine, I get this:
[11:30:26] michel@BBS-extractor coftp $ getfacl test
# file: test
# owner: michel
# group: coftp
# flags: -s-
user::rwx
group::rwx #effective:r-x
group:coftp:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:coftp:rwx
default:mask::rwx
default:other::r-x
This shows that the group "coftp" won't have write access to this folder, although in the ACL on the root folder, it should have. The reason being the mask. The root folder specifies a default mask, but it seems to be ignored/changed when accessing the folder via NFS.
0 Answers
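The comparison made in the question, as an added example that is not part of the original post: it parses the two getfacl listings (abridged and embedded inline as constructed sample input), applies the mask entry to each ACL entry, and reports which entries on test have fewer effective rights than the parent's default ACL specifies. The function names are illustrative assumptions.

```python
# Constructed sample input: abridged getfacl listings from the question above.
PARENT = """\
default:user::rwx
default:group::rwx
default:group:coftp:rwx
default:mask::rwx
default:other::r-x
"""
CHILD = """\
# file: test
user::rwx
group::rwx #effective:r-x
group:coftp:rwx #effective:r-x
mask::r-x
other::r-x
"""

def parse_getfacl(text):
    """Return {'access': {...}, 'default': {...}} keyed by (tag, qualifier)."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        tag, qualifier, perms = parts
        acl[scope][(tag, qualifier)] = perms
    return acl

def effective(entries):
    """Apply the mask: it caps group and named-user entries, not user:: or other::."""
    mask = entries.get(("mask", ""), "rwx")
    out = {}
    for (tag, qual), perms in entries.items():
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qual != "")
        out[(tag, qual)] = ("".join(p if m != "-" else "-" for p, m in zip(perms, mask))
                            if capped else perms)
    return out

def lost_rights(parent_text, child_text):
    """Map each narrowed entry to (rights per parent default ACL, effective rights on child)."""
    expected = effective(parse_getfacl(parent_text)["default"])
    actual = effective(parse_getfacl(child_text)["access"])
    return {k: (expected[k], actual[k]) for k in expected if actual.get(k, expected[k]) != expected[k]}

if __name__ == "__main__":
    for (tag, qual), (want, got) in lost_rights(PARENT, CHILD).items():
        print(f"{tag}:{qual}: default ACL grants {want}, effective on child is {got}")
```

Run against real output by passing the text of `getfacl <parent>` and `getfacl <child>` in place of the embedded strings.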