NFSv4 ACLs translation issue from GlusterFS mount

It seems to me that Posix ACLs in a mounted glusterfs volume are not
being translated to NFSv4 ACLs at all when exported (kernel NFS).
Exporting a local filesystem with XFS and exactly the same Posix ACLs
works as expected (NFSv4 ACLs are translated right from Posix ACLs).
More details:

OS: Rocky Linux release 8.5 (Green Obsidian)

fstab for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica      xfs     defaults       0 0
gluster02.fnr.gub.uy:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0

Mount for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica on /exports/directo_informatica type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
gluster02.fnr.gub.uy:/gv0_inf on /exports/gv0_inf type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)

exports file:

/exports *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
/exports/directo_informatica *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
/exports/gv0_inf *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)

Exported directories ACLs:

# getfacl /exports/directo_informatica/
getfacl: Removing leading '/' from absolute path names
# file: exports/directo_informatica/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@xxxxxxxxxxxxxxxxx:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@xxxxxxxxxxxxxxxxx:rwx
default:mask::rwx
default:other::---

# getfacl /exports/gv0_inf/
getfacl: Removing leading '/' from absolute path names
# file: exports/gv0_inf/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@xxxxxxxxxxxxxxxxx:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@xxxxxxxxxxxxxxxxx:rwx
default:mask::rwx
default:other::---

Directories mounted remotely (same server for the tests):

gluster02.adtest.fnr.gub.uy:/directo_informatica on /prueba2 type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
gluster02.adtest.fnr.gub.uy:/gv0_inf on /prueba type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)

NFSv4 ACLs remotely:

$ nfs4_getfacl /prueba2
# file: /prueba2
A::OWNER@:rwaDxtTcCy
A::root@xxxxxxxxxxxxxxxxx:rwaDxtcy
A::GROUP@:rxtcy
A:g:root@xxxxxxxxxxxxxxxxx:rxtcy
A:g:informatica@xxxxxxxxxxxxxxxxx@idmpru.fnr.gub.uy:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root@xxxxxxxxxxxxxxxxx:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:root@xxxxxxxxxxxxxxxxx:rxtcy
A:fdig:informatica@xxxxxxxxxxxxxxxxx@idmpru.fnr.gub.uy:rwaDxtcy
A:fdi:EVERYONE@:tcy

$ nfs4_getfacl /prueba
# file: /prueba
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy

I have tried other alternatives with different results, but none of
them solved my problem completely. For example, with NFS Ganesha it seems
there is an idmap problem. Anyway, I've been talking about it with
Strahil Nikolov and he pointed out that as my case was a complex one I
should write to this list. Despite that, I tried to present it in the
simplest way I could, avoiding details about the users and the
authentication systems, as it seems to me that with kernel NFS the
problem is related to Posix to NFSv4 ACLs translation.

Any help is appreciated. Thanks very much.
-------

Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
https://lists.gluster.org/mailman/listinfo/gluster-devel
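
Added example (not part of the original message): a Python check that compares the named entries in getfacl output with the named ACEs in nfs4_getfacl output and lists the POSIX entries that the export did not carry over. The sample ACL text is constructed (modeled on the outputs above, with the placeholder domain example.test), and matching principals on the part before the first "@" is a simplifying assumption.

```python
import re

SPECIAL = {"OWNER@", "GROUP@", "EVERYONE@"}

# Constructed sample text, modeled on the outputs in the message above;
# "example.test" is a placeholder domain.
GETFACL = """\
# file: exports/share/
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@example.test:rwx
mask::rwx
other::---
default:group:informatica@example.test:rwx
"""
NFS4_TRANSLATED = """\
A::OWNER@:rwaDxtTcCy
A::root@example.test:rwaDxtcy
A::GROUP@:rxtcy
A:g:root@example.test:rxtcy
A:g:informatica@example.test:rwaDxtcy
A::EVERYONE@:tcy
A:fdig:informatica@example.test:rwaDxtcy
"""
NFS4_MODE_ONLY = "A::OWNER@:rwaDxtTcCy\nA::GROUP@:rwaDxtcy\nA::EVERYONE@:tcy\n"

def posix_named(text):
    """Named user/group entries of the access ACL; default: entries are skipped."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"(user|group):([^:]+):[rwx-]{3}$", line.split("#")[0].strip())
        if m:
            found.add((m.group(1), m.group(2).split("@")[0]))  # assumption: local part only
    return found

def nfs4_named(text):
    """Named ALLOW ACEs applying to the object itself; inherit-only ACEs are skipped."""
    found = set()
    for line in text.splitlines():
        p = line.strip().split(":")
        if len(p) == 4 and p[0] == "A" and "i" not in p[1] and p[2] not in SPECIAL:
            found.add(("group" if "g" in p[1] else "user", p[2].split("@")[0]))
    return found

def dropped_entries(getfacl_text, nfs4_text):
    """POSIX named entries with no matching NFSv4 ACE, sorted."""
    return sorted(posix_named(getfacl_text) - nfs4_named(nfs4_text))
```

An empty result means every named POSIX entry has a counterpart ACE on the NFSv4 side; a non-empty result lists the entries that clients of the export cannot see.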



