ACL headaches after upgrade

Status
Not open for further replies.
B

Brad303

Dabbler
Joined
Apr 2, 2012
Messages
24
Hi guys,

I just upgraded to FreeNAS-9.3-STABLE-201602031011. I don't know what 9.3 version I was running before, but the "update available" emails were pestering me for months and the first bug in the changelog was #7376.

After the upgrade, I was unable to mv or rsync files to my datasets over NFS. Both would error out with "operation not permitted". I didn't change the permissions on the directories, so it must have been something that changed with the update.

I was prompted by a gui warning to do a `zfs upgrade` on 2 of my 3 pools, although why it wasn't all 3 I don't know. That warning wasn't there previously.

I never noticed it before, but mount now shows my ZFS pools as being mounted with 'nfsv4acls':
Code:
FatZ on /mnt/FatZ (zfs, local, nfsv4acls)


Additionally, some of my datasets have the '+' which indicates ACLs:
Code:
drwxrwxr-x+ 58 nobody  windows  58 Feb 10 21:25 TV


If I use `setfacl -b` to clear the ACLs on the destination directory, mv and rsync work as they did previous to the upgrade. Currently, setfacl is missing the recursive option, so it's an exercise in frustration to recursively clear all the ACLs in a large dataset.

That also begs the question of how the ACLs were created in the first place. Why do some datasets have the ACLs, but some don't? Does it have anything to do with the "Permission Type" or "Share type" of the pool?

Is there a way to turn off the 'nfsv4acls' mount option on the pool? I'm assuming not as ZFS uses nfsv4 ACLs internally.

Barring that, how do I clear the ACLs recursively? Can it be done via the GUI?

Thanks,

Brad
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Brad Waite said:
Hi guys,

I just upgraded to FreeNAS-9.3-STABLE-201602031011. I don't know what 9.3 version I was running before, but the "update available" emails were pestering me for months and the first bug in the changelog was #7376.

After the upgrade, I was unable to mv or rsync files to my datasets over NFS. Both would error out with "operation not permitted". I didn't change the permissions on the directories, so it must have been something that changed with the update.

I was prompted by a gui warning to do a `zfs upgrade` on 2 of my 3 pools, although why it wasn't all 3 I don't know. That warning wasn't there previously.

I never noticed it before, but mount now shows my ZFS pools as being mounted with 'nfsv4acls':
Code:
FatZ on /mnt/FatZ (zfs, local, nfsv4acls)


Additionally, some of my datasets have the '+' which indicates ACLs:
Code:
drwxrwxr-x+ 58 nobody  windows  58 Feb 10 21:25 TV


If I use `setfacl -b` to clear the ACLs on the destination directory, mv and rsync work as they did previous to the upgrade. Currently, setfacl is missing the recursive option, so it's an exercise in frustration to recursively clear all the ACLs in a large dataset.

That also begs the question of how the ACLs were created in the first place. Why do some datasets have the ACLs, but some don't? Does it have anything to do with the "Permission Type" or "Share type" of the pool?

Is there a way to turn off the 'nfsv4acls' mount option on the pool? I'm assuming not as ZFS uses nfsv4 ACLs internally.

Barring that, how do I clear the ACLs recursively? Can it be done via the GUI?

Thanks,

Brad
Click to expand...

"Windows" permissions type uses ACLs. Changing permissions type to "unix" then recursively applying a user/group change on a dataset through the webgui should be enough to remove the ACLs.

Otherwise you can use "find" and "setfacl" to reset acls. e.g. "find /mnt/<pool>/<dataset> -exec setfacl -b {} \;"
 
B

Brad303

Dabbler
Joined
Apr 2, 2012
Messages
24
Thanks for the reply.

Unfortunately, I can't get the "unix" perm type to stick. I've changed it in the GUI, ticked the recursive box and changed the user & group. While the user and group ownership actually change, the '+' is still next to everything in the dataset.

The `find /foo exec` worked, although there should be a way to undo the "damage" caused by selecting "Windows" permissions in the GUI.

Is there a reference to the difference between "Windows permissions" and "Windows share type"?
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Brad Waite said:
Thanks for the reply.

Unfortunately, I can't get the "unix" perm type to stick. I've changed it in the GUI, ticked the recursive box and changed the user & group. While the user and group ownership actually change, the '+' is still next to everything in the dataset.

The `find /foo exec` worked, although there should be a way to undo the "damage" caused by selecting "Windows" permissions in the GUI.

Is there a reference to the difference between "Windows permissions" and "Windows share type"?
Click to expand...

The UI options are documented on doc.freenas.org
I wouldn't characterize it as 'damage'. The changes that it makes are specifically to prevent people from wrecking permissions on their CIFS shares.
 
B

Brad303

Dabbler
Joined
Apr 2, 2012
Messages
24
I must have been looking at old docs, as I see the details there now.

I don't know if I found a bug, but there was no way I could find to disable the ACLs from the GUI once they were enabled. The docs say it should revert, but that wasn't the case for me.

As to "damage", I was referring to the fact that my NFS & CIFS shares played well together until the upgrade. After that the permissions prohibited me from doing what I was doing before.

Yes, I understand that finer-grained permissions are handy in various situations, but in this case, it was very bewildering and frustrating. And I've been running FreeBSD systems for decades.
 
Status
Not open for further replies.

Similar threads

R
Permission/ACL problems after converting one Windows dataset to Unix
Replies
7
Views
2K
rudds
R
F
  • Locked
samba-tool ntacl sysvolreset needed, but not possible
Replies
3
Views
2K
styne666
S
M
  • Locked
Strange mounts listed in 9.3
Replies
2
Views
1K
DrKK
DrKK
S
Freenas Replication - Daily Security Email - Filesystem Changes "Read Only" an Error on my part?
Replies
0
Views
810
SMATHEW315
S
MrToddsFriends
  • Locked
Replication target datasets mounted ro in FreeNAS-9.3-STABLE-201602020212 and newer
Replies
4
Views
1K
depasseg
depasseg
Top