NFSv4, krb5, ACL properties not properly handled


Post by ced2c » Sun Aug 12, 2018 6:30 pm

Dear Syno users,

After a few weeks of fighting, I succeeded in achieving an almost working setup.

The NFSv4 server is running on my Syno DS214+ / DSM 6.2-23739.
NFS clients are on Debian testing (up to date at the time of this post).
A SolidRun CuBox is used as a Kerberos KDC.

NFS authentication is performed through krb5.

ID mapping, which is a recurrent topic on the forum, now runs successfully. (I wasted a lot of time due to obsolete documentation, and the stupid Synology doc saying that the NFSv4 domain name was optional ...)

The last point that does not work is the ACL matching through NFS.
To be more accurate, it almost works; the only remaining point is that the ACL read-only setting leads to a "permission denied" when I try to access my shared directory through my NFS client.
The workaround I found is that I need to add the following permission:
p: a(p)pend data (create dir)
in order to be able to read files.

So to sum up, if the permissions are set as follows (ls -e output / synoacltool is your friend too):
group:Kids:allow:r-x---a-R-c--:fd-- (level:0) -> I can't list the directory: permission denied
group:Kids:allow:r-xp--a-R-c--:fd-- (level:0) -> Read access is OK, but users can create directories.

If the users belonging to group "Kids" browse the same folder directly with FileStation, both configurations allow read access.

My conclusion is that something is broken in the ACL translation between the proprietary Syno ACL implementation and NFSv4 ACLs.

I think this bug was introduced during a Syno update. I had this setup working before without this limitation, but as I updated the Syno and Debian testing within the same time frame, I am not 100% sure Syno is guilty. If you have faced this same bug, do not hesitate to share!
Regards
Cedric
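
Added example, not part of the original post and not Synology code: a small parser for the ACL entry lines quoted above that reports which permission bits the workaround adds and whether an entry meant to be read-only grants any write-class bit. The 13-slot order rwxpdDaARWcCo and the set of write-class bits are assumptions based on synoacltool's usage text; only the meaning of p is stated in the post.

```python
import re

# Assumption: slot order of the 13-character permission field (synoacltool usage text).
PERM_ORDER = "rwxpdDaARWcCo"
# Assumption: bits that let the holder change data, metadata, ACLs or ownership.
WRITE_BITS = set("wpdDAWCo")

# Matches entries as quoted in the post, with or without a leading "[n]" index.
ENTRY_RE = re.compile(
    r"(?P<kind>[a-z_]+):(?P<name>[^:]*):(?P<type>allow|deny):"
    r"(?P<perms>[A-Za-z-]{13}):(?P<inherit>[fdin-]{4})\s*\(level:(?P<level>\d+)\)"
)

def parse_entry(line):
    """Parse one ACL entry line into a dict; reject malformed permission fields."""
    m = ENTRY_RE.search(line)
    if not m:
        raise ValueError(f"not an ACL entry: {line!r}")
    granted = set()
    for expected, actual in zip(PERM_ORDER, m["perms"]):
        if actual == expected:
            granted.add(expected)
        elif actual != "-":
            raise ValueError(f"unexpected {actual!r} in slot {expected!r}")
    return {"kind": m["kind"], "name": m["name"], "type": m["type"],
            "perms": granted, "inherit": m["inherit"].replace("-", ""),
            "level": int(m["level"])}

def write_bits(entry):
    """Write-class bits granted by an allow entry (empty string for deny entries)."""
    if entry["type"] != "allow":
        return ""
    return "".join(b for b in PERM_ORDER if b in entry["perms"] & WRITE_BITS)

def added_bits(before, after):
    """Bits present in `after` but not in `before`, in slot order."""
    return "".join(b for b in PERM_ORDER if b in after["perms"] - before["perms"])

# The two entries quoted in the post.
READ_ONLY = "group:Kids:allow:r-x---a-R-c--:fd-- (level:0)"
WORKAROUND = "group:Kids:allow:r-xp--a-R-c--:fd-- (level:0)"

if __name__ == "__main__":
    ro, wa = parse_entry(READ_ONLY), parse_entry(WORKAROUND)
    print("bits added by workaround:", added_bits(ro, wa))
    for label, entry in (("read-only", ro), ("workaround", wa)):
        print(f"{label}: {entry['kind']}:{entry['name']} "
              f"write-class bits = {write_bits(entry) or 'none'}")
```

Running the same check over every entry of a share shows which groups currently hold the extra p bit, so it can be removed again once the read-only entry works over NFS.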
