<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Hi,</div><div><br></div><div>Another issue with NFS and sec=sys mode. As we all know there is a limit of 15 security ids involved when running NFS in sec=sys mode. This limit makes effective and granular usage of ACL assigned through groups almost unusable. One way to overcome this limit is to use kerberised NFS but GlusterFS does not natively support this access mode . Another option, at least according to one email thread, states that GlusterFS has an option server.manage-gids which should mitigate this limit and raise it to 90 something. Is this the option, which can be used for increasing sec=sys limit. Sadly documentation does not have clear description about this option, what exactly this option does and how it should be used. </div><div><br></div><div>J.</div><div><br></div><br><div><div>On 29 Jul 2015, at 16:16, Jiffin Tony Thottan <<a href="mailto:jthottan@redhat.com">jthottan@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br><br>On 29/07/15 18:04, Jüri Palis wrote:<br><blockquote type="cite">Hi,<br><br>setfacl for dir on local filesystem:<br><br>1. set acl setfacl -m g:x_meie_sec-test02:rx test<br>2. get acl<br><br># getfacl test<br>user::rwx<br>group::r-x<br>group:x_meie_sec-test02:r-x<br>mask::r-x<br>other::r-x<br><br>setfacl for dir on GlusterFS volume which is NFS mounted to client system<br><br>1. same command is used for setting ACE, no error is returned by that command<br>2. get acl<br><br>#getfacl test<br>user::rwx<br>group::r-x<br>other::---<br><br><br>If I use ordinary file as a target on GlusterFS like this<br><br>setfacl -m g:x_meie_sec-test02:rw dummy<br><br>then ACE entry is set for file dummy stored on GlusterFS<br><br># getfacl dummy<br>user::rw-<br>group::r--<br>group:x_meie_sec-test02:rw-<br>mask::rw-<br>other::—<br><br>So, as you can see setting ACLs for files works but does not work for directories.<br><br>This all is happening on CentOS7, running GlusterFS 3.7.2<br></blockquote><br>Hi Jyri,<br><br>It seems there are couple of issues ,<br><br>1.) when u set a named group acl for file/directory, it clears the permission of others too.<br>2.) named group acl is not working properly for directories ,<br><br>I will try the same on my setup and share my findings.<br>--<br>Jiffin<br><br><blockquote type="cite">J.<br>On 29 Jul 2015, at 15:16, Jiffin Thottan <<a href="mailto:jthottan@redhat.com">jthottan@redhat.com</a>> wrote:<br><br><blockquote type="cite"><br>----- Original Message -----<br>From: "Jüri Palis" <<a href="mailto:jyri.palis@gmail.com">jyri.palis@gmail.com</a>><br>To: <a href="mailto:gluster-users@gluster.org">gluster-users@gluster.org</a><br>Sent: Wednesday, July 29, 2015 4:19:20 PM<br>Subject: [Gluster-users] GlusterFS 3.7.2 and ACL<br><br>Hi<br><br>Setup:<br>GFS 3.7.2, NFS is used for host access<br><br>Problem:<br>POSIX ACL work correctly when ACLs are applied to files but do not work when ACLs are applied to directories on GFS volumes.<br><br>How can I debug this issue more deeply?<br><br>Can you please explain the issue with more details, i.e what exactly not working properly , is it setting acl or any functionality issue, in which client?<br>__<br>Jiffin<br><br>Regards,<br>Jyri<br>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>http://www.gluster.org/mailman/listinfo/gluster-users<br></blockquote>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br><a href="http://www.gluster.org/mailman/listinfo/gluster-users">http://www.gluster.org/mailman/listinfo/gluster-users</a><br></blockquote><br>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br><a href="http://www.gluster.org/mailman/listinfo/gluster-users">http://www.gluster.org/mailman/listinfo/gluster-users</a></div></blockquote></div><br></body></html>