samba - Apr 2018 - Operation Not Supported error for GETXATTR when VFS plugin "nfs4acl_xattr" is used

Hi All

I found there is one bug in the plugin. The name of the attribute for ACL
as per strace output of nfs4_setfacl is *system.nfs4_acl.*
The source code has defined it as
#define NFS4ACL_XATTR_NAME      ( "system.nfs4acl" )

Note there is missing underscore.

After this, the EOPNOTSUPP error is not observed.

Hope this helps

Akash

On Thu, Apr 5, 2018 at 11:43 PM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Apr 05, 2018 at 04:09:26PM +0530, Akash Jain via samba wrote:
> >
> > Can someone help me understand, why following call may fail when the
path
> > is locally mounted NFS share and not a VFS path:
> >
> > *                length = SMB_VFS_NEXT_GETXATTR(handle, path,
> > NFS4ACL_XATTR_NAME, blob.data, blob.length);*
> >
> > Since next module in the stack is Default_VFS, isn't it supposed
to
> forward
> > the request to local NFS client? I do not see any packets on NFS port
of
> > the local NFS client when this operation fails.
>
> Looks like your local NFS client doesn't support remote xattr
> operations.
>

On Fri, Apr 06, 2018 at 01:44:50PM +0530, Akash Jain
wrote:
> Hi All
> 
> I found there is one bug in the plugin. The name of the attribute for ACL
as
> per strace output of nfs4_setfacl is system.nfs4_acl.
> The source code has defined it as
> #define NFS4ACL_XATTR_NAME      ( "system.nfs4acl" )
> 
> Note there is missing underscore.
> 
> After this, the EOPNOTSUPP error is not observed.
> 
> Hope this helps
Hmmm. This has been changed for Samba 4.8.0 and above,
with commit df99ac27106dededcf0a98a251e58c24b90bf6d1.

This would seem to be a correct fix, as it seems

"The "system" xattr namespace is reserved for the kernel. Any
attempt to
    use xattrs in that namesspace will fail with EOPNOTSUPP, regardless of
    priveleges."

Can you check with 4.8.x ?

Jeremy.

Author: Ralph Boehme <slow at samba.org>
Date:   Thu Nov 2 12:17:48 2017 +0100

    librpc/idl: rename NFS4 ACL xattr name
    
    The "system" xattr namespace is reserved for the kernel. Any
attempt to
    use xattrs in that namesspace will fail with EOPNOTSUPP, regardless of
    priveleges. In autobuild we're using the xattr_tdb VFS module, so it
    works there.
    
    Using the "security" namespace instead makes this module generally
    usable with Linux filesystem xattrs as storage backend.
    
    Additionally prefix the xattr name with "_ndr". This is in
preperation
    of later commits that add a ACL blob marshalling format based on XDR. To
    avoid xattr name collision, both format will use distinct xattr names by
    default.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

diff --git a/librpc/idl/nfs4acl.idl b/librpc/idl/nfs4acl.idl
index 3d6894a604c..79e742c90e7 100644
--- a/librpc/idl/nfs4acl.idl
+++ b/librpc/idl/nfs4acl.idl
@@ -13,7 +13,7 @@ import "misc.idl", "security.idl";
 ]
 interface nfs4acl_interface
 {
-       const char *NFS4ACL_NDR_XATTR_NAME = "system.nfs4acl";
+       const char *NFS4ACL_NDR_XATTR_NAME = "security.nfs4acl_ndr";
 
        const char *NFS4ACL_XATTR_OWNER_WHO      = "OWNER@";
        const char *NFS4ACL_XATTR_GROUP_WHO      = "GROUP@";

On Fri, Apr 06, 2018 at 10:27:32AM -0700, Jeremy Allison via samba
wrote:
> On Fri, Apr 06, 2018 at 01:44:50PM +0530, Akash Jain wrote:
> > Hi All
> > 
> > I found there is one bug in the plugin. The name of the attribute for
ACL as
> > per strace output of nfs4_setfacl is system.nfs4_acl.
> > The source code has defined it as
> > #define NFS4ACL_XATTR_NAME      ( "system.nfs4acl" )
> > 
> > Note there is missing underscore.
> > 
> > After this, the EOPNOTSUPP error is not observed.
> > 
> > Hope this helps
> 
> Hmmm. This has been changed for Samba 4.8.0 and above,
> with commit df99ac27106dededcf0a98a251e58c24b90bf6d1.
> 
> This would seem to be a correct fix, as it seems
> 
> "The "system" xattr namespace is reserved for the kernel.
Any attempt to
>     use xattrs in that namesspace will fail with EOPNOTSUPP, regardless of
>     priveleges."
> 
> Can you check with 4.8.x ?
I guess that statement may not be correct, depending on which kernel subsystem
exposes the xattr? My testing was with local filesytems, not with nfsv4
mounts. Apparantly it works with nfs4_getfacl|nfs4_setfacl...

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46