NFS4 POSIX ACL setting fails

First time post!

I’ve been having an issue related to NFS4 and POSIX ACL setting on a share.

I’m running TrueNAS SCALE/Community 25.10, with a dataset configured with an ACL type setting of POSIX (mode set to ‘Discard’, which is automatically selected as the box is greyed out), shared via NFS4 with no_root_squash enabled. No id mapping is configured.

Mounting from a Linux VM with the command:

mount -t nfs -o vers=4.2,defaults,acl IP:/share /mnt

Using setfacl on the Linux machine results in an “Operation not supported” error, but only when mounted as NFS4. If I mount the same share via NFS3, the setfacl command works correctly.

Using setfacl from an ssh session to the TrueNAS server itself on the dataset mountpoint works without issue, so it’s not a ZFS filesystem support issue.

Can anyone advise if this is a bug, or expected behaviour? I can’t imagine it’s expected behaviour, but if there’s a known bug in 25.10 please can anyone give further details?

If there is a workaround (aside from using NFS3, which I consider a hack of a fix for something that should be working with NFS4) or anyone can assist with debugging, please let me know.

Many thanks for any help that can be offered :slight_smile:

For the NFSv4 protocol you should generally be using the client tools nfs4_setfacl / nfs4_getfacl. NFSv4 ACL (RFC) is not compatible with POSIX1E (draft RFC).

At a protocol level POSIX ACLs over NFSv4 aren’t a thing (per RFC).

Hi - thanks for your reply.

I was sure that POSIX ACLs had been added to the NFS4 support in the kernel - and since both systems are Linux, I assumed it would be available.

But, if TrueNAS doesn’t support NFS4 POSIX ACLs then I guess I’m going to be learning about the NFS4 native ACLs.

It’s not like I don’t have enough to do already :smiley:

No. Wire format for ACLs in the NFSv4 protocol has always been the RFC type. POSIX ACL support is not part of the v4 spec. You can check the Linux kernel sources if in doubt. You could in theory convert POSIX1E in the client to V4 and send it over the wire to a server, but that’s kind of a hack-job because the conversion from V4 to POSIX1E is lossy.
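
The lossiness mentioned in the last reply can be seen in a small model. This is an added illustration, not part of the thread and not TrueNAS or kernel code: it collapses NFSv4 ACEs (in the text layout nfs4_getfacl prints) to POSIX1E entries and rebuilds them. The principals, the rwx mapping, the `IMPLIED` set and the treatment of EVERYONE@ as "other" (the two are not equivalent) are assumptions made for the example.

```python
# Added illustration, not from the thread: a simplified model of why an NFSv4
# ACL does not survive a trip through POSIX1E. ACEs use nfs4_getfacl's layout
# type:flags:principal:permissions; the bit mapping is a teaching assumption.

RWX = {"r": "r", "w": "wa", "x": "x"}  # POSIX bit -> NFSv4 letters it needs
IMPLIED = set("tcy")                   # assumed implied by any POSIX entry
SPECIAL = {"OWNER@": "user::", "GROUP@": "group::", "EVERYONE@": "other::"}
TAGS = {tag: who for who, tag in SPECIAL.items()}

SAMPLE = [  # constructed ACL; principals are placeholders
    "A::OWNER@:rwaxtcy", "A:g:GROUP@:rxtcy", "A::EVERYONE@:rtcy",
    "D::bob@example.test:wa",        # explicit deny
    "A::alice@example.test:ratcy",   # read plus append-only
]


def nfs4_to_posix(aces):
    """Collapse ACE strings to POSIX1E entries and list what was dropped."""
    entries, dropped = [], []
    for ace in aces:
        ace_type, flags, who, perms = ace.split(":")
        if ace_type != "A":            # POSIX1E can only grant, never deny
            dropped.append((ace, "non-ALLOW ACE"))
            continue
        tag = SPECIAL.get(who) or ("group:" if "g" in flags else "user:") + who + ":"
        rwx = "".join(b if set(n) <= set(perms) else "-" for b, n in RWX.items())
        kept = set("".join(RWX[b] for b in rwx if b != "-")) | IMPLIED
        extra = "".join(sorted(set(perms) - kept))
        if extra:                      # finer-grained than rwx can express
            dropped.append((ace, "bits " + extra))
        entries.append(tag + rwx)
    return entries, dropped


def posix_to_nfs4(entries):
    """Rebuild ACEs from POSIX1E entries with the same simplified mapping."""
    aces = []
    for entry in entries:
        kind, name, rwx = entry.split(":")
        who = name or TAGS[kind + "::"]
        flags = "g" if kind == "group" else ""
        perms = "".join(RWX[b] for b in rwx if b != "-") + "tcy"
        aces.append(f"A:{flags}:{who}:{perms}")
    return aces


if __name__ == "__main__":
    posix, lost = nfs4_to_posix(SAMPLE)
    print(posix, lost, posix_to_nfs4(posix), sep="\n")
```

In the rebuilt ACL the deny ACE for bob is gone and alice's append-only right has disappeared, so the ACL a client reads back no longer matches what was set.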