我有内核 NFS 服务器的情况。我有两个具有完全相同 ACL 的导出,对 [email protected] 组具有完全权限。一个是 /exports/directo_informatica/,它是带有 XFS 的 LV 的挂载点,另一个是 /exports/gv0_inf/,它是 glusterfs 的挂载点。当使用 NFS 远程挂载并使用组 [email protected] 的用户访问它时,第一个导出工作正常。第二个没有:它可以正确安装,但是当尝试使用同一用户访问它时,它会给出“权限被拒绝”。
如果我使用之前测试的同一用户直接访问 NFS 服务器 (ssh),我可以毫无问题地访问 /exports/ 中的两个目录。更多详情如下:
操作系统:Rocky Linux 8.5 版(Green Obsidian)
导出目录的 fstab:
/dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica xfs defaults 0 0
glustersrv02.xx.xx.xx:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0
挂载导出的目录:
/dev/mapper/vg_kvm_sistema-lv_directo_informatica on /exports/directo_informatica type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
glustersrv02.xx.xx.xx:/gv0_inf on /exports/gv0_inf type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)
导出文件:
/exports *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
/exports/directo_informatica *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
/exports/gv0_inf *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)
导出的目录 ACL:
# getfacl /exports/directo_informatica/
getfacl: Removing leading '/' from absolute path names
# file: exports/directo_informatica/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:[email protected]:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:[email protected]:rwx
default:mask::rwx
default:other::---
# getfacl /exports/gv0_inf/
getfacl: Removing leading '/' from absolute path names
# file: exports/gv0_inf/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:[email protected]:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:[email protected]:rwx
default:mask::rwx
default:other::---
远程安装的目录:
gluster02.adtest.xx.xx.xx:/directo_informatica on /prueba2 type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
gluster02.adtest.xx.xx.xx:/gv0_inf on /prueba type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
远程 NFSv4 ACL:
$ nfs4_getfacl /prueba2
# file: /prueba2
A::OWNER@:rwaDxtTcCy
A::[email protected]:rwaDxtcy
A::GROUP@:rxtcy
A:g:[email protected]:rxtcy
A:g:[email protected]@idmpru.xx.xx.xx:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:[email protected]:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:[email protected]:rxtcy
A:fdig:[email protected]@idmpru.xx.xx.xx:rwaDxtcy
A:fdi:EVERYONE@:tcy
$ nfs4_getfacl /prueba
# file: /prueba
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
任何帮助表示赞赏。非常感谢。
我已经解决了这个问题。详情:https ://lists.gluster.org/pipermail/gluster-devel/2022-March/057802.html 。