msnfs41client: Patches for FreeBSD nfsd test setup, ACL-on-file-create+misc, 2025-11-13-002
Posted by Anonymous on Thu 13th Nov 2025 22:40
raw | new post

From 8235a08bb38b28da5cb97c2ae0d7b819c179b7c2 Mon Sep 17 00:00:00 2001
From: Aurelien Couderc <aurelien.couderc2002@gmail.com>
Date: Thu, 13 Nov 2025 22:32:40 +0100
Subject: [PATCH 1/4] daemon: Fix a missing newline in EASSERT_MSG()

Fix a missing newline in EASSERT_MSG().

Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 daemon/acl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/acl.c b/daemon/acl.c
index 8fece12..d53281e 100644
--- a/daemon/acl.c
+++ b/daemon/acl.c
@@ -178,7 +178,7 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
                 curr_nfsace->who, domain?domain:"<null>"));

         EASSERT_MSG(!isdigit(curr_nfsace->who[0]),
-            ("convert_nfs4acl_2_dacl: aces[%d]->who='%s' uses numeric id",
+            ("convert_nfs4acl_2_dacl: aces[%d]->who='%s' uses numeric id\n",
             (int)nfs_i, curr_nfsace->who));

 #ifdef NFS41_DRIVER_ACLS_SETACL_SKIP_WINNULLSID_ACES
--
2.51.0

From 365708a11337b38b8939357059697aba4fbe6fa8 Mon Sep 17 00:00:00 2001
From: Cedric Blancher <cedric.blancher@gmail.com>
Date: Thu, 13 Nov 2025 22:34:25 +0100
Subject: [PATCH 2/4] tests: Update FreeBSD NFS server setup instructions

Update FreeBSD NFS server setup instructions.

Signed-off-by: Roland Mainz <roland.mainz@nrubsig.org>
---
 tests/nfs_server_setup.txt | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tests/nfs_server_setup.txt b/tests/nfs_server_setup.txt
index e802e80..594f04f 100644
--- a/tests/nfs_server_setup.txt
+++ b/tests/nfs_server_setup.txt
@@ -212,9 +212,9 @@ sysrc nfsv4_server_enable=YES
 sysrc nfsuserd_flags="-domain GLOBAL.LOC"
 sysrc nfsuserd_enable=YES
 sysrc nfscbd_enable=YES
-sysctl vfs.nfs.enable_uidtostring=1
-sysctl vfs.nfsd.enable_stringtouid=1
-sysctl vfs.nfsd.issue_delegations=1
+printf 'vfs.nfs.enable_uidtostring=0\n' >>'/etc/sysctl.conf'
+printf 'vfs.nfsd.enable_stringtouid=0\n' >>'/etc/sysctl.conf'
+printf 'vfs.nfsd.issue_delegations=1\n' >>'/etc/sysctl.conf'

 mkdir /nfsdata
 chmod a+rwxt /nfsdata
@@ -230,9 +230,14 @@ service nfsd start
 - Add groups entry for group "wheel" if neccesary:
 $ printf 'wheel:S-1-0-0:0:\n' >>'/etc/group'

-##### 3. Misc commands:
+##### 3. Misc FreeBSD commands:
 pw groupadd group -n None -g 197121
 pw groupadd group -n ced -g 197608
 pw useradd -n ced -u 197608 -g None -G None,ced -m -s /bin/sh
+# later add more groups, and add user "ced" as member:
+pw groupadd group -n cygwingrp1 -g 197611
+pw groupadd group -n cygwingrp2 -g 197612
+pw groupmod cygwingrp1 -m ced
+pw groupmod cygwingrp2 -m ced

 # EOF.
--
2.51.0

From a73322e5f1b21fcccc85cc66371c2a521a0b32f2 Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Thu, 13 Nov 2025 22:38:15 +0100
Subject: [PATCH 3/4] daemon: Cleanup |map_access_2_allowdeny()|

Cleanup |map_access_2_allowdeny()|.

Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 daemon/open.c | 99 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 72 insertions(+), 27 deletions(-)

diff --git a/daemon/open.c b/daemon/open.c
index 93f8b3a..0ac8c28 100644
--- a/daemon/open.c
+++ b/daemon/open.c
@@ -474,47 +474,92 @@ static int map_disposition_2_nfsopen(ULONG disposition, int in_status, bool_t pe
     return status;
 }

-static void map_access_2_allowdeny(ULONG access_mask, ULONG access_mode,
-                                   ULONG disposition, uint32_t *allow, uint32_t *deny)
+static void map_access_2_allowdeny(
+    IN ULONG access_mask,
+    IN ULONG access_mode,
+    IN ULONG disposition,
+    OUT uint32_t *restrict allow,
+    OUT uint32_t *restrict deny)
 {
-    if ((access_mask &
-            (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES)) &&
-            (access_mask & (FILE_READ_DATA | FILE_EXECUTE)))
+    bool access_mask_readaccess;
+    bool access_mask_writeaccess;
+
+    /*
+     * FIXME: Why is |FILE_READ_ATTRIBUTES| missing here, but the test
+     * for |access_mask_writeaccess| includes |FILE_WRITE_ATTRIBUTES| ?
+     */
+    if (access_mask & (FILE_READ_DATA|FILE_EXECUTE)) {
+        access_mask_readaccess = true;
+    }
+    else {
+        access_mask_readaccess = false;
+    }
+    if (access_mask &
+        (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_ATTRIBUTES)) {
+        access_mask_writeaccess = true;
+    }
+    else {
+        access_mask_writeaccess = false;
+    }
+
+    if (access_mask_readaccess && access_mask_writeaccess) {
         *allow = OPEN4_SHARE_ACCESS_BOTH;
-    else if (access_mask & (FILE_READ_DATA | FILE_EXECUTE))
+    }
+    else if (access_mask_readaccess) {
         *allow = OPEN4_SHARE_ACCESS_READ;
-    else if (access_mask &
-                (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES))
+    }
+    else if (access_mask_writeaccess) {
         *allow = OPEN4_SHARE_ACCESS_WRITE;
-    /* if we are creating a file and no data access is specified, then
-     * do an open and request no delegations. example open with share access 0
-     * and share deny 0 (ie deny_both).
+    }
+    else {
+        EASSERT_MSG(false,
+            ("map_access_2_allowdeny: "
+            "No access_mask_readaccess&&access_mask_writeaccess, "
+            "access_mask=0x%lx\n",
+            (unsigned long)access_mask));
+        *allow = 0;
+    }
+
+    /*
+     * If we are creating a file and no data access is specified, then
+     * do an open and request no delegations. Example open with share
+     * access 0 and share deny 0 (ie deny_both).
      */
-    if ((disposition == FILE_CREATE || disposition == FILE_OPEN_IF ||
-            disposition == FILE_OVERWRITE_IF || disposition == FILE_SUPERSEDE ||
-            disposition == FILE_OVERWRITE) &&
-            !(access_mask & (FILE_WRITE_DATA | FILE_APPEND_DATA |
-            FILE_WRITE_ATTRIBUTES | FILE_READ_DATA | FILE_EXECUTE)))
+    if ((disposition == FILE_CREATE ||
+        disposition == FILE_OPEN_IF ||
+        disposition == FILE_OVERWRITE_IF ||
+        disposition == FILE_SUPERSEDE ||
+        disposition == FILE_OVERWRITE)
+        &&
+        ((access_mask_readaccess == false) &&
+        (access_mask_writeaccess == false))) {
         *allow = OPEN4_SHARE_ACCESS_READ | OPEN4_SHARE_ACCESS_WANT_NO_DELEG;
+    }

-#define FIX_ALLOW_DENY_WIN2NFS_CONVERSION
+#define FIX_ALLOW_DENY_WIN2NFS_CONVERSION 1
 #ifdef FIX_ALLOW_DENY_WIN2NFS_CONVERSION
-    if ((access_mode & FILE_SHARE_READ) &&
-            (access_mode & FILE_SHARE_WRITE))
+    if ((access_mode & (FILE_SHARE_READ|FILE_SHARE_WRITE)) ==
+        (FILE_SHARE_READ|FILE_SHARE_WRITE)) {
         *deny = OPEN4_SHARE_DENY_NONE;
-    else if (access_mode & FILE_SHARE_READ)
+    }
+    else if (access_mode & FILE_SHARE_READ) {
         *deny = OPEN4_SHARE_DENY_WRITE;
-    else if (access_mode & FILE_SHARE_WRITE)
+    }
+    else if (access_mode & FILE_SHARE_WRITE) {
         *deny = OPEN4_SHARE_DENY_READ;
-    else
+    }
+    else {
         *deny = OPEN4_SHARE_DENY_BOTH;
+    }
 #else
-    // AGLO: 11/13/2009.
-    // readonly file that is being opened for reading with a
-    // share read mode given above logic translates into deny
-    // write and linux server does not allow it.
+    /*
+     * AGLO: 11/13/2009:
+     * readonly file that is being opened for reading with a
+     * share read mode given above logic translates into deny
+     * write and linux server does not allow it.
+     */
     *deny = OPEN4_SHARE_DENY_NONE;
-#endif
+#endif /* FIX_ALLOW_DENY_WIN2NFS_CONVERSION */
 }

 static int check_execute_access(nfs41_open_state *state)
--
2.51.0

From 437caac0ad8e49467708bcec4b673c1cb6f324b7 Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Thu, 13 Nov 2025 23:28:02 +0100
Subject: [PATCH 4/4] README.md,docs: Document create file/dir with ACL issues

Document create file/dir with ACL issues.

Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 README.md       | 8 ++++++++
 docs/README.xml | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/README.md b/README.md
index a41dca6..8da6e80 100644
--- a/README.md
+++ b/README.md
@@ -792,6 +792,14 @@ Within WSL mount UNC path returned by `/sbin/nfs_mount`
   which require NTFS or ReFS, but should be physically hosted on the NFS
   server.

+- Creating a new Win32 file/dir with an ACL only works with NFS servers
+  which support `FATTR4_ACL`/`FATTR4_DACL` for `OPEN`/`CREATE`
+  operations.
+
+  So far FreeBSD 14.3 and the NFS-Ganesha NFS servers are known to
+  support this, while Linux 6.12.\*, Solaris 11.4 and Illumos NFS
+  servers ignore the ACL on `OPEN`/`CREATE` operations.
+
 # Troubleshooting && finding bugs/debugging

 - `nfsd_debug.exe` has the `-d` option to set a level for debug output.
diff --git a/docs/README.xml b/docs/README.xml
index a74a903..161ac5d 100644
--- a/docs/README.xml
+++ b/docs/README.xml
@@ -887,6 +887,15 @@ Datei befindet. Versuchen Sie, die Datei woanders zu speichern.</programlisting>
         <command>filedisk /mount 35 'N:\winntfs_filedisk_003.img' S:</command> as global mount
         which require NTFS or ReFS, but should be physically hosted on the NFS server.</para>
       </listitem>
+      <listitem>
+        <para>Creating a new Win32 file/dir with an ACL only works with NFS servers which support
+        <literal>FATTR4_ACL</literal>/<literal>FATTR4_DACL</literal> for
+        <literal>OPEN</literal>/<literal>CREATE</literal>
+        operations.</para>
+        <para>So far FreeBSD 14.3 and the NFS-Ganesha NFS servers are known to support this,
+        while Linux 6.12.*, Solaris 11.4 and Illumos NFS servers ignore the ACL on
+        <literal>OPEN</literal>/<literal>CREATE</literal> operations.</para>
+      </listitem>
     </itemizedlist>
   </section>

--
2.51.0