Hi Thomas!

Thanks for your reply, that helped me understand the situation better:

     > After some investigation we saw that there has been set a default ACL on
     > _every_ directory in the installed clients -- removing this default ACL
     > (setfacl -k) made sssd work again.
Mmmm, can you please check if this is a tar bug? Maybe it's related to
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1386237

The above cited bug report showed the strange behavior of tar:

When packing the base.tar.xz in /usr/sbin/fai-make-nfsroot, tar is called in create_base() like this:

tar --one-file-system -C $NFSROOT -cf $NFSROOT/var/tmp/base.tar --exclude etc/machine-id --exclude var/tmp/base.tar --exclude 'var/lib/apt/lists/*_*' .

So there is no option --xattrs or --acl used.

When the base.tar.xz is extracted, FAI uses /usr/sbin/ftar, and there it is tested whether tar supports --xattrs (which the jessie version does):

# check if tar has xattrs support
tar --xattrs -cf /dev/null /dev/null 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
    xattrs="--xattrs --xattrs-include=*.* --selinux --acl"
else
    xattrs=
fi

So we have the case that --xattrs and --acl are used when extracting.

And the bug report for tar in https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1386237 says: "The one that caught us there was that extracting a tar file with '--acl' that was created without '--acl' results in default acl being set on the top level extracted directory."

This is exactly what we noticed as our problem.

The example output in https://launchpadlibrarian.net/188428776/out shows the case:

=== extract-with/src-without/no-defaults ===
 == getfacl extract-with/src-without/no-defaults ==
 # file: extract-with/src-without/no-defaults
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:other::r-x

 == ls -l extract-with/src-without/no-defaults ==
 total 0
 -rw-r--r-- 1 root root 0 Oct 27 10:56 foo
 == ls -ld extract-with/src-without/no-defaults ==
 drwxr-xr-x+ 2 root root 4096 Oct 27 10:56 extract-with/src-without/no-defaults

I would be happy if you could suggest a solution that works for
(hopefully) everybody.

If I follow the discussion in https://bugzilla.redhat.com/show_bug.cgi?id=771927 it looks like there might not be a solution to make everybody happy. :-( If I create the base.tar.xz on the same machine and file system as I extract it, the best option would be to use the same options for tar when creating and extracting, e.g. in both cases --xattrs and --acl or none of them.

But what if different FS are used (one without the possibility to use ACLs)? Or even different machines?

For me the solution would be to stop using ACLs/CAPs/EAs at all.

With regards, Alex

--
Alexander Bugl,        Central IT Services
Max  Planck  Institute   for   Meteorology
Bundesstrasse 53, D-20146 Hamburg, Germany
tel +49-40-41173-351, fax -356, room d0014
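An added example, not part of this mail or of FAI, for checking an installed client for the symptom described above (default ACLs left on directories after a tar --acl extraction) and previewing the setfacl -k cleanup; the getfacl sample below is constructed, and the path /srv/nfsroot is an assumption.

```shell
# Added example (not from the mail or from FAI): find every entry in
# `getfacl -R -p` output that carries a *default* ACL, i.e. the
# "default:..." lines that the tar --acl extraction left behind, and
# optionally strip them with setfacl -k as described in the mail.

# Constructed sample of `getfacl -R -p /srv/nfsroot` output: one directory
# with a default ACL (like the launchpad output above) and one without.
SAMPLE_GETFACL='# file: /srv/nfsroot/etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

# file: /srv/nfsroot/bin
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
'

# Read getfacl output on stdin and print the path of every entry that has
# at least one default ACL line. getfacl names each entry in a "# file:"
# header and separates entries with a blank line.
list_default_acl_paths() {
    awk '
        /^# file: / { path = substr($0, 9); has_default = 0 }
        /^default:/ { has_default = 1 }
        /^$/        { if (has_default) print path; path = ""; has_default = 0 }
        END         { if (path != "" && has_default) print path }
    '
}

# Read paths on stdin and remove their default ACLs with setfacl -k.
# Only previews the commands unless DO_FIX=1 is set in the environment.
strip_default_acls() {
    while IFS= read -r p; do
        if [ "${DO_FIX:-0}" = 1 ]; then
            setfacl -k "$p"
        else
            echo "would run: setfacl -k $p"
        fi
    done
}

# Usage on a real client (assumed path):
#   getfacl -R -p /srv/nfsroot | list_default_acl_paths | strip_default_acls
printf '%s' "$SAMPLE_GETFACL" | list_default_acl_paths | strip_default_acls
```

Because `setfacl -k` only removes default ACLs, the access ACL and the plain mode bits of each directory stay as they were.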
