NFS V4 ACL administration

AIX® does not allow a file system to be NFS V4 exported unless it supports NFS V4 ACLs. By contrast, Linux does not allow a file system to be NFS V4 exported unless it supports POSIX ACLs.

This is because NFS V4 Linux servers handle NFS V4 ACLs by translating them into POSIX ACLs. For more information, see Linux ACLs and extended attributes.

Note:

This topic does not refer to the NFS Server function included with CES. For information, see Authorizing protocol users.

With AIX, the file system must be configured to support NFS V4 ACLs (with the -k all or -k nfs4 option of the mmcrfs or mmchfs command). The default for the mmcrfs command is -k all.

With Linux, the file system must be configured to support POSIX ACLs (with the -k all or -k posix option of the mmcrfs or mmchfs command).

Depending on the value (posix | nfs4 | all) of the -k parameter, one or both ACL types can be allowed for a given file system. Because ACLs are assigned on a per-file basis, one file may have an NFS V4 ACL while another file in the same file system has a POSIX ACL. The type of ACL can be changed by using the mmputacl or mmeditacl command to assign a new ACL, or by using the mmdelacl command, which causes the permissions to revert to the file mode (in effect a POSIX ACL). At any point in time, only a single ACL can be associated with a file. Access evaluation is done as required by the ACL type associated with the file.
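The following preflight script is an added example, not part of the product documentation or IBM code. It applies the -k rules above to the servers that will export a file system. The function names, the device name fs1, and the mmlsfs column layout in the constructed sample are assumptions.

```shell
#!/bin/sh
# Preflight for NFS V4 export of a GPFS file system (added example).

# Print the -k value from `mmlsfs <device> -k` output read on stdin.
# Assumes the flag/value/description column layout shown in the sample below.
acl_semantics() {
    awk '$1 == "-k" { print $2; exit }'
}

# Succeed if an NFS server running OS $1 (as `uname -s` prints it) can
# NFS V4 export a file system whose -k value is $2.
nfs4_export_ok() {
    case "$1:$2" in
        AIX:all|AIX:nfs4)      return 0 ;;  # AIX requires NFS V4 ACL support
        Linux:all|Linux:posix) return 0 ;;  # Linux requires POSIX ACL support
        *)                     return 1 ;;
    esac
}

# Print the server OSes (from $2 onward) that cannot export with -k value $1.
# Prints nothing when every server is satisfied.
blocked_servers() {
    k=$1; shift
    for os in "$@"; do
        nfs4_export_ok "$os" "$k" || printf '%s\n' "$os"
    done
}

# Constructed sample of `mmlsfs fs1 -k` output; "fs1" is a made-up device.
sample_mmlsfs() {
    cat <<'EOF'
flag                value                    description
------------------- ------------------------ -----------------------------------
 -k                 posix                    ACL semantics in effect
EOF
}

# Live use: ./preflight.sh <device>   (needs the GPFS mmlsfs command)
if [ $# -eq 1 ]; then
    k=$(mmlsfs "$1" -k | acl_semantics)
    if nfs4_export_ok "$(uname -s)" "$k"; then
        echo "$1: -k $k allows NFS V4 export from $(uname -s)"
    else
        echo "$1: -k $k blocks NFS V4 export from $(uname -s); see mmchfs -k" >&2
        exit 1
    fi
fi
```

For a file system served by both AIX and Linux NFS servers, blocked_servers returns an empty list only for -k all, which is the one value that satisfies both requirements.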

NFS V4 ACLs are represented in a completely different format than traditional ACLs. For detailed information on NFS V4 and its ACLs, refer to NFS Version 4 Protocol and other information found in the Network File System Version 4 (nfsv4) section of the IETF Datatracker website.

In the case of NFS V4 ACLs, there is no concept of a default ACL. Instead, there is a single ACL and the individual ACL entries can be flagged as being inherited (either by files, directories, both, or neither). Consequently, specifying the -d flag on the mmputacl command for an NFS V4 ACL is an error.