Table of contents
- Role definitions and responsibilities
- Managing DO, DM, and DPM
- Payment vouchers for non-chargeable storage quotas
- Before you start setting up a storage account
- Provisioning your IFS storage space
- Services configuration
- Creating a Storage Project
- Deleting Storage Projects
- Managing storage capacity and duration
- Enable Kerberos authentication for CIFS shares
- NFSv4 / Kerberos Client configuration
About the Institutional File Storage service
The Institutional File Storage (IFS) service allows institutions to store and share everyday documents with colleagues. This is aimed at desktop and laptop users who will have access to the storage via a mapped drive on their computer. The data is safely stored on an industry-standard hardware platform in the University's central data centres to protect against data loss. For more information, see https://help.uis.cam.ac.uk/institutional-file-storage.
About this user guide
This document contains step-by-step instructions for the following:
- Provisioning your storage space, using a voucher or a purchase order
- Configuring Storage services.
- Creating Storage Projects (i.e. SMB or NFS shares)
- Modifying a storage project, i.e. enabling/disabling SMB encryption and increasing its size
- Deleting a project
- Managing Data Owner, Data Managers, and Data Project Managers
- Extending storage capacity
- Extending the storage duration.
All support requests and feedback should be directed to the dedicated support email address IFSfirstname.lastname@example.org.
Role definitions and responsibilities
Institutional IFS administrators may have one of three roles:
- Data Owner: Assigns space to institutions and oversees institutional use of the IFS. Can delegate most responsibilities to Data Managers.
- Data Manager: Manages IFS space on behalf of a Data Owner.
- Data Project Manager: Responsible for the day-to-day management of the data at the project level. This role is not applicable to NFS shares, as full control permissions cannot be set at the NFS share level. The DO or DM, who have full control permission, can give access and set permissions for DPMs manually.
|Can enable and disable user access|
|Appoints Data Owner, Data Managers and Data Project Managers|
|Sets up initial free spaces for institutions|
|Validates purchase orders to purchase more space|
|Can extend storage capacity and duration|
|Can increase storage project space|
|Day-to-day management of the data|
|Acquire funding and raise a purchase order to purchase more space|
|Maintains compliance with the information management guidelines and requirements that apply to the data|
|Remove the project data after the storage licence expires|
|Antivirus scanning of the data stored on IFS|
|Full control permissions on all the storage projects (i.e. SMB/NFS shares)|
|Can be given full control permissions at the project level||
Managing DO, DM, and DPM
The DO can add and delete DMs and DPMs and assign a new DO. DMs can add and delete DPMs and change the DO.
As a DO, to delete a DM, go to the Configure the licence page, then delete the DM by clicking the red cross icon beside their name.
Example: delete the DM wh997.
As a DO, to change the DO (themselves), go to the Configure the licence page, delete the DO wh330 and assign a new one, e.g., wh998. Then, click Save.
Also, a DM can add Data Project Managers (DPMs) to the existing projects.
Payment vouchers for non-chargeable storage quotas
UIS have issued vouchers to the Institutions' Data Owners to use for the set-up of the initial quota of non-chargeable storage space. If you have a voucher, you will be able to redeem it in the Self-Service Gateway / Buy IFS Storage instead of specifying a purchase order.
- Vouchers can only be used once and will expire by default six months from their issue date. The validity of the voucher (i.e., the period between the issue date and expiry date) can be customised according to the user's requirements. Once the voucher has been redeemed, space can be allocated.
- A purchase order will need to be raised to pay for any additional space for a duration of 1, 3, or 5 years beyond the initial free allocation covered by the voucher.
- The free space granted to University institutions will be extended in duration automatically every year. Free space is provided to the colleges for the first year only and would need to be renewed with a purchase order after one year.
- UIS will generate and provide the institutions with vouchers of the initial free space.
Example of an IFS voucher:
Voucher value and validity can be verified using the Voucher tool.
Before you start setting up a storage account
Setting up a storage account requires work by the DO/DM as well as the UIS Networks team. The steps are as follows:
|Obtain the space via the IFS portal (see Obtain the space via the IFS portal)||Institution|
|Configure local institution firewall (see Firewall rules configuration)||Institution|
|Port block removal (see Firewall rules configuration)||UIS Networks team and/or Institution|
|Configure storage services (see Services configuration)||Institution|
Provisioning your IFS storage space
Before you can provision storage projects, you will need to configure DNS, SMB/CIFS, NFS and Kerberos services that are needed to access and use your storage space. The Self-Service Gateway portal provides you with features to do so, but as a prerequisite, you will need to make sure that the IFS service can communicate with your local DNS Name Servers, Active Directory and Kerberos services by applying the firewall rules on your institutional firewall.
|DNS||Required by SMB/NFS shares. Connections from IFS LIF subnet 10.128.2.0/23 on ports: 53 (TCP/UDP)|
|Kerberos and LDAP||Required by NFS and SMB shares. Connections from IFS LIF subnet 10.128.2.0/23 on ports: 88 (TCP/UDP), 750 (TCP/UDP), and 389 and 636 (TCP)|
|SMB/CIFS||Required by SMB/CIFS shares. Connections to/from IFS LIF subnet 10.128.2.0/23 on ports: 137 and 138 (UDP), and 139 and 445 (TCP)|
|NFS||Required by NFS shares. Connections to IFS LIF subnet 10.128.2.0/23 on ports: 111 (TCP/UDP) and 2049 (TCP/UDP)|
There are ACL blocks on switches into some institutions blocking traffic on port 445. To remove this block from your institutions for the IFS, please raise a ticket with the UIS Service Desk (email@example.com).
If you use the UIS Managed Firewall Service, please contact the UIS Service Desk (firstname.lastname@example.org) to ensure the appropriate firewall rules are put in place. This must be done by the DO.
Go to the Self-Service Gateway portal: https://selfservice.uis.cam.ac.uk/
In the Institutional File Store section (bottom left) click the Choose button:
- Enter how many terabytes you want and click the Get Quote button. You will be redirected to the payment page:
- [Example demonstrates payment by UIS-provided voucher – you can also pay by Purchase Order] Click the Voucher tab:
- Paste in your voucher code and click the Submit button:
- The voucher is validated and you will be redirected to the confirmation page. Click the Continue button:
You will be redirected to the Configure the licence page to set the DO and DM(s). The DO will receive a confirmation email containing a link to accept the Terms & Conditions:
Click the I agree button to accept the Terms & Conditions:
You can also add a Data Manager by visiting the Licence page by clicking View Licence:
Click Save. Then the DM should accept the T&Cs so that their state moves to Ready:
Meanwhile, the DO and DM(s) will receive a confirmation email containing a link to accept the Terms & Conditions. See the email below as an example:
The IFS needs to be aware of a number of services in order to provide shares to your institution. In order to create storage projects, the DO or DM should start with the Vserver Configuration. The Vserver is a virtual storage server that resides in our storage backend and is associated with your storage account.
On the My Account page click Vserver Configuration to choose which service you wish to configure:
Each tab in the screenshot below presents a form for a service configuration. You can also click on Configure All Services to configure all the services with BLUE Active Directory settings:
The services to be configured are illustrated in the following table.
|DNS (see DNS Service)||Required for NFS and SMB shares.|
|CIFS Server (see CIFS Server)||Required for NFS and SMB shares. Note that CIFS server must be configured if you want to bind the LDAP Client using the CIFS server credentials.|
|NFS Service (see NFS Service)||To configure the NFS server running on the Vserver. Required for NFS and SMB shares (NFS service is required to create export policy on the CIFS shares).|
|Kerberos Realm (see Kerberos Realm)||To enable Kerberos authentication for NFS clients. Only required for NFS shares. For Kerberos authentication against SMB shares, update the Service Principal Name (SPN) attribute of the CIFS machine account on your AD (e.g., using ADSI Edit) to contain the CIFS SPN whose format should be: cifs/CIFS interface DNS name. If your account is bound to BLUE AD, please let us know.|
|LDAP Client (see LDAP Client)||To enable access to the external LDAP servers. Only required for NFS shares.|
|Kerberos NFS Interface (see Kerberos NFS Interface)||To enable Kerberos authentication for NFS. Only required for NFS shares.|
This form allows you to create or modify the DNS configuration of the Vserver associated with your storage account.
- DNS search domains: A list of DNS domains such as 'sales.bar.com'.
- DNS name servers: IPv4 addresses of name servers such as '188.8.131.52'.
- SMB interface DNS name: populated automatically.
- SMB interface IP address and netmask: populated automatically.
- NFS interface DNS name: populated automatically.
- NFS interface IP address and netmask: populated automatically.
For instance, to configure the DNS service, click the DNS Service tab, choose between using the BLUE settings or your own settings, and click Configure DNS Service. The following screenshot shows what you see if you use BLUE settings.
After a few seconds, a message should be displayed to indicate that the configuration has succeeded. Otherwise, you will need to check your input or contact us.
This form allows you to configure and set up CIFS services on the Vserver associated with your storage account.
- Active Directory Domain: The fully qualified domain name of the Windows Active Directory the CIFS server belongs to. Example: cifs.domain.com.
- Active Directory Organisational Unit: The organisational unit within the Active Directory domain to associate with the CIFS server.
- Active Directory Account Username: The username of the account used to add the CIFS server to the Directory. This part of the credential only needs to be supplied if the domain is being modified.
- Active Directory Account Password: The password for the account used to add the CIFS server to the Active Directory. This part of the credential only needs to be supplied if the domain is being modified.
This form allows you to create and modify an NFS configuration on the Vserver associated with your storage account.
- NFSv4 ID domain: NFSv4 ID mapping domain.
- Permitted Encryption Types: List of permitted encryption types for Kerberos over NFS.
This form allows modifying a Kerberos Realm configuration on a Vserver.
- Kerberos Realm: Kerberos Realm name.
- KDC IP Address: IP address of the Key Distribution Centre (KDC) server for this Kerberos realm.
- KDC Port: TCP port on the KDC to be used for Kerberos communication. The default for this parameter is 88.
- KDC Vendor: The vendor of the Key Distribution Centre (KDC) server. If the configuration uses a Microsoft Active Directory (AD) domain for authentication, this field should be "Microsoft".
- Admin Server IP: IP address of the host where the Kerberos administration daemon is running. This is usually the master KDC. If specified, this should be the same as the KDC IP Address if the KDC Vendor is "Microsoft"
- Password Server IP: IP address of the host where the Kerberos password-changing server is running. Typically, this is the same as the host indicated in the Admin Server IP.
- AD Server Name: Hostname of the Active Directory Domain Controller (DC). This is a mandatory parameter if the KDC Vendor is "Microsoft".
- AD Server IP: IP Address of the Active Directory Domain Controller (DC). This is a mandatory parameter if the kdc-vendor is "Microsoft".
This form allows you to create or modify a Lightweight Directory Access Protocol (LDAP) client configuration on the Vserver associated with your storage account.
- Active Directory Domain: The Active Directory Domain Name for this LDAP configuration. The option is ONLY applicable for configurations using Active Directory LDAP servers.
- LDAP Servers: List of LDAP Servers to use for this configuration. The option is NOT applicable for configurations using Active Directory Domain parameter.
- Session Security: This indicates the level of security for LDAP communications. Possible values:
- "none" - No Signing or Sealing
- "sign" - Sign LDAP traffic
- "seal" - Seal and Sign LDAP traffic
- Bind as CIFS server: If True, the Vserver will use the CIFS server's credentials to bind to the LDAP server.
- Minimum authentication level: The minimum authentication level that can be used to authenticate with the LDAP server. Possible values:
- "anonymous" - Anonymous bind
- "simple" - Simple bind
- "sasl" - Simple Authentication and Security Layer (SASL) bind
- Bind Distinguished Name: The Bind Distinguished Name (DN) is the LDAP identity used during the authentication process by the clients. This is required if the LDAP server does not support anonymous binds. This field is not used if "Bind as CIFS server" is set to "True".
- Bind Password: The password to be used with the Bind Distinguished Name.
- LDAP schema: LDAP schema to use for this configuration.
- Base DN: Indicates the starting point for searches within the LDAP directory tree.
This form allows you to create and modify Kerberos configuration information for the NFS Logical Network Interface on the Vserver associated with your storage account.
- Organisational Unit.
- Service Principal Name: Kerberos service principal name.
- Administrator Username.
- Administrator Password.
Use BLUE settings for service configuration
To configure all services at once with the Default Settings of BLUE Active Directory, click Configure All Services and Confirm in the Vserver Configuration page.
All services have been configured successfully as shown below.
Creating a Storage Project
Storage projects may either be SMB or NFS. This can be performed by the DO or DM.
Important note: After creating a Storage Project, you must ensure that you lock down the permissions on the SMB share – by default they are open to everyone using the same Active Directory. Do this by accessing the share from a Windows machine that has access to it and changing the permissions there. Only the DO, DMs or DPMs have the correct level of access to change the permissions in this way. You also need to lock down the permissions on the NFS shares by updating the preconfigured NFSv4 ACLs on the shares.
To create a project, on the My Account page, click Unallocated.
Define the following attributes on that page and click the Save button:
- Project name (e.g. Inst1-Project1)
- Project size
- Project type: CIFS or SMB
- Whether or not to use SMB encryption for SMB shares.
- You can specify a DPM for an SMB share. A DPM is not applicable for NFS shares.
Note: Windows versions 7 and older do not support SMB encryption, so you may need to disable it. It will be possible to disable SMB encryption using the portal at least until the end of support of Windows 7 in January 2020.
Once the Storage Project has been created you will see a confirmation message.
The DO and DM will receive a confirmation email containing a link to access the storage.
The Configure the storage page is updated with the Storage Project details.
You can also add a Data Project Manager as shown below.
You can also create an NFS project by setting the Project type to NFS.
The project has been created. Note that a Data Project Manager does not exist in NFS projects.
To access the NFS share from your client, please follow the instructions in NFSv4 / Kerberos Client configuration.
On the My account page, DOs and DMs are able to see all the projects.
However, DPMs can view only the projects that belong to them.
Please remember to lock down the permissions on the projects you have created.
Deleting Storage Projects
This can be done by DOs and DMs.
On the My Account page, click the link to the Storage Project you want to delete. This will open the Configure the storage page.
Click the red cross icon next to the Project name. Then type the Project name into the text field in the confirmation form to confirm and finally click the Delete Project button.
Managing storage capacity and duration
Before a DPM can increase the size of their Storage Project, they need to provide either the DO or DM with a purchase order or voucher to use to buy the additional capacity/duration. Once that payment is made, the DPM will be able to increase the size/duration of their Storage Project.
Increasing storage capacity
This is done by the DO or DM(s).
Go to Configure the licence page and click the Increase My Storage Size button:
In the pop-up dialogue box, enter how many additional TB you want, select an activation date from the date drop-down menu, and click the Get Quote button:
You will be redirected to the payment page. Enter your purchase order number (or click the Voucher link to enter a voucher code), tick the checkbox to accept the Terms & Conditions, and click the Pay button:
When the payment is processed, you will see the payment confirmation page.
You will be redirected to the Configure the licence page where you will see the original Full licence and the newly purchased Size Extension licence:
Extending storage duration
This is done by the DO or DM.
Go to the Configure the licence page and click the Extend My Storage Duration button:
In the pop-up dialogue box, you will see your storage capacity shown. Use the drop-down menu to select how long you wish to extend it for, and click the Get Quote button:
You will be redirected to the payment page. Enter your purchase order number (or click the Voucher link to enter a voucher code – see page 9), click the checkbox to accept the Terms & Conditions, and click the Pay button:
After the payment has been processed, you will be redirected to the Configure the licence page, where you will see the Duration Extension licence listed:
Increasing the size of a Storage Project
Once the DO or DM has bought an extended licence (see page 35), the DPM can increase the size of their Storage Project.
From the My Account page, click the name of the Storage Project you want to modify. This will open the Configure the storage page.
Adjust the Project size slider to show the number of TB you want to increase to:
Click the Save button. You will see a confirmation message on the screen:
A few seconds later, the DO receives an email confirming that the project size has been increased:
The DO, DM or DPM can now enable or disable the SMB encryption for accessing the Storage Project by ticking the SMB encryption checkbox and clicking the Save button:
SMB encryption will be enabled/disabled and a confirmation message will appear on the screen, e.g.:
Enable Kerberos authentication for CIFS shares
In order to access your shares with Kerberos authentication, you have to add the CIFS service principal name in the servicePrincipalName field of the CIFS server machine account created in your AD.
The CIFS service principal name would usually have the format cifs/<DNS Name of your CIFS network interface>. For instance, for the CIFS interface ifs-prod-381-cifs.ifs.uis.private.cam.ac.uk, the CIFS principal name would be
servicePrincipalName would eventually look like the following:
If you are using BLUE AD, please contact us to update your CIFS server machine account.
NFSv4 / Kerberos Client configuration
Once you set up an NFS share through the SSGW portal, you need to configure your client to be able to mount and access the share using Kerberos authentication.
Ownership and permissions of the IFS NFS share
Any NFSv4 share created by the IFS service has Owner and Group initially set to the user root and the group root respectively and it is configured with the following permissions:
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rwaDxtTnNcy
A::EVERYONE@:rwaDxtTnNcy
To learn about the NFSv4 permissions, please see the NFSv4 ACLs documentation.
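The default ACL above allows EVERYONE@ to write, append and delete, which is why the share has to be locked down after creation. The following is an added example, not part of the original guide: it checks nfs4_getfacl-style output for such entries and prints a replacement ACL spec. The group principal ifsgroup1@blue.cam.ac.uk is an assumed placeholder; use a group that exists in your LDAP server and your own NFSv4 ID domain.

```shell
#!/bin/sh
# Added example (not from the IFS guide): audit an NFSv4 ACL for entries
# that let EVERYONE@ modify the share, and build a tighter replacement.
# ACE format, as printed by nfs4_getfacl: type:flags:principal:permissions

# Constructed sample: the default IFS share ACL quoted in the guide.
DEFAULT_ACL='A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rwaDxtTnNcy
A::EVERYONE@:rwaDxtTnNcy'

# Reads ACEs on stdin (one per line or whitespace separated).
# Prints one line per allow-ACE that gives EVERYONE@ a modifying right:
#   w write-data   a append        D delete-child  d delete
#   T write-attrs  N write-named-attrs  C write-ACL  o write-owner
# Returns 0 when nothing is flagged, 1 otherwise.
audit_nfs4_acl() {
    tr -s ' \t' '\n' | awk -F: '
        NF == 4 && $1 == "A" && $3 == "EVERYONE@" {
            risky = $4
            gsub(/[^waDdTNCo]/, "", risky)   # keep only the modifying letters
            if (risky != "") {
                printf "%s grants EVERYONE@ [%s]\n", $0, risky
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Reads an ACL on stdin and prints a replacement spec that drops every
# allow-ACE for EVERYONE@ and grants the named group the same rights the
# default ACL gives GROUP@. $1 is the group principal (assumed placeholder).
lockdown_spec() {
    group_principal=$1
    tr -s ' \t' '\n' | awk -F: -v grp="$group_principal" '
        NF == 4 && !($1 == "A" && $3 == "EVERYONE@") { print }
        END { printf "A:g:%s:rwaDxtTnNcy\n", grp }
    '
}

# Demo on the constructed sample: the EVERYONE@ entry is reported.
printf '%s\n' "$DEFAULT_ACL" | audit_nfs4_acl || true
```

To use it on a mounted share, pipe the output of nfs4_getfacl for the share directory into audit_nfs4_acl; the spec printed by lockdown_spec can be saved to a file and applied with nfs4_setfacl -S.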
In an IFS storage account, Data Owner (DO) and Data Managers' (DMs) Kerberos identities are mapped to the UNIX user root. So, they are the Owner of all the NFS shares created in the same account. Obviously, if a DO or DM is deleted, their krb-unix name mapping will be dropped. And if a new DO is assigned or a new DM is added, they will automatically get the krb-unix name mapping to root. In addition, machine accounts trying to mount or access the share are mapped to the predefined UNIX user pcuser (User ID: 65535, Primary Group ID: 65535). Otherwise, implicit krb-unix name mapping takes place. Note that the UNIX users root and pcuser are defined locally in the Vserver namespace. Vserver is the NetApp (our backend storage system) object that is associated with a given storage account.
Example: wh999@DOMAIN is a DO, wh998@DOMAIN is a DM. machine$@DOMAIN is a machine account (Computer) and foo@DOMAIN is a User. Here is how they will be mapped:
wh999@DOMAIN → root
wh998@DOMAIN → root
machine$@DOMAIN → pcuser
foo@DOMAIN → foo (foo user should exist in the LDAP server).
Only Kerberos 5, Kerberos 5i, and Kerberos 5p are allowed as authentication methods to access the NFS share. Otherwise, access will be denied.
Mounting the NFS share
We've set up an NFS share in a test Vserver called ifs_dev_4. The share path is /ifs_dev_4_vol/ifs_dev_4_vol_44 and is accessible through the NFS interface ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk.
The following configuration has been tested on Ubuntu 18.04 LTS and RHEL 7.7 (Maipo). Note that it could be slightly different on other OS versions.
Mounting the share using Kerberos user credentials
Start the rpc.gssd daemon with the -n option (see the rpc.gssd man page).
Get a Kerberos ticket:
kinit ifsuser1
Password for ifsuser1@BLUE.CAM.AC.UK:
Before mounting the share, please set the attribute msDS-SupportedEncryptionTypes of the NFS Service SPN to 0x18. Or contact us to do so.
mount -o sec=krb5,vers=4 ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 /mnt/nfs4/
The share is now mounted:
df -h /mnt/nfs4/
Filesystem Size Used Avail Use% Mounted on
ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 1.0T 893G 132G 88% /mnt/nfs4
Check the share owner and permissions:
ll /mnt/nfs4/
total 8
drwxrwxrwx 2 root root 4096 Feb 18 12:43 ./
drwxr-xr-x 7 root root 4096 Feb 17 12:16 ../
Mounting the share using Kerberos machine's credentials
You need to join your machine to the Kerberos Realm. Run the realm join command and specify the Organisational Unit (OU) in which the machine account will be created and the user account that has privileges to do that. Please make sure rpc.gssd is stopped.
realm join --computer-ou OU=IFS-Test,OU=Servers,OU=uis,OU=Inst,DC=blue,DC=cam,DC=ac,DC=uk -U uis-ifs-service-test blue.cam.ac.uk --membership-software=adcli -v
* Resolving: _ldap._tcp.blue.cam.ac.uk
* Performing LDAP DSE lookup on: 184.108.40.206
* Performing LDAP DSE lookup on: 220.127.116.11
* Successfully discovered: blue.cam.ac.uk
Password for uis-ifs-service-test:
* Unconditionally checking packages
* Resolving required packages
...
* /usr/sbin/update-rc.d sssd enable
* /usr/sbin/service sssd restart
* Successfully enrolled machine in realm
After joining the Realm, /etc/krb5.keytab will be created on your machine. Make sure sssd is up and running:
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-02-21 10:10:16 UTC; 1min 42s ago
Main PID: 5252 (sssd)
Tasks: 4 (limit: 2317)
Memory: 44.3M
CGroup: /system.slice/sssd.service
+-5252 /usr/sbin/sssd -i --logger=files
+-5276 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain blue.cam.ac.uk --uid 0 --gid 0 --logger=files
+-5281 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
+-5282 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files
The mount command now uses the credentials in krb5.keytab file.
mount -o sec=krb5,vers=4 ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 /mnt/nfs4/
Configure LDAP Client
Here are two ways to set up LDAP client on your local machine (the NFS client).
Using nscd and nslcd
sudo apt install nscd # Ubuntu
yum install nscd # RHEL
sudo apt install nslcd # Ubuntu
yum install nslcd # RHEL
You'll get prompted to enter the LDAP server connection details in nslcd installation process. Or you can set them up directly in /etc/nslcd.conf as described below.
In /etc/nslcd.conf, update LDAP Server URI:
uri ldap://dc3.blue.cam.ac.uk/
LDAP Search Domain:
# The search base that will be used for all queries.
base OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
Update /etc/nsswitch.conf to use ldap:
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
Set binddn and bindpw in /etc/nslcd.conf. Restrict access to the file as it contains the bind password.
# The DN to bind with for normal lookups.
binddn cn=ifsuser1,OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
bindpw password
Add LDAP search filters for object class User and Group in /etc/nslcd.conf
filter passwd (objectClass=User)
filter group (objectClass=Group)
Start (or restart) nscd and enable it on boot up:
systemctl start nscd
systemctl enable nscd
Start (or restart) nslcd and enable it on boot up:
systemctl start nslcd
systemctl enable nslcd
Try to get UID and GID of user ifsuser1:
getent passwd ifsuser1
ifsuser1:*:50001:10001:ifsuser1:/home/ifsuser1:
getent group ifsgroup1
ifsgroup1:*:10001:
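The nslcd steps above ask for /etc/nslcd.conf to be restricted because it holds bindpw. The following is an added example, not part of the original guide, that checks a given nslcd.conf for that; the second check (a bind password used with an ldap:// URI and no `ssl start_tls` line) goes beyond what the guide states and is included as an assumption about what an administrator would also want to verify. The sample file content is constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the IFS guide): audit an nslcd.conf that
# carries a bind password.

# Returns 0 when no finding is raised, 1 when at least one is, 2 when the
# file cannot be read. Findings are printed one per line.
audit_nslcd_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FINDING: $conf is accessible beyond its owner (group/other bits: $perms)"
        findings=$((findings + 1))
    fi

    # A simple bind over plain ldap:// sends bindpw unencrypted unless
    # StartTLS is requested with 'ssl start_tls'.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf" &&
       grep -Eiq '^[[:space:]]*uri[[:space:]].*ldap://' "$conf" &&
       ! grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf"; then
        echo "FINDING: bindpw is used with an ldap:// URI and no 'ssl start_tls'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the settings shown in the guide
# (the password is the guide's placeholder, not a real credential).
write_sample_conf() {
    cat > "$1" <<'EOF'
uri ldap://dc3.blue.cam.ac.uk/
base OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
binddn cn=ifsuser1,OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
bindpw password
filter passwd (objectClass=User)
filter group (objectClass=Group)
EOF
}

# Run against a real file when a path is given, e.g. /etc/nslcd.conf.
if [ "$#" -gt 0 ]; then
    audit_nslcd_conf "$1"
fi
```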
Start the sssd daemon; this requires that your local machine be joined to the AD.
systemctl start sssd
Update /etc/nsswitch.conf with the sssd source.
passwd: compat systemd ldap sss
group: compat systemd ldap sss
shadow: compat ldap sss
Set the attribute use_fully_qualified_names to False in /etc/sssd/sssd.conf.
use_fully_qualified_names = False
systemctl restart sssd
getent passwd ifsuser1
email@example.com:*:307004846:1445400513:ifsuser1:/firstname.lastname@example.org:/bin/bash
getent group ifsgroup1
email@example.com:*:307004899
In case the files in the NFS share have wrong UID/GID:
ll /mnt/nfs4/
total 8
drwxrwxrwx 2 root root 4096 Feb 25 15:48 ./
drwxr-xr-x 3 root root 4096 Feb 21 13:53 ../
-rw-r--r-- 1 nobody 4294967294 0 Feb 25 15:48 file1.txt
Check if LDAP client is configured properly (as described in the sections below).
If nscd and nslcd are used, clear the nscd cache and restart the two services:
nscd -i passwd
nscd -i group
systemctl restart nscd
systemctl restart nslcd
You may also need to clear the sssd cache:
Listing /mnt/nfs4 directory again:
ll /mnt/nfs4/
total 8
drwxrwxrwx 2 root root 4096 Feb 25 15:48 ./
drwxr-xr-x 3 root root 4096 Feb 21 13:53 ../
-rw-r--r-- 1 ifsuser1 ifsgroup1 0 Feb 25 15:48 file1.txt
If nfs4_setfacl cannot be found to configure the ACLs on the share, install the nfs4-acl-tools package on Ubuntu (or its equivalent on RHEL).