Known Problems and Bugs

Quotas and Extended Attributes

Users who have reached their hard quota limit cannot modify extended attributes anymore: modifying an extended attribute amounts to creating a new block, followed by freeing the old block. When the hard quota limit is reached, no more new blocks can be allocated. As soon as a single block becomes available to the user, modifying extended attributes works again.

Network File System (NFS)

Version 2 of the NFS protocol (NFSv2) does not implement the ACCESS remote procedure call, and instead performs some access control decisions at the client machine, based on the file mode permission bits. It grants the user access to cached files if it thinks access is granted by the file mode permission bits. This logic is no longer correct if access control lists are in effect; both false positives and denials might result.
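The mismatch described above can be reproduced with a short model. The following is an added example, not code from the ACL patches or from the NFS client: it compares a decision based on file mode permission bits alone with the POSIX ACL access check algorithm from acl(5). All uids, gids and ACL entries are constructed sample values, and the function names are hypothetical.

```python
# Added illustration: mode-bit check (as an NFSv2 client would apply to cached
# files) versus the POSIX ACL check done on the server. Sample data is constructed.
R, W, X = 4, 2, 1

def mode_check(mode, owner, group, uid, gids, want):
    """Decision from the file mode permission bits alone."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def acl_check(acl, owner, group, uid, gids, want):
    """POSIX ACL access check: owner, named users, group class, then other."""
    mask = acl.get("mask", 7)            # no mask entry means nothing is masked
    if uid == owner:
        return (acl["user_obj"] & want) == want
    if uid in acl.get("users", {}):
        return (acl["users"][uid] & mask & want) == want
    matching = [acl["group_obj"]] if group in gids else []
    matching += [p for g, p in acl.get("groups", {}).items() if g in gids]
    if matching:                         # one matching group entry must suffice
        return any((p & mask & want) == want for p in matching)
    return (acl["other"] & want) == want

def acl_to_mode(acl):
    """With an ACL in effect, the group class bits of the mode carry the mask."""
    return acl["user_obj"] << 6 | acl.get("mask", acl["group_obj"]) << 3 | acl["other"]

# Constructed file: user::rw-, user:1001:r--, group::---, mask::r--, other::---
OWNER, GROUP = 1000, 100
ACL = {"user_obj": R | W, "users": {1001: R}, "group_obj": 0, "mask": R, "other": 0}
MODE = acl_to_mode(ACL)                  # 0o640

def compare(uid, gids, want=R):
    """Return (mode-bit decision, ACL decision) for a read request."""
    return (mode_check(MODE, OWNER, GROUP, uid, gids, want),
            acl_check(ACL, OWNER, GROUP, uid, gids, want))

if __name__ == "__main__":
    print("mode", oct(MODE))
    print("member of owning group:", compare(1002, {100}))  # false positive
    print("named user, other group:", compare(1001, {300}))  # false denial
```

A member of the owning group is granted read access by the mode bits although the group:: entry grants nothing, while the named user is refused by the mode bits although the ACL grants read access.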

Write access is not affected, as all writes are authenticated on the server in all cases. As a workaround to this problem, the ACL patch adds the no_acl export option of the kernel NFS daemon. If no_acl is not specified (the default setting), file mode permission bits are sent to clients unchanged. If no_acl is specified, file mode permission bits are modified so that clients are never granted any access to files to which they might not have access on the server.

The patches for ACL support over NFS in the 2.6 kernel do not yet support the no_acl export option.

Version 4 of the NFS protocol (NFSv4) does support standardized remote procedure calls for getting/setting ACLs. The Linux NFSv4 project only has some of the parts for ACL support in place, so ACLs are not yet fully usable with NFSv4, but the NFSv4 project members are working on it. Client ACL support has been added to NFSv4 in the meantime.

Note that only the kernel NFS daemon has been patched to implement this. The userspace NFS daemon still serves the "wrong" file mode permission bits. The userspace NFS daemon currently only supports NFSv2.



This page was written by Andreas Grünbacher, a.gruenbacher@bestbits.at.