Subscribe

How to enforce all_squash for NFSv3 on NetApp?

Hi there,

 

I'm having some hard time setting up NFSv3 with anonymous access on NetApp. I'm unable to squash anonymous users.

 

I’ve read the NetApp’s man page for “exports”.  The below is the list of options that I get:

 

path=
anon=
nosuid
ro=
rw=
root=
sec=

 

I have no clue how one is supposed to set “all_squash” in this case.

 

The man exports says that by default, the effective user ID of all anonymous and root NFS client users is 65534. This is my exprots file:

 

FAS> rdfile /etc/exports
/vol/NFS_WEB      -sec=sys,rw=10.10.0.149:10.10.0.147,root=10.10.0.147:10.10.0.149,anon=65534,nosuid

 

Ran the following after setting the exports file:

 

FAS> exportfs -r

This is the current security context:

 

FAS>  fsecurity show /vol/NFS_WEB

[/vol/NFS_WEB - Directory (inum 64)]

  Security style: Unix
  Effective style: Unix

   DOS attributes: 0x0010 (----D---)

   Unix security:

    uid: 65534 (pcuser)
    gid: 65534 (pcuser)
    mode: 0755 (rwxr-xr-x)

   No security descriptor available.

 

These may help as well:

 

 

FAS> rdfile /etc/passwd
root:_<removed>:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:

 

 

FAS> rdfile /etc/group
daemon:*:1:
pcuser:*:65534:
nobody:*:65535:

So it’s got uid/gid of 65534 on the NetApp.

 

Now on the NFS client (CentOS 6), I mount the share as NFSv3:

 

# mount|grep netapp
10.10.0.51:/vol/NFS_WEB/ on /mnt/netapp_nfs type nfs (rw,vers=3,sec=sys,clientaddr=10.10.0.147,addr=10.10.0.51)

These are the uid/gid:

 

# ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:11 /mnt/netapp_nfs/

# ls -lnd /mnt/netapp_nfs/
drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:11 /mnt/netapp_nfs/

 

We see that uid/gid math with the ones we have on the NetApp.

 

With NFSv3, I should be able to write to the share as a regular user:

 

$ id
uid=3001(test) gid=504(test) groups=504(test),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ touch /mnt/netapp_nfs/test
touch: cannot touch `/mnt/netapp_nfs/test': Permission denied

$ ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:29 /mnt/netapp_nfs/

$ ls -lnd /mnt/netapp_nfs/
drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:29 /mnt/netapp_nfs/

SELinux is set to permissive:

 

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

 

I’m trying to understand why NFSv3 doesn’t work.

 

 

And one more thing to show that it’s not squashing on NFSv3, take a look at the below:

 

# touch /mnt/netapp_nfs/root
# ls -l /mnt/netapp_nfs/root
-rw-r--r--. 1 root root 0 Jul 15 11:38 /mnt/netapp_nfs/root

 

The owner of the file is root and not nfsnobody.

 

Now if I do the following:

 

# usermod -aG nfsnobody test

# su - test

$ id
uid=3001(test) gid=504(test) groups=504(test),10(wheel),65534(nfsnobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ touch /mnt/netapp_nfs/test

$ ls -l /mnt/netapp_nfs/test
-rw-rw-r--. 1 test test0 Jul 15 11:39 /mnt/netapp_nfs/test

It’s owned by my user test and not nfsnobody (and yes, I’m able to write to the share if my user is a member of the nfsnobody group and when share permissions are 775 – no idea why that’s required).

 

Re: How to enforce all_squash for NFSv3 on NetApp?

All_squash is default if you do not explicitly give root= option.

Re: How to enforce all_squash for NFSv3 on NetApp?

I wasn't aware of that, thanks. However, that still doesn't work for me.

 

This is what I have on NetApp now:

 

FAS> exportfs -v
/vol/NFS_WEB      -sec=sys,rw=10.10.0.149:10.10.0.147,nosuid

On the client, if I try to write as root, it's squashed (root_squash is invoked I suspect):

 

# touch /mnt/netapp_nfs/root
# ls -l /mnt/netapp_nfs/root -rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 15 13:08 /mnt/netapp_nfs/root

However, my regular user still has no access:

 

# su - test
$ touch /mnt/netapp_nfs/newtest touch: cannot touch `/mnt/netapp_nfs/newtest': Permission denied

This implies that all_squash doesn't work (but root_squash does).

Re: How to enforce all_squash for NFSv3 on NetApp?

I apologize - I misunderstood your question. Try sec=none option; then all connections are treated as anonymous.

Re: How to enforce all_squash for NFSv3 on NetApp?

I just tried with sec=none, still get permission denied when trying to write with my regular user.

 

 

FAS> exportfs -r
FAS> exportfs -v /vol/NFS_WEB -sec=none,rw=10.10.0.149:10.10.0.147,nosuid

I re-mounted the share on the client, it's now owned by the root (was nfsnobody previously):

 

# ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 2 root root 4096 Jul 15 16:03 /mnt/netapp_nfs/

# touch /mnt/netapp_nfs/rootnew # ls -l /mnt/netapp_nfs/rootnew -rw-r--r--. 1 root root 0 Jul 15 16:03 /mnt/netapp_nfs/rootnew

Regular user denied:

 

# su - test
$ touch /mnt/netapp_nfs/testnew touch: cannot touch `/mnt/netapp_nfs/testnew': Permission denied

 

Re: How to enforce all_squash for NFSv3 on NetApp?

Apologies, I just realised that the share hasn't even been mounted - I tried to write to the folder that resides on a local system, hence root permissions.

 

I run the following on the client:

 

# mount -v -t nfs -o vers=3,sec=none 10.10.0.51:/vol/NFS_WEB /mnt/netapp_nfs/
mount.nfs: timeout set for Fri Jul 15 16:18:45 2016
mount.nfs: trying text-based options 'vers=3,sec=none,addr=10.10.0.51'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.10.0.51 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.10.0.51 prog 100005 vers 3 prot UDP port 4046
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 10.10.0.51:/vol/NFS_WEB

The file /var/log/messages on the client says:

 

 localhost kernel: RPC: server 10.10.0.51 requires stronger authentication.

The NetApp tells me that:

 

 

[FAS:nfsd.auth.status.bad:warning]: Client 10.10.0.147 has an authentication error 5

So I cannot even mount it now.

 

Re: How to enforce all_squash for NFSv3 on NetApp?

You need to export with sec=none on NetApp side.

Re: How to enforce all_squash for NFSv3 on NetApp?

It's been done, see my previous reply.

 

FAS> exportfs -v
/vol/NFS_WEB      -sec=none,rw=10.10.0.149:10.10.0.147,nosuid

Re: How to enforce all_squash for NFSv3 on NetApp?

Looks like feature is broken in 8.x 7-Mode. I got the same result on 8.2. Testing with "exportfs -c" succeeds, as well as mount request from client, but then client got error response when actually accessing volume. I also verified that client does send AUTH_NONE as expected. I then tested on 9.0RC1 (C-mode obviously) and it works as expected (setting sec=none as the only accepted authentication will effectively result in all_squash behavior). I do not have Data ONTAP 7.x to test right now, but I am fairly confident it was working in the past.

 

I suggest you open case with NetApp support. May be there is some hidden option to do it, but I could not find one. If you get it working I appreciate if you share information (I found old post two years ago with the same question and the same problem with sec=none not working). Thank you!

Re: How to enforce all_squash for NFSv3 on NetApp?

Our ONTAP version is 8.2.2P2.

 

I do have a case open with NetApp support for over a week now, and so far they had zero luck fixing the issue (that's basically the point where I turned for help to community).

 

If I manage to get it working, I'll post the solution. Thanks for your help.