How to enforce all_squash for NFSv3 on NetApp?

VincentValentine

Hi there,

I'm having a hard time setting up NFSv3 with anonymous access on NetApp. I'm unable to squash anonymous users.

I’ve read NetApp’s man page for “exports”. Below is the list of options that I get:

path=
anon=
nosuid
ro=
rw=
root=
sec=

I have no clue how one is supposed to set “all_squash” in this case.

The exports man page says that by default, the effective user ID of all anonymous and root NFS client users is 65534. This is my exports file:

FAS> rdfile /etc/exports
/vol/NFS_WEB      -sec=sys,rw=10.10.0.149:10.10.0.147,root=10.10.0.147:10.10.0.149,anon=65534,nosuid

Ran the following after setting the exports file:

FAS> exportfs -r

This is the current security context:

FAS>  fsecurity show /vol/NFS_WEB

[/vol/NFS_WEB - Directory (inum 64)]

  Security style: Unix
  Effective style: Unix

   DOS attributes: 0x0010 (----D---)

   Unix security:

    uid: 65534 (pcuser)
    gid: 65534 (pcuser)
    mode: 0755 (rwxr-xr-x)

   No security descriptor available.

These may help as well:

FAS> rdfile /etc/passwd
root:_<removed>:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:

FAS> rdfile /etc/group
daemon:*:1:
pcuser:*:65534:
nobody:*:65535:

So it’s got uid/gid of 65534 on the NetApp.

Now on the NFS client (CentOS 6), I mount the share as NFSv3:

# mount|grep netapp
10.10.0.51:/vol/NFS_WEB/ on /mnt/netapp_nfs type nfs (rw,vers=3,sec=sys,clientaddr=10.10.0.147,addr=10.10.0.51)

These are the uid/gid:

# ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:11 /mnt/netapp_nfs/

# ls -lnd /mnt/netapp_nfs/
drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:11 /mnt/netapp_nfs/

We see that the uid/gid match the ones we have on the NetApp.

With NFSv3, I should be able to write to the share as a regular user:

$ id
uid=3001(test) gid=504(test) groups=504(test),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ touch /mnt/netapp_nfs/test
touch: cannot touch `/mnt/netapp_nfs/test': Permission denied

$ ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:29 /mnt/netapp_nfs/

$ ls -lnd /mnt/netapp_nfs/
drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:29 /mnt/netapp_nfs/

SELinux is set to permissive:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

I’m trying to understand why NFSv3 doesn’t work.

And one more thing to show that it’s not squashing on NFSv3, take a look at the below:

# touch /mnt/netapp_nfs/root
# ls -l /mnt/netapp_nfs/root
-rw-r--r--. 1 root root 0 Jul 15 11:38 /mnt/netapp_nfs/root

The owner of the file is root and not nfsnobody.

Now if I do the following:

# usermod -aG nfsnobody test

# su - test

$ id
uid=3001(test) gid=504(test) groups=504(test),10(wheel),65534(nfsnobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ touch /mnt/netapp_nfs/test

$ ls -l /mnt/netapp_nfs/test
-rw-rw-r--. 1 test test 0 Jul 15 11:39 /mnt/netapp_nfs/test

It’s owned by my user test and not nfsnobody (and yes, I’m able to write to the share if my user is a member of the nfsnobody group and when share permissions are 775 – no idea why that’s required).
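The identity mapping at work in this post, as an added example that is not part of the original thread and not NetApp's code: a small Python model that parses the 7-mode style exports line quoted above (only the option subset it uses), works out the uid the filer would act as for an NFSv3 AUTH_SYS request, and applies a plain owner/group/other mode check to the 65534:65534 0755 directory that fsecurity show reported. The semantics modelled are that anon= applies only to uid 0 from hosts not listed in root=, and that every other uid passes through unchanged (the option list in the post has no all_squash). The scenario names, the helper functions, the "tightened" export line with root= dropped, and the choice to leave group ids as the client sent them are my assumptions.

```python
"""Identity mapping of a Data ONTAP 7-mode exports line for NFSv3 AUTH_SYS clients.

Added illustration for the thread above, not NetApp's code.  Only the option
subset in the quoted exports line is handled (sec=, rw=, ro=, root=, anon=,
nosuid) and the filer's Unix security style is modelled as a plain mode check.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_ANON = 65534  # default anon uid per the exports man page quoted above
HOST_LIST_OPTS = ("rw", "ro", "root", "sec")  # options carrying ':'-separated lists


@dataclass
class Export:
    path: str
    rw: list = field(default_factory=list)    # empty list after a bare 'rw' means everyone
    ro: list = field(default_factory=list)
    root: list = field(default_factory=list)  # hosts whose root is NOT squashed
    sec: list = field(default_factory=list)
    anon: int = DEFAULT_ANON                  # uid that squashed root is mapped to
    nosuid: bool = False


def parse_export_line(line: str) -> Export:
    """Parse '<path> -opt,opt=val,...' as written in /etc/exports."""
    parts = line.split(None, 1)
    if len(parts) != 2 or not parts[1].startswith("-"):
        raise ValueError(f"not an export line: {line!r}")
    exp = Export(path=parts[0])
    for opt in parts[1][1:].split(","):
        key, _, val = opt.partition("=")
        if key in HOST_LIST_OPTS:
            setattr(exp, key, val.split(":") if val else [])
        elif key == "anon":
            exp.anon = int(val)
        elif key == "nosuid":
            exp.nosuid = True
        else:
            raise ValueError(f"option not modelled here: {opt!r}")
    return exp


def unsquashed_root_hosts(exp: Export) -> list:
    """Audit helper: clients whose uid 0 stays uid 0 on this export."""
    return list(exp.root)


def effective_uid(exp: Export, client_host: str, client_uid: int) -> int:
    """Only uid 0 is remapped (to anon=, unless the client is listed in root=);
    all other uids pass through.  Group ids are left as sent in this model."""
    if client_uid == 0 and client_host not in exp.root:
        return exp.anon
    return client_uid


def can_write(dir_uid: int, dir_gid: int, mode: int, uid: int, gids: set) -> bool:
    """Owner/group/other write check for a Unix-security-style directory."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & 0o200)
    if dir_gid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


# Constructed inputs: the exports line, client address and directory owner
# from the post, plus a tightened variant (assumption) with root= dropped.
POST_EXPORT = ("/vol/NFS_WEB      -sec=sys,rw=10.10.0.149:10.10.0.147,"
               "root=10.10.0.147:10.10.0.149,anon=65534,nosuid")
TIGHTENED_EXPORT = "/vol/NFS_WEB -sec=sys,rw=10.10.0.149:10.10.0.147,anon=65534,nosuid"
CLIENT = "10.10.0.147"
DIR_UID, DIR_GID = 65534, 65534


def attempt(line: str, uid: int, gids: set, mode: int) -> tuple:
    """Return (uid a new file would be owned by, whether the touch succeeds)."""
    euid = effective_uid(parse_export_line(line), CLIENT, uid)
    return euid, can_write(DIR_UID, DIR_GID, mode, euid, gids)


def scenarios() -> dict:
    return {
        # $ touch as uid 3001 (gids 504,10) against the 0755 directory
        "regular_user_0755": attempt(POST_EXPORT, 3001, {504, 10}, 0o755),
        # # touch as root: 10.10.0.147 is listed in root=, so no squash
        "root_listed_in_root_opt": attempt(POST_EXPORT, 0, {0}, 0o755),
        # same user after usermod -aG nfsnobody, directory now 0775
        "user_in_nfsnobody_group_0775": attempt(POST_EXPORT, 3001, {504, 10, 65534}, 0o775),
        # root again, but the client is no longer in root=
        "root_after_tightening": attempt(TIGHTENED_EXPORT, 0, {0}, 0o755),
    }


if __name__ == "__main__":
    print("unsquashed root from:", unsquashed_root_hosts(parse_export_line(POST_EXPORT)))
    for name, (owner, ok) in scenarios().items():
        print(f"{name:30} effective uid {owner:5}  write {'allowed' if ok else 'denied'}")
```

Running it reproduces the three outcomes shown in the post (the touch as uid 3001 denied against 0755, root creating a root-owned file because 10.10.0.147 appears in root=, and the write succeeding once 65534 is among the user's groups with the directory at 0775) and adds the case an auditor would want to see: with the client removed from root=, its root is mapped to anon=65534, which is the directory owner. The unsquashed_root_hosts check is the line item to review on any export, since every host in root= keeps real root on the volume.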

 
