Network and Storage Protocols

ISO volume for both NFS and CIFS

jirikanicky
4,804 Views

Hi.

I am quite new to NetApp and I am not able to to configure correct NFS options to be able to use ISO export for both NFS and CIFS.

I need to configure NFS export with:

- Anonymous User ID (65535 is nobody user in /etc/passwd)

- Anonymous Group ID (I am planing to create same group as the user id 65535)

- Root Access with root_squash or all_squash (I need this, because I want to have files from root user with nobody user permissions.)

This will ensure that I have all files uploaded with nobody user permissions. Even from root user. This is quite common configuration on any Linux or OpenFiler, but I struggle with this on NetApp.

Currently I have:
/vol/iso        -sec=sys,rw=172.16.0.0/16,anon=65535

After I have this configured, I am planning to create CIFS share on the same volume /vol/iso and enter the UNIX group that will be automatically assigned to files  in this share.

I was not able to find any document or forum post how to achieve this.

Can anybody advise?

7 REPLIES 7

ekashpureff
4,805 Views

Try using 'sec=none' ?


I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

radek_kubka
4,804 Views

Hi,

You can manipulate mappings using wcc command:

http://now.netapp.com/NOW/knowledge/docs/ontap/rel80/html/ontap/cmdref/man1/na_wcc.1.htm

There is a good TR about multiprotocol access - a bit old, but sill most of the content is accurate:

http://www.netapp.com/us/library/technical-reports/tr-3490.html

Regards,
Radek

jirikanicky
4,804 Views

Hi.

Thanks for the links, but so far i was not able to find out how to make the correct permissions just on NFS.

I need to map every user to anonymous UID and GID, including root (root_squash). I have tried all possible combinations but I am not able to achieve to mount NFS as root and write a file with anonymous UID and GID. I can do this on OpenFiler and that way all files created on the volume have only anonymous permission.

ekashpureff
4,804 Views

Use a unix security style file system on the volume.

sec=secflavor[:secflavor]...

The security flavor of none can also be applied to an export. If the client uses this flavor, then all requests get the effective UID of the anonymous user. Also, if a request arrives with a security context which is not present in the export, and none is allowed, then that request is treated as if it arrived with the flavor of none.

You can use anon= to map anonymous to any UID you want.

Use a method of multiprotocol to map all Windows users to anonymous - usermap.cfg or `

wafl.default_unix_user
Specifies the UNIX user account to use when an authenticated NT user did not match an entry in the usermap.cfg file. If this option is set to the null string, NT users which are not matched in the usermap.cfg file will not be allowed to log in. The default value for this option is `pcuser'.

The problem with this on the windows side is that it will do this for all cifs shares, not just this share.

You may wish to do this on a vfiler.


I hope this response has been more helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

jirikanicky
4,804 Views

Hi.

Thank you for your comment.

Whatever I configure I am still not able to get what I need. Here is an example.

NetApp NFS

/vol/iso        -sec=sys,rw=172.16.0.0/16,root=172.16.0.0/16,anon=65535,nosuid

1. I mount the volume on Linux as root

2. I create a file

3. File is created with root permissions. Not with anonymous user permissions as it suppose to do.

To be able to manage R/W access to any file from CIFS using wafl.default_unix_user, I need to be able to manage the permission from the root user first, because if I create a file as a root, it will have root:root permissions and therefore users accessing the share using CIFS are not able to rewrite or delete the file.

So that is the place I am lost at this moment.

OpenFiler NFS

/mnt/store02/iso/iso 172.16.0.0/255.255.0.0(rw,anonuid=96,anongid=96,secure,all_squash,wdelay,async)

1. If you mount it as root, any file created by root inherits permissions 96:96. This works correctly

2. Samba also rewrites the group to 96.

So here, I have it quite simple and it works as one would expect.

I would be interested to know how other people use ISO share for both Windows and Linux where everyone have got R/W permissions and can delete any file which other user created.

ekashpureff
4,804 Views

Did you ever try sec=none on the export ?


I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.linkedin.com/in/eugenekashpureff http://www.kashpureff.org/

(P.S. I appreciate points for helpful or correct answers.)

jirikanicky
4,804 Views

I have tried all possible combinations and I am not able to find solution.

1.

I still do not understand why I am not able to map anonymous user to different user then 0.

2.

Lets assume that I configure NFS as follows:
/vol/iso -sec=sys,rw,anon=0

Than I create CIFS share over the /vol/iso.

I have got full access as Domain Administrator (rw), however user Everyone can only read (r).

If I change the permission for the user Everyone to full control (rw), it will cut off all NFS users.


Is there any way to change the permissions that Everyone can access the share with full R/W permissions and not break the NFS permissions?

Public