Network and Storage Protocols

Permission Denied - NFS Mount from linux host to Netapp Qtree/NFSExport w/ NTFS permissions

JLundfelt

I have an issue with a NFS export on a controller with a NTFS qtree and NTFS permissions. What's weird is that I can mount the export from a linux host, and browse the directory tree, but only while logged in as root. If I login with any other account, I can mount, but not browse the export:

Client Error

[spice@irv-dev-ieapi1 ~]$ cd /mnt/Omniture

-bash: cd: /mnt/Omniture: Permission denied

fstab / mounts

Works

  lv-gdc-san1b.prod.mycompany.com:/vol/Archive/PI/archive/export on /mnt/PIExport type nfs (rw,hard,intr,tcp,addr=10.20.96.101)

Doesn’t work

  irv-gdc-san1a.corp.mycompany.com:/vol/Archive/DA/Omniture on /mnt/Omniture type nfs (rw,hard,intr,tcp,addr=10.228.26.100)

NetApp (irv-gdc-san1a)

Qtree

Qtree         : DA

SecurityStyle : ntfs

Status        : normal

Volume        : Archive

Security      : ntfs

NFSExport


irv-gdc-san1a> wcc -u spice

Thu Nov  7 07:05:40 PST last message repeated 3 times

Thu Nov  7 07:05:42 PST [irv-gdc-san1a: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Lookup of account "mycompany\#pcuser#" failed: STATUS_NONE_MAPPED (0xc0000073).

Mapped user not found

Thu Nov  7 07:05:42 PST [irv-gdc-san1a: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Located account "mycompany\pcuser" in domain "mycompany"..

irv-gdc-san1a> wcc -u pcuser

(NT - UNIX) account name(s):  (KBB\pcuser - pcuser)

        ***************

        UNIX uid = 65534

          NT membership

                KBB\pcuser

                KBB\KBBcomSP_ReadAccess

                KBB\CDM_ITFileShare

                KBB\WebBusAnalytics_Read_SP

                KBB\Domain Users

                KBB\CERTSVC_DCOM_ACCESS

                BUILTIN\Users

        User is also a member of Everyone, Network Users,

        Authenticated Users

        ***************

Usermap.cfg file-

#mycompany\"#pcuser" <= root

mycompany\"#pcuser" <= nz

mycompany\"#pcuser#" <= biadmin

mycompany\pcuser <= spice

#mycompany\"#pcuser#" <= *

I have tried every variation of syntax on the usermap.cfg file, and cannot get the configuration I need, for all unix users to get mapped to a windows account 'pcuser'. I have validated that account has permissions, and can get to that same location via CIFS from a windows system just fine. What's even more strange is that the mount that is working is going to a similar NetApp that doesn't even have any usermap.cfg, or passwd entries. Anyone have any thoughts on this? I definitely don't want to change the qtree security style to Mixed or unix.

1 ACCEPTED SOLUTION

billshaffer

Does the AD username really have the hashes?  It didn't in the AD account snip....

If the NTFS ACL says everyone can read, that may be what is allowing root in, and the failure of the other users would be the lack of a working usermap.  In unix qtrees, root shouldn't have access unless the root= option is set, but it could be that because this is NTFS that is overridden.

But that doesn't explain why the system with no usermap works - unless your unix IDs are the same as your AD IDs, in which case the mapping is done automatically.  Or, if the default mapped user on the working system has access through the NTFS ACL, that would explain it too.  Which brings up a question - if the ACLs allow everyone read access, why are you trying to map the users?  I assumed the ACLs allowed only pcuser access, in which case it would make sense.

Bill

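The following is an added example, not code from either poster or from NetApp. It is a toy model of how the usermap.cfg lines quoted in the question would be read for UNIX-to-NT mapping, written to reason about why the controller trace shows an LSA lookup for the literal account "mycompany\#pcuser#". The parsing rules it assumes (leading "#" is a comment, double quotes are stripped and the characters inside are taken literally, "<=" / "=>" / "==" are the direction operators, "*" is a wildcard, first matching entry wins) are taken from the documented Data ONTAP 7-mode usermap.cfg format and have not been verified against the filer; the sample file contents are copied from the post, with a second constructed variant that adds the catch-all entry the poster says they want.

```python
"""Toy model of UNIX -> NT name mapping through a 7-mode style usermap.cfg.

Assumptions (not verified against Data ONTAP itself):
  - a line whose first non-blank character is '#' is a comment
  - a name may be wrapped in double quotes; the quotes are removed and
    everything inside, including '#', is kept literally
  - direction operators: '<=' (UNIX -> NT), '=>' (NT -> UNIX), '==' (both)
  - '*' on the UNIX side matches any UNIX user; '*' on the NT side means
    "use the same name as the UNIX user"
  - entries are tried in file order and the first match wins
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the usermap.cfg quoted in the question.
POSTED_USERMAP = r'''
#mycompany\"#pcuser" <= root
mycompany\"#pcuser" <= nz
mycompany\"#pcuser#" <= biadmin
mycompany\pcuser <= spice
#mycompany\"#pcuser#" <= *
'''

# Constructed variant: one unquoted catch-all entry, which is what the
# poster says they want (every UNIX user -> mycompany\pcuser).
CATCHALL_USERMAP = r'''
mycompany\pcuser <= *
'''

ENTRY_RE = re.compile(
    r'^(?:(?P<dom>[^\\\s"]+)\\)?(?P<nt>"[^"]*"|[^\s"]+)'   # [DOMAIN\]ntname
    r'\s*(?P<dir><=|=>|==)\s*'                             # direction
    r'(?P<unix>"[^"]*"|\S+)$'                              # unixname
)


@dataclass
class Entry:
    domain: Optional[str]
    nt_user: str
    direction: str
    unix_user: str


def unquote(name: str) -> str:
    """Strip one pair of surrounding double quotes, keep the inside literally."""
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        return name[1:-1]
    return name


def parse_usermap(text: str) -> List[Entry]:
    """Parse usermap.cfg text into entries, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable usermap entry: {raw!r}")
        entries.append(Entry(m['dom'], unquote(m['nt']), m['dir'], unquote(m['unix'])))
    return entries


def map_unix_to_nt(entries: List[Entry], unix_user: str) -> Optional[str]:
    """Return the DOMAIN\\name the filer would look up for unix_user, or None."""
    for e in entries:
        if e.direction not in ('<=', '=='):
            continue                     # NT -> UNIX only, irrelevant here
        if e.unix_user in ('*', unix_user):
            nt = unix_user if e.nt_user == '*' else e.nt_user
            return f"{e.domain}\\{nt}" if e.domain else nt
    return None                          # no entry: falls back to the default mapping


POSTED = parse_usermap(POSTED_USERMAP)
FIXED = parse_usermap(POSTED_USERMAP + CATCHALL_USERMAP)

if __name__ == "__main__":
    for user in ("biadmin", "nz", "spice", "root", "someone"):
        print(f"{user:8} posted -> {map_unix_to_nt(POSTED, user)!s:22} "
              f"with catch-all -> {map_unix_to_nt(FIXED, user)}")
```

Under these rules the entry for biadmin yields the literal account name "mycompany\#pcuser#", which is exactly the name the auth trace in the question reports as STATUS_NONE_MAPPED, while the unquoted entry for spice resolves to "mycompany\pcuser", the account the trace does locate. Any UNIX user not named in the posted file gets no usermap hit at all and falls through to the filer's default mapping, which is consistent with the uid 65534 shown by wcc.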
