Network and Storage Protocols

Possible to set nfsv3 to pass username instead of uidnumber?

ACOWLESEPLUS
5,030 Views

Hey guys,

 

I'm setting up a multiprotocol system right now, and have run into a minor issue with file access and user mapping.

 

Clustered Data OnTAP 8.3

 

I have a volume with NTFS security style, and a cifs share created. This mounts and works fine.

I have this volume also mounting on a RHEL7 host using NFSv3.

 

I am setting up name-mapping for unix-uids to domain\uid and I have found that I am being denied access on unix.

 

In the event log I can see that the user on the linux system is trying to auth as it's uidnumber and not it's uid, and it tries to usermap that directly to DOMAIN\uidnumber which fails.

 

Example Log output:

 

1/7/2016 11:04:33   hostname        WARNING       secd.nfsAuth.noNameMap: vserver (svm) Cannot map UNIX name to CIFS name. Error: Get user credentials procedure failed
  [     2] Determined UNIX id 317401112 is UNIX user '317401112'
  [     3] Trying to map '317401112' to Windows user 'DOMAIN\317401112' using implicit mapping
  [     4] Successfully connected to domain-controller1:445 using TCP
  [    12] Successfully connected to domain-controller1:88 using TCP
  [    14] Successfully connected to domain-controller1:88 using TCP
  [    25] Successfully authenticated with DC domain-controller1

[ 28] Could not find Windows name 'DOMAIN\317401112'
[ 28] Unable to map '317401112'. No default Windows user defined.
**[ 28] FAILURE: Name mapping for UNIX user '317401112' failed. No mapping found.

 

I am able to work around this by creating my name-mapping such that uidnumber = domain\uid and access is successful on both sides.

 

Ideally, I'd like to be able to use a broad name mapping rule for all users, something like: win to unix DOMAINNAME\\(.+)  -> \1, but that is currently not possible since the values of uid != uidnumber

 

A possible workaround may be to add all unix uid's into the system so it can translate them, vserver services unix-user create, but this is quite the manual process and again not ideal.

 

Does anybody know an addtional setting I'm missing on either linux NFS or the Netapp system itself to have it use uid instead of uidnumber?

 

Thanks in advance.

 

1 ACCEPTED SOLUTION

aborzenkov
5,008 Views
Unix is using UIDs (not names) to authenticate so even if you use NFSv4 names you still must ensure that both ident and server (NetApp) resolve names to the same UIDs.

So you need working name to UID resolution anyway. And no, NFSv3 does not use names (and even with NFSv4 actual authentication - RPC - is still using UIDs).

View solution in original post

2 REPLIES 2

aborzenkov
5,009 Views
Unix is using UIDs (not names) to authenticate so even if you use NFSv4 names you still must ensure that both ident and server (NetApp) resolve names to the same UIDs.

So you need working name to UID resolution anyway. And no, NFSv3 does not use names (and even with NFSv4 actual authentication - RPC - is still using UIDs).

ACOWLESEPLUS
4,977 Views

Not the answer I wanted to hear, but I had racked my brain against everything else.

 

Thank you.

 

AC

Public