Network Storage Protocols Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network Storage Protocols Discussions

Start a New Post

Access denied on 7-mode NFS qtree

explorer12
‎2016-12-07 03:01 AM

 

 

Hi,

 

I have 7-mode netapp where we store snapshots with NFS exports for redhat servers

User rights for that netapp are NOT managed by AD etc, there are just couple of local admin users only used by netap admins.

Linux user1@redhat1 can map to the export and see the snapshots so i think exports settings are ok, (i have just added IP of that Linux host to Allow Read Write list for /vol/test )

Export Rule -> Security flavor is set as : UNIX

 

user1@redhat1 /mnt/tony1 $ cd .snapshot

user1@redhat1 /mnt/tony1/.snapshot $ pwd

/mnt/tony1/.snapshot

 

 

The problem is that user cannot step into the qtree that contains the files user needs, qtree security style is NTFS.

 

[user1@redhat1 sv_weekly.0]$ ls -la qtree_test/

ls: cannot open directory qtree_test/: Permission denied

[user1@redhat1 sv_weekly.0]$ cd qtree_test/

-bash: cd: qtree_test/: Permission denied

 

How can i resolve that issue ?

Do I need to modify usermap.cfg file ? If so, i understand i will have to create additional local user on the netapp.

What entry should i add to usermap.cfg file.

How that mapping should be done so that linux user has just read/right rights to that one qtree.

 

Kind Regards

explorer

 

 

 

0 Kudos
View By:
7 REPLIES 7

parisi
A-Team Tech Advisor A-Team Tech Advisor
‎2016-12-07 06:33 AM

Any time you have to access NTFS security style with NFS/Linux clients, you need a valid Windows user that has access to the files/folders to map the UNIX user to.

 

So, yes, you would need to adjust usermap.cfg.

 

The mapping is only to help the filer determine *who* the UNIX user should be in Window land. After that, the ACLs control access.

 

Usermap syntax is located in the usermap file.

0 Kudos

explorer12
‎2016-12-07 06:44 AM
In response to parisi

 

Thank you for you replay, but to be honest I do not understand sth basic here, where that Windows user came from ? if i have Linux sever directly connecting to Netapp NFS, there is now Windows OS involved in that.

Where that Windows user schould be created ?

 

Regards

explorer12

 

 

0 Kudos

parisi
A-Team Tech Advisor A-Team Tech Advisor
‎2016-12-07 06:59 AM
In response to explorer12

It comes from the NTFS security style qtree. UNIX users and permissions have no idea how to translate NTFS ACLs. The ACLs have users and groups that the UNIX side does not understand. Thus, when authenticating to the filer, ONTAP helps translate from UNIX semantics into NTFS semantics.

 

You don't create the Windows user; you use an existing AD user that is already on the NTFS style qtree's ACLs. You can see permissions from the filer with:

 

filer> fsecurity show /vol/volname/qtree

0 Kudos

explorer12
‎2016-12-07 07:28 AM
In response to parisi

 

 

Ok, I'm test enviroment and i'm free to change whatever i want.

I understand that i need to map client linux user ; USER01 with the Windows user on the filer, and add that mapping information to usermap.cfg

Results of fsecurity command is is as pasted below so in this case what is the correct mapping?

i was adding line "USER01" == root  earlier as i thought it will resolve the access issue, but no results

 


netapp01> fsecurity show /vol/test/qtree_test
[/vol/test/qtree_test - Directory (inum 96)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:
    uid: 0 (root)
    gid: 0
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: BUILTIN\Administrators
    Group: BUILTIN\Administrators
    DACL:
      Allow - Everyone - 0x001f01ff (Full Control)
      Allow - Everyone - 0x10000000 - OI|CI|IO
netapp01>

0 Kudos

parisi
A-Team Tech Advisor A-Team Tech Advisor
‎2016-12-07 07:37 AM
In response to explorer12

The folder has "Everyone - Full" so any windows mapping will work.

 

What does "wcc -u root" show? Is it mapping to a valid Windows user?

0 Kudos

explorer12
‎2016-12-07 07:46 AM
In response to parisi

 

Looks like no mapping at all

 

> wcc -u root
Mapped user not found
Issue "options cifs.trace_login on" to get more detailed information.
>

0 Kudos

parisi
A-Team Tech Advisor A-Team Tech Advisor
‎2016-12-07 08:35 AM
In response to explorer12

Looks like you found the issue then.

 

Is the filer joined to AD at all?

 

If not, change the security style to UNIX.

 

If so, make sure your usermap entry syntax is correct.

 

https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-83730CE4-A3FC-46B5-918D-2790D205A22B.html

 

In your case:

 

domain\user == root

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public