2016-07-15 03:55 AM
I'm having some hard time setting up NFSv3 with anonymous access on NetApp. I'm unable to squash anonymous users.
I’ve read the NetApp’s man page for “exports”. The below is the list of options that I get:
path= anon= nosuid ro= rw= root= sec=
I have no clue how one is supposed to set “all_squash” in this case.
The man exports says that by default, the effective user ID of all anonymous and root NFS client users is 65534. This is my exprots file:
FAS> rdfile /etc/exports /vol/NFS_WEB -sec=sys,rw=10.10.0.149:10.10.0.147,root=10.10.0.147:10.10.0.149,anon=65534,nosuid
Ran the following after setting the exports file:
FAS> exportfs -r
This is the current security context:
FAS> fsecurity show /vol/NFS_WEB [/vol/NFS_WEB - Directory (inum 64)] Security style: Unix Effective style: Unix DOS attributes: 0x0010 (----D---) Unix security: uid: 65534 (pcuser) gid: 65534 (pcuser) mode: 0755 (rwxr-xr-x) No security descriptor available.
These may help as well:
FAS> rdfile /etc/passwd root:_<removed>:0:1::/: pcuser::65534:65534::/: nobody::65535:65535::/: ftp::65533:65533:FTP Anonymous:/home/ftp:
FAS> rdfile /etc/group daemon:*:1: pcuser:*:65534: nobody:*:65535:
So it’s got uid/gid of 65534 on the NetApp.
Now on the NFS client (CentOS 6), I mount the share as NFSv3:
# mount|grep netapp 10.10.0.51:/vol/NFS_WEB/ on /mnt/netapp_nfs type nfs (rw,vers=3,sec=sys,clientaddr=10.10.0.147,addr=10.10.0.51)
These are the uid/gid:
# ls -ld /mnt/netapp_nfs/ drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:11 /mnt/netapp_nfs/ # ls -lnd /mnt/netapp_nfs/ drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:11 /mnt/netapp_nfs/
We see that uid/gid math with the ones we have on the NetApp.
With NFSv3, I should be able to write to the share as a regular user:
$ id uid=3001(test) gid=504(test) groups=504(test),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $ touch /mnt/netapp_nfs/test touch: cannot touch `/mnt/netapp_nfs/test': Permission denied $ ls -ld /mnt/netapp_nfs/ drwxr-xr-x. 3 nfsnobody nfsnobody 4096 Jul 15 11:29 /mnt/netapp_nfs/ $ ls -lnd /mnt/netapp_nfs/ drwxr-xr-x. 3 65534 65534 4096 Jul 15 11:29 /mnt/netapp_nfs/
SELinux is set to permissive:
$ sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted
I’m trying to understand why NFSv3 doesn’t work.
And one more thing to show that it’s not squashing on NFSv3, take a look at the below:
# touch /mnt/netapp_nfs/root # ls -l /mnt/netapp_nfs/root -rw-r--r--. 1 root root 0 Jul 15 11:38 /mnt/netapp_nfs/root
The owner of the file is root and not nfsnobody.
Now if I do the following:
# usermod -aG nfsnobody test # su - test $ id uid=3001(test) gid=504(test) groups=504(test),10(wheel),65534(nfsnobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $ touch /mnt/netapp_nfs/test $ ls -l /mnt/netapp_nfs/test -rw-rw-r--. 1 test test0 Jul 15 11:39 /mnt/netapp_nfs/test
It’s owned by my user test and not nfsnobody (and yes, I’m able to write to the share if my user is a member of the nfsnobody group and when share permissions are 775 – no idea why that’s required).
2016-07-15 05:13 AM
I wasn't aware of that, thanks. However, that still doesn't work for me.
This is what I have on NetApp now:
FAS> exportfs -v /vol/NFS_WEB -sec=sys,rw=10.10.0.149:10.10.0.147,nosuid
On the client, if I try to write as root, it's squashed (root_squash is invoked I suspect):
# touch /mnt/netapp_nfs/root
# ls -l /mnt/netapp_nfs/root -rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 15 13:08 /mnt/netapp_nfs/root
However, my regular user still has no access:
# su - test
$ touch /mnt/netapp_nfs/newtest touch: cannot touch `/mnt/netapp_nfs/newtest': Permission denied
This implies that all_squash doesn't work (but root_squash does).
2016-07-15 08:06 AM
I just tried with sec=none, still get permission denied when trying to write with my regular user.
FAS> exportfs -r
FAS> exportfs -v /vol/NFS_WEB -sec=none,rw=10.10.0.149:10.10.0.147,nosuid
I re-mounted the share on the client, it's now owned by the root (was nfsnobody previously):
# ls -ld /mnt/netapp_nfs/
drwxr-xr-x. 2 root root 4096 Jul 15 16:03 /mnt/netapp_nfs/
# touch /mnt/netapp_nfs/rootnew # ls -l /mnt/netapp_nfs/rootnew -rw-r--r--. 1 root root 0 Jul 15 16:03 /mnt/netapp_nfs/rootnew
Regular user denied:
# su - test
$ touch /mnt/netapp_nfs/testnew touch: cannot touch `/mnt/netapp_nfs/testnew': Permission denied
2016-07-15 08:20 AM
Apologies, I just realised that the share hasn't even been mounted - I tried to write to the folder that resides on a local system, hence root permissions.
I run the following on the client:
# mount -v -t nfs -o vers=3,sec=none 10.10.0.51:/vol/NFS_WEB /mnt/netapp_nfs/ mount.nfs: timeout set for Fri Jul 15 16:18:45 2016 mount.nfs: trying text-based options 'vers=3,sec=none,addr=10.10.0.51' mount.nfs: prog 100003, trying vers=3, prot=6 mount.nfs: trying 10.10.0.51 prog 100003 vers 3 prot TCP port 2049 mount.nfs: prog 100005, trying vers=3, prot=17 mount.nfs: trying 10.10.0.51 prog 100005 vers 3 prot UDP port 4046 mount.nfs: mount(2): Permission denied mount.nfs: access denied by server while mounting 10.10.0.51:/vol/NFS_WEB
The file /var/log/messages on the client says:
localhost kernel: RPC: server 10.10.0.51 requires stronger authentication.
The NetApp tells me that:
[FAS:nfsd.auth.status.bad:warning]: Client 10.10.0.147 has an authentication error 5
So I cannot even mount it now.
2016-07-15 08:59 PM
Looks like feature is broken in 8.x 7-Mode. I got the same result on 8.2. Testing with "exportfs -c" succeeds, as well as mount request from client, but then client got error response when actually accessing volume. I also verified that client does send AUTH_NONE as expected. I then tested on 9.0RC1 (C-mode obviously) and it works as expected (setting sec=none as the only accepted authentication will effectively result in all_squash behavior). I do not have Data ONTAP 7.x to test right now, but I am fairly confident it was working in the past.
I suggest you open case with NetApp support. May be there is some hidden option to do it, but I could not find one. If you get it working I appreciate if you share information (I found old post two years ago with the same question and the same problem with sec=none not working). Thank you!
2016-07-16 02:25 AM
Our ONTAP version is 8.2.2P2.
I do have a case open with NetApp support for over a week now, and so far they had zero luck fixing the issue (that's basically the point where I turned for help to community).
If I manage to get it working, I'll post the solution. Thanks for your help.