Network Storage Protocols Discussions

NFS Questions

JOSHBAIRD

Hi,

I have an NFSv3 export configured, and a specific host granted "Read Write" access. When I mount this NFS export on the remote client, all permissions automatically become 777 and it is owned by root. I want the NFS filesystem to be owned by another user, and I don't want permissions to be 777 (so that not everyone on the remote host has read/write access to it).

I believe I first need to add users to the Filer's /etc/passwd and /etc/group with UIDs/GIDs that match those on the remote host. How can I do this? I don't see an option in useradmin to specify UID/GID. Do I need to manually drop to a shell and modify /etc/passwd and /etc/group?

How do I keep the export from forcing 777 on the remote host?

Thanks!


Re: NFS Questions

LTDCLSERGAO

Hello,

Did you mount the NFS export with the option vers=3?

Question: Why don't you use NFSv4?

Re: NFS Questions

JOSHBAIRD

I'm going to test NFSv4 as well.  But, I still think I face the same problems with UID/GID and having to define users in the Filer's /etc/passwd?

Re: NFS Questions

LTDCLSERGAO

With NFSv4 you don't have to create users on the filer; you just define nfs.v4.id.domain to be the same as the domain you configure on your client.

To set UID/GID on the file/directory you could use the setfacl command on the client.

Re: NFS Questions

JOSHBAIRD

Ok, so you only use ACLs in NFSv4? What user/group would own the actual files on the remote host, though? Thanks for the info!

Re: NFS Questions

LTDCLSERGAO

With setfacl you can, for example, leave root as owner and set rwx (or whatever you need) rights for a list of users.

I guess you are mounting a qtree, so you can also change the owner from root to another user with the chown command (for this, you have to mount the volume and change the owner on the qtree).

Re: NFS Questions

JOSHBAIRD

Hi,

If I wish to control access via ACLs on the client side, what options should I export with on the Filer? Should I also control access per host at the filer using rw=hostname, etc.?

Thanks

Re: NFS Questions

LTDCLSERGAO

hello,

Yes, you should control access per host on the filer using rw and root.

On the client, do you have NIS / LDAP for authentication?

Re: NFS Questions

JOSHBAIRD

Yes, but not for every user.  The user who needs to own the files and directories is not a LDAP/NIS user, it is a local /etc/passwd user.

Re: NFS Questions

JOSHBAIRD

Ok, got the mount working correctly, but I'm unable to use setfacl.  ACL support is enabled on the filer.

setfacl: hi3: Operation not supported

Client is RHEL6.  Export is mounted with:

filer:/vol/vol4/ePortalShare on /mnt/test type nfs4 (rw,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=3,sec=sys,addr=172.26.103.122,clientaddr=172.26.101.56)

Any ideas?

Thanks!

Re: NFS Questions

JOSHBAIRD

Ok, I think I need to use "nfs4_setfacl" on RHEL (instead of setfacl) to set the ACLs. Do I have to export the filesystem read+write, or should I just use an ACL to allow write access? If I export the filesystem as read+write, then every user on the client machine can delete/modify/create new files, regardless of the ACL setting. This is not what I was looking for. I want to use ACLs to restrict which local users on the client machine can modify files on the NFS export.

Thanks!
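An added example (not from this thread, and not NetApp or RHEL tooling) of what a practitioner would run after setting ACLs with nfs4_setfacl: a small Python script that parses nfs4_getfacl(1) output and reports which principals hold write-class permissions, flagging an EVERYONE@ write grant and any principal that is not qualified with the expected nfs.v4.id.domain (the thread's symptom of a user known to the client but not to the filer's domain). The ACL text below is constructed sample output; the file name hi3 is taken from the post above, while the user me@labo.domain.fr and the unqualified user xyz are made up for illustration, and labo.domain.fr is the id domain shown on the filer later in the thread. Given a path on the command line it runs nfs4_getfacl on that path instead of using the sample.

```python
"""Report who can write to a file on an NFSv4 mount, from nfs4_getfacl(1) output.

Added example for this thread, not NetApp or RHEL code. nfs4_getfacl prints one
ACE per line as type:flags:principal:perms (see nfs4_acl(5)); permission letters
are r w a x d D t T n N c C o y. Principals are OWNER@/GROUP@/EVERYONE@ or
user@domain / group@domain, where domain is the server's nfs.v4.id.domain.
"""
import subprocess
import sys

# Letters that let a principal change data, attributes, the ACL or the owner.
WRITE_PERMS = set("wadDTNCo")
SPECIAL = {"OWNER@", "GROUP@", "EVERYONE@"}
ID_DOMAIN = "labo.domain.fr"   # id domain shown on the filer later in the thread

# Constructed sample output (not captured from a real mount); me and xyz are
# illustrative names. xyz is denied 'w' before being allowed it, so it is not a writer.
SAMPLE_ACL = """\
# file: /mnt/test/hi3
A::OWNER@:rwatTnNcCy
A::me@labo.domain.fr:rwaxtTnNcy
A:g:GROUP@:rtncy
A::EVERYONE@:rwatncy
D::xyz:w
A::xyz:rwtncy
"""

def parse_nfs4_acl(text):
    """Return (type, flags, principal, perms) for each ACE, skipping comments."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4 or parts[0] not in ("A", "D", "U", "L"):
            raise ValueError("malformed ACE: %r" % line)
        aces.append(tuple(parts))
    return aces

def writers(aces):
    """Map principal -> write-class letters granted to it by Allow ACEs.

    ACEs are evaluated in order and the first match for a permission wins, so a
    Deny that appears earlier for the same principal removes that letter. This is
    a per-principal summary, not a full access check: an EVERYONE@ or group Deny
    is not propagated to the named users it would also cover.
    """
    denied, granted = {}, {}
    for ace_type, flags, principal, perms in aces:
        if ace_type == "D":
            denied.setdefault(principal, set()).update(perms)
        elif ace_type == "A":
            effective = (set(perms) & WRITE_PERMS) - denied.get(principal, set())
            if effective:
                granted.setdefault(principal, set()).update(effective)
    return granted

def findings(aces, id_domain):
    """Warnings: a world write grant, and principals outside the expected id domain."""
    out, seen = [], set()
    w = writers(aces)
    if "EVERYONE@" in w:
        out.append("EVERYONE@ can write (%s): the file is effectively world-writable"
                   % "".join(sorted(w["EVERYONE@"])))
    for _, _, principal, _ in aces:
        if principal in SPECIAL or principal in seen:
            continue
        seen.add(principal)
        if "@" not in principal or principal.rsplit("@", 1)[-1] != id_domain:
            out.append("principal %r is not qualified with id domain %s "
                       "(check nfs.v4.id.domain / NFSMAPID_DOMAIN or idmapd)"
                       % (principal, id_domain))
    return out

def audit(text, id_domain=ID_DOMAIN):
    return findings(parse_nfs4_acl(text), id_domain)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live run: needs nfs4_getfacl (package nfs4-acl-tools on RHEL)
        text = subprocess.run(["nfs4_getfacl", sys.argv[1]], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_ACL
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it as `python3 nfs4_audit.py /mnt/test/hi3` on the client; with no argument it audits the embedded sample. The point of the domain check is the one made elsewhere in the thread: an ACE for a user the filer cannot map into its id domain is either rejected when set or, if it lands, names a principal the server will not match.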

Re: NFS Questions

LTDCLSERGAO

Hello,

My experience with NFSv4 was with Solaris; I think it's the same thing for Red Hat.

I exported the volume /vol/test (with rw and root rights for my host) and mounted it.

Then I did a chmod 744 on my qtree.

I unmounted the volume and then mounted my qtree (with rw and root rights for my host).

I created a file toto as root on the qtree:

16:37:27 root@host:/mount_TEST4
1266# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
group::r--              #effective:r--
mask:rwx
other:r--
16:37:38 root@host:/mount_TEST4

--> I try to modify the file as the user "me":

bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ cd /mount_TEST4
bash-3.00$ ls -la toto
-rw-r--r--   1 root     root           0 Feb 19 16:37 toto
bash-3.00$ echo "hello" > toto
bash: toto: Permission denied
bash-3.00$

 

--> I add the user "me" with setfacl so it has rwx access to the file:

16:39:44 root@host:/mount_TEST4
1273# setfacl -m user:me:rwx toto
16:39:48 root@host:/mount_TEST4
1274# ls -la toto
-rw-r--r--+  1 root     root           0 Feb 19 16:37 toto
16:39:50 root@host:/mount_TEST4
1275# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx               #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--

--> test:

bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ echo "hello" > toto
bash-3.00$

--> test with the oracle user:

16:45:59 oracle@host:/
1$ cd /mount_TEST4
16:46:04 oracle@host:/mount_TEST4
2$ echo "hello" > toto
bash: toto: Permission denied

===

16:41:14 root@host:/mount_TEST4
1277# setfacl -m user:oracle:rwx toto
16:46:13 oracle@host:/mount_TEST4
3$ echo "hello" > toto
16:46:53 oracle@host:/mount_TEST4

I don't know how to configure NFSv4 on Red Hat, but on Solaris I do it like below:

--> on the filer:

Filer> options nfs.v4
nfs.v4.acl.enable            on         (value might be overwritten in takeover)
nfs.v4.enable                on         (value might be overwritten in takeover)
nfs.v4.id.domain             labo.domain.fr
nfs.v4.read_delegation       off        (value might be overwritten in takeover)
nfs.v4.setattr_acl_preserve  off        (value might be overwritten in takeover)
nfs.v4.write_delegation      off        (value might be overwritten in takeover)

--> on the host:

16:29:12 root@host:/etc/default
1119# cat nfs | grep DOMAIN
NFSMAPID_DOMAIN=labo.domain.fr

Hope this will help.
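As an added example (not part of the post above): the Solaris session shows the POSIX ACL semantics that decide each test, namely that a named user entry is filtered through the mask entry while the owner entry is not, and that a user matching no user or group entry falls through to other. The Python below implements that evaluation as specified in acl(5) over getfacl output. The first sample ACL is constructed to match the one printed above (owner root, user:me:rwx, mask rwx); the second, with a restrictive mask, is made up to show why getfacl prints "#effective:" annotations. It understands both the Solaris "mask:rwx" form shown here and the Linux "mask::rwx" form.

```python
"""Who can do what on a file, computed from getfacl(1) output (POSIX.1e ACLs).

Added example for this thread, not code from it. Access-check order per acl(5):
owner entry, then named user entries, then the owning group and named group
entries (any matching group entry that grants a permission suffices), then
other. Named-user and all group entries are filtered through the mask; the
owner and other entries are not.
"""
from collections import namedtuple

Acl = namedtuple("Acl", "owner group user_obj named_users group_obj named_groups mask other")

def parse_getfacl(text):
    """Parse getfacl output in Solaris ('mask:rwx') or Linux ('mask::rwx') style."""
    owner = group = mask = None
    user_obj = group_obj = other = "---"
    named_users, named_groups = {}, {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("# owner:"):
            owner = stripped.split(":", 1)[1].strip()
            continue
        if stripped.startswith("# group:"):
            group = stripped.split(":", 1)[1].strip()
            continue
        entry = stripped.split("#", 1)[0].strip()   # drops '# file:' and '#effective:' text
        if not entry:
            continue
        parts = entry.split(":")
        tag, perms = parts[0], parts[-1]
        qualifier = parts[1] if len(parts) == 3 else ""
        if tag == "user":
            if qualifier:
                named_users[qualifier] = perms
            else:
                user_obj = perms
        elif tag == "group":
            if qualifier:
                named_groups[qualifier] = perms
            else:
                group_obj = perms
        elif tag == "mask":
            mask = perms
        elif tag == "other":
            other = perms
        else:
            raise ValueError("unknown ACL tag in %r" % raw)
    return Acl(owner, group, user_obj, named_users, group_obj, named_groups, mask, other)

def _apply_mask(perms, mask):
    return perms if mask is None else "".join(p if p in mask else "-" for p in perms)

def _union(entries):
    # Perm strings are positional (r, w, x), so compare column by column.
    return "".join(c if any(e[i] == c for e in entries) else "-" for i, c in enumerate("rwx"))

def access(acl, user, groups):
    """Effective rwx string for `user`, whose primary and supplementary groups are `groups`."""
    if user == acl.owner:
        return acl.user_obj                      # owner entry: never masked
    if user in acl.named_users:
        return _apply_mask(acl.named_users[user], acl.mask)
    matched = [acl.group_obj] if acl.group in groups else []
    matched += [acl.named_groups[g] for g in groups if g in acl.named_groups]
    if matched:                                  # a group matched: 'other' is never consulted
        return _apply_mask(_union(matched), acl.mask)
    return acl.other

def can_write(acl, user, groups):
    return "w" in access(acl, user, groups)

# Constructed to match the ACL printed in the Solaris session above.
SAMPLE_AFTER_SETFACL = """\
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx               #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--
"""

# Made-up variant in Linux getfacl style: chmod 744 on a file that has a mask
# entry sets the mask to r--, so user:me:rwx is reduced to r-- (#effective).
SAMPLE_RESTRICTIVE_MASK = """\
# file: toto
# owner: root
# group: root
user::rwx
user:me:rwx               #effective:r--
group::r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    for name, text in (("mask rwx", SAMPLE_AFTER_SETFACL), ("mask r--", SAMPLE_RESTRICTIVE_MASK)):
        acl = parse_getfacl(text)
        for user, groups in (("root", ["root"]), ("me", ["users"]), ("oracle", ["dba"])):
            print(name, user, access(acl, user, groups))
```

The two behaviours worth remembering from the session are encoded here: oracle is denied until a user:oracle entry exists because it falls through to other (r--), and a later chmod on the file rewrites the mask, which silently caps every named-user and group entry.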

Re: NFS Questions

JOSHBAIRD

Thanks!  When you say you "chmod 744" your qTree, are you just chmodding the directory on your Solaris host (of the mount point), or are you actually chmodding something on the filer?

Re: NFS Questions

LTDCLSERGAO

Yes, chmodding the directory on the Solaris host (of the mount point).

Re: NFS Questions

JOSHBAIRD

Ok, got it. So, my testing reveals that I am only able to configure ACLs for users that are on the Filer AND the client. If user "xyz" is a local user on the Linux machine, but not defined in /etc/passwd (or LDAP/NIS) on the Filer, the ACL operation fails. Is this expected?

Re: NFS Questions

LTDCLSERGAO

I did not test for a local user. But I think that if you are using a domain id (LDAP/NIS), you can set the ACL just for the users in this domain. If you have a local user, you should add it to the domain.
