Network and Storage Protocols

NFS mount of a ntfs security style directory fails

rsmits1074
5,404 Views

I have already submitted this as a support call to netapp, but maybe someone here can tell me what is going on.

I have a volume that has the NTFS security style.

-- (qtree)

vol2              ntfs  enabled  normal

--

-------------- (cifs shares)

vol2         /vol/vol2                         Testshare
             ... user limit=10
            everyone / Full Control

---------------

From windows i can access : /vol/vol2

As user richardshared :

sudo mount -t nfs4 -o sec=krb5 srv311:/vol/vol2 /mnt/srv311

** This works **


But now i want to root mount the test homedir : /vol/vol2/richardshared

sudo mount -t nfs4 -o sec=krb5 srv311:/vol/vol2/richardshared /mnt/srv311

mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting srv311:/vol/vol2/richardshared

--- (exportfs)

/vol/vol2    -sec=krb5,rw,anon=0

----

The usermapping works good, I have the same loginname in Windows and Linux, so all the "wcc" commands are also ok.

If i do a ls -al in /vol/vol2 from a nfs mount. (The one that works)

The acl's look ok.

------ (ls -al /vol/vol2)

drwx------ 10 richardshared domain users 4096 2010-12-08 14:25 richardshard

------

fsecurity show /vol/vol2/richardshared            
[/vol/vol2/richardshared - Directory (inum 76923)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:
    uid: 456814 (Richardshared)
    gid: 100513 (Domain Users)
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: DOMAIN\richardshared
    Group: DOMAIN\Domain Users
    DACL:
      Allow - DOMAIN\Domain Admins - 0x001f01ff (Full Control) - OI|CI
      Allow - DOMAIN\richardshared - 0x001301bf (Modify) - OI|CI

Does anyone know what this could be ?

Greetings .. Richard Smits

1 ACCEPTED SOLUTION

rsmits1074
5,404 Views

The "wafl.default_nt_user" did the trick. I was reading back this forum and saw this thread. Netapp support did advise me of this setting. Apperantly the linux user does not have the permission to see the "deep" path what is exported.

Explanation :

Setting wafl.default_nt_user will effectively map any user we cannot otherwise map to some specific user. This would include pcuser, but is not limited to pcuser.

Or you can do a manual mapping in the usermap.cfg file, but this works good.

View solution in original post

2 REPLIES 2

Darkstar
5,404 Views

For root mounts to work you have to add "root=<ip>" to your /etc/exports file for that volume. Otherwise all root mounts are treated as nobody-mounts and you won't get access.

Also, the option "cifs.nfs_root_ignore_acl" might help you. If set to yes, "root" users from unix ignore windows ACLs (they are basically treated as windows admins)

-Michael

rsmits1074
5,405 Views

The "wafl.default_nt_user" did the trick. I was reading back this forum and saw this thread. Netapp support did advise me of this setting. Apperantly the linux user does not have the permission to see the "deep" path what is exported.

Explanation :

Setting wafl.default_nt_user will effectively map any user we cannot otherwise map to some specific user. This would include pcuser, but is not limited to pcuser.

Or you can do a manual mapping in the usermap.cfg file, but this works good.

Public