permission denied

Have you tried using mixed mode for the qtree security on the volumes that are being accessed via cifs and nfs?

yes, I did, and I get the exact same result as if it was ntfs.

But I really don't want to be using mix permission because of issue between permissions.

Hi,

I'm guessing you have exported the volumes/qtrees with ntfs security to your admin linux box with root rights.

After that you need to make an options change:

options cifs.nfs_root_ignore_acl     on

Then you should be able to mount the filesystems.  You won't necessarily see much as far as filesystem rights and won't be able to solve every problem via unix/nfs, but it will get you access.

If you want to make sure that things are "cleaner" between cifs and nfs, remember to set "group" permissions and umask (see 'cifs shares' and 'cifs access' documentation) on your cifs shares.  It might also be an idea to check out 'options cifs.preserve_unix_security' .

I know of no one that has had success with 'mixed mode' qtrees.  I'd avoid it like the plague.

Hi,

sorry if I was unclear on that part. I have no issue whatsoever to mount anything. I get the permission denied when I try to access (cd / ls) that qtree using an AD/nis account. That account is the same on both domain.

Root can access the qtree if I set anon to 0 in the /etc/exports.

cifs.nfs_root_ignore_acl is now on

cifs.preserve_unix_security was already on.

What I did was create a volume, and a qtree on top of that volume using NTFS mode.

Then I created an nfs share on that qtree using this in the /etc/exports (/software    -actual/vol/vol3/data/software,sec=sys,rw.anon=65535).

Then, from my linux box, I mount that volume (netapp:/software    /nfs/software  nfs  rw  0 0).

Hi,

You won't need to use the "nobody" or "anon=0" hacks if you export the filesystem with, for example:

/software      -actual/vol/vol3/data/software,sec=sys,root=<admin.host.ip.addr>,rw==<admin.host.ip.addr>

What you have basically done is allowed anyone to mount your software share read/write for user nobody... anon=0 is a blank check to read/write for everyone... not a good idea, usually.

yea, I do aggree that this is not a good idea to allow everyone to rw/mount, but for the purpose of trying to access the ntfs qtree using a basic account, I tried to remove all security.

Solved my problem.

First, I was using different domain name for AD and NIS.

So I created one AD for both (using SFU).

Then, I setup cifs for AD, disabled NIS and enabled LDAP to point to the new AD.

Using LDAP, I don't have to setup any usermap or anything and I can manage rights using NTFS.