Network and Storage Protocols

Cant mount NFS with mixed security as 'root' user

KCELESLIE
5,748 Views

Hello all,

I'm not the storage person at our organization, but am trying to help

We are setting up a share that is set to mixed mode, and have CIFs and NFS shares setup. We are trying to add an entry in fstab that automounts the nfs share on the linux side but when it mounts we are not able to browse the share. On the filer side we get an error regarding the default user 'pcuser'. It tries to lookup that user in our domain and fails (because we dont have that user setup). We actually want to change the default user to another account, but it doesnt seem to take. We have set option wafl.default_nt_user and wafl.default_unix_user to another account, but we keep getting the 'pcuser' account when we try to mount the share using the root account on the remote system. If i create the 'pcuser' account everything works, but we need to be able to specify the account. We would also rather not allow all hosts to have root access to the share, just want the root user to be able to mount the share.

Any suggestioins?

6 REPLIES 6

pascalduk
5,748 Views

Setting the wafl.default_nt_user option to a valid windows user should work. The windows user of course needs the necessary NTFS permissions.

You also probably need to remount the filesystem on the linux host after changing the option, because of caching on the host side. Thats what I have often seen with solaris after changing NTFS permissions on a mounted file system.

Restricting root access to a specific host can be done by specifying in the exports file of the filer which hosts can have root access (root=....).

BTW, you should consider not using the mixed mode security style at all, but sticking to in your case NTFS. With mixed it can get really messy, because a file's security can change to whatever client last set the permission. You can access NTFS data from unix without any problems as long as the unix username can be translated to a windows username.

KCELESLIE
5,748 Views

Thanks, we actually have that option set to a valid user in active directory. I've unmounted the share then remounted, but it still defaults back to pcuser. Do i need to do something to get that setting to take affect? Reboot the filer or some sort of command? I'm just typing options wafl.default_nt_user validuser and when i type options wafl it shows up as the new user but doesnt seem to take effect. I'm pretty sure that user has permission NTFS permissions, but i will check that.

It doesnt matter that the 'root' user on the remote system is trying to mount the share and doesnt have root access on the exports, right? It should just be mapped to the default user i'm thinking.

Yeah, I have heard that mixed is messy. Unfortunatlly i cant make the decision to switch to NTFS, but i can try to talk the person who can into it

pascalduk
5,748 Views

A reboot is not required to make the option effective. You can verify the mapping by executing the command "wcc -u root". On the first row of the output you should see the windows account used.

Does the exports file entry have the host you are trying to access the file system in the root=... list? Without this the mapping of the root account to the default windows user will not work.

KCELESLIE
5,748 Views

wcc -u root returns the user that we defined, which is good. I've checked the permissions on the NTFS side and the user has valid entries. Our exports entry has root= but not for this system. We dont want to give this system root access.

We are trying to map linux home directories to the NAS. So in our /etc/fstab file on the linux machines we have an entry something like nas:/homedir   /home    nfs    option... Which works, but when the user is unable to login, and i'm guessing because the 'root' user cant view the directory of /home (but normal users can). On the filer when we try to browse the directory as the root user we get

Auth: LSA lookup: located account domain\pcuser in domain "domain"

Auth: error looking up domain groups during login from 0.0.0.0: status_no_such_user (0xc0000064)

Mapped user not found

Which makes sense because we dont have 'pcuser' defined in active directory, we have 'userA' which is what we want to map the default user to. If i create 'pcuser' on the domain everything works fine, but unfortunally i cant use the pcuser account

I dont know why it says that it located the account in the domain.

Thanks for your help

aborzenkov
5,748 Views

If you did not enable root= for your client, your client's root does not browse files as root, but as user "nobody" on filer. So you at least has to check WAFL credentials cache for this user, not root.

Do you have and entry in /etc/usermap.cfg?

KCELESLIE
5,748 Views

In usermap.cfg we have Domain\* == * (something like that). if i do a wcc -u nobody, it maps it back to our defined user in wafl.default_nt_user (which is the same as wafl.default_unix_user).

In our passwd file we have an entry for pcuser, nobody, and our custom user (which is the default user). Since we have the default user option set, shouldnt any connection that cant map to a valid user use that?

Public