Network and Storage Protocols
Hi,
I have an NFSv3 export configured, and a specific host granted "Read Write" access. When I mount this NFS export on the remote client, all permissions automatically become 777 and everything is owned by root. I want the NFS filesystem to be owned by another user, and I don't want permissions to be 777 (so not everyone on the remote host has read/write access to it).
I believe I need to add users to the Filer's /etc/passwd and /etc/group with UIDs/GIDs that match those on the remote host first of all. How can I do this? I don't see an option in useradmin to specify UID/GID. Do I need to manually drop to a shell and modify /etc/passwd and /etc/group?
How do I keep the export from forcing 777 on the remote host?
Thanks!
Hello,
Did you mount the NFS export with the option vers=3?
Question: why don't you use NFSv4?
I'm going to test NFSv4 as well. But I still think I'll face the same problems with UID/GID and having to define users in the Filer's /etc/passwd?
With NFSv4 you don't have to create users on the filer; you just define nfs.v4.id.domain to be the same as the domain you configure on your client.
To set UID/GID on the file/directory you could use the setfacl command on the client.
Ok, so you only use ACLs in NFSv4? What user/group would own the actual files on the remote host, though? Thanks for the info!
With setfacl you can, for example, leave root as owner and grant rwx (or whatever you need) rights to a list of users.
I guess you are mounting a qtree, so you can also change the owner from root to another user with the chown command (for this, you have to mount the volume and change the owner on the qtree).
Hi,
If I wish to control access via ACLs on the client side, what options should I export with on the Filer? Should I also control access per host at the filer using rw=hostname, etc.?
Thanks
hello,
Yes, you should control access per host on the filer using rw and root.
On the client, do you have NIS / LDAP for authentication?
Yes, but not for every user. The user who needs to own the files and directories is not an LDAP/NIS user, it is a local /etc/passwd user.
Ok, got the mount working correctly, but I'm unable to use setfacl. ACL support is enabled on the filer.
setfacl: hi3: Operation not supported
Client is RHEL6. Export is mounted with:
filer:/vol/vol4/ePortalShare on /mnt/test type nfs4 (rw,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=3,sec=sys,addr=172.26.103.122,clientaddr=172.26.101.56)
Any ideas?
Thanks!
Ok, I think I need to use "nfs4_setfacl" on RHEL (instead of setfacl) to set the ACLs. Do I have to export the filesystem read+write or should I just use an ACL to allow write access? If I export the filesystem as read+write, then every user on the client machine can delete/modify/create new files, regardless of the ACL setting. This is not what I was looking for. I want to use ACLs to restrict which local users on the client machine can modify files on the NFS export.
Thanks!
Hello,
My experience with NFSv4 was with Solaris; I think it's the same for Red Hat.
I exported the volume /vol/test (with rw and root rights for my host) and mounted it.
Then I did a chmod 744 on my qtree.
I unmounted the volume and then mounted my qtree (with rw and root rights for my host).
I created a file toto as root on the qtree:
6:37:27 root@host:/mount_TEST4
1266# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
group::r-- #effective:r--
mask:rwx
other:r--
16:37:38 root@host:/mount_TEST4
--> I try to modify the file with the user "me"
bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ cd /mount_TEST4
bash-3.00$ ls -la toto
-rw-r--r-- 1 root root 0 Feb 19 16:37 toto
bash-3.00$ echo "hello" > toto
bash: toto: Permission denied
bash-3.00$
--> I add user "me" with setfacl to have rwx access to the file
6:39:44 root@host:/mount_TEST4
1273# setfacl -m user:me:rwx toto
16:39:48 root@host:/mount_TEST4
1274# ls -la toto
-rw-r--r--+ 1 root root 0 Feb 19 16:37 toto
16:39:50 root@host:/mount_TEST4
1275# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx #effective:rwx
group::r-- #effective:r--
mask:rwx
other:r--
--> test:
bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ echo "hello" > toto
bash-3.00$
--> test with oracle user
16:45:59 oracle@host:/
1$ cd /mount_TEST4
16:46:04 oracle@host:/mount_TEST4
2$ echo "hello" > toto
bash: toto: Permission denied
===
16:41:14 root@host:/mount_TEST4
1277# setfacl -m user:oracle:rwx toto
6:46:13 oracle@host:/mount_TEST4
3$ echo "hello" > toto
16:46:53 oracle@host:/mount_TEST4
I don't know how to configure NFSv4 on Red Hat, but on Solaris I do it like below:
--> on the filer:
Filer> options nfs.v4
nfs.v4.acl.enable on (value might be overwritten in takeover)
nfs.v4.enable on (value might be overwritten in takeover)
nfs.v4.id.domain labo.domain.fr
nfs.v4.read_delegation off (value might be overwritten in takeover)
nfs.v4.setattr_acl_preserve off (value might be overwritten in takeover)
nfs.v4.write_delegation off (value might be overwritten in takeover)
--> on the host
16:29:12 root@host:/etc/default
1119# cat nfs |grep DOMAIN
NFSMAPID_DOMAIN=labo.domain.fr
Hope this will help.
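The getfacl/setfacl walk-through above hinges on the mask entry: a named-user entry such as user:me:rwx only grants what survives an AND with mask, which is why getfacl prints the "#effective:" annotation, and why a later chmod of the group bits (which rewrites the mask) can silently narrow what "me" can do. The script below is an added example, not code from this thread: it parses getfacl output and computes the effective rights for a given user following the POSIX.1e check order. The two sample ACL texts are constructed from the getfacl output quoted above, and the group names given to the users (users, dba) are assumptions. Note that on a sec=sys mount the filer evaluates these entries against whatever UID/GID the client kernel asserts, so the ACL restricts local users only as far as the client's own account database is trusted.

```shell
#!/bin/sh
# Added example, not code from the thread: compute the EFFECTIVE rights a user
# gets from a POSIX ACL as printed by getfacl.  Named-user, named-group and
# owning-group entries are capped by the mask entry (that is what the
# "#effective:" annotation reports); the owner and "other" entries are not.
# Both sample ACL texts are constructed from the getfacl output in the thread.

# ACL of "toto" right after "setfacl -m user:me:rwx toto" (as in the thread)
ACL_AFTER='# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx #effective:rwx
group::r-- #effective:r--
mask:rwx
other:r--'

# Constructed follow-on: the same file after "chmod g-wx toto".  chmod rewrites
# the mask, so the user:me entry still says rwx but is now effectively r--.
ACL_MASKED='# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx #effective:r--
group::r-- #effective:r--
mask:r--
other:r--'

# and_perms A B: intersection of two rwx strings, e.g. "rwx" "r-x" -> "r-x"
and_perms() {
  out=""
  for c in r w x; do
    case "$1" in *"$c"*) case "$2" in *"$c"*) out="$out$c"; continue ;; esac ;; esac
    out="$out-"
  done
  printf '%s\n' "$out"
}

# or_perms A B: union of two rwx strings (all matching group entries are unioned)
or_perms() {
  out=""
  for c in r w x; do
    case "$1$2" in *"$c"*) out="$out$c" ;; *) out="$out-" ;; esac
  done
  printf '%s\n' "$out"
}

# effective_perms ACL_TEXT USER [GROUP ...]
# POSIX.1e check order: owner, named user, owning/named groups (masked), other.
effective_perms() {
  acl=$1; user=$2; shift 2
  groups=" $* "
  owner=""; grp=""; mask="rwx"; owner_perm="---"; owning_group="---"
  named_user=""; group_perm="---"; in_group=0; other="---"
  while IFS= read -r line; do
    case "$line" in
      "# owner: "*) owner=${line#"# owner: "}; continue ;;
      "# group: "*) grp=${line#"# group: "}; continue ;;
      "#"*|"") continue ;;
    esac
    line=${line%%#*}                                   # drop "#effective:..."
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    tag=${line%%:*}; rest=${line#*:}
    case "$rest" in
      *:*) name=${rest%%:*}; perm=${rest#*:} ;;        # user:me:rwx / user::rw-
      *)   name=""; perm=$rest ;;                      # Solaris "mask:rwx" has no 2nd colon
    esac
    case "$tag" in
      user)  if [ -z "$name" ]; then owner_perm=$perm
             elif [ "$name" = "$user" ]; then named_user=$perm; fi ;;
      group) if [ -z "$name" ]; then owning_group=$perm
             else case "$groups" in
                    *" $name "*) group_perm=$(or_perms "$group_perm" "$perm"); in_group=1 ;;
                  esac
             fi ;;
      mask)  mask=$perm ;;
      other) other=$perm ;;
    esac
  done <<EOF
$acl
EOF
  case "$groups" in *" $grp "*) group_perm=$(or_perms "$group_perm" "$owning_group"); in_group=1 ;; esac
  if [ "$user" = "$owner" ]; then printf '%s\n' "$owner_perm"     # owner is never masked
  elif [ -n "$named_user" ]; then and_perms "$named_user" "$mask"
  elif [ "$in_group" = 1 ]; then and_perms "$group_perm" "$mask"
  else printf '%s\n' "$other"
  fi
}

# What each user from the thread effectively gets on "toto":
printf 'me (gid users)   after setfacl: %s\n' "$(effective_perms "$ACL_AFTER" me users)"
printf 'oracle (gid dba) after setfacl: %s\n' "$(effective_perms "$ACL_AFTER" oracle dba)"
printf 'me (gid users)   after chmod  : %s\n' "$(effective_perms "$ACL_MASKED" me users)"
```

The third line of output is the case to watch for in practice: `getfacl` still lists `user:me:rwx`, but once the mask has been narrowed the entry is worth only `r--`, so a permission check that reads the named entry without the mask overstates what the user can do.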
Thanks! When you say you "chmod 744" your qTree, are you just chmodding the directory on your Solaris host (of the mount point), or are you actually chmodding something on the filer?
Yes, chmodding the directory on the Solaris host (of the mount point).
Ok, got it. So, my testing reveals that I am only able to configure ACLs for users that are on the Filer AND the client. If user "xyz" is a local user on the Linux machine, but not defined in /etc/passwd (or LDAP/NIS) on the Filer, the ACL operation fails. Is this expected?
I did not test for a local user. But I think that if you are using a domain ID (LDAP/NIS), you can set the ACL just for the users in this domain. If you have a local user, you should add it to the domain.
Ok, I'm trying to use domain users in my ACLs (my Filer is a member of the domain), but I can't get the syntax correct: "NA" is the name of the domain:
I have tried:
nfs4_setfacl -a A::na\\jbaird@domain.com:RWX hi
nfs4_setfacl -a A::jbaird@domain.com:RWX hi
domain.com is the IDMAP domain specified on the Filer and Linux client, and na\jbaird is the domain user (domain\user).
I am able to use ACLs for local /etc/passwd users that are defined on both the Filer and the Linux client, but not domain users that both the Filer and the Linux client are a member of.
Thanks.
Did the Linux client and the filer recognise the user jbaird?
What is the result of the commands:
on the client: id jbaird
and on the filer: wcc -u jbaird
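Before retrying nfs4_setfacl with a domain user, it is worth checking the ACE string itself and the idmap domain it implies, since a principal the client cannot even parse into name@domain will never reach the filer's mapping. The script below is an added example, not part of this thread or of the nfs4-acl-tools package: it parses the nfs4_acl(5) form TYPE:FLAGS:PRINCIPAL:PERMS, reads the client's idmap domain from a constructed /etc/idmapd.conf fragment (the Solaris NFSMAPID_DOMAIN= form shown earlier in the thread is handled too), rejects the DOMAIN\user spelling, and rejects any principal whose domain is not the idmap domain. "domain.com" and "jbaird" are the thread's values; the rest of the config text is assumed. Passing this check does not make the mapping work: the filer still has to resolve the name, which is exactly what `id` on the client and `wcc -u` on the filer test.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for an nfs4_setfacl ACE
# string.  nfs4_acl(5) ACEs are TYPE:FLAGS:PRINCIPAL:PERMS; a user principal
# must be name@domain with domain equal to the client's NFSv4 idmap domain.

# Constructed /etc/idmapd.conf fragment (RHEL).  Only "Domain =" matters here.
IDMAP_CONF='[General]
Verbosity = 0
Domain = domain.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody'

# idmap_domain CONFIG_TEXT -> prints the configured idmap domain.
# Understands RHEL "Domain = x" and Solaris /etc/default/nfs "NFSMAPID_DOMAIN=x".
idmap_domain() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
    -e 's/^NFSMAPID_DOMAIN=\(.*\)$/\1/p' | head -n 1
}

# check_ace ACE DOMAIN -> exit 0 if the ACE is well formed for DOMAIN, else 1
check_ace() {
  ace=$1; domain=$2
  stripped=$(printf '%s' "$ace" | tr -d ':')
  if [ $(( ${#ace} - ${#stripped} )) -ne 3 ]; then
    printf 'ACE must have 4 colon-separated fields: %s\n' "$ace" >&2; return 1
  fi
  type=${ace%%:*};       rest=${ace#*:}
  flags=${rest%%:*};     rest=${rest#*:}
  principal=${rest%%:*}; perms=${rest#*:}
  # A=allow D=deny U=audit L=alarm
  case "$type" in A|D|U|L) ;; *) printf 'unknown ACE type "%s"\n' "$type" >&2; return 1 ;; esac
  # inheritance/audit flags this check knows: f d p i S F, plus g (principal is a group)
  case "$flags" in *[!fdpiSFg]*) printf 'unknown flag in "%s"\n' "$flags" >&2; return 1 ;; esac
  # individual permission letters, or the R/W/X aliases nfs4_setfacl expands
  case "$perms" in
    ""|*[!rwaxdDtTnNcCoyRWX]*) printf 'bad permission string "%s"\n' "$perms" >&2; return 1 ;;
  esac
  case "$principal" in
    OWNER@|GROUP@|EVERYONE@) return 0 ;;               # special principals, no mapping needed
    *\\*)
      printf '"%s": DOMAIN\\user is not an NFSv4 principal; use user@%s\n' "$principal" "$domain" >&2
      return 1 ;;
    ?*@"$domain") return 0 ;;                          # name@idmap-domain: what the filer must map
    *@*)
      printf '"%s": domain does not match idmap domain "%s"\n' "$principal" "$domain" >&2
      return 1 ;;
    ""|*[!0-9]*)
      printf '"%s": expected user@%s or a numeric id\n' "$principal" "$domain" >&2
      return 1 ;;
    *) return 0 ;;                                     # numeric uid/gid, sent unmapped
  esac
}

# Try the two ACE spellings from the thread against the client's idmap domain.
DOMAIN=$(idmap_domain "$IDMAP_CONF")
for ace in 'A::na\jbaird@domain.com:RWX' 'A::jbaird@domain.com:RWX'; do
  if check_ace "$ace" "$DOMAIN"; then
    printf 'ok:     %s\n' "$ace"
  else
    printf 'reject: %s\n' "$ace"
  fi
done
```

The first ACE is rejected before anything is sent to the filer; the second is syntactically right for idmap domain domain.com, which leaves name resolution on both sides as the only remaining thing to verify.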
That's my problem! The LDAP stuff isn't properly configured on the Filer.
fc-netapp03> wcc -u jbaird
no passwd entry for jbaird
I'm looking into configuring LDAP now and will test again.
I really appreciate all of your help.
Thanks
You're welcome, Josh. Let me know if it's ok.