NFS Questions

JOSHBAIRD

Hi,

I have an NFSv3 export configured, and a specific host granted "Read Write" access. When I mount this NFS export on the remote client, all permissions automatically become 777 and everything is owned by root. I want the NFS filesystem to be owned by another user, and I don't want permissions to be 777 (so not everyone on the remote host has read/write access to it).

I believe I need to add users to the Filer's /etc/passwd and /etc/group with UIDs/GIDs that match those on the remote host first of all. How can I do this? I don't see an option in useradmin to specify UID/GID. Do I need to manually drop to a shell and modify /etc/passwd and /etc/group?

How do I keep the export from forcing 777 on the remote host?

Thanks!


LTDCLSERGAO

Hello,

Did you mount the NFS share with the option vers=3?

Question: Why don't you use NFSv4?

JOSHBAIRD

I'm going to test NFSv4 as well. But I still think I face the same problems with UID/GID and having to define users in the Filer's /etc/passwd?

LTDCLSERGAO

With NFSv4 you don't have to create users on the filer; you just define nfs.v4.id.domain to be the same as what you configure on your client.

To set the UID/GID on the file/directory you could use the setfacl command on the client.

JOSHBAIRD

Ok, so you only use ACLs in NFSv4? What user/group would own the actual files on the remote host, though? Thanks for the info!

LTDCLSERGAO

With setfacl you can, for example, leave root as owner and set rwx (or whatever you need) rights for a list of users.

I guess you are mounting a qtree, so you can also change the owner from root to another user with the chown command (for this, you have to mount the volume and change the owner on the qtree).

JOSHBAIRD

Hi,

If I wish to control access via ACLs on the client side, what options should I export with on the Filer? Should I also control access per host at the filer using rw=hostname, etc.?

Thanks

LTDCLSERGAO

Hello,

Yes, you should control access per host on the filer using rw and root.

On the client, do you have NIS/LDAP for authentication?

JOSHBAIRD

Yes, but not for every user. The user who needs to own the files and directories is not an LDAP/NIS user; it is a local /etc/passwd user.

JOSHBAIRD

Ok, got the mount working correctly, but I'm unable to use setfacl. ACL support is enabled on the filer.

setfacl: hi3: Operation not supported

Client is RHEL6.  Export is mounted with:

filer:/vol/vol4/ePortalShare on /mnt/test type nfs4 (rw,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=3,sec=sys,addr=172.26.103.122,clientaddr=172.26.101.56)

Any ideas?

Thanks!

JOSHBAIRD

Ok, I think I need to use "nfs4_setfacl" on RHEL (instead of setfacl) to set the ACLs. Do I have to export the filesystem read+write, or should I just use an ACL to allow write access? If I export the filesystem as read+write, then every user on the client machine can delete/modify/create new files, regardless of the ACL setting. This is not what I was looking for. I want to use ACLs to restrict which local users on the client machine can modify files on the NFS export.

Thanks!

LTDCLSERGAO

Hello,

My experience with NFSv4 was with Solaris; I think it's the same thing for Red Hat.

I exported the volume /vol/test (with rw and root rights for my host) and mounted it.

Then I did a chmod 744 on my qtree.

I unmounted the volume and then mounted my qtree (with rw and root rights for my host).

I created a file toto as root on the qtree:

16:37:27 root@host:/mount_TEST4
1266# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
group::r--              #effective:r--
mask:rwx
other:r--
16:37:38 root@host:/mount_TEST4

--> I try to modify the file with the user "me":

bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ cd /mount_TEST4
bash-3.00$ ls -la toto
-rw-r--r--   1 root     root           0 Feb 19 16:37 toto
bash-3.00$ echo "hello" > toto
bash: toto: Permission denied
bash-3.00$

--> I add the user "me" with setfacl to have rwx access to the file:

16:39:44 root@host:/mount_TEST4
1273# setfacl -m user:me:rwx toto
16:39:48 root@host:/mount_TEST4
1274# ls -la toto
-rw-r--r--+  1 root     root           0 Feb 19 16:37 toto
16:39:50 root@host:/mount_TEST4
1275# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx               #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--

--> test:

bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ echo "hello" > toto
bash-3.00$

--> test with the oracle user:

16:45:59 oracle@host:/
1$ cd /mount_TEST4
16:46:04 oracle@host:/mount_TEST4
2$ echo "hello" > toto
bash: toto: Permission denied

===

16:41:14 root@host:/mount_TEST4
1277# setfacl -m user:oracle:rwx toto
16:46:13 oracle@host:/mount_TEST4
3$ echo "hello" > toto
16:46:53 oracle@host:/mount_TEST4

I don't know how to configure NFSv4 on Red Hat, but on Solaris I do it like below:

--> on the filer:

Filer> options nfs.v4
nfs.v4.acl.enable            on         (value might be overwritten in takeover)
nfs.v4.enable                on         (value might be overwritten in takeover)
nfs.v4.id.domain             labo.domain.fr
nfs.v4.read_delegation       off        (value might be overwritten in takeover)
nfs.v4.setattr_acl_preserve  off        (value might be overwritten in takeover)
nfs.v4.write_delegation      off        (value might be overwritten in takeover)

--> on the host:

16:29:12 root@host:/etc/default
1119# cat nfs |grep DOMAIN
NFSMAPID_DOMAIN=labo.domain.fr

Hope this will help.
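As an added example (not code from this thread, and not NetApp's or Red Hat's), here is a small Python parser for the getfacl text format shown in the post above. It applies the ACL mask the way the POSIX.1e access check does, so the "#effective:" annotations can be reproduced for any user, and it flags the two things this thread is about: an "other" entry that grants write (the 777 case from the original question) and a named entry that the mask silently cuts down. The ACL texts, user names and group names below are constructed for the example.

```python
"""Parse getfacl output and compute a user's effective rights after the ACL mask."""
from dataclasses import dataclass, field
from typing import Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text: str) -> int:
    """'rw-' -> 6."""
    return sum(PERM_BITS.get(ch, 0) for ch in text.strip()[:3])


def perms_str(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0            # user::   entry (the file owner)
    group_obj: int = 0           # group::  entry (the owning group)
    other: int = 0               # other:   entry
    mask: Optional[int] = None   # absent when the ACL has no named entries
    users: dict = field(default_factory=dict)    # user:NAME:perms
    groups: dict = field(default_factory=dict)   # group:NAME:perms


def parse_getfacl(text: str) -> Acl:
    """Accepts Linux 'mask::rwx' and the Solaris 'mask:rwx' form shown in the thread."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            setattr(acl, key, value.strip())          # acl.owner / acl.group
        elif not line or line.startswith("#"):
            continue                                  # blank line, '# file:' ...
        else:
            parts = line.split("#", 1)[0].strip().split(":")   # drop '#effective:'
            kind, perms = parts[0], parse_perms(parts[-1])
            name = parts[1] if len(parts) == 3 else ""
            if kind in ("user", "group"):
                table = acl.users if kind == "user" else acl.groups
                if name:
                    table[name] = perms
                elif kind == "user":
                    acl.user_obj = perms
                else:
                    acl.group_obj = perms
            elif kind == "mask":
                acl.mask = perms
            elif kind == "other":
                acl.other = perms
    return acl


def effective(acl: Acl, user: str, groups) -> int:
    """Per-bit rights for USER (a member of GROUPS), in POSIX.1e check order."""
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return acl.user_obj                       # the owner entry is never masked
    if user in acl.users:
        return acl.users[user] & mask             # named users are masked
    granted, matched = 0, False
    if acl.group in groups:
        granted, matched = granted | (acl.group_obj & mask), True
    for name, perms in acl.groups.items():        # named groups are masked too
        if name in groups:
            granted, matched = granted | (perms & mask), True
    return granted if matched else acl.other      # nothing matched: 'other' applies


def audit(acl: Acl) -> list:
    """Findings someone reviewing an NFS export's permissions would want to see."""
    findings = []
    if acl.other & 2:
        findings.append("other has write: any local user on the client can modify this")
    if acl.mask is not None:
        for name, perms in acl.users.items():
            if perms & ~acl.mask:
                findings.append(f"user:{name} wants {perms_str(perms)} but the mask "
                                f"limits it to {perms_str(perms & acl.mask)}")
    return findings


# Constructed sample: the ACL of 'toto' after "setfacl -m user:me:rwx toto" above.
ACL_AFTER_SETFACL = """\
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx               #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--
"""
# Constructed sample: the same ACL after the mask was reduced (e.g. by a chmod).
ACL_MASKED = ACL_AFTER_SETFACL.replace("mask:rwx", "mask:r--")
# Constructed sample: the world-writable "777" case from the original question.
ACL_WORLD_WRITABLE = "# owner: root\n# group: root\nuser::rwx\ngroup::rwx\nother::rwx\n"

if __name__ == "__main__":
    for label, text in [("after setfacl", ACL_AFTER_SETFACL), ("masked", ACL_MASKED),
                        ("777", ACL_WORLD_WRITABLE)]:
        acl = parse_getfacl(text)
        print(label, "-> me:", perms_str(effective(acl, "me", ["users"])), audit(acl))
```

Running the file prints, for each sample, what the user "me" can effectively do and the audit findings; the first sample reproduces the thread's result (me gets rwx, oracle is left with r--), the second shows the mask silently turning "user:me:rwx" into r--, and the third is flagged because "other" can write.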

JOSHBAIRD

Thanks! When you say you "chmod 744" your qtree, are you just chmodding the directory on your Solaris host (of the mount point), or are you actually chmodding something on the filer?

LTDCLSERGAO

Yes, chmodding the directory on the Solaris host (of the mount point).

JOSHBAIRD

Ok, got it. So, my testing reveals that I am only able to configure ACLs for users that are on the Filer AND the client. If user "xyz" is a local user on the Linux machine, but not defined in /etc/passwd (or LDAP/NIS) on the Filer, the ACL operation fails. Is this expected?

LTDCLSERGAO

I did not test for a local user. But I think that if you are using a domain ID (LDAP/NIS), you can set the ACL just for the users in this domain. If you have a local user, you should add it to the domain.

JOSHBAIRD

Ok, I'm trying to use domain users in my ACLs (my Filer is a member of the domain), but I can't get the syntax correct. "NA" is the name of the domain:

I have tried:

nfs4_setfacl -a A::na\\jbaird@domain.com:RWX hi

nfs4_setfacl -a A::jbaird@domain.com:RWX hi

domain.com is the IDMAP domain specified on the Filer and Linux client, and na\jbaird is the domain user (domain\user).

I am able to use ACLs for local /etc/passwd users that are defined on both the Filer and the Linux client, but not domain users of the domain that both the Filer and the Linux client are members of.

Thanks.

LTDCLSERGAO

Did the Linux client and the filer recognise the user jbaird?

What is the result of the commands:

on the client: id jbaird

and on the filer: wcc -u jbaird

JOSHBAIRD

That's my problem! The LDAP stuff isn't properly configured on the Filer.

fc-netapp03> wcc -u jbaird

no passwd entry for jbaird

I'm looking into configuring LDAP now and will test again.
I really appreciate all of your help.

Thanks

LTDCLSERGAO

Welcome, Josh. Let me know if it's OK.
