Hi,
I have an NFSv3 export configured, and a specific host granted "Read Write" access. When I mount this NFS export on the remote client, all permissions automatically become 777 and it is owned by root. I want the NFS filesystem to be owned by another user, and I don't want permissions to be 777 (so not everyone on the remote host has read/write access to it).
I believe I need to add users to the Filer's /etc/passwd and /etc/group with UIDs/GIDs that match those on the remote host first of all. How can I do this? I don't see an option in useradmin to specify UID/GID. Do I need to manually drop to a shell and modify /etc/passwd and /etc/group?
How do I keep the export from forcing 777 on the remote host?
Thanks!
19 REPLIES

Hello,
Did you mount the NFS with the option vers=3?
Question: why don't you use NFSv4?

I'm going to test NFSv4 as well. But, I still think I face the same problems with UID/GID and having to define users in the Filer's /etc/passwd?

With NFSv4 you don't have to create users on the filer; you just define nfs.v4.id.domain to be the same as what you will configure on your client.
To set the UID/GID on the file/directory you could use the setfacl command on the client.

Ok, so you only use ACLs in NFSv4? What user/group would own the actual files on the remote host, though? Thanks for the info!

With setfacl you can, for example, leave root as the owner and set rwx (or whatever you need) rights for a list of users.
I guess you are mounting a qtree, so you can also change the owner from root to another user with the chown command (for this, you have to mount the volume and change the owner on the qtree).

Hi,
If I wish to control access via ACLs on the client side, what options should I export with on the Filer? Should I also control access per host at the filer using rw=hostname, etc?
Thanks

hello,
Yes, you should control access per host on the filer using rw and root.
On the client, do you have NIS/LDAP for authentication?
Yes, but not for every user. The user who needs to own the files and directories is not a LDAP/NIS user, it is a local /etc/passwd user.
Ok, got the mount working correctly, but I'm unable to use setfacl. ACL support is enabled on the filer.
setfacl: hi3: Operation not supported
Client is RHEL6. Export is mounted with:
filer:/vol/vol4/ePortalShare on /mnt/test type nfs4 (rw,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=3,sec=sys,addr=172.26.103.122,clientaddr=172.26.101.56)
Any ideas?
Thanks!

Ok, I think I need to use "nfs4_setfacl" on RHEL (instead of setfacl) to set the ACLs. Do I have to export the filesystem read+write or should I just use an ACL to allow write access? If I export the filesystem as read+write, then every user on the client machine can delete/modify/create new files, regardless of the ACL setting. This is not what I was looking for. I want to use ACLs to restrict which local users on the client machine can modify files on the NFS export.
Thanks!

Hello,
My experience with NFSv4 was with Solaris; I think it's the same thing for Red Hat.
I exported the volume /vol/test (with rw and root rights for my host) and mounted it.
Then I did a chmod 744 on my qtree.
I unmounted the volume, and then I mounted my qtree (with rw and root rights for my host).
I created a file toto as root on the qtree:
16:37:27 root@host:/mount_TEST4
1266# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
group::r-- #effective:r--
mask:rwx
other:r--
16:37:38 root@host:/mount_TEST4
--> I try to modify the file with the user "me"
bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ cd /mount_TEST4
bash-3.00$ ls -la toto
-rw-r--r-- 1 root root 0 Feb 19 16:37 toto
bash-3.00$ echo "hello" > toto
bash: toto: Permission denied
bash-3.00$
--> I add user "me" with setfacl to have rwx access to the file
16:39:44 root@host:/mount_TEST4
1273# setfacl -m user:me:rwx toto
16:39:48 root@host:/mount_TEST4
1274# ls -la toto
-rw-r--r--+ 1 root root 0 Feb 19 16:37 toto
16:39:50 root@host:/mount_TEST4
1275# getfacl toto
# file: toto
# owner: root
# group: root
user::rw-
user:me:rwx #effective:rwx
group::r-- #effective:r--
mask:rwx
other:r--
--> test :
bash-3.00$ id
uid=1609(me) gid=15(users)
bash-3.00$ echo "hello" > toto
bash-3.00$
--> test with oracle user
16:45:59 oracle@host:/
1$ cd /mount_TEST4
16:46:04 oracle@host:/mount_TEST4
2$ echo "hello" > toto
bash: toto: Permission denied
===
16:41:14 root@host:/mount_TEST4
1277# setfacl -m user:oracle:rwx toto
16:46:13 oracle@host:/mount_TEST4
3$ echo "hello" > toto
16:46:53 oracle@host:/mount_TEST4
I don't know how to configure NFSv4 on Red Hat, but on Solaris I do it like below:
--> on the filer :
Filer> options nfs.v4
nfs.v4.acl.enable on (value might be overwritten in takeover)
nfs.v4.enable on (value might be overwritten in takeover)
nfs.v4.id.domain labo.domain.fr
nfs.v4.read_delegation off (value might be overwritten in takeover)
nfs.v4.setattr_acl_preserve off (value might be overwritten in takeover)
nfs.v4.write_delegation off (value might be overwritten in takeover)
--> on the host
16:29:12 root@host:/etc/default
1119# cat nfs | grep DOMAIN
NFSMAPID_DOMAIN=labo.domain.fr
Hope this will help.
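As an added example (not code from the thread or from NetApp), the two checks a practitioner would script before relying on NFSv4 ACLs in this setup: that the client's idmapd Domain equals the filer's nfs.v4.id.domain, and that the export line restricts rw (and root) to named hosts rather than a bare "rw". The filer options, idmapd.conf fragment, exports lines, host name client01 and the domain labo.domain.fr are all constructed for the demonstration; the exports syntax is the Data ONTAP 7-mode /etc/exports form.

```shell
# Added example, not code from the thread: two checks to run before trusting
# NFSv4 ACLs on a 7-mode export. All inputs are constructed inline; the host
# name, path and domain are made up for the demonstration.

# Filer side: output of "options nfs.v4" (constructed, modelled on the post above).
FILER_OPTIONS='nfs.v4.acl.enable on
nfs.v4.enable on
nfs.v4.id.domain labo.domain.fr'

# Client side: /etc/idmapd.conf on a RHEL host (constructed).
CLIENT_IDMAPD_CONF='[General]
Verbosity = 0
Domain = labo.domain.fr
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody'

# Constructed 7-mode /etc/exports lines. The first limits rw and root to one
# host; the second has a bare "rw", which grants read/write to every client.
EXPORT_GOOD='/vol/vol4/ePortalShare -sec=sys,rw=client01.labo.domain.fr,root=client01.labo.domain.fr'
EXPORT_BAD='/vol/vol4/ePortalShare -sec=sys,rw,root=client01.labo.domain.fr'

# Print the nfs.v4.id.domain value from "options nfs.v4" output.
filer_id_domain() {
    printf '%s\n' "$1" | awk '$1 == "nfs.v4.id.domain" { print $2 }'
}

# Print the Domain value from idmapd.conf text, tolerating spaces around "=".
client_id_domain() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Succeed only when both sides agree on a non-empty idmap domain. NFSv4 carries
# owners as user@domain strings, so a mismatch shows up on the client as files
# owned by "nobody" and as nfs4_setfacl rejecting names the filer cannot map.
idmap_domains_match() {
    f=$(filer_id_domain "$1")
    c=$(client_id_domain "$2")
    [ -n "$f" ] && [ "$f" = "$c" ]
}

# Succeed only when an exports line restricts rw to an explicit host list and
# has no bare "rw" or "root". With sec=sys the filer trusts whatever UID the
# client sends, so the host list is the only filer-side control over which
# machines can touch the export at all.
export_is_host_restricted() {
    opts=${1#* -}    # drop the path, keep "sec=sys,rw=...,root=..."
    case ",$opts," in
        *,rw,*|*,root,*) return 1 ;;    # bare option: every host
    esac
    case ",$opts," in
        *,rw=*) return 0 ;;
        *) return 1 ;;                   # no rw= at all
    esac
}

# Run both checks against the constructed inputs and report.
run_checks() {
    if idmap_domains_match "$FILER_OPTIONS" "$CLIENT_IDMAPD_CONF"; then
        echo "idmap domain OK: $(filer_id_domain "$FILER_OPTIONS")"
    else
        echo "idmap domain MISMATCH between filer and client"
    fi
    for line in "$EXPORT_GOOD" "$EXPORT_BAD"; do
        if export_is_host_restricted "$line"; then
            echo "host-restricted: $line"
        else
            echo "OPEN TO ALL HOSTS: $line"
        fi
    done
}

run_checks
```

On a real system you would feed `filer_id_domain` the output of `options nfs.v4` captured over rsh/ssh and `client_id_domain` the contents of /etc/idmapd.conf; the export check only looks at the option string, so run it over each line of the filer's /etc/exports.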
Thanks! When you say you "chmod 744" your qTree, are you just chmodding the directory on your Solaris host (of the mount point), or are you actually chmodding something on the filer?

Yes, chmodding the directory on the Solaris host (of the mount point).

Ok, got it. So, my testing reveals that I am only able to configure ACLs for users that are on the Filer AND the client. If user "xyz" is a local user on the Linux machine, but not defined in /etc/passwd (or LDAP/NIS) on the Filer, the ACL operation fails. Is this expected?

I did not test for a local user. But I think that if you are using a domain ID (LDAP/NIS), you can set the ACL just for the users in this domain. If you have a local user, you should add it to the domain.

Ok, I'm trying to use domain users in my ACLs (my Filer is a member of the domain), but I can't get the syntax correct. "NA" is the name of the domain:
I have tried:
nfs4_setfacl -a A::na\\jbaird@domain.com:RWX hi
nfs4_setfacl -a A::jbaird@domain.com:RWX hi
domain.com is the IDMAP domain specified on the Filer and Linux client, and na\jbaird is the domain user (domain\user).
I am able to use ACLs for local /etc/passwd users that are defined on both the Filer and the Linux client, but not domain users that both the Filer and the Linux client are a member of.
Thanks.

Did the Linux client and the filer recognise the user jbaird?
What is the result of the commands:
on the client: id jbaird
and on the filer: wcc -u jbaird

That's my problem! The LDAP stuff isn't properly configured on the Filer.
fc-netapp03> wcc -u jbaird
no passwd entry for jbaird
I'm looking into configuring LDAP now and will test again.
I really appreciate all of your help.
Thanks

Welcome, Josh. Let me know if it's OK.
