Network and Storage Protocols
Network and Storage Protocols
I have already submitted this as a support call to netapp, but maybe someone here can tell me what is going on.
I have a volume that has the NTFS security style.
-- (qtree)
vol2 ntfs enabled normal
--
-------------- (cifs shares)
vol2 /vol/vol2 Testshare
... user limit=10
everyone / Full Control
---------------
From windows i can access : /vol/vol2
As user richardshared :
sudo mount -t nfs4 -o sec=krb5 srv311:/vol/vol2 /mnt/srv311
** This works **
But now i want to root mount the test homedir : /vol/vol2/richardshared
sudo mount -t nfs4 -o sec=krb5 srv311:/vol/vol2/richardshared /mnt/srv311
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting srv311:/vol/vol2/richardshared
--- (exportfs)
/vol/vol2 -sec=krb5,rw,anon=0
----
The usermapping works good, I have the same loginname in Windows and Linux, so all the "wcc" commands are also ok.
If i do a ls -al in /vol/vol2 from a nfs mount. (The one that works)
The acl's look ok.
------ (ls -al /vol/vol2)
drwx------ 10 richardshared domain users 4096 2010-12-08 14:25 richardshard
------
fsecurity show /vol/vol2/richardshared
[/vol/vol2/richardshared - Directory (inum 76923)]
Security style: NTFS
Effective style: NTFS
DOS attributes: 0x0030 (---AD---)
Unix security:
uid: 456814 (Richardshared)
gid: 100513 (Domain Users)
mode: 0777 (rwxrwxrwx)
NTFS security descriptor:
Owner: DOMAIN\richardshared
Group: DOMAIN\Domain Users
DACL:
Allow - DOMAIN\Domain Admins - 0x001f01ff (Full Control) - OI|CI
Allow - DOMAIN\richardshared - 0x001301bf (Modify) - OI|CI
Does anyone know what this could be ?
Greetings .. Richard Smits
Solved! See The Solution
The "wafl.default_nt_user" did the trick. I was reading back this forum and saw this thread. Netapp support did advise me of this setting. Apperantly the linux user does not have the permission to see the "deep" path what is exported.
Explanation :
Setting wafl.default_nt_user will effectively map any user we cannot otherwise map to some specific user. This would include pcuser, but is not limited to pcuser.
Or you can do a manual mapping in the usermap.cfg file, but this works good.
For root mounts to work you have to add "root=<ip>" to your /etc/exports file for that volume. Otherwise all root mounts are treated as nobody-mounts and you won't get access.
Also, the option "cifs.nfs_root_ignore_acl" might help you. If set to yes, "root" users from unix ignore windows ACLs (they are basically treated as windows admins)
-Michael
The "wafl.default_nt_user" did the trick. I was reading back this forum and saw this thread. Netapp support did advise me of this setting. Apperantly the linux user does not have the permission to see the "deep" path what is exported.
Explanation :
Setting wafl.default_nt_user will effectively map any user we cannot otherwise map to some specific user. This would include pcuser, but is not limited to pcuser.
Or you can do a manual mapping in the usermap.cfg file, but this works good.