After deploying the environment per "How to configure LDAP in ONTAP TR-4835"
Environment
1. Windows Server 2019 with LDAP services
2. CentOS7 client that uses sssd and realm to join the AD domain, using the two methods according to the TR, shown below
[root@centos7 ~]# id u01
uid=2000(u01) gid=3000(Domain Users) groups=3000(Domain Users)
[root@centos7 ~]# id u01@gtish.loc
uid=1596602150(u01@GTISH.LOC) gid=1596600513(domain users@GTISH.LOC) groups=1596600513(domain users@GTISH.LOC),1596602153(all test users@GTISH.LOC)
3. From the ONTAP SVM, the name services query returns correct results, shown below
::*> getxxbyyy getpwbyname -node FAS2750-01 -vserver SVM_LDAP -show-source true -use-cache false -username u01
(vserver services name-service getxxbyyy getpwbyname)
Source used for lookup: LDAP
pw_name: u01
pw_passwd:
pw_uid: 2000
pw_gid: 3000
pw_gecos:
pw_dir:
pw_shell: /bin/bash
Problem
The LDAP user u01@gtish.loc cannot access the directory in the ONTAP NFS volume with an NFSv4 ACL, shown below
[u01@GTISH.LOC@centos7 ldap]$ nfs4_getfacl root
# file: root
A::OWNER@:rwaDxtTnNcCy
A::u01@gtish.loc:rwaDxtTnNcCy
[u01@GTISH.LOC@djwcentos7 ldap]$ cd root/
bash: cd: root/: access denied
Is anything set wrong?