ONTAP Discussions
We have configured a volume on a dedicated SVM and are making this accessible via CIFS and NFS.
The CIFS access is working as we'd expect but we are having issues with the NFS access from a RedHat Enterprise Linux server (RHEL 7.9).
Users are logging into the RHEL server using Active Directory credentials and can successfully mount / access the files in the volume but ONLY when we add EVERYONE to the ACL.
When we try and create a file from the Linux server (using touch) we get "Permission denied".
We have configured LDAP on the SVM and believe it to be functional but name resolution does not seem to be working correctly.
AD Forest Functional Level and Domain Func Level are 2016.
Clustered OnTAP version is 9.9.1.
Anyone able to assist with best steps to troubleshoot this?
I will attach a file showing steps taken so far and relevant output / configuration.
When NFSv3 comes into ONTAP, it sends its numeric ID. In UNIX security style volumes, this doesn't present any problem - we just use the numeric ID to determine permissions.
In your case, you sound like you have NTFS security style volumes. When the numeric ID comes into ONTAP, ONTAP tries to translate the numeric ID (say, 1234) into a UNIX user name. This is because NTFS permissions have Windows usernames associated with them and ONTAP needs a UNIX user name to start the name mapping process to determine proper access.
Because this works when you add "Everyone" to the NTFS ACL, that means the user attempting access to the mount is mapping as a user that doesn't have Windows permissions to the volume.
TR-4887 covers some troubleshooting steps for multiprotocol, but I'd suggest the following:
::> set advanced
::*> access-check authentication show-creds -node node1 -vserver SVMname -uid 1234 -list-name true -list-id true
From your NFS troubleshooting output, I see a few potential issues:
Thank you very much for the detailed response and information. It will take me a day or so to work through everything you've provided but I wanted to acknowledge the time you have taken to respond, which is appreciated.
I will update again once I have made progress.
Were you able to test the action plan provided by Parisi? @Oneplus7