ONTAP Discussions
I read through the manuals, but it seems I don't quite understand how to properly set up an NFS Storage with no_root_squash and Name Mapping for my Domain Admins to Root.
Goal:
Have NFS Storage that I can mount on my Linux Box. Linux Box is connected with AD. I want to be able to create Folders/Files as root:root and also with my domain users domuser@domain:domgroup@domain. Preferably with NFS4.0 so I can use ACL and set multiple permission Groups on Folders/Files.
The setup is now as follows:
Cluster: 10.0.0.5
Client: 10.0.0.10
SVM: SMB
Volume: nfs_sftp
QTree: qtree_nfs_sftp
vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1
Vserver: SMB
Policy Name: exp_NFS_SFTP
Rule Index: 1
Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: sys
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
volume show -vserver SMB -volume nfs_sftp -fields policy
vserver volume policy
------------- -------- ------------
SMB nfs_sftp exp_NFS_SFTP
nfs show -vserver SMB -instance
Vserver: SMB
General NFS Access: true
NFS v3: enabled
NFS v4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Default Windows User:
NFSv4.0 ACL Support: enabled
NFSv4.0 Read Delegation Support: disabled
NFSv4.0 Write Delegation Support: disabled
NFSv4 ID Mapping Domain: localdomain
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
NFSv4.1 Minor Version Support: disabled
Rquota Enable: disabled
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 ACL Support: disabled
NFS vStorage Support: disabled
NFSv4 Support for Numeric Owner IDs: enabled
Default Windows Group: -
NFSv4.1 Read Delegation Support: disabled
NFSv4.1 Write Delegation Support: disabled
NFS Mount Root Only: enabled
NFS Root Only: disabled
Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
Showmount Enabled: enabled
Set the Protocol Used for Name Services Lookups for Exports: udp
NFSv3 MS-DOS Client Support: disabled
Idle Connection Timeout Value (in seconds): 360
Are Idle NFS Connections Supported: disabled
Hide Snapshot Directory under NFSv3 Mount Point: disabled
Provide Root Path as Showmount State: disabled
vserver name-mapping show -vserver SMB
Vserver: SMB
Direction: win-unix
Position Hostname IP Address/Mask
-------- ---------------- ----------------
1 - - Pattern: Domain\\User1
Replacement: root
My Issue now is:
With NFS4.1 activated and a Standard Domain User set, I'm able to mount and list everything in it, but when I create a Folder its owner is shown as root but rerouted to nobody.
root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
root@ubuntu:/mnt# ls -la
total 12
drwxrwxrwx 3 root root 4096 Aug 6 11:30 .
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ..
drwx------ 3 root root 4096 Aug 6 11:32 testfolder
root@ubuntu:/mnt# getfacl testfolder/
# file: testfolder/
# owner: root
# group: root
user::rwx
group::---
other::---
root@ubuntu:/mnt# setfacl -m g:domaingrp:rwx testfolder/
setfacl: testfolder/: Operation not supported
With NFS4.0 activated I'm not able to mount the Share.
root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp
With NFS3 activated I can mount the share but have no permission to list what's in it. I also created the "exp_NFS_SFTP" file to refer to the Export Policy as suggested in the Manual.
I definitely did not quite understand how to properly configure it, so I'm full of hope that someone can point me in the right direction.
Solved! See The Solution
Here are my results from Windows.
As prof1:
C:\>net use Z: \\demo\home /USER:NTAP\prof1
The command completed successfully.
C:\>net use
New connections will not be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK Z: \\demo\home Microsoft Windows Network
The command completed successfully.
# ls -la | grep prof1dir
d--------- 2 prof1 ProfGroup 4096 Aug 6 12:12 prof1dir
But my v4 ACLs didn't inherit:
# nfs4_getfacl prof1dir/
# file: prof1dir/
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:tcy
So I can't access that folder:
Z:\dir\prof1dir>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713
Directory of Z:\dir\prof1dir
File Not Found
Z:\dir\prof1dir>mkdir testdir
Access is denied.
If I set an inherit ACL flag at the top level:
# nfs4_getfacl /mnt/dir
# file: /mnt/dir
A:fdi:root@NTAP.LOCAL:rwaDxtTnNcCy
A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy
Then files/folders inherit the ACLs:
Z:\dir>mkdir prof1dir
# nfs4_getfacl /mnt/dir/prof1dir
# file: /mnt/dir/prof1dir
A:fd:root@NTAP.LOCAL:rwaDxtTnNcCy
A:dg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy
Z:\dir>echo TEST >> prof1-file.txt
# nfs4_getfacl /mnt/dir/prof1-file.txt
# file: /mnt/dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy
# cat /mnt/dir/prof1-file.txt
TEST
And I can access/write to the folder I created as prof1:
Z:\>cd dir
Z:\dir>cd prof1dir
Z:\dir\prof1dir>echo YAY! > prof1-file.txt
# cd prof1dir/
# ls -la
total 8
d--------- 2 prof1 ProfGroup 4096 Aug 6 13:14 .
d--------- 3 root root 4096 Aug 6 13:05 ..
---------- 1 prof1 ProfGroup 7 Aug 6 13:14 prof1-file.txt
# cat prof1-file.txt
YAY!
# nfs4_getfacl /mnt/dir/prof1dir/prof1-file.txt
# file: /mnt/dir/prof1dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy
As student2, I will be denied access from Windows to that folder, due to the ACLs/group membership:
C:\>net use Z: \\demo\home /USER:NTAP\student2
The password or user name is invalid for \\demo\home.
Enter the password for 'NTAP\student2' to connect to 'demo':
The command completed successfully.
It can't even see the directory named "dir":
C:\>Z:
Z:\>cd dir
The system cannot find the path specified.
Z:\>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713
Directory of Z:\
08/05/2020 12:27 PM <DIR> .
08/05/2020 12:27 PM <DIR> ..
04/24/2020 01:42 PM <DIR> student1
04/24/2020 01:54 PM <DIR> student2
08/06/2020 10:03 AM <DIR> prof1
08/06/2020 10:05 AM <DIR> mtuser
07/21/2020 02:51 PM <DIR> root
07/07/2017 11:09 AM <DIR> ftpuser
05/18/2020 12:32 PM <DIR> git
05/21/2020 01:27 PM 0 rootfile
05/21/2020 01:53 PM 0 rootfile2
07/10/2017 10:09 AM <DIR> ftp
08/05/2020 12:27 PM 4,973,780,992 Win2019-1M.iso
09/15/2017 08:18 PM <DIR> dynamicuid
04/08/2020 10:36 PM <DIR> silly
04/24/2020 02:59 PM <DIR> oracle
06/22/2020 12:51 PM <DIR> flexgroup
3 File(s) 4,973,780,992 bytes
14 Dir(s) 96,919,887,872 bytes free
You enabled NFSv4.0 ACLs, but NFSv4.1 ACLs are still disabled.
From your client, do a "mount" and/or cat /proc/mounts and look for your mount.
Verify it is using NFSv4. It may be using NFSv4.1 which is why you cannot set the ACL
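To check which version the client actually negotiated, as suggested above, read the options column of /proc/mounts (or run nfsstat -m). The POSIX shell snippet below is an added example, not code from this thread: it parses a /proc/mounts-style listing and prints mount point, NFS version and security flavour for each NFS mount. The sample listing is constructed to resemble the mount from this thread; on a real client feed it /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the thread. Parses /proc/mounts-style lines and
# prints "<mountpoint> <nfs version> <sec flavour>" for every NFS mount.
# Real use:  nfs_mount_report < /proc/mounts

nfs_mount_report() {
    # Fields in /proc/mounts: device mountpoint fstype options dump pass.
    awk '$3 == "nfs" || $3 == "nfs4" {
        vers = "unknown"; sec = "unknown"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
            if (opt[i] ~ /^sec=/)  sec  = substr(opt[i], 5)
        }
        print $2, vers, sec
    }'
}

# Version negotiated for one mount point, or "none" if it is not an NFS mount.
nfs_version_of() {   # $1 = mount point, listing on stdin
    v=$(nfs_mount_report | awk -v mp="$1" '$1 == mp { print $2 }')
    printf '%s\n' "${v:-none}"
}

# Constructed sample (hypothetical): the qtree from this thread mounted with a
# plain "mount -t nfs", which negotiates the highest version the server offers;
# with NFSv4.1 enabled on the SVM that is 4.1, not 4.0.
SAMPLE_MOUNTS='10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt nfs4 rw,relatime,vers=4.1,rsize=65536,wsize=65536,hard,proto=tcp,timeo=600,sec=sys,clientaddr=10.0.0.10,addr=10.0.0.5 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_report
# /mnt 4.1 sys
```

If the report shows 4.1 while only NFSv4.0 ACLs are enabled on the SVM, either mount with -o vers=4.0 or enable NFSv4.1 ACL support on the SVM; the ACL tools will not work against the mismatched version.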
root@ubuntu:/# mount -t nfs4 -o nfsvers=4.0 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs4: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp
That's part of the issue. For whatever reason I can't mount with NFS4.0.
I suppose that this Event is related to that issue.
Details
Event:
secd.nfsAuth.noNameMap: vserver (SMB) Cannot map UNIX name to CIFS name. Error: Get user credentials procedure failed [ 0 ms] Determined UNIX id 0 is UNIX user 'root' [ 0] Trying to map 'root' to Windows user 'root' using implicit mapping [ 1] Unable to connect to LSA service on (Error: RESULT_ERROR_GENERAL_FAILURE) [ 1] Successfully connected to ip x.x.x.x, port 445 using TCP [ 12] Successfully authenticated with DC dc.domain [ 15] Could not find Windows name 'root' [ 15] Unable to map 'root'. No default Windows user defined. **[ 15] FAILURE: Name mapping for UNIX user 'root' failed. No mapping found
Message Name:
secd.nfsAuth.noNameMap
Sequence Number:
2194901
Description:
This message occurs when an NFS authorization attempt fails because of a UNIX to Windows name mapping issue.
Action:
Examine the failure details to determine corrective action. Common failures include no appropriate UNIX-to-Windows name mapping rules, no configured default Windows user, or the inability of the system to contact LDAP if LDAP is configured for name mapping.
It has, as seen here, something to do with the proper name mapping. I don't know exactly how to handle it for the local root user on my local Linux Box to be forwarded to allow him to mount the share without forwarding it to a Windows user in my LDAP, as the goal here is to keep root as root.
I meant to paste this on the last post:
NFSv4x ACLs
What is the output from the following:
vol show -fields policy -volume nfs_sftp, <svm_root_vol>
vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp
For mapping the root user to a windows user....you need to pick a user to map to. (maybe domain\administrator ?)
Yes. Whatever domain user/admin you map to, the unix user (root in your case) will use that user when it needs Windows security info.
You should refer to this fantastic Tech Reports:
NFS in NetApp ONTAP Best Practice and Implementation Guide
https://www.netapp.com/us/media/tr-4067.pdf
Justins Blog:
Generally, from a security standpoint, it is not a good idea to use root unless you have lots of logging and sudo everything. I generally do not see that. Elevated users are the way to go (with logging).
@parisi I already changed this to mixed, just to be sure.
vol show -fields policy -volume nfs_sftp
vserver volume policy
------------- -------- ------------
SMB nfs_sftp exp_NFS_SFTP
vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp
vserver volume qtree export-policy
------------- -------- -------------- -------------
SMB nfs_sftp qtree_nfs_sftp exp_NFS_SFTP
You gave me quite a lot to read through now; I need a bit of time for that.
The use case is an SFTP Server linked to my Domain. It manages authentication through Domain Groups and creates Home Directories in a jailed environment, preferably on my mounted NFS share.
Therefore I need to be able to set root permissions on folders, or the SSH Service can't redirect the users connecting through SFTP into their jailed home folders.
Don't use mixed. You'll just confuse yourself further, as the effective security style toggles between NTFS and UNIX depending on who set the last permissions.
Pick either UNIX or NTFS.
To add to what Justin said, if you're using NFS, just use UNIX. It will be a lot easier.
It is set to UNIX by now.
What I'm trying to achieve is:
Folder is set to root:root 700
I want to be able to look into that folder with Domain\DomAdmin1 without changing root:root.
I understood ACL as being able to have root:root and add a second group with "setfacl -m g:DomainAdminGrp:rwx", but that doesn't work (and I'm sure that's because I don't understand it enough). My second approach was to add the name mapping "Win-Unix Domain\DomAdmin1 -> root", but that also does not work.
And are you browsing with CIFS or NFS? NFS won't use AD authentication, but can use LDAP. That said, it would use the UNIX username in your LDAP server.
From my Linux Box I use NFS. That works so far.
I currently use SMB/CIFS with my Windows Explorer and try to access the Folder that way.
My understanding was that, after checking the usual ways, whether I use CIFS or NFS, if nothing is found it checks name mapping as a last resort. There I added my Domain Admin User that I use to enter the folder through Windows Explorer. But it can't open it in the end.
I'd get a case open. I'd want to get our NAS TSEs to look at the logs and figure this out.
Also, so we can improve our documentation, please let us know when you get it working where it is confusing so we can get it corrected.
@TMACMD Thank you, you pointed me in good directions
@paul_stejskal I will add an additional post once I've got it working, about what confused me in the documentation. Mostly it's pretty accurate, but the root_squash part with the examples confused me hard. Afterwards, now that I've got how it works, it's actually pretty easy to understand.
@parisi Thank you. With your help I got it running. The hint with "nfs4_setfacl" was worth it all. I additionally had to figure out how to properly set the permissions, but I got it working using the gids and uids. But in the end it's working.
Now I have a huge Issue and I hope you guys can help me. Yesterday I finally had time to finish the Setup, and when starting some functional tests I encountered the following Issue:
Mounted the NFS on my Linux Box. Everything works as expected. I got my Folder as root:root and could set additional permissions with ACLs.
When I now access the Folder through my Windows Client with SMB and create a file in that folder, it immediately changes the Owner of all Files and Folders to nobody. Is there any way to prevent this behaviour?
Okay, I found the issue and I'm kind of embarrassed now, as it was already mentioned in this Thread.
I set the NFSv4 ID Mapping Domain correctly but forgot to add this Domain entry on my Server to /etc/hosts and /etc/idmapd.conf.
Thanks again to all of you, this Thread is now solved and everything works as expected.
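The fix described in the post above comes down to one value: the client's ID mapper (rpc.idmapd or nfsidmap) only translates user@domain strings whose domain matches the [General] Domain in /etc/idmapd.conf, and everything else is shown as nobody/nogroup. The POSIX shell script below is an added example, not code from this thread. It extracts the Domain from an idmapd.conf-style file and compares it with the SVM's value (the "NFSv4 ID Mapping Domain" line of nfs show, which was still localdomain earlier in the thread; on the cluster it is the v4-id-domain field). The config text is constructed, and ntap.local is taken from the other posts as an assumed domain.

```shell
#!/bin/sh
# Added example, not from the thread: check that the client's NFSv4 ID-mapping
# domain matches the SVM's, because a mismatch makes every owner show up as
# nobody/nogroup on the client.

# Print the Domain value from the [General] section of an idmapd.conf read on
# stdin; prints nothing if it is missing or commented out (the client then
# falls back to its DNS domain name).
idmapd_domain() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s; next }
        section == "General" && /^[ \t]*Domain[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit
        }'
}

# Exact comparison of client and SVM domains; a case difference is reported as
# a mismatch to investigate (an assumption of this example, not a protocol rule).
idmap_domains_match() {   # $1 = client domain, $2 = SVM v4-id-domain
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample idmapd.conf (hypothetical values).
sample_idmapd_conf() {
    cat <<'EOF'
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# Domain = localdomain
Domain = ntap.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
EOF
}

# Real use: client=$(idmapd_domain < /etc/idmapd.conf) and the SVM value from
# "vserver nfs show -vserver <svm> -fields v4-id-domain" on the cluster.
check_idmap() {   # $1 = SVM v4-id-domain
    client=$(sample_idmapd_conf | idmapd_domain)
    if idmap_domains_match "$client" "$1"; then
        echo "OK: client and SVM both use $client"
    else
        echo "MISMATCH: client='$client' svm='$1' (owners will map to nobody)"
    fi
}

check_idmap localdomain   # the SVM default seen earlier in the thread
check_idmap ntap.local
```

After changing either side, clear the client's cached mappings (nfsidmap -c, or restart rpc.idmapd on older clients) before re-checking ls -l, otherwise stale nobody entries persist for a while.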
Not entirely true...I have customers with RHEL (CENTOS) using "sssd" to connect to AD for an Identity Provider:
https://www.linuxtechi.com/integrate-rhel7-centos7-windows-active-directory/
This is possible via NFSv4.x ACLs.
Note that my directory named "dir" has the following permissions seen in ls:
# ls -la | grep dir
d--------- 2 root root 4096 Sep 14 2017 dir
The NFSv4.x ACLs are:
# nfs4_getfacl dir
# file: dir
A::root@NTAP.LOCAL:rwaDxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy
So, only the root user and members of ProfGroup can access the folder.
# id
uid=0(root) gid=0(root) groups=0(root)
# touch /mnt/dir/rootfile
# ls -la /mnt/dir/rootfile
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
Members in ProfGroup are:
Prof1
Administrator
# id administrator
uid=503(admin) gid=1101(group1) groups=1101(group1),10002(ProfGroup)
# id prof1
uid=1102(prof1) gid=10002(ProfGroup) groups=10002(ProfGroup),1101(group1),10000(Domain Users),1202(group2),1220(sharedgroup),1203(group3)
Prof1 can write:
# su prof1
sh-4.2$ cd /mnt/dir
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
sh-4.2$ touch prof1
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
Administrator can write:
# su administrator
sh-4.2$ cd /mnt/dir
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
sh-4.2$ touch adminfile
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:43 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 admin group1 0 Aug 6 11:43 adminfile
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
Student2 is *not* a member of the group. As a result, it gets access denied.
# id student2
uid=1302(student2) gid=1101(group1) groups=1101(group1),10000(Domain Users),1202(group2),1220(sharedgroup),1203(group3)
# su student2
sh-4.2$ id
uid=1302(student2) gid=1101(group1) groups=1101(group1),1202(group2),1203(group3),1220(sharedgroup),10000(Domain Users)
sh-4.2$ cd /mnt/dir
sh: cd: /mnt/dir: Permission denied
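The detail that makes the walkthrough above work is the inheritance flags on each ACE: A:g:GROUP@:tcy carries no f or d flag, so nothing created below the directory inherits it, while A:fdg:ProfGroup@NTAP.LOCAL:... propagates to new files and subdirectories. The POSIX shell helpers below are an added example, not code from this thread. They parse ACEs in the text form nfs4_getfacl prints (type:flags:principal:permissions), flag the ones that will not propagate, and build the ACE string to pass to nfs4_setfacl -a. The ACL lines used as input are copied from the posts above, and the permission masks are used as given there.

```shell
#!/bin/sh
# Added example, not from the thread. Works on the text form nfs4_getfacl
# prints: type:flags:principal:permissions, e.g. A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy
# Flags of interest: f = file inherit, d = directory inherit, i = inherit only,
# g = principal is a group.

ace_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }   # $1 = ACE, $2 = 1..4

# Succeeds when the ACE propagates to new files or subdirectories.
ace_inherits() {
    case "$(ace_field "$1" 2)" in
        *f*|*d*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read nfs4_getfacl output on stdin, print the ACEs that will NOT be inherited.
non_inheriting_aces() {
    grep -v '^#' | while IFS= read -r ace; do
        [ -n "$ace" ] || continue
        ace_inherits "$ace" || printf '%s\n' "$ace"
    done
}

# Build an allow ACE that new files (f) and directories (d) inherit.
# $1 = principal (user@domain or group@domain), $2 = permission mask,
# $3 = "g" when the principal is a group, empty otherwise.
make_inherit_ace() {
    printf 'A:fd%s:%s:%s\n' "$3" "$1" "$2"
}

# Constructed input: the two ACLs shown in the posts above.
prof1dir_acl() {
    printf '%s\n' '# file: prof1dir/' 'A::OWNER@:tcCy' 'A:g:GROUP@:tcy' 'A::EVERYONE@:tcy'
}
top_level_acl() {
    printf '%s\n' '# file: /mnt/dir' 'A:fdi:root@NTAP.LOCAL:rwaDxtTnNcCy' 'A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy'
}

prof1dir_acl | non_inheriting_aces      # prints all three ACEs
top_level_acl | non_inheriting_aces     # prints nothing

# Real use (not executed here): add an inheritable group ACE at the top level;
# entries created below it afterwards, from NFS or SMB, carry it automatically.
#   nfs4_setfacl -a "$(make_inherit_ace ProfGroup@NTAP.LOCAL rwaDxtTnNcCy g)" /mnt/dir
```

Note that inheritance only applies to entries created after the ACE is set; existing subdirectories such as prof1dir above have to be fixed explicitly (nfs4_setfacl -R on the parent, or per directory).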
Your user mapping is wrong.
You have specified only a WIN-UNIX mapping. You need a UNIX-WIN mapping also.
How do I properly map the root user? I can route it to some Domain User. But doesn't that also affect Folder/File creation and replace the owner with that domain user?
**EDIT
First of all, thank you for your assistance. I've been working on this issue for quite a while now and it's driving me crazy.
Adding the Mapping in the other direction worked. I'm not able to connect through NFS4.0, but I'm still not sure how it works and how it affects Folder/File creation.
Also, it seems you have an NTFS security style volume, which is why root is trying to map to a Windows user.
If you don't want that behavior, use UNIX security styles. Otherwise, you can create a Windows user named "root" or map root to a valid Windows user of your choice. Depends on the permissions you want root to have.