ONTAP Discussions

NFS Name Mapping Windows -> Unix root and no_root_squash

Hermes
8,865 Views

I read through the manuals but it seems I dont quite understand how to properly set up an NFS Storage with no_root_squash and Name Mapping for my Domain Admins to Root.


Goal:
Have NFS Storage that I can mount on my Linux Box. Linux Box is connected with AD. I want to be able to create Folders/Files as root:root and also with my domain users domuser@domain:domgroup@domain. Preferably with NFS4.0 so I can use ACL and set multiple permission Groups on Folders/Files.

 

Set Up is now as following
Cluster: 10.0.0.5
Client: 10.0.0.10
SVM: SMB

Volume: nfs_sftp
QTree: qtree_nfs_sftp

 

 

vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1


                                    Vserver: SMB
                                Policy Name: exp_NFS_SFTP
                                 Rule Index: 1
                            Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
                             RO Access Rule: any
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: sys
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

 

 

 

volume show -vserver SMB -volume nfs_sftp -fields policy

vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 

 

 

 

nfs show -vserver SMB -instance


                                        Vserver: SMB
                             General NFS Access: true
                                         NFS v3: enabled
                                       NFS v4.0: enabled
                                   UDP Protocol: enabled
                                   TCP Protocol: enabled
                           Default Windows User: 
                            NFSv4.0 ACL Support: enabled
                NFSv4.0 Read Delegation Support: disabled
               NFSv4.0 Write Delegation Support: disabled
                        NFSv4 ID Mapping Domain: localdomain
            NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
                  NFSv4.1 Minor Version Support: disabled
                                  Rquota Enable: disabled
                   NFSv4.1 Parallel NFS Support: enabled
                            NFSv4.1 ACL Support: disabled
                           NFS vStorage Support: disabled
            NFSv4 Support for Numeric Owner IDs: enabled
                          Default Windows Group: -
                NFSv4.1 Read Delegation Support: disabled
               NFSv4.1 Write Delegation Support: disabled
                            NFS Mount Root Only: enabled
                                  NFS Root Only: disabled
            Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
                              Showmount Enabled: enabled
Set the Protocol Used for Name Services Lookups for Exports: udp
                    NFSv3 MS-DOS Client Support: disabled
     Idle Connection Timeout Value (in seconds): 360
             Are Idle NFS Connections Supported: disabled
Hide Snapshot Directory under NFSv3 Mount Point: disabled
           Provide Root Path as Showmount State: disabled

 

 

 

vserver name-mapping show -vserver SMB 

Vserver:   SMB
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: Domain\\User1
                                          Replacement: root

 

 

My Issue now is:

With NFS4.1 activated and a Standard Domain User set im able to mount and list everything in it but when I create a Folder its owner is shown as root but reroutet to nobody.

 

root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt

root@ubuntu:/mnt# ls -la
total 12
drwxrwxrwx  3 root root 4096 Aug  6 11:30 .
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ..
drwx------  3 root root 4096 Aug  6 11:32 testfolder

root@ubuntu:/mnt# getfacl testfolder/
# file: testfolder/
# owner: root
# group: root
user::rwx
group::---
other::---

root@ubuntu:/mnt# setfacl -m g:domaingrp:rwx testfolder/
setfacl: testfolder/: Operation not supported

 

With NFS4.0 activated im not able to mount the Share.

 

root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp

 

With NFS3 activated I can mount the share but have no permission to list whats in it, I also created the "exp_NFS_SFTP" file to refer to the Export Policy as suggested in the Manual.

 

 

I def did not quite understand how to properly configure it so Im full of hope someone can point me in the right directions.

1 ACCEPTED SOLUTION

parisi
6,671 Views

Here are my results from Windows.

 

As prof1:

 

C:\>net use Z: \\demo\home /USER:NTAP\prof1
The command completed successfully.


C:\>net use
New connections will not be remembered.


Status Local Remote Network

-------------------------------------------------------------------------------
OK Z: \\demo\home Microsoft Windows Network
The command completed successfully.



# ls -la | grep prof1dir
d--------- 2 prof1 ProfGroup 4096 Aug 6 12:12 prof1dir

 

But my v4 ACLs didn't inherit:

 

# nfs4_getfacl prof1dir/

# file: prof1dir/
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:tcy

 

So I can't access that folder:

 

Z:\dir\prof1dir>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\dir\prof1dir

File Not Found

Z:\dir\prof1dir>mkdir testdir
Access is denied.

 

If I set an inherit ACL flag at the top level:

 

# nfs4_getfacl /mnt/dir

# file: /mnt/dir
A:fdi:root@NTAP.LOCAL:rwaDxtTnNcCy
A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy

Then files/folders inherit the ACLs:

 

Z:\dir>mkdir prof1dir


# nfs4_getfacl /mnt/dir/prof1dir

# file: /mnt/dir/prof1dir
A:fd:root@NTAP.LOCAL:rwaDxtTnNcCy
A:dg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy


Z:\dir>echo TEST >> prof1-file.txt


# nfs4_getfacl /mnt/dir/prof1-file.txt

# file: /mnt/dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy
# cat /mnt/dir/prof1-file.txt
TEST

 

And I can access/write to the folder I created as prof1:

Z:\>cd dir

Z:\dir>cd prof1dir

Z:\dir\prof1dir>echo YAY! > prof1-file.txt


# cd prof1dir/
# ls -la
total 8
d--------- 2 prof1 ProfGroup 4096 Aug 6 13:14 .
d--------- 3 root root 4096 Aug 6 13:05 ..
---------- 1 prof1 ProfGroup 7 Aug 6 13:14 prof1-file.txt


# cat prof1-file.txt
YAY!


# nfs4_getfacl /mnt/dir/prof1dir/prof1-file.txt

# file: /mnt/dir/prof1dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy

 

As student2, I will be denied access from Windows to that folder, due to the ACLs/group membership:

 

C:\>net use Z: \\demo\home /USER:NTAP\student2
The password or user name is invalid for \\demo\home.

Enter the password for 'NTAP\student2' to connect to 'demo':
The command completed successfully.

 

It can't even see the directory named "dir":

 

C:\>Z:

Z:\>cd dir
The system cannot find the path specified.



Z:\>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\

08/05/2020 12:27 PM <DIR> .
08/05/2020 12:27 PM <DIR> ..
04/24/2020 01:42 PM <DIR> student1
04/24/2020 01:54 PM <DIR> student2
08/06/2020 10:03 AM <DIR> prof1
08/06/2020 10:05 AM <DIR> mtuser
07/21/2020 02:51 PM <DIR> root
07/07/2017 11:09 AM <DIR> ftpuser
05/18/2020 12:32 PM <DIR> git
05/21/2020 01:27 PM 0 rootfile
05/21/2020 01:53 PM 0 rootfile2
07/10/2017 10:09 AM <DIR> ftp
08/05/2020 12:27 PM 4,973,780,992 Win2019-1M.iso
09/15/2017 08:18 PM <DIR> dynamicuid
04/08/2020 10:36 PM <DIR> silly
04/24/2020 02:59 PM <DIR> oracle
06/22/2020 12:51 PM <DIR> flexgroup
3 File(s) 4,973,780,992 bytes
14 Dir(s) 96,919,887,872 bytes free

 

View solution in original post

28 REPLIES 28

TMACMD
8,024 Views

You enabled NFSv4.0 ACLs, but NFSv4.1 ACLs are still disabled.

 

From your client, do a "mount" and/or cat /proc/mounts and look for your mount.

Verify it is using NFSv4. It may be using NFSv4.1 which is why you cannot set the ACL

Hermes
8,017 Views
root@ubuntu:/# mount -t nfs4 -o nfsvers=4.0 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs4: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp

thats part of the issue. for whatever reason I cant mount with nfs4.0

 

I suppose that Event is related to that issue

Details
Event:
secd.nfsAuth.noNameMap: vserver (SMB) Cannot map UNIX name to CIFS name. Error: Get user credentials procedure failed [ 0 ms] Determined UNIX id 0 is UNIX user 'root' [ 0] Trying to map 'root' to Windows user 'root' using implicit mapping [ 1] Unable to connect to LSA service on (Error: RESULT_ERROR_GENERAL_FAILURE) [ 1] Successfully connected to ip x.x.x.x, port 445 using TCP [ 12] Successfully authenticated with DC dc.domain [ 15] Could not find Windows name 'root' [ 15] Unable to map 'root'. No default Windows user defined. **[ 15] FAILURE: Name mapping for UNIX user 'root' failed. No mapping found
Message Name:
secd.nfsAuth.noNameMap
Sequence Number:
2194901
Description:
This message occurs when an NFS authorization attempt fails because of a UNIX to Windows name mapping issue.
Action:
Examine the failure details to determine corrective action. Common failures include no appropriate UNIX-to-Windows name mapping rules, no configured default Windows user, or the inability of the system to contact LDAP if LDAP is configured for name mapping.

It has, as seen here, something to do with the propper name mapping. I dont know exactly how to handle it for the local root user on my local Linux Box to be forwarded to allow him to mount the share without forwarding it to a windows user in my ldap as the goal here is to keep root as root.

TMACMD
8,016 Views

TMACMD
7,978 Views

What is the output from the following:

 

vol show -fields policy -volume nfs_sftp, <svm_root_vol>

vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp

 

For mapping the root user to a windows user....you need to pick a user to map to. (maybe domain\administrator ?)

Yes. Whatever domain user/admin you map to, the unix user (root in your case) will use that user when it needs Windows security info. 

 

You should refer to this fantastic Tech Reports:

NFS in NetApp ONTAP Best Practice and Implementation Guide

https://www.netapp.com/us/media/tr-4067.pdf

 

Justins Blog:

Generally, from a security standpoint, not a good idea to use root unless you have lots of logging and sudo everything. I gernerally do not see that. Elevated users are the way to go (with logging)

Hermes
7,973 Views

@parisi I alrdy changed this to mixed, just to be sure.

 

@TMACMD 

vol show -fields policy -volume nfs_sftp 
vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 
vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp
vserver       volume   qtree          export-policy 
------------- -------- -------------- ------------- 
SMB           nfs_sftp qtree_nfs_sftp exp_NFS_SFTP 

 

You gave me quite some stuff to read through now, I need a bit for that

 

The usecase is an SFTP Server linked to my Domain. It manages authentication through Domain Groups and creates Home Directorys in a jailed environment - preferably on my mounted NFS share.

Therefore I need to be able to set root permissions on folders or the SSH Service cant redirect the users connecting through sftp in their jailed home folders.

parisi
7,970 Views

Don't use mixed. You'll just confuse yourself further, as the effective security style toggles between NTFS and UNIX depending on who set the last permissions.

 

Pick either UNIX or NTFS.

paul_stejskal
6,008 Views

To add to what Justin said, if you're using NFS, just use UNIX. It will be a lot easier.

 

Hermes
6,005 Views

It is set to UNIX by now.

 

Waht im trying to achieve is:

Folder is set to root:root 700

I want to be able to look into that folder with Domain\DomAdmin1 to without changing root:root

 

I understood ACL as being able to have root:root and add a second group with "setfacl -m g:DomainAdminGrp:rwx" but that doesnt work (and Im sure because I dont understand it enough). My second approach was to add name mapping "Win-Unix Domain\DomAdmin1 -> root" but that also does not work.

 

 

paul_stejskal
5,103 Views

And are you browsing with CIFS or NFS? NFS won't use AD authentication, but can use LDAP. That said, it would use the UNIX username in your LDAP server.

Hermes
5,099 Views

From my Linux Box I use NFS. That works so far.

 

I currently use SMB/CIFS with my Windows Explorer and try to access the Folder that way.

My Understanding was that after checking the usual ways, however I use CIFS or NFS, if nothing is found it checks name mapping as last straw. There i added my Domain Admin User I use to enter the folder through Windows Explorer. But it cant open it at the end.

paul_stejskal
5,078 Views

I'd get a case open. I'd want to get our NAS TSEs to look at the logs and figure this out.

 

Also, so we can improve our documentation, please let us know when you get it working where it is confusing so we can get it corrected.

 

parisi
6,672 Views

Here are my results from Windows.

 

As prof1:

 

C:\>net use Z: \\demo\home /USER:NTAP\prof1
The command completed successfully.


C:\>net use
New connections will not be remembered.


Status Local Remote Network

-------------------------------------------------------------------------------
OK Z: \\demo\home Microsoft Windows Network
The command completed successfully.



# ls -la | grep prof1dir
d--------- 2 prof1 ProfGroup 4096 Aug 6 12:12 prof1dir

 

But my v4 ACLs didn't inherit:

 

# nfs4_getfacl prof1dir/

# file: prof1dir/
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:tcy

 

So I can't access that folder:

 

Z:\dir\prof1dir>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\dir\prof1dir

File Not Found

Z:\dir\prof1dir>mkdir testdir
Access is denied.

 

If I set an inherit ACL flag at the top level:

 

# nfs4_getfacl /mnt/dir

# file: /mnt/dir
A:fdi:root@NTAP.LOCAL:rwaDxtTnNcCy
A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy

Then files/folders inherit the ACLs:

 

Z:\dir>mkdir prof1dir


# nfs4_getfacl /mnt/dir/prof1dir

# file: /mnt/dir/prof1dir
A:fd:root@NTAP.LOCAL:rwaDxtTnNcCy
A:dg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy


Z:\dir>echo TEST >> prof1-file.txt


# nfs4_getfacl /mnt/dir/prof1-file.txt

# file: /mnt/dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy
# cat /mnt/dir/prof1-file.txt
TEST

 

And I can access/write to the folder I created as prof1:

Z:\>cd dir

Z:\dir>cd prof1dir

Z:\dir\prof1dir>echo YAY! > prof1-file.txt


# cd prof1dir/
# ls -la
total 8
d--------- 2 prof1 ProfGroup 4096 Aug 6 13:14 .
d--------- 3 root root 4096 Aug 6 13:05 ..
---------- 1 prof1 ProfGroup 7 Aug 6 13:14 prof1-file.txt


# cat prof1-file.txt
YAY!


# nfs4_getfacl /mnt/dir/prof1dir/prof1-file.txt

# file: /mnt/dir/prof1dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy

 

As student2, I will be denied access from Windows to that folder, due to the ACLs/group membership:

 

C:\>net use Z: \\demo\home /USER:NTAP\student2
The password or user name is invalid for \\demo\home.

Enter the password for 'NTAP\student2' to connect to 'demo':
The command completed successfully.

 

It can't even see the directory named "dir":

 

C:\>Z:

Z:\>cd dir
The system cannot find the path specified.



Z:\>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\

08/05/2020 12:27 PM <DIR> .
08/05/2020 12:27 PM <DIR> ..
04/24/2020 01:42 PM <DIR> student1
04/24/2020 01:54 PM <DIR> student2
08/06/2020 10:03 AM <DIR> prof1
08/06/2020 10:05 AM <DIR> mtuser
07/21/2020 02:51 PM <DIR> root
07/07/2017 11:09 AM <DIR> ftpuser
05/18/2020 12:32 PM <DIR> git
05/21/2020 01:27 PM 0 rootfile
05/21/2020 01:53 PM 0 rootfile2
07/10/2017 10:09 AM <DIR> ftp
08/05/2020 12:27 PM 4,973,780,992 Win2019-1M.iso
09/15/2017 08:18 PM <DIR> dynamicuid
04/08/2020 10:36 PM <DIR> silly
04/24/2020 02:59 PM <DIR> oracle
06/22/2020 12:51 PM <DIR> flexgroup
3 File(s) 4,973,780,992 bytes
14 Dir(s) 96,919,887,872 bytes free

 

Hermes
4,799 Views

@TMACMD Thank you, you pointed me in good directions

@paul_stejskal I will add an additional post once I got it working what confused my in the documentation. Mostly its pretty accurate but the root_squash part with the examples confused me hard. Afterwards, now where I got how it works, Its actually pretty easy understandable.

@parisi Thank you. With your help I got it running. The hint with the "nfs4_setfacl" was worth it all. I additionally had to figure out how to properly set the permissions but I got it working with using the gids and uids. But at the end its working.

 

Now I have a huge Issue and I hope you guys can help me. Yesterday I had finally time to finish the SetUp and when starting some functional tests I encountered following Issue:

 

Mounted the NFS on my Linux Box. Everything works as expected. I got my Folder as root:root and could set additional permissions with ACLs.

 

When I now access the Folder through my Windows Client with smb and create a file in that folder it immediately changes the Owner of all Files and Folders to nobody. Is there any way to prevent this behaviour?

Hermes
4,771 Views

Okay I found the issue and Im kinda embarrased now as it was alrdy mentioned in this Thread.

 

I set NFSv4 ID Mapping Domain correctly but forgot to add this DOmain entry on my Server to the /etc/hosts and /etc/idmapd.conf

 

Thanks again to all of you, this Thread is now solved and everything works as expected.

parisi
5,099 Views

This is possible via NFSv4.x ACLs.

 

Note that my directory named "dir" has the following permissions seen in ls:

 

# ls -la | grep dir
d--------- 2 root root 4096 Sep 14 2017 dir

 

The NFSv4.x ACLs are:

 

# nfs4_getfacl dir

# file: dir
A::root@NTAP.LOCAL:rwaDxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy

 

So, only the root user and members of ProfGroup can access the folder.

 

# id
uid=0(root) gid=0(root) groups=0(root)
# touch /mnt/dir/rootfile
# ls -la /mnt/dir/rootfile
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile

 

Members in ProfGroup are:

 

Prof1
Administrator

 

# id administrator
uid=503(admin) gid=1101(group1) groups=1101(group1),10002(ProfGroup)
# id prof1
uid=1102(prof1) gid=10002(ProfGroup) groups=10002(ProfGroup),1101(group1),10000(Domain Users),1202(group2),1220(sharedgroup),1203(group3)

 

Prof1 can write:

 

# su prof1
sh-4.2$ cd /mnt/dir
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
sh-4.2$ touch prof1
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile

 

Administrator can write:

 

# su administrator
sh-4.2$ cd /mnt/dir
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:39 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile
sh-4.2$ touch adminfile
sh-4.2$ ls -la
total 8
d--------- 2 root root 4096 Aug 6 11:43 .
drwxrwxrwx 17 root root 4096 Aug 5 12:27 ..
-rw-r--r-- 1 admin group1 0 Aug 6 11:43 adminfile
-rw-r--r-- 1 prof1 ProfGroup 0 Aug 6 11:39 prof1
-rw-r--r-- 1 root root 0 Aug 6 11:39 rootfile

 

Student2 is *not* a member of the group. As a result, it gets access denied.

 

# id student2
uid=1302(student2) gid=1101(group1) groups=1101(group1),10000(Domain Users),1202(group2),1220(sharedgroup),1203(group3)
# su student2
sh-4.2$ id
uid=1302(student2) gid=1101(group1) groups=1101(group1),1202(group2),1203(group3),1220(sharedgroup),10000(Domain Users)
sh-4.2$ cd /mnt/dir
sh: cd: /mnt/dir: Permission denied

TMACMD
8,011 Views

Your user mapping is wrong.

You have specified only a WIN-UNIX mapping. You need a UNIX-WIN mapping also.

Hermes
8,009 Views

how do I propperly map the root user? I can route it to some Domain User. But doesnt that affect also Folder/File creation and replaces the owner with that domain user?

 

**EDIT

First of all, thank you for your assistance. I'm working on this issue now for quite a while and its driving me crazy.

Adding the Mapping in the other direction worked. Im not able to connect through NFS4.0 but I'm still not sure how it works and how it affects Folder/File creation.

parisi
7,998 Views

Root squash is covered in TR-4067 on page 117.

 

https://www.netapp.com/us/media/tr-4067.pdf

parisi
7,996 Views

Also, it seems you have an NTFS security style volume, which is why root is trying to map to a Windows user.

 

If you don't want that behavior, use UNIX security styles. Otherwise, you can create a Windows user named "root" or map root to a valid Windows user of your choice. Depends on the permissions you want root to have.

Public