ONTAP Discussions

NFS Name Mapping Windows -> Unix root and no_root_squash

I read through the manuals, but it seems I don't quite understand how to properly set up an NFS Storage with no_root_squash and Name Mapping for my Domain Admins to Root.


Goal:
Have NFS Storage that I can mount on my Linux Box. Linux Box is connected with AD. I want to be able to create Folders/Files as root:root and also with my domain users domuser@domain:domgroup@domain. Preferably with NFS4.0 so I can use ACL and set multiple permission Groups on Folders/Files.


Setup is now as follows:
Cluster: 10.0.0.5
Client: 10.0.0.10
SVM: SMB

Volume: nfs_sftp
QTree: qtree_nfs_sftp


vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1


                                    Vserver: SMB
                                Policy Name: exp_NFS_SFTP
                                 Rule Index: 1
                            Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
                             RO Access Rule: any
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: sys
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true


volume show -vserver SMB -volume nfs_sftp -fields policy

vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 


nfs show -vserver SMB -instance


                                        Vserver: SMB
                             General NFS Access: true
                                         NFS v3: enabled
                                       NFS v4.0: enabled
                                   UDP Protocol: enabled
                                   TCP Protocol: enabled
                           Default Windows User: 
                            NFSv4.0 ACL Support: enabled
                NFSv4.0 Read Delegation Support: disabled
               NFSv4.0 Write Delegation Support: disabled
                        NFSv4 ID Mapping Domain: localdomain
            NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
                  NFSv4.1 Minor Version Support: disabled
                                  Rquota Enable: disabled
                   NFSv4.1 Parallel NFS Support: enabled
                            NFSv4.1 ACL Support: disabled
                           NFS vStorage Support: disabled
            NFSv4 Support for Numeric Owner IDs: enabled
                          Default Windows Group: -
                NFSv4.1 Read Delegation Support: disabled
               NFSv4.1 Write Delegation Support: disabled
                            NFS Mount Root Only: enabled
                                  NFS Root Only: disabled
            Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
                              Showmount Enabled: enabled
Set the Protocol Used for Name Services Lookups for Exports: udp
                    NFSv3 MS-DOS Client Support: disabled
     Idle Connection Timeout Value (in seconds): 360
             Are Idle NFS Connections Supported: disabled
Hide Snapshot Directory under NFSv3 Mount Point: disabled
           Provide Root Path as Showmount State: disabled


vserver name-mapping show -vserver SMB 

Vserver:   SMB
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: Domain\\User1
                                          Replacement: root


My Issue now is:

With NFS4.1 activated and a Standard Domain User set, I'm able to mount and list everything in it, but when I create a Folder its owner is shown as root but rerouted to nobody.


root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt

root@ubuntu:/mnt# ls -la
total 12
drwxrwxrwx  3 root root 4096 Aug  6 11:30 .
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ..
drwx------  3 root root 4096 Aug  6 11:32 testfolder

root@ubuntu:/mnt# getfacl testfolder/
# file: testfolder/
# owner: root
# group: root
user::rwx
group::---
other::---

root@ubuntu:/mnt# setfacl -m g:domaingrp:rwx testfolder/
setfacl: testfolder/: Operation not supported


With NFS4.0 activated I'm not able to mount the Share.


root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp


With NFS3 activated I can mount the share but have no permission to list what's in it. I also created the "exp_NFS_SFTP" file to refer to the Export Policy, as suggested in the Manual.


I definitely did not quite understand how to properly configure it, so I'm full of hope someone can point me in the right direction.

28 REPLIES

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

You enabled NFSv4.0 ACLs, but NFSv4.1 ACLs are still disabled.


From your client, do a "mount" and/or cat /proc/mounts and look for your mount.

Verify it is using NFSv4. It may be using NFSv4.1, which is why you cannot set the ACL.
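The check this reply asks for, as an added Python example (not code from the thread or from NetApp): it parses /proc/mounts lines, reports the negotiated `vers=` and `sec=` for a given mount point, and says whether NFSv4 ACL operations should be expected to work given which NFSv4 minor versions have ACL support enabled on the server (taken from the `nfs show -instance` output above: v4.0 ACLs enabled, v4.1 ACLs disabled). The /proc/mounts content is constructed for the example.

```python
import re

# Constructed /proc/mounts content for this example (not captured from the
# thread's hosts). The two NFS lines use the option layout the Linux client
# writes; the last mount point contains a space, escaped by the kernel as \040.
SAMPLE_PROC_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.10,local_lock=none,addr=10.0.0.5 0 0
10.0.0.5:/nfs_sftp /mnt/legacy\\040share nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.0.0.5,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=10.0.0.5 0 0
"""


def _decode(field):
    """Undo the \\ooo octal escapes the kernel uses for spaces, tabs, etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Parse /proc/mounts text into dicts with source, mountpoint, fstype and
    a dict of mount options (flag options map to True, key=value to value)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        options = {}
        for opt in parts[3].split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        entries.append({
            "source": _decode(parts[0]),
            "mountpoint": _decode(parts[1]),
            "fstype": parts[2],
            "options": options,
        })
    return entries


def nfs_mount_check(text, mountpoint, server_v4_acl):
    """Report the negotiated NFS version and security flavor of one NFS mount.

    server_v4_acl maps an NFSv4 minor version string ('4.0', '4.1') to whether
    the server has ACL support enabled for it, as read from `nfs show -instance`.
    Returns None when the path is not mounted over NFS."""
    for entry in parse_proc_mounts(text):
        if entry["mountpoint"] != mountpoint or entry["fstype"] not in ("nfs", "nfs4"):
            continue
        vers = entry["options"].get("vers")
        # NFSv4 ACLs only make sense on an NFSv4.x mount whose minor version
        # has ACL support turned on server-side; NFSv3 mounts never qualify.
        acl_expected = vers is not None and vers.startswith("4") and server_v4_acl.get(vers, False)
        return {
            "source": entry["source"],
            "vers": vers,
            "sec": entry["options"].get("sec"),
            "nfsv4_acl_expected": acl_expected,
        }
    return None


if __name__ == "__main__":
    # Server-side ACL settings as shown in the thread's `nfs show` output.
    server_acl = {"4.0": True, "4.1": False}
    for path in ("/mnt", "/mnt/legacy share", "/sys"):
        print(path, "->", nfs_mount_check(SAMPLE_PROC_MOUNTS, path, server_acl))
```

On a real client, replace `SAMPLE_PROC_MOUNTS` with `open("/proc/mounts").read()`; a mount negotiated at `vers=4.1` against a server with NFSv4.1 ACL support disabled is exactly the combination in which `setfacl` fails with "Operation not supported".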

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

root@ubuntu:/# mount -t nfs4 -o nfsvers=4.0 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs4: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp

That's part of the issue. For whatever reason I can't mount with NFS4.0.


I suppose that Event is related to that issue.

Details
Event:
secd.nfsAuth.noNameMap: vserver (SMB) Cannot map UNIX name to CIFS name. Error: Get user credentials procedure failed [ 0 ms] Determined UNIX id 0 is UNIX user 'root' [ 0] Trying to map 'root' to Windows user 'root' using implicit mapping [ 1] Unable to connect to LSA service on (Error: RESULT_ERROR_GENERAL_FAILURE) [ 1] Successfully connected to ip x.x.x.x, port 445 using TCP [ 12] Successfully authenticated with DC dc.domain [ 15] Could not find Windows name 'root' [ 15] Unable to map 'root'. No default Windows user defined. **[ 15] FAILURE: Name mapping for UNIX user 'root' failed. No mapping found
Message Name:
secd.nfsAuth.noNameMap
Sequence Number:
2194901
Description:
This message occurs when an NFS authorization attempt fails because of a UNIX to Windows name mapping issue.
Action:
Examine the failure details to determine corrective action. Common failures include no appropriate UNIX-to-Windows name mapping rules, no configured default Windows user, or the inability of the system to contact LDAP if LDAP is configured for name mapping.

It has, as seen here, something to do with the proper name mapping. I don't know exactly how to handle it for the local root user on my local Linux Box to be forwarded so that he is allowed to mount the share, without forwarding it to a Windows user in my LDAP, as the goal here is to keep root as root.

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

Your user mapping is wrong.

You have specified only a WIN-UNIX mapping. You need a UNIX-WIN mapping also.
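To make the two directions concrete, here is an added Python model (not ONTAP's code and not from this thread) that walks through the steps the `secd.nfsAuth.noNameMap` event above lists: explicit rule, implicit same-name lookup, default Windows user, then failure. It is a simplification by assumption: explicit rules are applied as regular expressions in position order with the same escaped `Domain\\User` notation the CLI shows, Windows names are matched case-insensitively, and the domain `NTAP` with its accounts is constructed for the example.

```python
import re


class NameMapper:
    """Toy evaluator for ONTAP-style name mapping in both directions.

    Assumption: only explicit rules, an implicit same-name lookup against a
    constructed account list, and a default Windows user are modelled."""

    def __init__(self, domain_users, default_windows_user=None):
        self.rules = {"win-unix": [], "unix-win": []}
        # Windows names are case-insensitive: index them by lowercase form.
        self.domain_users = {u.lower(): u for u in domain_users}
        self.default_windows_user = default_windows_user

    def add_rule(self, direction, position, pattern, replacement):
        """pattern/replacement follow the CLI form, e.g. r'NTAP\\User1' -> 'root'."""
        if direction not in self.rules:
            raise ValueError(f"unknown direction {direction!r}")
        self.rules[direction].append((position, pattern, replacement))

    def _explicit(self, direction, name):
        """First rule (by position) whose pattern matches the whole name."""
        flags = re.IGNORECASE if direction == "win-unix" else 0
        for _, pattern, replacement in sorted(self.rules[direction]):
            match = re.fullmatch(pattern, name, flags)
            if match:
                return match.expand(replacement)  # supports \1 back-references
        return None

    def win_to_unix(self, windows_name):
        """Windows -> UNIX: only explicit rules are modelled here."""
        return self._explicit("win-unix", windows_name)

    def unix_to_win(self, unix_name):
        """UNIX -> Windows, returning (mapped_name_or_None, list_of_steps)
        in the order the secd event message reports them."""
        steps = []
        mapped = self._explicit("unix-win", unix_name)
        if mapped is not None:
            steps.append(f"explicit rule mapped '{unix_name}' to '{mapped}'")
            return mapped, steps
        steps.append(f"no explicit unix-win rule for '{unix_name}', trying implicit mapping")
        # Implicit mapping: a domain account whose short name equals the UNIX name.
        for lowered, original in self.domain_users.items():
            if lowered.split("\\")[-1] == unix_name.lower():
                steps.append(f"implicit mapping found Windows user '{original}'")
                return original, steps
        steps.append(f"could not find Windows name '{unix_name}'")
        if self.default_windows_user:
            steps.append(f"using default Windows user '{self.default_windows_user}'")
            return self.default_windows_user, steps
        steps.append(f"FAILURE: name mapping for UNIX user '{unix_name}' failed, no mapping found")
        return None, steps


def build_thread_scenario():
    """Constructed reproduction of the original poster's situation: a win-unix
    rule exists, but nothing maps root back to a Windows identity."""
    mapper = NameMapper(["NTAP\\administrator", "NTAP\\User1"])
    mapper.add_rule("win-unix", 1, r"NTAP\\User1", "root")
    return mapper


if __name__ == "__main__":
    mapper = build_thread_scenario()
    print("win-unix NTAP\\user1 ->", mapper.win_to_unix("NTAP\\user1"))
    print("unix-win root ->", mapper.unix_to_win("root"))
    mapper.add_rule("unix-win", 1, "root", r"NTAP\\administrator")
    print("after adding unix-win rule ->", mapper.unix_to_win("root"))
```

Running it shows the asymmetry the reply points out: the win-unix rule resolves `NTAP\user1` to `root`, but `unix_to_win("root")` ends in the same "no mapping found" failure as the event, until a unix-win rule for `root` is added.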

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

How do I properly map the root user? I can route it to some Domain User. But doesn't that also affect Folder/File creation and replace the owner with that domain user?


**EDIT

First of all, thank you for your assistance. I'm working on this issue now for quite a while and it's driving me crazy.

Adding the Mapping in the other direction worked. I'm not able to connect through NFS4.0, but I'm still not sure how it works and how it affects Folder/File creation.

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

Root squash is covered in TR-4067 on page 117.


https://www.netapp.com/us/media/tr-4067.pdf

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

Also, it seems you have an NTFS security style volume, which is why root is trying to map to a Windows user.


If you don't want that behavior, use UNIX security styles. Otherwise, you can create a Windows user named "root" or map root to a valid Windows user of your choice. Depends on the permissions you want root to have.

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

I know. I studied that part multiple times. Tbh it's quite poorly described how that feature works. As I understood, you create the export policy and link to that export policy by creating a file in the root of the directory with the name the policy has.


vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1    

                                    Vserver: SMB
                                Policy Name: exp_NFS_SFTP
                                 Rule Index: 1
                            Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
                             RO Access Rule: sys
                             RW Access Rule: sys
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: any
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true


root@ubuntu:/mnt# ll
total 16
drwxr-xr-x  4 root root 4096 Aug  6 13:53 ./
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ../
drwx------  3 root root 4096 Aug  6 13:04 SFTPdata/
-rwxrwxrwx  1 root root    0 Aug  6 11:37 exp_NFS_SFTP* << The File
drwxr-xr-x  2 root root 4096 Aug  6 13:53 testfolder/


Re: NFS Name Mapping Windows -> Unix root and no_root_squash

What is the output from the following:


vol show -fields policy -volume nfs_sftp, <svm_root_vol>

vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp


For mapping the root user to a Windows user... you need to pick a user to map to (maybe domain\administrator?).

Yes. Whatever domain user/admin you map to, the unix user (root in your case) will use that user when it needs Windows security info. 


You should refer to these fantastic Tech Reports:

NFS in NetApp ONTAP Best Practice and Implementation Guide

https://www.netapp.com/us/media/tr-4067.pdf


Justin's Blog:

Generally, from a security standpoint, it is not a good idea to use root unless you have lots of logging and sudo everything. I generally do not see that. Elevated users are the way to go (with logging).

Re: NFS Name Mapping Windows -> Unix root and no_root_squash


@Hermes wrote:

**EDIT

First of all, thank you for your assistance. I'm working on this issue now for quite a while and it's driving me crazy.

Adding the Mapping in the other direction worked. I'm not able to connect through NFS4.0, but I'm still not sure how it works and how it affects Folder/File creation.


Root will write as root, regardless of security style.


Here I have a UNIX-WIN name mapping that maps root to administrator:


::*> vserver name-mapping show -vserver DEMO -direction unix-win

Vserver:   DEMO
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                   Pattern: root
                                          Replacement: NTAP\\administrator


I can check that mapping and creds with:


::*> access-check authentication show-creds -vserver DEMO -unix-user-name root
(vserver services access-check authentication show-creds)

UNIX UID: root <> Windows User: NTAP\Administrator (Windows Domain User)

GID: daemon
Supplementary GIDs:
daemon
wheel

Primary Group SID: NTAP\DomainUsers (Windows Domain group)

Windows Membership:
NTAP\Group Policy Creator Owners (Windows Domain group)
NTAP\Domain Admins (Windows Domain group)
NTAP\DomainUsers (Windows Domain group)
NTAP\ProfGroup (Windows Domain group)
NTAP\Enterprise Admins (Windows Domain group)
NTAP\Schema Admins (Windows Domain group)
NTAP\Denied RODC Password Replication Group (Windows Alias)
NTAP\local-group.ntap (Windows Alias)
Service asserted identity (Windows Well known group)
BUILTIN\Administrators (Windows Alias)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x22b7):
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege
SeChangeNotifyPrivilege

I mount a volume with NTFS and UNIX style qtrees:

demo:/home on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,local_lock=none,addr=x.x.x.x)

Here are the qtrees:

::*> qtree show -vserver DEMO -volume home
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
DEMO       home          ""           unix         enable    normal
DEMO       home          dynamicuid   unix         enable    normal
DEMO       home          ftp          unix         enable    normal
DEMO       home          ftpuser      ntfs         enable    normal
DEMO       home          git          unix         enable    normal
DEMO       home          mtuser       ntfs         enable    normal
DEMO       home          oracle       unix         enable    normal
DEMO       home          prof1        unix         enable    normal
DEMO       home          root         unix         enable    normal
DEMO       home          student1     unix         enable    normal
DEMO       home          student2     unix         enable    normal
11 entries were displayed.

When I write to the UNIX style qtree, root is root:

# cd /mnt
# cd prof1
# touch rootfile
# ls -la | grep rootfile
-rw-r--r-- 1 root root 0 Aug 6 10:03 rootfile


When I write to the NTFS qtree as root, root is root (though the group is daemon):


# cd /home/mtuser
[root@centos7 mtuser]# touch rootfile
[root@centos7 mtuser]# ls -la | grep rootfile
-rwxrwxrwx 1 root daemon 0 Aug 6 10:05 rootfile

Daemon is the group because it's what ONTAP sees as the primary group (see the show-creds output above).


Daemon in ONTAP is 1, but is 2 on my client. But because NFSv4.x uses name strings, it's using daemon@NTAP.LOCAL as the group, rather than the numeric.

::*> unix-group show -vserver DEMO -name daemon

Vserver: DEMO
Group Name: daemon
Group ID: 1
Users: -



# ls -lan | grep rootfile
-rwxrwxrwx 1 0 2 0 Aug 6 10:05 rootfile


# getent group daemon
daemon:x:2:

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

@parisi I already changed this to mixed, just to be sure.


@TMAC_CTG 

vol show -fields policy -volume nfs_sftp 
vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 
vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp
vserver       volume   qtree          export-policy 
------------- -------- -------------- ------------- 
SMB           nfs_sftp qtree_nfs_sftp exp_NFS_SFTP 


You gave me quite some stuff to read through now; I need a bit for that.


The use case is an SFTP Server linked to my Domain. It manages authentication through Domain Groups and creates Home Directories in a jailed environment, preferably on my mounted NFS share.

Therefore I need to be able to set root permissions on folders, or the SSH Service can't redirect the users connecting through sftp into their jailed home folders.

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

I don't know how you got "create a file in the root of the directory" from that section. The file created is to show which policy was used in which instance. Nowhere did it say you need to create a file with the same name to make it work.


The part you need to pay attention to is:


Squashing Root

The following examples show how to squash root to anon in various configuration scenarios.
Example 1: Root is squashed to the anon user for all clients.
This approach uses superuser for all NFS clients using sec=sys; other sec types are denied access.

cluster::> vserver export-policy rule show -policyname root_squash -instance
(vserver export-policy rule show)
Vserver: vs0
Policy Name: root_squash
Rule Index: 1
Access Protocol: nfs <- only NFS is allowed (NFSv3 and v4)
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0 <- all clients
RO Access Rule: sys <- only AUTH_SYS is allowed
RW Access Rule: sys <- only AUTH_SYS is allowed
User ID To Which Anonymous Users Are Mapped: 65534 <- mapped to 65534
Superuser Security Types: none <- superuser (root) squashed to anon user
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true


And:


Example 2: Root is squashed to the anon user using superuser for a specific client.
In this example, sec=sys and sec=none are allowed.
cluster::> vserver export-policy rule show -policyname root_squash_client -instance
(vserver export-policy rule show)
Vserver: vs0
Policy Name: root_squash_client
Rule Index: 1
Access Protocol: nfs <- only NFS is allowed (NFSv3 and v4)
Client Match Hostname, IP Address, Netgroup, or Domain: x.x.x.x <- just this client
RO Access Rule: sys,none <- AUTH_SYS and AUTH_NONE are allowed
RW Access Rule: sys,none <- AUTH_SYS and AUTH_NONE are allowed
User ID To Which Anonymous Users Are Mapped: 65534 <- mapped to 65534
Superuser Security Types: none <- superuser (root) squashed to anon user
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
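To make the squash semantics quoted above testable, here is an added Python model (not ONTAP code, not from TR-4067 or this thread) of how one export-policy rule treats a request: the client-match check, the RO/RW security-type rules, and the Superuser Security Types field that decides whether uid 0 stays root or is mapped to the anonymous user. It is a simplification by assumption: only IP addresses and CIDR networks are modelled for the client match (hostnames, netgroups and domains are not), `sec=none` is always mapped to the anonymous UID, and the three rules it evaluates are reconstructed from the outputs shown in the thread.

```python
import ipaddress

# Rules reconstructed from the thread: the original poster's first rule, and the
# two root-squash examples quoted from TR-4067 (constructed for this example).
OP_RULE = {"clientmatch": "10.0.0.10", "rorule": "any", "rwrule": "any",
           "anon": 65534, "superuser": "sys"}
ROOT_SQUASH = {"clientmatch": "0.0.0.0/0", "rorule": "sys", "rwrule": "sys",
               "anon": 65534, "superuser": "none"}
ROOT_SQUASH_CLIENT = {"clientmatch": "10.0.0.10", "rorule": "sys,none", "rwrule": "sys,none",
                      "anon": 65534, "superuser": "none"}


def client_matches(clientmatch, client_ip):
    """True if client_ip falls in any IP/CIDR entry of the clientmatch list.
    Assumption: hostname, netgroup and domain entries are skipped."""
    ip = ipaddress.ip_address(client_ip)
    for entry in clientmatch.split(","):
        try:
            if ip in ipaddress.ip_network(entry.strip(), strict=False):
                return True
        except ValueError:
            continue  # not an IP or network: not modelled here
    return False


def _flavors(field):
    """Split a 'sys,none' style field into a set of security flavors."""
    return {f.strip() for f in field.split(",")}


def evaluate_export_rule(rule, client_ip, sec, uid):
    """Decide access and the effective UID for one request under one rule.

    Returns {'access': 'denied'|'ro'|'rw', 'effective_uid': int|None, 'reason': str}."""
    if not client_matches(rule["clientmatch"], client_ip):
        return {"access": "denied", "effective_uid": None,
                "reason": "client not in clientmatch (client sees 'access denied by server')"}
    ro, rw, su = _flavors(rule["rorule"]), _flavors(rule["rwrule"]), _flavors(rule["superuser"])
    asked = {sec, "any"}  # a rule of 'any' accepts every flavor
    if not (asked & ro):
        return {"access": "denied", "effective_uid": None,
                "reason": f"sec={sec} not permitted by rorule {rule['rorule']}"}
    access = "rw" if (asked & rw) else "ro"
    if sec == "none":
        effective, reason = rule["anon"], "AUTH_NONE requests run as the anonymous user"
    elif uid == 0:
        if asked & su:
            effective, reason = 0, f"superuser allowed for sec={sec} (no_root_squash behaviour)"
        else:
            effective, reason = rule["anon"], f"root squashed to anon uid {rule['anon']}"
    else:
        effective, reason = uid, "non-root uid passed through unchanged"
    return {"access": access, "effective_uid": effective, "reason": reason}


if __name__ == "__main__":
    for name, rule in (("OP_RULE", OP_RULE), ("ROOT_SQUASH", ROOT_SQUASH),
                       ("ROOT_SQUASH_CLIENT", ROOT_SQUASH_CLIENT)):
        print(name, "root via sys:", evaluate_export_rule(rule, "10.0.0.10", "sys", 0))
        print(name, "uid 1001 via sys:", evaluate_export_rule(rule, "10.0.0.10", "sys", 1001))
```

The model reproduces the distinction the reply is drawing: with `Superuser Security Types: sys` root keeps uid 0 over `sec=sys`, with `none` it becomes 65534, while non-root users are unaffected either way; a client outside the match list or a flavor outside the RO rule is refused before any identity decision is made.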


Re: NFS Name Mapping Windows -> Unix root and no_root_squash

Don't use mixed. You'll just confuse yourself further, as the effective security style toggles between NTFS and UNIX depending on who set the last permissions.


Pick either UNIX or NTFS.

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

Okay. So set "Allow Superuser Access" IS no_root_squash.

the part with "[root@nfsclient mnt]# touch root_allow_krb5_only" was misleading for me.


Then it seems that with the proper name mapping actually set, all is done.

So far, with all those settings it works for me. I can mount and I can create files and so on.

There is only one thing left I don't understand.


Having UNIX set, mapped root to a domain user so if he needs Windows authentication (for example to be able to mount the drive), folders created as root:root and so on... how can I now set an ACL on that folder?


vserver nfs show -vserver SMB -fields v4.0-acl 
vserver       v4.0-acl 
------------- -------- 
SMB           enabled 


root@ubuntu:/mnt# getfacl SFTPdata/
# file: SFTPdata/
# owner: root
# group: root
user::rwx
group::---
other::---


root@ubuntu:/mnt# setfacl -m g:Domänen-Admins@domain:rwx SFTPdata/
setfacl: SFTPdata/: Operation not supported

Re: NFS Name Mapping Windows -> Unix root and no_root_squash

You can't set NFSv4.x ACLs on NTFS security styles. And you can't set NTFS ACLs on UNIX security styles.


Mixed allows you to set ACLs from either protocol, but it will toggle the effective security style each time, which changes how name mappings work.


So I'd recommend picking the way you want to set ACLs (either NFSv4 or NTFS) and set the security style to that.
