ONTAP Discussions

NFS Name Mapping Windows -> Unix root and no_root_squash

Hermes

I read through the manuals but it seems I dont quite understand how to properly set up an NFS Storage with no_root_squash and Name Mapping for my Domain Admins to Root.


Goal:
Have NFS Storage that I can mount on my Linux Box. Linux Box is connected with AD. I want to be able to create Folders/Files as root:root and also with my domain users domuser@domain:domgroup@domain. Preferably with NFS4.0 so I can use ACL and set multiple permission Groups on Folders/Files.

 

Set Up is now as following
Cluster: 10.0.0.5
Client: 10.0.0.10
SVM: SMB

Volume: nfs_sftp
QTree: qtree_nfs_sftp

 

 

vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1


                                    Vserver: SMB
                                Policy Name: exp_NFS_SFTP
                                 Rule Index: 1
                            Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
                             RO Access Rule: any
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: sys
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

 

 

 

volume show -vserver SMB -volume nfs_sftp -fields policy

vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 

 

 

 

nfs show -vserver SMB -instance


                                        Vserver: SMB
                             General NFS Access: true
                                         NFS v3: enabled
                                       NFS v4.0: enabled
                                   UDP Protocol: enabled
                                   TCP Protocol: enabled
                           Default Windows User: 
                            NFSv4.0 ACL Support: enabled
                NFSv4.0 Read Delegation Support: disabled
               NFSv4.0 Write Delegation Support: disabled
                        NFSv4 ID Mapping Domain: localdomain
            NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
                  NFSv4.1 Minor Version Support: disabled
                                  Rquota Enable: disabled
                   NFSv4.1 Parallel NFS Support: enabled
                            NFSv4.1 ACL Support: disabled
                           NFS vStorage Support: disabled
            NFSv4 Support for Numeric Owner IDs: enabled
                          Default Windows Group: -
                NFSv4.1 Read Delegation Support: disabled
               NFSv4.1 Write Delegation Support: disabled
                            NFS Mount Root Only: enabled
                                  NFS Root Only: disabled
            Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
                              Showmount Enabled: enabled
Set the Protocol Used for Name Services Lookups for Exports: udp
                    NFSv3 MS-DOS Client Support: disabled
     Idle Connection Timeout Value (in seconds): 360
             Are Idle NFS Connections Supported: disabled
Hide Snapshot Directory under NFSv3 Mount Point: disabled
           Provide Root Path as Showmount State: disabled

 

 

 

vserver name-mapping show -vserver SMB 

Vserver:   SMB
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: Domain\\User1
                                          Replacement: root

 

 

My Issue now is:

With NFS4.1 activated and a Standard Domain User set im able to mount and list everything in it but when I create a Folder its owner is shown as root but reroutet to nobody.

 

root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt

root@ubuntu:/mnt# ls -la
total 12
drwxrwxrwx  3 root root 4096 Aug  6 11:30 .
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ..
drwx------  3 root root 4096 Aug  6 11:32 testfolder

root@ubuntu:/mnt# getfacl testfolder/
# file: testfolder/
# owner: root
# group: root
user::rwx
group::---
other::---

root@ubuntu:/mnt# setfacl -m g:domaingrp:rwx testfolder/
setfacl: testfolder/: Operation not supported

 

With NFS4.0 activated im not able to mount the Share.

 

root@ubuntu:/# mount -t nfs 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp

 

With NFS3 activated I can mount the share but have no permission to list whats in it, I also created the "exp_NFS_SFTP" file to refer to the Export Policy as suggested in the Manual.

 

 

I def did not quite understand how to properly configure it so Im full of hope someone can point me in the right directions.

1 ACCEPTED SOLUTION

parisi

Here are my results from Windows.

 

As prof1:

 

C:\>net use Z: \\demo\home /USER:NTAP\prof1
The command completed successfully.


C:\>net use
New connections will not be remembered.


Status Local Remote Network

-------------------------------------------------------------------------------
OK Z: \\demo\home Microsoft Windows Network
The command completed successfully.



# ls -la | grep prof1dir
d--------- 2 prof1 ProfGroup 4096 Aug 6 12:12 prof1dir

 

But my v4 ACLs didn't inherit:

 

# nfs4_getfacl prof1dir/

# file: prof1dir/
A::OWNER@:tcCy
A:g:GROUP@:tcy
A::EVERYONE@:tcy

 

So I can't access that folder:

 

Z:\dir\prof1dir>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\dir\prof1dir

File Not Found

Z:\dir\prof1dir>mkdir testdir
Access is denied.

 

If I set an inherit ACL flag at the top level:

 

# nfs4_getfacl /mnt/dir

# file: /mnt/dir
A:fdi:root@NTAP.LOCAL:rwaDxtTnNcCy
A:fdg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy

Then files/folders inherit the ACLs:

 

Z:\dir>mkdir prof1dir


# nfs4_getfacl /mnt/dir/prof1dir

# file: /mnt/dir/prof1dir
A:fd:root@NTAP.LOCAL:rwaDxtTnNcCy
A:dg:ProfGroup@NTAP.LOCAL:rwaDxtTnNcCy


Z:\dir>echo TEST >> prof1-file.txt


# nfs4_getfacl /mnt/dir/prof1-file.txt

# file: /mnt/dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy
# cat /mnt/dir/prof1-file.txt
TEST

 

And I can access/write to the folder I created as prof1:

Z:\>cd dir

Z:\dir>cd prof1dir

Z:\dir\prof1dir>echo YAY! > prof1-file.txt


# cd prof1dir/
# ls -la
total 8
d--------- 2 prof1 ProfGroup 4096 Aug 6 13:14 .
d--------- 3 root root 4096 Aug 6 13:05 ..
---------- 1 prof1 ProfGroup 7 Aug 6 13:14 prof1-file.txt


# cat prof1-file.txt
YAY!


# nfs4_getfacl /mnt/dir/prof1dir/prof1-file.txt

# file: /mnt/dir/prof1dir/prof1-file.txt
A::root@NTAP.LOCAL:rwaxtTnNcCy
A:g:ProfGroup@NTAP.LOCAL:rwaxtTnNcCy

 

As student2, I will be denied access from Windows to that folder, due to the ACLs/group membership:

 

C:\>net use Z: \\demo\home /USER:NTAP\student2
The password or user name is invalid for \\demo\home.

Enter the password for 'NTAP\student2' to connect to 'demo':
The command completed successfully.

 

It can't even see the directory named "dir":

 

C:\>Z:

Z:\>cd dir
The system cannot find the path specified.



Z:\>dir
Volume in drive Z is home
Volume Serial Number is 80F0-3713

Directory of Z:\

08/05/2020 12:27 PM <DIR> .
08/05/2020 12:27 PM <DIR> ..
04/24/2020 01:42 PM <DIR> student1
04/24/2020 01:54 PM <DIR> student2
08/06/2020 10:03 AM <DIR> prof1
08/06/2020 10:05 AM <DIR> mtuser
07/21/2020 02:51 PM <DIR> root
07/07/2017 11:09 AM <DIR> ftpuser
05/18/2020 12:32 PM <DIR> git
05/21/2020 01:27 PM 0 rootfile
05/21/2020 01:53 PM 0 rootfile2
07/10/2017 10:09 AM <DIR> ftp
08/05/2020 12:27 PM 4,973,780,992 Win2019-1M.iso
09/15/2017 08:18 PM <DIR> dynamicuid
04/08/2020 10:36 PM <DIR> silly
04/24/2020 02:59 PM <DIR> oracle
06/22/2020 12:51 PM <DIR> flexgroup
3 File(s) 4,973,780,992 bytes
14 Dir(s) 96,919,887,872 bytes free

 

View solution in original post

28 REPLIES 28

TMAC_CTG

You enabled NFSv4.0 ACLs, but NFSv4.1 ACLs are still disabled.

 

From your client, do a "mount" and/or cat /proc/mounts and look for your mount.

Verify it is using NFSv4. It may be using NFSv4.1 which is why you cannot set the ACL

Hermes
root@ubuntu:/# mount -t nfs4 -o nfsvers=4.0 10.0.0.5:/nfs_sftp/qtree_nfs_sftp /mnt
mount.nfs4: access denied by server while mounting 10.0.0.5:/nfs_sftp/qtree_nfs_sftp

thats part of the issue. for whatever reason I cant mount with nfs4.0

 

I suppose that Event is related to that issue

Details
Event:
secd.nfsAuth.noNameMap: vserver (SMB) Cannot map UNIX name to CIFS name. Error: Get user credentials procedure failed [ 0 ms] Determined UNIX id 0 is UNIX user 'root' [ 0] Trying to map 'root' to Windows user 'root' using implicit mapping [ 1] Unable to connect to LSA service on (Error: RESULT_ERROR_GENERAL_FAILURE) [ 1] Successfully connected to ip x.x.x.x, port 445 using TCP [ 12] Successfully authenticated with DC dc.domain [ 15] Could not find Windows name 'root' [ 15] Unable to map 'root'. No default Windows user defined. **[ 15] FAILURE: Name mapping for UNIX user 'root' failed. No mapping found
Message Name:
secd.nfsAuth.noNameMap
Sequence Number:
2194901
Description:
This message occurs when an NFS authorization attempt fails because of a UNIX to Windows name mapping issue.
Action:
Examine the failure details to determine corrective action. Common failures include no appropriate UNIX-to-Windows name mapping rules, no configured default Windows user, or the inability of the system to contact LDAP if LDAP is configured for name mapping.

It has, as seen here, something to do with the propper name mapping. I dont know exactly how to handle it for the local root user on my local Linux Box to be forwarded to allow him to mount the share without forwarding it to a windows user in my ldap as the goal here is to keep root as root.

TMAC_CTG

Your user mapping is wrong.

You have specified only a WIN-UNIX mapping. You need a UNIX-WIN mapping also.

Hermes

how do I propperly map the root user? I can route it to some Domain User. But doesnt that affect also Folder/File creation and replaces the owner with that domain user?

 

**EDIT

First of all, thank you for your assistance. I'm working on this issue now for quite a while and its driving me crazy.

Adding the Mapping in the other direction worked. Im not able to connect through NFS4.0 but I'm still not sure how it works and how it affects Folder/File creation.

parisi

@Hermes wrote:

**EDIT

First of all, thank you for your assistance. I'm working on this issue now for quite a while and its driving me crazy.

Adding the Mapping in the other direction worked. Im not able to connect through NFS4.0 but I'm still not sure how it works and how it affects Folder/File creation.


Root will write as root, regardless of security style.

 

Here I have a UNIX-WIN name mapping that maps root to administrator:

 

::*> vserver name-mapping show -vserver DEMO -direction unix-win

Vserver: DEMO
Direction: unix-win
Position Hostname IP Address/Mask
-------- ---------------- ----------------
1 - - Pattern: root
Replacement: NTAP\\administrator

 

I can check that mapping and creds with:

 

::*> access-check authentication show-creds -vserver DEMO -unix-user-name root
(vserver services access-check authentication show-creds)

UNIX UID: root <> Windows User: NTAP\Administrator (Windows Domain User)

GID: daemon
Supplementary GIDs:
daemon
wheel

Primary Group SID: NTAP\DomainUsers (Windows Domain group)

Windows Membership:
NTAP\Group Policy Creator Owners (Windows Domain group)
NTAP\Domain Admins (Windows Domain group)
NTAP\DomainUsers (Windows Domain group)
NTAP\ProfGroup (Windows Domain group)
NTAP\Enterprise Admins (Windows Domain group)
NTAP\Schema Admins (Windows Domain group)
NTAP\Denied RODC Password Replication Group (Windows Alias)
NTAP\local-group.ntap (Windows Alias)
Service asserted identity (Windows Well known group)
BUILTIN\Administrators (Windows Alias)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x22b7):
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege
SeChangeNotifyPrivilege

I mount a volume with NTFS and UNIX style qtrees:

demo:/home on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,local_lock=none,addr=x.x.x.x)

Here are the qtrees:

::*> qtree show -vserver DEMO -volume home
Vserver Volume Qtree Style Oplocks Status
---------- ------------- ------------ ------------ --------- --------
DEMO home "" unix enable normal
DEMO home dynamicuid unix enable normal
DEMO home ftp unix enable normal
DEMO home ftpuser ntfs enable normal
DEMO home git unix enable normal
DEMO home mtuser ntfs enable normal
DEMO home oracle unix enable normal
DEMO home prof1 unix enable normal
DEMO home root unix enable normal
DEMO home student1 unix enable normal
DEMO home student2 unix enable normal
11 entries were displayed.

When I write to the UNIX style qtree, root it root:

# cd /mnt
# cd prof1
# touch rootfile
# ls -la | grep rootfile
-rw-r--r-- 1 root root 0 Aug 6 10:03 rootfile

 

When I write to the NTFS qtree as root, root is root (though the group is daemon):

 

# cd /home/mtuser
[root@centos7 mtuser]# touch rootfile
[root@centos7 mtuser]# ls -la | grep rootfile
-rwxrwxrwx 1 root daemon 0 Aug 6 10:05 rootfile

Daemon is the group because it's what ONTAP sees as the primary group. (see the show-creds output above)

 

Daemon in ONTAP is 1, but is 2 on my client. But because NFSv4.x uses name strings, it's using daemon@NTAP.LOCAL as the group, rather than the numeric.

::*> unix-group show -vserver DEMO -name daemon

Vserver: DEMO
Group Name: daemon
Group ID: 1
Users: -



# ls -lan | grep rootfile
-rwxrwxrwx 1 0 2 0 Aug 6 10:05 rootfile


# getent group daemon
daemon:x:2:

parisi

Root squash is covered in TR-4067 on page 117.

 

https://www.netapp.com/us/media/tr-4067.pdf

Hermes

I know. I studied that part multiple times. tbh its quite poorly described how that feature works. As I understood you create the export policy and link to that export policy by creating a file in the root of the directory with the name the policy has.

 

vserver export-policy rule show -vserver SMB -policyname exp_NFS_SFTP -ruleindex 1    

                                    Vserver: SMB
                                Policy Name: exp_NFS_SFTP
                                 Rule Index: 1
                            Access Protocol: nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 10.0.0.10
                             RO Access Rule: sys
                             RW Access Rule: sys
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: any
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

 

root@ubuntu:/mnt# ll
total 16
drwxr-xr-x  4 root root 4096 Aug  6 13:53 ./
drwxr-xr-x 21 root root 4096 Jul 22 09:18 ../
drwx------  3 root root 4096 Aug  6 13:04 SFTPdata/
-rwxrwxrwx  1 root root    0 Aug  6 11:37 exp_NFS_SFTP* << The File
drwxr-xr-x  2 root root 4096 Aug  6 13:53 testfolder/

 

parisi

I don't know how you got "create a file in the root of the directory" from that section. The file created is to show which policy was used in which instance. Nowhere did it say you need to create a file with the same name to make it work.

 

The part you need to pay attention to is:

 

Squashing Root

The following examples show how to squash root to anon in various configuration scenarios.
Example 1: Root is squashed to the anon user for all clients.
This approach uses superuser for all NFS clients using sec=sys; other sec types are denied access.

cluster::> vserver export-policy rule show –policyname root_squash -instance
(vserver export-policy rule show)
Vserver: vs0
Policy Name: root_squash
Rule Index: 1
Access Protocol: nfs <- only NFS is allowed (NFSv3 and v4)
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0 <- all clients
RO Access Rule: sys <- only AUTH_SYS is allowed
RW Access Rule: sys <- only AUTH_SYS is allowed
User ID To Which Anonymous Users Are Mapped: 65534 <- mapped to 65534
Superuser Security Types: none <- superuser (root) squashed to anon user
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

 

And:

 

Example 2: Root is squashed to the anon user using superuser for a specific client.
In this example, sec=sys and sec=none are allowed.
cluster::> vserver export-policy rule show –policyname root_squash_client -instance
(vserver export-policy rule show)
Vserver: vs0
Policy Name: root_squash_client
118 NFS in NetApp ONTAP: Best Practices and Implementation Guide © 2020 NetApp, Inc. All Rights Reserved.
Rule Index: 1
Access Protocol: nfs <- only NFS is allowed (NFSv3 and v4)
Client Match Hostname, IP Address, Netgroup, or Domain: x.x.x.x <- just this client
RO Access Rule: sys,none <- AUTH_SYS and AUTH_NONE are allowed
RW Access Rule: sys,none <- AUTH_SYS and AUTH_NONE are allowed
User ID To Which Anonymous Users Are Mapped: 65534 <- mapped to 65534
Superuser Security Types: none <- superuser (root) squashed to anon user
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

 

Hermes

ookay. So set "Allow Superuser Access" IS no_root_squash.

the part with "[root@nfsclient mnt]# touch root_allow_krb5_only" was misleading for me.

 

Then it seems with actually having set the propper name mapping all is done.

So far, with all those settings it works for me. I can mount and I can create files and so on.

There is only one thing left I dont understand.

 

Having UNIX set, mapped root to a domain user so if he needs windows authentication (for example to be able to mount the drive), folders created as root:root and so on .. how can I now set an acl on that folder.

 

vserver nfs show -vserver SMB -fields v4.0-acl 
vserver       v4.0-acl 
------------- -------- 
SMB           enabled 

 

root@ubuntu:/mnt# getfacl SFTPdata/
# file: SFTPdata/
# owner: root
# group: root
user::rwx
group::---
other::---

 

root@ubuntu:/mnt# setfacl -m g:Domänen-Admins@domain:rwx SFTPdata/
setfacl: SFTPdata/: Operation not supported

parisi

You can't set NFSv4.x ACLs on NTFS security styles. And you can't set NTFS ACLs on UNIX security styles.

 

Mixed allows you to set ACLs from either protocol, but it will toggle the effective security style each time, which changes how name mappings work.

 

So I'd recommend picking the way you want to set ACLs (either NFSv4 or NTFS) and set the security style to that.

Hermes

The Issue is: Now when I set root:root with 700 only root has access to that folder and sub folder. And I need a workaround for this for my Domain Admins. My thought was to add ACL's to not only have root:root but also x:domainadmin@domain but maybe I missunderstood how ACL works.

 

Can I workaround this with name mapping?

vserver name-mapping show -vserver SMB -direction win-unix 

Vserver:   SMB
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: Domain\\DomAdmin1
                                          Replacement: root
2       -                 -                   Pattern: Domain\\DomAdmin2
                                          Replacement: root
2 entries were displayed.

parisi

Your options are:

 

1) Keep NTFS security style and set ACLs for the user that root maps to, as well as the group you want.

2) Keep UNIX security style and set NFSv4 ACLs for root and the group.

 

If name mappings are working properly, then users will map across protocols and get the proper ACLs.

Hermes

After thinking about it I stay with UNIX mode.

I set the name mapping properly and I think I found kind of the issue why I still cant access the folder I set to root:root

 

vserver services access-check authentication show-creds -vserver SMB -win-name DomAdmin1

UNIX UID: root <> Windows User: Domain\DomAdmin1 (Windows Domain User)

 GID: daemon <<< I think the assigned group is the issue
 Supplementary GIDs: 
  daemon

 

I think it might be the issue that the GID is set to daemon? Am I in the right direction here?

It does map my user to root, but might it be possible that he is not part of the root group? And therefore cant open the Folder?

parisi

Also, it seems you have an NTFS security style volume, which is why root is trying to map to a Windows user.

 

If you don't want that behavior, use UNIX security styles. Otherwise, you can create a Windows user named "root" or map root to a valid Windows user of your choice. Depends on the permissions you want root to have.

TMAC_CTG

TMAC_CTG

What is the output from the following:

 

vol show -fields policy -volume nfs_sftp, <svm_root_vol>

vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp

 

For mapping the root user to a windows user....you need to pick a user to map to. (maybe domain\administrator ?)

Yes. Whatever domain user/admin you map to, the unix user (root in your case) will use that user when it needs Windows security info. 

 

You should refer to this fantastic Tech Reports:

NFS in NetApp ONTAP Best Practice and Implementation Guide

https://www.netapp.com/us/media/tr-4067.pdf

 

Justins Blog:

Generally, from a security standpoint, not a good idea to use root unless you have lots of logging and sudo everything. I gernerally do not see that. Elevated users are the way to go (with logging)

Hermes

@parisi I alrdy changed this to mixed, just to be sure.

 

@TMAC_CTG 

vol show -fields policy -volume nfs_sftp 
vserver       volume   policy       
------------- -------- ------------ 
SMB           nfs_sftp exp_NFS_SFTP 
vol qtree show -fields export-policy -volume nfs_sftp -qtree qtree_nfs_sftp
vserver       volume   qtree          export-policy 
------------- -------- -------------- ------------- 
SMB           nfs_sftp qtree_nfs_sftp exp_NFS_SFTP 

 

You gave me quite some stuff to read through now, I need a bit for that

 

The usecase is an SFTP Server linked to my Domain. It manages authentication through Domain Groups and creates Home Directorys in a jailed environment - preferably on my mounted NFS share.

Therefore I need to be able to set root permissions on folders or the SSH Service cant redirect the users connecting through sftp in their jailed home folders.

parisi

Don't use mixed. You'll just confuse yourself further, as the effective security style toggles between NTFS and UNIX depending on who set the last permissions.

 

Pick either UNIX or NTFS.

paul_stejskal

To add to what Justin said, if you're using NFS, just use UNIX. It will be a lot easier.

 

Hermes

It is set to UNIX by now.

 

Waht im trying to achieve is:

Folder is set to root:root 700

I want to be able to look into that folder with Domain\DomAdmin1 to without changing root:root

 

I understood ACL as being able to have root:root and add a second group with "setfacl -m g:DomainAdminGrp:rwx" but that doesnt work (and Im sure because I dont understand it enough). My second approach was to add name mapping "Win-Unix Domain\DomAdmin1 -> root" but that also does not work.

 

 

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public