Simulator Discussions

nfs4_setfacl could not set ACL on NetApp NFS volume.

Wencheng

NetApp simulator version 9.0/9.5/9.7

Client: SuSE 12 SP4 with nfs4-acl-tools installed


Scenario:

1. I created an aggregate and a volume that includes the CIFS and NFS protocols.

2. I tried to mount it from SUSE using mount.nfs4... it mounts fine.

[screenshot: 007.png]

After mounting it, I tried to set the NFS ACL using nfs4_setfacl...

[screenshot: 008_nfs4setACL_Fail.png]

It shows an error message. Is a parameter I set wrong, or did I forget something?


Thanks!!


Wencheng


parisi

Looks like you're doing a recursive v4 ACL.

Did you try without -R?

What is the security style of the volume?

Wencheng

Hi Parisi,

As in the screenshot, I tried removing -R to set the ACL... it shows permission...

and I also tried the chown command... it still shows permission denied.

[screenshot: af06_掛載權限.png]

Sorry, I am not a Linux expert...

Should I set up a user for NetApp's NFS volume, or are other actions needed, so that the nfs4_setfacl command can run properly?

Thanks

Wencheng

parisi

"nobody:nobody" means that your NFSv4 ID domain is likely mismatched.


What does /var/log/messages on your client show?


You're likely seeing messages like this:

2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'


NFSv4.x requires the following:


- domain set in idmapd.conf

- same domain set in the NFS server option v4-id-domain in ONTAP

- users and groups that match on both client and ONTAP SVM


For example, this is my client:


# cat /etc/idmapd.conf | grep Domain
Domain = NTAP.LOCAL


This is my SVM:

::> nfs show -vserver DEMO -fields v4-id-domain
vserver v4-id-domain
------- ------------
DEMO NTAP.LOCAL


My client can see a user named prof1 and its group ProfGroup (added locally in /etc/passwd and /etc/group):


# id prof1
uid=1102(prof1) gid=10002(ProfGroup) groups=10002(ProfGroup)


My SVM can also resolve that user (mine is using LDAP, but you can also manually add the user and group in the SVM):


::*> getxxbyyy getpwbyname -node ontap9-tme-8040-01 -vserver DEMO -username prof1
(vserver services name-service getxxbyyy getpwbyname)
pw_name: prof1
pw_passwd:
pw_uid: 1102
pw_gid: 10002
pw_gecos:
pw_dir:
pw_shell:


As a result, my client can see the proper user/group ownership. Also, note that there are other folders with "nobody:nobody" because these do not have valid mappings from client to server.


# ls -la
total 9752732
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x 1 2087 30 462 May 14 20:33 ..
-rwxrwxrwx 1 nobody nobody 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 nobody nobody 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nobody nobody 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 nobody nobody 4096 Apr 24 13:42 student1
drwxrwxrwx 2 nobody nobody 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof


However, in my other client, which is pointing to the same LDAP server as my SVM, I can see all the owners/groups properly:


# ls -la /mnt/nas
total 9752736
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x. 14 root root 4096 Aug 17 16:29 ..
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 git git 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nfs4 nfs4 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 student1 group1 4096 Apr 24 13:42 student1
drwxrwxrwx 2 student2 group1 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof
-rwxrwxrwx 1 admin group1 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso


On the SUSE client, I can set NFSv4 ACLs for the user I can resolve (prof1):

sles15:/mnt # nfs4_setfacl -a U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/prof1
sles15:/mnt # nfs4_getfacl /mnt/prof1
A::EVERYONE@:rwaDxtTnNcy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rwaDxtTnNcy
U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy


And I can set it for users only ONTAP knows about:

sles15:/mnt # nfs4_setfacl -a U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/student1
sles15:/mnt # id student1
id: ‘student1’: no such user
sles15:/mnt # nfs4_getfacl /mnt/student1
A::OWNER@:rwaDxtTnNcCy
A::student1@NTAP.LOCAL:rwaDxtTnNcCy
A:g:group1@NTAP.LOCAL:rxtncy
A::EVERYONE@:rxtncy
U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy


This community isn't really the right place to get into the details of NFSv4.x, setup, etc. if you're unfamiliar. I suggest you have a look at TR-4067:

https://www.netapp.com/us/media/tr-4067.pdf
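The three requirements listed in the reply above (a Domain in idmapd.conf, the same v4-id-domain on the SVM, and principals that carry that domain) can be checked mechanically before touching an ACL. The script below is an added example written for this thread, not code from NetApp or from the poster. It runs only on constructed sample text shaped like the outputs quoted above (idmapd.conf, `nfs show -fields v4-id-domain`, the nfsidmap line from /var/log/messages, and nfs4_setfacl ACE strings); it does not read a real host, and the domain comparison is done case-insensitively as an assumption.

```python
"""Added example: sanity checks for the NFSv4.x ID-mapping requirements
described above (client Domain, ONTAP v4-id-domain, principal domains).
All inputs are constructed samples; nothing is read from a real system."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed /etc/idmapd.conf as it would look on the client
IDMAPD_CONF = """[General]
Verbosity = 0
Domain = NTAP.LOCAL

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
"""

# Constructed `nfs show -vserver DEMO -fields v4-id-domain` output
ONTAP_NFS_SHOW = """vserver v4-id-domain
------- ------------
DEMO    NTAP.LOCAL
"""

# Constructed /var/log/messages excerpt (same shape as the line quoted above)
CLIENT_LOG = """2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'
2020-09-01T11:26:18.103311-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'prof1@NTAP.LOCAL' does not map into domain 'DOMAIN.COM'
2020-09-01T11:27:00.000000-04:00 sles15 systemd[1]: Started Session 42 of user root.
"""

# Constructed ACEs in nfs4_setfacl syntax: type:flags:principal:perms
SAMPLE_ACES = [
    "U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy",
    "A::OWNER@:rwaDxtTnNcCy",
    "U:fdSF:student1@DOMAIN.COM:rwaDxtTnNcCy",  # wrong domain on purpose
]


def client_domain(conf: str) -> Optional[str]:
    """Return Domain from the [General] section of idmapd.conf, or None if unset."""
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        if section == "General" and key.strip() == "Domain":
            return value.strip()
    return None


def server_domains(nfs_show: str) -> Dict[str, str]:
    """Parse the two-column `nfs show` table into {vserver: v4-id-domain}."""
    result: Dict[str, str] = {}
    for line in nfs_show.splitlines()[2:]:  # skip header row and dashed separator
        parts = line.split()
        if len(parts) == 2:
            result[parts[0]] = parts[1]
    return result


LOG_RE = re.compile(
    r"nfsidmap\[\d+\]: nss_getpwnam: name '([^']+)' does not map into domain '([^']+)'"
)


def idmap_failures(log: str) -> List[Tuple[str, str]]:
    """Return (name, domain) for every nfsidmap 'does not map' line in the log."""
    return [m.groups() for m in (LOG_RE.search(l) for l in log.splitlines()) if m]


def ace_principal_domain(ace: str) -> Optional[str]:
    """Domain of the ACE principal; None for OWNER@/GROUP@/EVERYONE@ or a bare name/uid."""
    fields = ace.split(":")
    if len(fields) != 4:
        raise ValueError(f"not a type:flags:principal:perms ACE: {ace!r}")
    _, at, domain = fields[2].rpartition("@")
    return domain if at and domain else None


def check_mapping(conf: str, nfs_show: str, vserver: str,
                  log: str, aces: List[str]) -> List[str]:
    """Collect findings; an empty list means the three requirements look satisfied."""
    findings: List[str] = []
    cdom = client_domain(conf)
    sdom = server_domains(nfs_show).get(vserver)
    if cdom is None:
        findings.append("client: no Domain set in idmapd.conf [General]")
    if sdom is None:
        findings.append(f"server: no v4-id-domain found for vserver {vserver}")
    if cdom and sdom and cdom.lower() != sdom.lower():  # assumed case-insensitive
        findings.append(f"domain mismatch: client {cdom} vs ONTAP {sdom}")
    for name, dom in idmap_failures(log):
        findings.append(f"client log: name '{name}' rejected for domain {dom}")
    for ace in aces:
        dom = ace_principal_domain(ace)
        if cdom and dom and dom.lower() != cdom.lower():
            findings.append(f"ACE principal domain {dom} != client domain {cdom}: {ace}")
    return findings


if __name__ == "__main__":
    for finding in check_mapping(IDMAPD_CONF, ONTAP_NFS_SHOW, "DEMO", CLIENT_LOG, SAMPLE_ACES):
        print(finding)
```

On the constructed data the client and SVM domains agree, so the only findings are the two nfsidmap rejections already in the log and the ACE whose principal names a different domain; a "nobody:nobody" listing like the one in the thread is exactly what those log rejections produce on the client side.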


Wencheng

Hi,

Thanks for your document link...

I checked v4-id-domain... yes, I need to modify it.

[screenshot: 008_5.png]

I have added the LDAP setting in the SVM settings from the web console... can this v4-id-domain be modified from the web console?

Wencheng

parisi

It's definitely in the GUI in 9.8:

[screenshot: parisi_0-1599052738350.png]

It's probably in 9.7 as well (in the NFS config section).

Older System Manager likely has this as well.
