Simulator Discussions
NETAPP simulator version 9.0/9.5/9.7
Client: SuSE12 SP4 with nfs4-acl-tools installed
Scenario:
1. I created an aggregate and a volume which includes CIFS and NFS protocols.
2. I tried to mount it from SUSE using mount.nfs4... it mounts fine.
After it mounted, I tried to set an NFS ACL using nfs4_setfacl...
it shows an error message. Is a parameter I set wrong, or did I forget something?
Thanks!!
Wencheng
Looks like you're doing a recursive v4 ACL.
Did you try without -R?
What is the security style of the volume?
Hi Parisi
As in the screenshot, I tried removing -R to set the ACL... it shows permission...
and I tried the chown command... it still shows permission denied.
Sorry, I am not a Linux expert...
Should I set a user for NetApp's NFS volume, or are other actions needed so that the nfs4 set ACL command can run properly?
Thanks
Wencheng
"nobody:nobody" means that your NFSv4 ID domain is likely mismatched.
What does /var/log/messages on your client show?
You're likely seeing messages like this:
2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'
NFSv4.x requires the following:
- domain set in idmapd.conf
- same domain set in the NFS server option v4-id-domain in ONTAP
- users and groups that match on both client and ONTAP SVM
For example, this is my client:
# cat /etc/idmapd.conf | grep Domain
Domain = NTAP.LOCAL
This is my SVM:
::> nfs show -vserver DEMO -fields v4-id-domain
vserver v4-id-domain
------- ------------
DEMO NTAP.LOCAL
My client can see a user named prof1 and its group ProfGroup (added locally in /etc/passwd and /etc/group):
# id prof1
uid=1102(prof1) gid=10002(ProfGroup) groups=10002(ProfGroup)
My SVM can also resolve that user (mine is using LDAP, but you can also manually add the user and group in the SVM):
::*> getxxbyyy getpwbyname -node ontap9-tme-8040-01 -vserver DEMO -username prof1
(vserver services name-service getxxbyyy getpwbyname)
pw_name: prof1
pw_passwd:
pw_uid: 1102
pw_gid: 10002
pw_gecos:
pw_dir:
pw_shell:
As a result, my client can see the proper user/group ownership. Also, note that there are other folders with "nobody:nobody" because these do not have valid mappings from client to server.
# ls -la
total 9752732
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x 1 2087 30 462 May 14 20:33 ..
-rwxrwxrwx 1 nobody nobody 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 nobody nobody 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nobody nobody 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 nobody nobody 4096 Apr 24 13:42 student1
drwxrwxrwx 2 nobody nobody 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof
However, in my other client, which is pointing to the same LDAP server as my SVM, I can see all the owners/groups properly:
# ls -la /mnt/nas
total 9752736
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x. 14 root root 4096 Aug 17 16:29 ..
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 git git 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nfs4 nfs4 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 student1 group1 4096 Apr 24 13:42 student1
drwxrwxrwx 2 student2 group1 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof
-rwxrwxrwx 1 admin group1 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso
On the SUSE client, I can set NFSv4 ACLs for the user I can resolve (prof1):
sles15:/mnt # nfs4_setfacl -a U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/prof1
sles15:/mnt # nfs4_getfacl /mnt/prof1
A::EVERYONE@:rwaDxtTnNcy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rwaDxtTnNcy
U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy
And I can set it for users only ONTAP knows about:
sles15:/mnt # nfs4_setfacl -a U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/student1
sles15:/mnt # id student1
id: ‘student1’: no such user
sles15:/mnt # nfs4_getfacl /mnt/student1
A::OWNER@:rwaDxtTnNcCy
A::student1@NTAP.LOCAL:rwaDxtTnNcCy
A:g:group1@NTAP.LOCAL:rxtncy
A::EVERYONE@:rxtncy
U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy
This community isn't really the right place to get into the details of NFSv4.x, setup, etc. if you're unfamiliar. I suggest you have a look at TR-4067:
https://www.netapp.com/us/media/tr-4067.pdf
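The three requirements listed in the reply above can be checked from the client side with a short script. This is an added example, not part of the original post: the function names and the sample files are constructed here, and the server's v4-id-domain is assumed to be copied by hand from the ONTAP `nfs show` output.

```shell
#!/bin/bash
# Added example: client-side checks for the NFSv4.x ID-mapping requirements.
# All sample files below are constructed for the demo.

# Print the active Domain value from an idmapd.conf-style file.
# Commented-out lines are skipped; if several are set, the last is printed.
idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Compare the client Domain with the server's v4-id-domain, which the caller
# copies from "nfs show -vserver <svm> -fields v4-id-domain" on ONTAP.
check_domain() {    # $1 = idmapd.conf path, $2 = server v4-id-domain
    _client=$(idmap_domain "$1")
    if [ -z "$_client" ]; then
        echo "UNSET"
    elif [ "$_client" = "$2" ]; then
        echo "MATCH $_client"
    else
        echo "MISMATCH client=$_client server=$2"
    fi
}

# Summarize nfsidmap mapping failures in a syslog file as: name domain count
unmapped_names() {
    sed -n "s/.*nfsidmap\[[0-9]*]: nss_getpwnam: name '\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p" "$1" |
        sort | uniq -c | awk '{print $2, $3, $1}'
}

# Report whether the client can resolve a user name (local files, LDAP, ...).
client_resolves() {
    if getent passwd "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# --- demo on constructed input ---
demo_dir=$(mktemp -d)
printf '%s\n' '[General]' '#Domain = NTAP.LOCAL' 'Domain = localdomain' > "$demo_dir/idmapd.conf"
cat > "$demo_dir/messages" <<'EOF'
2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'
2020-09-01T11:26:18.101200-04:00 sles15 nfsidmap[5340]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'
2020-09-01T11:27:02.000000-04:00 sles15 sshd[901]: unrelated line
EOF
check_domain "$demo_dir/idmapd.conf" NTAP.LOCAL
unmapped_names "$demo_dir/messages"
```

On a real client, point the functions at /etc/idmapd.conf and /var/log/messages, and run `client_resolves` for each user or group that shows up as nobody.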
Hi
Thanks for your document link...
I checked v4-id-domain... Yes, I need to modify it.
I have added the LDAP setting on SVM_setting from the WebConsole... can this v4-id-domain be modified from the web console?
Wencheng
It's definitely in the GUI in 9.8:
Probably is in 9.7 as well (in the NFS config section).
Older System Manager likely has this as well.