nfs4_setfacl could not set netAPP NFS volume.

NETAPP simulator version 9.0/9.5/9.7

Client: SUSE 12 SP4 with nfs4-acl-tools installed

 

Scenario:

1. I created an aggregate and a volume which include the CIFS and NFS protocols.

2. I tried to use SUSE to mount it by using mount.nfs4... it mounts well.

007.png

After it mounted well... I tried to set an NFS ACL by using nfs4_setfacl...

008_nfs4setACL_Fail.png

It shows an error message. Is a parameter that I set wrong, or is there something I forgot?

 

 

Thanks!!

 

Wencheng


Re: nfs4_setfacl could not set netAPP NFS volume.

Looks like you're doing a recursive v4 ACL.

 

Did you try without -R?

 

What is the security style of the volume?


Re: nfs4_setfacl could not set netAPP NFS volume.

Hi Parisi

As in the screenshot, I tried removing -R to set the ACL... it shows permission...

And I tried the chown command... it still shows permission denied.

af06_掛載權限.png

Sorry, I am not a Linux expert...

Should I set a user for NetApp's NFS volume, or are other actions needed to let the nfs4 set ACL command run well?

 

thanks

Wencheng


Re: nfs4_setfacl could not set netAPP NFS volume.

"nobody:nobody" means that your NFSv4 ID domain is likely mismatched.

 

What does /var/log/messages on your client show?

 

You're likely seeing messages like this:

2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'nobody' does not map into domain 'DOMAIN.COM'

 

NFSv4.x requires the following:

 

- domain set in idmapd.conf

- same domain set in the NFS server option v4-id-domain in ONTAP

- users and groups that match on both client and ONTAP SVM

 

For example, this is my client:

 

# cat /etc/idmapd.conf | grep Domain
Domain = NTAP.LOCAL

 

This is my SVM:

::> nfs show -vserver DEMO -fields v4-id-domain
vserver v4-id-domain
------- ------------
DEMO NTAP.LOCAL

 

My client can see a user named prof1 and its group ProfGroup (added locally in /etc/passwd and /etc/group):

 

# id prof1
uid=1102(prof1) gid=10002(ProfGroup) groups=10002(ProfGroup)

 

My SVM can also resolve that user (mine is using LDAP, but you can also manually add the user and group in the SVM):

 

::*> getxxbyyy getpwbyname -node ontap9-tme-8040-01 -vserver DEMO -username prof1
(vserver services name-service getxxbyyy getpwbyname)
pw_name: prof1
pw_passwd:
pw_uid: 1102
pw_gid: 10002
pw_gecos:
pw_dir:
pw_shell:

 

As a result, my client can see the proper user/group ownership. Also, note that there are other folders with "nobody:nobody" because these do not have valid mappings from client to server.

 

# ls -la
total 9752732
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x 1 2087 30 462 May 14 20:33 ..
-rwxrwxrwx 1 nobody nobody 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 nobody nobody 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nobody nobody 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 nobody nobody 4096 Apr 24 13:42 student1
drwxrwxrwx 2 nobody nobody 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof

 

However, in my other client, which is pointing to the same LDAP server as my SVM, I can see all the owners/groups properly:

 

# ls -la /mnt/nas
total 9752736
drwxrwxrwx 16 root root 4096 Aug 28 13:32 .
drwxr-xr-x. 14 root root 4096 Aug 17 16:29 ..
d--------- 3 root root 4096 Aug 6 13:05 dir
drwxr-xr-x 2 root root 4096 Jun 22 12:51 flexgroup
drwxr-xr-x 3 root root 4096 Jul 10 2017 ftp
drwxrwxrwx 2 root root 4096 Jul 7 2017 ftpuser
d------r-x 2 git git 4096 May 18 12:32 git
drwxrwxrwx 3 root root 4096 Aug 12 10:24 mtuser
drwx------ 2 nfs4 nfs4 4096 Oct 10 2019 nfs4
drwxr-xr-x 2 prof1 ProfGroup 4096 Aug 12 15:23 prof1
drwxr-xr-x 2 root root 4096 Jul 21 14:51 root
-rw-r--r-- 1 root root 0 May 21 13:27 rootfile
-rw-r--r-- 1 nobody daemon 0 May 21 13:53 rootfile2
drwxr-xr-x 2 root root 4096 Apr 8 22:36 silly
drwx---r-x 2 student1 group1 4096 Apr 24 13:42 student1
drwxrwxrwx 2 student2 group1 4096 Apr 24 13:54 student2
drwxrwxrwx 2 root daemon 4096 Feb 24 2017 test
drwxrwxr-x 2 prof1 ProfGroup 4096 Aug 28 13:32 testprof
-rwxrwxrwx 1 admin group1 4973780992 Aug 5 12:27 Win2019-1M.iso
-rwxr-xr-x 1 root root 4973780992 Aug 17 16:31 Win2019.iso

 

On the SUSE client, I can set NFSv4 ACLs for the user I can resolve (prof1):

sles15:/mnt # nfs4_setfacl -a U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/prof1
sles15:/mnt # nfs4_getfacl /mnt/prof1
A::EVERYONE@:rwaDxtTnNcy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rwaDxtTnNcy
U:fdSF:prof1@NTAP.LOCAL:rwaDxtTnNcCy

 

And I can set it for users only ONTAP knows about:

sles15:/mnt # nfs4_setfacl -a U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy /mnt/student1
sles15:/mnt # id student1
id: ‘student1’: no such user
sles15:/mnt # nfs4_getfacl /mnt/student1
A::OWNER@:rwaDxtTnNcCy
A::student1@NTAP.LOCAL:rwaDxtTnNcCy
A:g:group1@NTAP.LOCAL:rxtncy
A::EVERYONE@:rxtncy
U:fdSF:student1@NTAP.LOCAL:rwaDxtTnNcCy

 

This community isn't really the right place to get into the details of NFSv4.x, setup, etc if you're unfamiliar. I suggest you have a look at TR-4067:

 

https://www.netapp.com/us/media/tr-4067.pdf
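
Added example (not part of the original post, and not NetApp tooling): a client-side check for the requirements listed in the reply above. It reads the Domain from an idmapd.conf-style file, compares it with the server's v4-id-domain, and summarises nfsidmap mapping failures from a syslog file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: client-side checks for the NFSv4 ID-domain requirements.

# Print the Domain value from an idmapd.conf-style file (first uncommented match).
idmap_domain() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        tolower($1) ~ /^[ \t]*domain[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Succeed when the client Domain equals the server's v4-id-domain.
# Comparing case-insensitively is an assumption of this example.
domain_matches() {
    client=$(idmap_domain "$1")
    [ -n "$client" ] && [ "$(lower "$client")" = "$(lower "$2")" ]
}

# Summarise nfsidmap mapping failures as "count name domain" per unique pair.
unmapped_names() {
    sed -n "s/.*nfsidmap\[[0-9]*]: .*name '\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p" "$1" |
        sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Constructed sample inputs (not from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/idmapd.conf" <<'EOF'
[General]
Verbosity = 0
# Domain = OLD.EXAMPLE
Domain = localdomain
EOF
cat > "$SAMPLE_DIR/messages" <<'EOF'
2020-09-01T11:26:17.072485-04:00 sles15 nfsidmap[5338]: nss_getpwnam: name 'prof1@NTAP.LOCAL' does not map into domain 'localdomain'
2020-09-01T11:26:18.101200-04:00 sles15 nfsidmap[5341]: nss_getpwnam: name 'prof1@NTAP.LOCAL' does not map into domain 'localdomain'
2020-09-01T11:26:19.000000-04:00 sles15 sshd[812]: Accepted publickey for root
2020-09-01T11:27:02.551000-04:00 sles15 nfsidmap[5350]: nss_getpwnam: name 'student1@NTAP.LOCAL' does not map into domain 'localdomain'
EOF

if domain_matches "$SAMPLE_DIR/idmapd.conf" "NTAP.LOCAL"; then
    echo "ID domain matches the server"
else
    echo "ID domain mismatch: client has '$(idmap_domain "$SAMPLE_DIR/idmapd.conf")'"
fi
unmapped_names "$SAMPLE_DIR/messages"
```

On a real client, pass /etc/idmapd.conf, /var/log/messages and the value that `nfs show -vserver <svm> -fields v4-id-domain` reports on the SVM.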

 


Re: nfs4_setfacl could not set netAPP NFS volume.

HI 

Thanks for your document link...

I checked v4-id-domain... Yes, I need to modify it.

008_5.png

I have added the LDAP setting on SVM_setting from the WebConsole... can this v4-id-domain be modified from the web console?

 

Wencheng


Re: nfs4_setfacl could not set netAPP NFS volume.

It's definitely in the GUI in 9.8:

 

parisi_0-1599052738350.png

 

Probably is in 9.7 as well (in the NFS config section).

 

Older System Manager likely has this as well.
