Yet another NFS permission denied

gspallis0
6,967 Views

Hello all,

This is yet another NFS permission denied thread. This is my setup: I'm exporting a volume via NFS and CIFS with mixed mode security, since I want this to be accessible from both windoze and Linux hosts. As an NFS share it's mounting without problems, but when I'm trying to cd I get a permission denied even as the root user of the Linux host. When in unix mode security there are no problems. This is my /etc/exports line for this volume:

/vol/Android    -sec=sys,rw=10.45.170.70,root=10.45.170.70

Please tell me if you need me to post anything more from the filer (I'm new to the NetApp world, so please bear with me). Thank you in advance for any response.


andrc

Mixed mode security is a strange thing and very often throws up issues but you don't have to use it in order to have CIFS & NFS shares/exports on the same volume or qtree.

You can keep security style as Unix as long as for any Windows users accessing via CIFS there is a Unix user with exactly the same username. The filer will then map the Windows user to the Unix user using whichever Unix authentication is in place (check /etc/nsswitch.conf) and it then comes down to what permissions the Unix user has. You can also manually map users between Windows <=> Unix using the /etc/usermap.cfg file.

This can also be done with NTFS security style but the other way around i.e. any Unix users accessing must have a corresponding Windows user. Just be aware that Unix hosts sometimes have issues dealing with Windows ACLs whereas Windows hosts are fine with the Unix security model.

gspallis0

Thank you, andrc! Indeed, I was looking at the /etc/usermap.cfg file and the documentation for that. I've put the Linux host under the AD domain by using likewise-open, so users can log in to it with the same AD credentials they use for their windoze PCs. I guess that in this case the usermap.cfg should be something like this:

domain\* => *

or

domain\* == *

If that's the case, then I'm pretty happy with leaving the security in unix mode and doing the mapping with usermap.cfg.
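
Added example, not part of the original posts and not NetApp code: a minimal Python evaluator showing how the two entries in the post above differ, assuming the 7-Mode usermap.cfg rules (first matching entry wins; `=>` maps Windows to UNIX only, `<=` UNIX to Windows only, `==` both ways). The function names and the account `alice` are constructed; IP qualifiers and quoted names are not handled.

```python
def parse_usermap(text):
    """Parse 'windows_name [direction] unix_name' lines; direction defaults to '=='."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not parts:
            continue
        if len(parts) == 2:
            parts = [parts[0], "==", parts[1]]
        if len(parts) != 3 or parts[1] not in ("==", "=>", "<="):
            raise ValueError("unsupported usermap line: %r" % raw)
        entries.append(tuple(parts))
    return entries

def _win_match(pattern, account):
    """Return the user part if DOMAIN\\user matches pattern (case-insensitive), else None."""
    dom, _, user = account.rpartition("\\")
    pdom, _, puser = pattern.rpartition("\\")
    if pdom and pdom.lower() != dom.lower():
        return None
    return user if puser == "*" or puser.lower() == user.lower() else None

def windows_to_unix(entries, account):
    """First entry usable in the Windows -> UNIX direction wins; None if none applies."""
    for win, direction, unix in entries:
        if direction in ("==", "=>"):
            user = _win_match(win, account)
            if user is not None:
                return unix.replace("*", user)
    return None

def unix_to_windows(entries, user):
    """First entry usable in the UNIX -> Windows direction wins; None if none applies."""
    for win, direction, unix in entries:
        if direction in ("==", "<=") and unix in ("*", user):
            return win.replace("*", user)
    return None

# The two candidate entries from the post, evaluated for a constructed account.
ONE_WAY = parse_usermap("domain\\* => *")
TWO_WAY = parse_usermap("domain\\* == *")

if __name__ == "__main__":
    for label, entries in (("=>", ONE_WAY), ("==", TWO_WAY)):
        print(label, "CIFS login DOMAIN\\alice ->", windows_to_unix(entries, "DOMAIN\\alice"))
        print(label, "NFS user alice ->", unix_to_windows(entries, "alice"))
```

A `None` result means no usermap.cfg entry applied in that direction, so with the `=>` form an NFS user gets no explicit Windows identity from this file.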

andrc

Usermap.cfg entries are only really needed if you want to map differing usernames to each other. If users on the Linux hosts are logging in with the same credentials as AD users, then the filer will automatically map from Unix => Windows or vice versa. (You can test this by entering `options cifs.trace_login on` and watching console output. Remember to enter `options cifs.trace_login off` when you're done.)

Then it's just a case of ensuring folder/file permissions are correctly set as in any environment.

gspallis0

Thank you for that, andrc! Yes, I've seen the relevant info from NetApp's manuals. I've set it up now and it's working sweet. Thanx for your help once again.

mijohnst

How about setting up the permissions the other way? For instance, I want an NTFS qtree with Likewise Open so that permissions can be set from the Windows side. I've been trying it and gotten support involved, but nobody seems to know how to make it work. The Windows side works perfectly, but when I try to access a qtree from a mounted NFS share I see the following message:

Thu Jun 27 11:00:50 CDT [netapp1a:auth.trace.authenticateUser.loginTraceMag:info]: Auth: Error in passwd look up of uid 1851786435 during login from 10.10.10.123


So it's not liking the UID that Likewise is providing it.  Are there options that need to be set to make it work?  If I accidentally figure it out I'll come back and post it here.
