toasters May 2000

toasters@lists.teaparty.net

122 participants
148 discussions

NT + Unix access rights
by Michael van Elst 30 May '00

30 May '00

Hi, I'm using an F740 running 5.3.4R3. One volume uses a qtree with mixed security settings. Within that qtree I have a couple of files that cannot be accessed at all. The files were created by an NT client. On the UNIX side I can neither read nor touch the files. I cannot chmod or chown them. I cannot remove them. I could 'mv' them to a different directory once. I can create a hard link to them but which isn't deletable anymore. The file shows up with 0700 permissions. The directory where the file is located and all directories above were created by a UNIX client. This is true independent on wether I am working as root or as the files' owner (according to the usermap). On the NT side I cannot use the file either and I cannot even look at the security settings for the file. This is also independent of the user. Neither the owner nor the Administrator has access to the file. The usermap maps the UNIX 'root' account to the NT 'Administrator' account. The NT 'Administrator' account is mapped to an unprivileged UNIX account different from the file owner. I learned that the undocumented command 'rm' on the filers console (after rc_toggle_basic) allows to delete these files. Is there anything I can do ? Regards, -- i.A. Michael van Elst / phone: +49 721 9652 330 Xlink - Network Information Centre \/ fax: +49 721 9652 349 Emmy-Noether-Strasse 9 /\ link http://nic.xlink.net/ D-76131 Karlsruhe, Germany /_______ email: hostmaster(a)xlink.net [ KPNQwest Germany GmbH, Sitz Karlsruhe ] [ Amtsgericht Karlsruhe HRB 8161, Geschaeftsfuehrer: Koen Bertoen ]

2 4

RE: NT + Unix access rights
by Graham.Knight＠netapp.com 29 May '00

29 May '00

In NT you can set the ACL of a file so tight that the Administrator cannot read it. What you should try to do is map the drive as Administrator, then Take Ownership of the file. If that succeeds you should be able to set the ACL to whatever you want it to be, or delete the file. Another thing you might want to consider is setting this option: cifs.nfs_root_ignore_acl on This allows a root user on a root mounted NFS partition to do whatever it wants to a file with an ACL. I'm not 100% positive that the option above is available on 5.3.4R3. I know that it is available in 5.3.4R3P2. Graham -----Original Message----- From: Michael van Elst [mailto:mlelstv@xlink.net] Sent: Monday, May 29, 2000 10:48 AM To: toasters(a)mathworks.com Cc: Michael van Elst Subject: NT + Unix access rights Hi, I'm using an F740 running 5.3.4R3. One volume uses a qtree with mixed security settings. Within that qtree I have a couple of files that cannot be accessed at all. The files were created by an NT client. On the UNIX side I can neither read nor touch the files. I cannot chmod or chown them. I cannot remove them. I could 'mv' them to a different directory once. I can create a hard link to them but which isn't deletable anymore. The file shows up with 0700 permissions. The directory where the file is located and all directories above were created by a UNIX client. This is true independent on wether I am working as root or as the files' owner (according to the usermap). On the NT side I cannot use the file either and I cannot even look at the security settings for the file. This is also independent of the user. Neither the owner nor the Administrator has access to the file. The usermap maps the UNIX 'root' account to the NT 'Administrator' account. The NT 'Administrator' account is mapped to an unprivileged UNIX account different from the file owner. I learned that the undocumented command 'rm' on the filers console (after rc_toggle_basic) allows to delete these files. Is there anything I can do ? Regards, -- i.A. Michael van Elst / phone: +49 721 9652 330 Xlink - Network Information Centre \/ fax: +49 721 9652 349 Emmy-Noether-Strasse 9 /\ link http://nic.xlink.net/ D-76131 Karlsruhe, Germany /_______ email: hostmaster(a)xlink.net [ KPNQwest Germany GmbH, Sitz Karlsruhe ] [ Amtsgericht Karlsruhe HRB 8161, Geschaeftsfuehrer: Koen Bertoen ]

2 1

question about databases on NetApps
by Mike Kazar 28 May '00

28 May '00

Pardon my ignorance, but I have a question for people running databases on NetApp boxes. I've seen a number of notes in the past from people running Oracle or Sybase over NFS to a NetApp box, and I'm puzzled: why run a database over NFS instead of on top of a local disk? Are you running several instances of the database on several hosts, all sharing the same database over NFS? I'm surprised that works reasonably with a log file being hammered on by several different machines (and I don't really understand how it could work at all with several different log files). Also, I would have thought that NFS's loose cache consistency semantics would have prevented sharing a database from working at all, unless use of file locking disables caching appropriately. Or are you just running one database host, and using the NetApp to manage the database host's disk space. If so, what are the advantages you get from using the NetApp for disk space management instead of just using a local disk? Thanks in advance, Mike

3 2

Samba Vs CIFFS
by Philip Thomas 28 May '00

28 May '00

Hi, Why should some one pay good money to buy CIFFS license from NetApp when apparently the similar functionality is available "free", Samba? I am hoping folks out there, with experience in both products would be willing to share their knowledge as much their internal policy allows. I am specifically looking for pros and cons with respect to (a) performance (what ever than means) (b) scalibility (500+ users) (c) reliability (d) functionality (e) coexistence with Windows Terminal Server (f) 'cost' (not just dollars) (g) administration (h) interaction or lack of it with commercial apps ...any thing else ?? Perhaps this list is biased to CIFFS, by definition of the mailing list. But I have seen folks willing to speak out in the past. [BTW, please don't shoot the messenger:-)] Thanks. Philip Thomas Motorola - DDL-ITG, M/S M360 2200 W. Broadway Rd Mesa, AZ 85202 rxjs80(a)email.sps.mot.com (480) 655-3678 (480) 655-3881 (fax)

4 3

RE: Samba Vs CIFS
by paul.benn＠netapp.com 27 May '00

27 May '00

Philip, I take it that your going to use a filer anyway (NetApp CIFS/NFS vs. NetApp NFS + Samba)..?? Samba is an interesting application but there are limitations that you should be aware of, especially when considering deployment in a multiprotocol environment and from the perspective of NT only administrators. Since the underlying file system that Samba uses is a UNIX file system, the mocked up NTFS permissions that Samba provides will be based on UNIX and limited to a maximum of three ACEs (access control entries) for each ACL (access control list). One ACE for "owner," one for "group" and one for "world." Because of this, one must set NT file permissions using the individual bits under "Special Access" (you won't be able to use the canned ACEs like "Full Control, Change" etc.). Though not a problem for many, NT admins may not necessarily be comfortable with this. I've actually heard of NT admins who were unaware that the "Change," "Full Control" etc. entries actually represented the lower level permissions bits. NetApp's CIFS makes the filer look just like an NT member server rather than providing an NT facility to manipulate UNIX permissions. If one needs to manipulate UNIX permissions under NT, the SecureShare Access tool (available on NOW and on the DOT CD) can be installed. The tool adds a page to the file properties dialog. Share level ACLs are not only based on UNIX groups, they are set by editing the smb.conf file (by way of vi or SWAT), not Server Manager. Another possible issue for NT admins. Beginning with Data ONTAP 5.3, a limited implementation of Windows NT access logging became available. Success or failure of file reads or writes can be audited. Furthermore, auditing can be set up for files residing in "NTFS" or "Mixed" qtrees. Samba doesn't provide this. Samba also has weaknesses in a true multiprotocol environment. The DOS "archive," "system" and "hidden" bits are mapped to the UNIX "X" bits. If a UNIX admin removes an X bit or if an NT admin flips the archive bit, NT users will be in for a surprise when they can't execute program. Something else to consider is that when a Windows user hides a file, a leading period is not added and the file is NOT hidden for the UNIX user. The reverse _may_ also be true (files hidden with a leading period in UNIX may not be hidden from Windows users). Data ONTAP keeps track of these separately. Furthermore, WAFL keeps an archive bit for UNIX files so that an NT based backup program can do an "incremental" backup of UNIX data (backing up over CIFS retains NT ACLs as well as UNIX permissions). Multiprotocol environments add an interesting twist with respect to file permissions. Remember that Samba can only use UNIX permissions but NetApp filers can be configured to use UNIX and NTFS permissions. Another NT-like edge that WAFL has over Samba is inherited permissions. When a file is copied to a directory or a new file is created in a directory with NTFS-style permissions, that file inherits the permissions of the parent directory. This is also true (as of Data ONTAP 5.3) if a file with UNIX-style permissions is copied to a directory with NTFS-style permissions. The overhead of Samba's group mapping doesn't exist with filers. Because filers map _users_ on the fly, there is no need for group mapping (this is frequently misunderstood and viewed as a limitation). Consider centralized support and administration. If you were to use NetApp's CIFS, you'd have one stop shopping for support, bypassing being stuck between two vendors on some support issues. If Samba support beyond mailing lists is desired, there _is_ cost involved. Administration is centralized on the filer versus filer administration + Samba administration. Again, assuming that you're going to use a filer anyway: **Samba = UNIX rules + two levels of support and administration + painful for NT admins + multiprotocol weaknesses** **NetApp's CIFS = just like NT + centralized support and administration** Hope this helps. Best Regards, Paul Benn Network Appliance -----Original Message----- From: Philip Thomas [mailto:thomas@act.sps.mot.com] Sent: Friday, May 26, 2000 10:03 PM To: toasters(a)mathworks.com Subject: Samba Vs CIFFS Hi, Why should some one pay good money to buy CIFFS license from NetApp when apparently the similar functionality is available "free", Samba? I am hoping folks out there, with experience in both products would be willing to share their knowledge as much their internal policy allows. I am specifically looking for pros and cons with respect to (a) performance (what ever than means) (b) scalibility (500+ users) (c) reliability (d) functionality (e) coexistence with Windows Terminal Server (f) 'cost' (not just dollars) (g) administration (h) interaction or lack of it with commercial apps ...any thing else ?? Perhaps this list is biased to CIFFS, by definition of the mailing list. But I have seen folks willing to speak out in the past. [BTW, please don't shoot the messenger:-)] Thanks. Philip Thomas Motorola - DDL-ITG, M/S M360 2200 W. Broadway Rd Mesa, AZ 85202 rxjs80(a)email.sps.mot.com (480) 655-3678 (480) 655-3881 (fax)

1 0

Re: NIS problem with netgroup file
by Jagan Bearelly 26 May '00

26 May '00

Hi Steve, We also use the similar algorithm. Thanks. Jagan >From scl(a)sasha.acc.virginia.edu Fri May 26 14:10:59 2000 To: Cheryl Cruddace <cruddace(a)feather.llnl.gov> cc: jagan(a)netapp.com, toasters(a)mathworks.com Subject: Re: NIS problem with netgroup file Date: Fri, 26 May 2000 17:10:54 -0400 From: Steve Losen <scl(a)sasha.acc.virginia.edu> The NIS netgroup map can be problematic. From what I have been able to figure out, the NIS server builds a map called netgroup.byhost that is keyed by hostname and lists all the netgroups that that host is a member of. NIS map lookups must match the search key exactly, i.e., are case sensitive. In netgroup.byhost the lookup key is the hostname with ".*" appended to it, eg, "feather.llnl.gov.*". You can test your netgroup map with ypmatch "feather.llnl.gov.*" netgroup.byhost When a mount request comes in, the NFS server does a reverse DNS lookup on the IP address of the NFS client to get the client's hostname. The NFS server does a case sensitive lookup of the client's hostname in the NIS netgroup.byhost map to get a list of all the netgroups that the client belongs to. Then the exports list is consulted to see if the filesystem is exported to any of those netgroups. Because the NIS lookup in the netgroup.byhost map must mach exactly, you have to be very careful that the hostnames in your netgroup file match exactly what DNS returns in response to the reverse lookup of the client's IP address. This usually means that your NIS netgroup file must contain FQDNs. (I suppose it is possible that the NIS Makefile converts partial hostnames to FQDNs when creating the netgroup.byhost map, but I don't think it does.) We ran into some trouble with some SGI NFS servers because the SGIs were changing the result of the DNS lookup to all lower case. Our DNS servers return ".Virginia.EDU" and the SGIs were converting this to ".virginia.edu" for some unknown reason. Our NIS maps use ".Virginia.EDU" because that's what DNS returns, so when the SGIs converted to lower case, the NIS lookup failed and mounts were denied. We fixed the problem by modifying the NIS Makefile for our netgroup map. Our new Makefile creates two entries in netgroup.byhost for each host -- one keyed with the hostname returned by DNS and one keyed with the hostname in all lower case. That solved our SGI mount problems. I don't know if netapp filers use this same algorithm for checking mounts. It doesn't sound like it if there was a bug where FQDNs failed to work. You would think that only FQDNs could possibly work. > Jagan Bearelly wrote: > > >I am assuming you are using DNS. There should be case sensitive > >FQDN entry that matches the "nslookup" output for a given client > >and please see that dns.domainname is set with the same case > >sensitive value because "ypmatch" on NIS server is case sensitive. > > I am using DNS, I am not sure what you mean by case sensitive FQDN > or do you mean case insensitive? All combos of case seem to work > when I do an nslookup, i.e. feather, Feather, FEATHER...and none > of this mattered for the first 1-1/2 years so why now? The dns.domain > is set also. > > >Also, ONTAP version 5.3.4R3 doesn't have a fix for netgroup related > >issue (19922 netgroup lookups can fail with fully qualified domain > >name). This fix is available in 5.3.5, 5.3.5R1 and 5.3.5R2 which are > >the latest releases. > > > Thanks for the info. However, I went to the NOW site and the Data ONTAP > Release Advisor (a really neat tool I just found) said to go to 5.3.5r2. > So, is this not only the latest but also stable since stable is mucho > importante. I am running off to conquer new worlds in another week > and I can't get an unlisted number and hide since I will only be four > trailers away from where I am now. And, I don't want to leave a bunch > of limping filers as my legacy now do I??? > > Cheryl > Steve Losen scl(a)virginia.edu phone: 804-924-0640 University of Virginia ITC Unix Support

1 0

Re: NIS problem with netgroup file
by Cheryl Cruddace 26 May '00

26 May '00

Jagan Bearelly wrote: >I am assuming you are using DNS. There should be case sensitive >FQDN entry that matches the "nslookup" output for a given client >and please see that dns.domainname is set with the same case >sensitive value because "ypmatch" on NIS server is case sensitive. I am using DNS, I am not sure what you mean by case sensitive FQDN or do you mean case insensitive? All combos of case seem to work when I do an nslookup, i.e. feather, Feather, FEATHER...and none of this mattered for the first 1-1/2 years so why now? The dns.domain is set also. >Also, ONTAP version 5.3.4R3 doesn't have a fix for netgroup related >issue (19922 netgroup lookups can fail with fully qualified domain >name). This fix is available in 5.3.5, 5.3.5R1 and 5.3.5R2 which are >the latest releases. Thanks for the info. However, I went to the NOW site and the Data ONTAP Release Advisor (a really neat tool I just found) said to go to 5.3.5r2. So, is this not only the latest but also stable since stable is mucho importante. I am running off to conquer new worlds in another week and I can't get an unlisted number and hide since I will only be four trailers away from where I am now. And, I don't want to leave a bunch of limping filers as my legacy now do I??? Cheryl

2 1

RE: [foo@eek.org: Oracle and NTAP.]
by jeff.browning＠netapp.com 26 May '00

26 May '00

All: Re: "Specifically they mentioned a situation they had experienced while testing a netapp/oracle environment which would cause total corruption and require restoration from backup. The specific situation is a case where the filer loses power but the DB server doesn't. Their claim is that if this occurs there is no method to recover the DB other than from backup." I was responsible for testing Network Appliance filers to obtain certification for our storage products by Oracle corporation, as part of the Oracle Storage Compatibility Program (OSCP). See: http://www.oracle.com/database/storage/vendors.html. A major portion of the OSCP test suite had to do with abruptly powering off the filer while the database server stayed up (as well as powering off the database server while the filer stayed up, etc.). NetApp filers passed all of these tests to the satisfaction of Oracle Corporation. The position of Oracle Corporation today is that NetApp filers are an appropriate storage technology for storing Oracle database files, as evidenced by the URL I show above. If you have any further questions on this issue, please contact me directly. Jeff Browning O.C.P. M.C.S.E. Manager of Database Performance Network Appliance, Inc. ----- Forwarded message from foo <foo(a)eek.org> ----- From: foo <foo(a)eek.org> To: toasters(a)mathworks.com Subject: Oracle and NTAP. Ok, so we've been contemplating using one of our 760's for Oracle storage. Discussions with Netapp people made me feel relatively warm and fuzzy about doing this but discussions with our DBA consultants didn't. Specifically they mentioned a situation they had experienced while testing a netapp/oracle environment which would cause total corruption and require restoration from backup. The specific situation is a case where the filer loses power but the DB server doesn't. Their claim is that if this occurs there is no method to recover the DB other than from backup. Anyone had any experience with Oracle/Netapp or this specific situation? We plan to test this in the next few days, but I wanted to get any insights you all might have. Thanks, -Brian ----- End forwarded message -----

1 0

snap command
by Todd C. Merrill 26 May '00

26 May '00

I have a need to get lists of snapsnots on my filers. However, since the filers are heavily used, the snap command takes minutes to return. I suspect they take that long in order to calculate the usage statistics. Is there another way, a faster way, to just get a list of the snapshot names and timestamps? A listing of the directories under a .snapshot directory give the names, but not accurate timestamps. Until next time... Todd C. Merrill The Mathworks, Inc. 508-647-7000 x7792 3 Apple Hill Drive, Natick, MA 01760-2098 508-647-7001 FAX tmerrill(a)mathworks.com http://www.mathworks.com ---

3 2

RE: snap command
by Graham.Knight＠netapp.com 26 May '00

26 May '00

In the .snapshot directory an "ls -alu" will give you the correct times. Graham -----Original Message----- From: Todd C. Merrill [mailto:tmerrill@mathworks.com] Sent: Friday, May 26, 2000 7:04 AM To: toasters(a)mathworks.com Subject: snap command I have a need to get lists of snapsnots on my filers. However, since the filers are heavily used, the snap command takes minutes to return. I suspect they take that long in order to calculate the usage statistics. Is there another way, a faster way, to just get a list of the snapshot names and timestamps? A listing of the directories under a .snapshot directory give the names, but not accurate timestamps. Until next time... Todd C. Merrill The Mathworks, Inc. 508-647-7000 x7792 3 Apple Hill Drive, Natick, MA 01760-2098 508-647-7001 FAX tmerrill(a)mathworks.com http://www.mathworks.com ---

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

toasters May 2000