Hi Randy,
I've seen this when NIS was enabled in the SVM but not working/configured correctly. From your description, it looks like you don't need NIS anymore. Just make sure all traces of it are gone (e.g. in the ns-switch config).
Alternatively, make sure it's working alright. From what you wrote to NetApp I also noticed the following entry in the foo LDAP config:
Bind DN (User): sops-ldap
Base DN: dc-xxx,dc=org

it should be

Bind DN (User): sops-ldap
Base DN: dc=xxx,dc=org
(the "equals" sign after dc...). Of course that could also be a typo from you 'cleaning up' the output... (I suppose you substituted something with the "xxx").
Hope that helps
Sebastian
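An added check, not from the thread, that makes the Base DN typo Sebastian points at mechanically detectable: it splits a DN into RDNs the RFC 4514 way (escaped commas stay inside a value, '+' joins multi-valued RDNs) and reports any component that is not attribute=value. The two DN strings are copied from the ldap client output below; the "xxx" is the poster's own redaction.

```python
import re

# Attribute type per RFC 4514: a descriptor (letters, digits, hyphens) or a dotted OID.
_TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)+$")


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas ('\\,' stays in the value)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(buf).strip())
    return rdns


def dn_problems(dn):
    """Return a list of problems found in the DN; an empty list means it parses cleanly."""
    if not dn or dn == "-":
        return ["base DN is empty"]
    problems = []
    for rdn in split_dn(dn):
        for ava in rdn.split("+"):  # a multi-valued RDN joins its parts with '+'
            if "=" not in ava:
                problems.append("'%s' has no '=' (expected attribute=value)" % ava)
                continue
            attr, value = ava.split("=", 1)
            if not _TYPE_RE.match(attr.strip()):
                problems.append("'%s' is not a valid attribute type" % attr.strip())
            if not value.strip():
                problems.append("'%s' has an empty value" % ava)
    return problems


# Constructed from the two "Base DN" lines in the ldap client output in the thread.
THREAD_BASE_DNS = {"foo": "dc-xxx,dc=org", "pyrite-gold": "dc=xxx,dc=org"}

if __name__ == "__main__":
    for svm, dn in THREAD_BASE_DNS.items():
        print("%-12s %-16s %s" % (svm, dn, dn_problems(dn) or "ok"))
```

Run it against both SVMs' "Base DN" values: the pyrite-gold one comes back clean and the foo one is reported for the "dc-xxx" component, which is the kind of difference a side-by-side look at two long -instance dumps easily misses.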
On 8/3/2015 9:15 PM, Rue, Randy wrote:
Hello All,
Sent the below to our NetApp contacts but often you beautiful people have the answers I need, better and before the vendor does.
Need to limit an NFS export on an 8.3 SVM to either a NIS netgroup or an AD/LDAP nisNetgroup, preferably the LDAP. See the below.
Since I wrote the below, I've also determined that the working vserver appears to have a working copy of the netgroups in cache and the broken one does not:

gold::*> vserver export-policy netgroup cache show -vserver foo
There are no entries matching your query.

gold::*> vserver export-policy netgroup cache show -vserver pyrite-gold
Vserver        Netgroup                          State
pyrite-gold    netgroup-cluster-rcs.fhcrc.org    ready
The documentation says that "One of the methods you can use to match clients in export policy rules is by using hosts listed in netgroups. You can load netgroups from a uniform resource identifier (URI) into Storage Virtual Machines (SVMs) as an alternative to using netgroups stored in external name servers (vserver services name-service netgroup load)."
I'm specifically hung up on "as an alternative to using netgroups stored in external name servers." What is the method I'm missing that manually loading the netgroups via a URL (yuck) is an alternative to?
Hope to hear from you,
Randy in Seattle
(sent to NetApp)
Guys,
We're attempting to set up NFS access for an SVM to a NIS netgroup or its LDAP equivalent and while I was able to do this once on a test SVM we're now unable to recreate it.
On our old gear, we had some issues trying to make NIS work and eventually scripted a flat-file dump of our netgroup file to the vFilers, then used the local file for hostgroup-based access to NFS exports. That group name is @CLUSTER in /etc/exports.
That same script also takes the members of our netgroup file and exports them to an LDAP object in our AD, a nisNetgroup object called netgroup-cluster-rcs.xxx.org. That group is currently added to the export policy as @netgroup-cluster-rcs.xxx.org
Listing the AD object as above works for an SVM called pyrite-gold, a test vserver. My recollection is I set that one up pretty easily after realizing NIS wasn't working. I don't recall doing anything at the CLI. I can mount an export quickly and correctly from a linux host that is a member of the group.
Now we're trying to set up the same config on other SVMs ("foo") and document the steps for production and can't make it work. We've compared the config on the new SVM and pyrite-gold every which way with no luck. Gone over the GUI config a handful of times. I've also looked deeper from the CLI and found a few differences, but changing them didn't solve the problem. When we try to mount the export, the attempt retries a handful of times and eventually times out:

[root@RANDINO mnt]# mount foo:foo_nfs foo/
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (giving up).
[root@RANDINO mnt]#
From the CLI, I did find that ns-switch for "foo" was set only for "files." Fixed that using vserver services modify with no improvement. Now all matches:
gold::*> vserver services name-service ns-switch show
                                  Source
Vserver         Database          Order
foo             hosts             files, dns
foo             group             files
foo             passwd            files
foo             netgroup          ldap, nis, files
foo             namemap           files
pyrite-gold     hosts             files, dns
pyrite-gold     group             files
pyrite-gold     passwd            files
pyrite-gold     netgroup          ldap, nis, files
pyrite-gold     namemap           files
I also took a look at LDAP client settings:

gold::*> vserver services ldap client show -instance

                                     Vserver: foo
                   Client Configuration Name: foo
                            LDAP Server List: xxx
                     Active Directory Domain: fhcrc.org
          Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                             Schema Template: RFC-2307
                            LDAP Server Port: 389
                         Query Timeout (sec): 3
           Minimum Bind Authentication Level: anonymous
                              Bind DN (User): sops-ldap
                                     Base DN: dc-xxx,dc=org
                           Base Search Scope: subtree
                                     User DN: -
                           User Search Scope: subtree
                                    Group DN: -
                          Group Search Scope: subtree
                                 Netgroup DN: -
                       Netgroup Search Scope: subtree
                  Vserver Owns Configuration: true
         Use start-tls Over LDAP Connections: false
    Allow SSL for the TLS Handshake Protocol: false
             Enable Netgroup-By-Host Lookup: false
                        Netgroup-By-Host DN: -
                     Netgroup-By-Host Scope: subtree

                                     Vserver: pyrite-gold
                   Client Configuration Name: pyrite-gold
                            LDAP Server List: xxx
                     Active Directory Domain: fhcrc.org
          Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                             Schema Template: RFC-2307
                            LDAP Server Port: 389
                         Query Timeout (sec): 3
           Minimum Bind Authentication Level: anonymous
                              Bind DN (User): tinsel-ldap
                                     Base DN: dc=xxx,dc=org
                           Base Search Scope: subtree
                                     User DN: -
                           User Search Scope: subtree
                                    Group DN: -
                          Group Search Scope: subtree
                                 Netgroup DN: -
                       Netgroup Search Scope: subtree
                  Vserver Owns Configuration: true
         Use start-tls Over LDAP Connections: false
    Allow SSL for the TLS Handshake Protocol: false
             Enable Netgroup-By-Host Lookup: false
                        Netgroup-By-Host DN: -
                     Netgroup-By-Host Scope: subtree
2 entries were displayed.

gold::*>
Note that "Bind Using the Vserver's CIFS Credentials" was set to false for foo, but again, changing that from the CLI didn't make any difference. I know I never touched that setting on pyrite-gold; is it set that way because (maybe) I ran or re-ran CIFS setup after setting up NIS?
We need help on this pretty quickly: either a way to make NIS work for netgroup control of an NFS export policy, or a way to make it work based on the AD nisNetgroup. Given a choice we'd prefer the LDAP way. Is there a NetApp doc I've overlooked?
Randy
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters