Yes, both
sibyls2::*> nfs show -vserver als-enable-ds1 -fields v4.0-acl,v4.1-acl
vserver        v4.0-acl v4.1-acl
-------------- -------- --------
als-enable-ds1 enabled  enabled
Turns out that I had added an ACL while messing around with NFSv4.0 and it was preventing v4.1 ACLs from working:
sibyls2::*> file-directory show -vserver als-enable-ds1 -path /BL831/ISPYB/
  (vserver security file-directory show)

                Vserver: als-enable-ds1
              File Path: /BL831/ISPYB/
      File Inode Number: 64
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         DACL - ACEs
                           ALLOW-S-1-8-1000-0x1601ff-DI
                           ALLOW-OWNER@-0x1601ff
                           ALLOW-GROUP@-0x1200a9-IG
                           ALLOW-EVERYONE@-0x1200a9

Vserver: als-enable-ds1 (internal ID: 4)

Error: Lookup CIFS/NFSV4 account SID and translate to corresponding unix name procedure failed
  [  0 ms] Unix User ID found in Name Service Negative Cache
**[  0] FAILURE: Unable to retrieve UNIX username for UID 1000
  [  0] Could not translate NFSv4 SID 'S-1-8-1000'
  [  0] Could not find Windows SID 'S-1-8-1000'
  [  0] SID lookup failed
I wasn’t sure how to clear this ACL from the filer command line so I just deleted the volume, created a new vol, and now nfs4_getfacl and setfacl are working as expected.
Thanks to Scott Gelb for the insight to use the "file-directory" show command.
Scott
On Jun 5, 2020, at 2:06 PM, tmac <tmacmd@gmail.com> wrote:
Did you enable nfs-v4.1-acls? https://docs.netapp.com/ontap-9/topic/com.netapp.doc.cdot-famg-nfs/GUID-ECC9CC2F-9D07-4FAB-8E7B-E8A9B0C456BE.html
--tmac
Tim McCarthy, Principal Consultant Proud Member of the #NetAppATeam https://twitter.com/NetAppATeam
On Fri, Jun 5, 2020 at 4:18 PM Scott Classen <sclassen@lbl.gov> wrote:
Hello fellow toasters,
I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.
I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.
I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.
I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:
# on the client:
[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
 Flags: rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100
[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
[root@als-enable ~]# nfs4_setfacl -a A::classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

[root@als-enable ~]# nfs4_setfacl -a A::classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument
I think nfsid mapping is working.
[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
  gid:root@als-enable.bl1231.als.lbl.gov
  uid:root@als-enable.bl1231.als.lbl.gov
  gid:staff@als-enable.bl1231.als.lbl.gov
  uid:classen@als-enable.bl1231.als.lbl.gov
# on the filer:
sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver        v4.0-acl v4-id-domain                  v4.1-acl
-------------- -------- ----------------------------- --------
als-enable-ds1 enabled  als-enable.bl1231.als.lbl.gov enabled

sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
                               Source
Vserver         Database       Order
--------------- -------------- -----------
als-enable-ds1  hosts          files, dns
als-enable-ds1  group          files, ldap
als-enable-ds1  passwd         files, ldap
als-enable-ds1  netgroup       files
als-enable-ds1  namemap        files, ldap

sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap

                                  Vserver: als-enable-ds1
                Client Configuration Name: ae-ldap
                         LDAP Server List: 192.168.40.38
            (DEPRECATED)-LDAP Server List: -
                  Active Directory Domain: -
       Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 3
        Minimum Bind Authentication Level: anonymous
                           Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
                                  Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
                        Base Search Scope: subtree
                                  User DN: -
                        User Search Scope: subtree
                                 Group DN: -
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: true
            Enable Netgroup-By-Host Lookup: false
                     Netgroup-By-Host DN: -
                  Netgroup-By-Host Scope: subtree
                  Client Session Security: none
                    LDAP Referral Chasing: false
                  Group Membership Filter:
Scott Classen, Ph.D.
ALS-ENABLE
TomAlberTron Beamline 8.3.1
SIBYLS Beamline 12.3.1
Advanced Light Source
Lawrence Berkeley National Laboratory
1 Cyclotron Rd
MS6R2100
Berkeley, CA 94720
mobile 510.206.4418
desk 510.495.2697
beamline 510.495.2134
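The root cause in this thread was an ACE whose principal the filer could not resolve (the SID S-1-8-1000, i.e. UID 1000, had no LDAP user behind it); on the client that ACE rendered as "A:d:nobody:...", and every nfs4_setfacl call failed with EINVAL until the volume was recreated. The following script is an added example, not code from the thread or from NetApp: it parses nfs4_getfacl output and flags ACEs whose principal did not map cleanly (shown as "nobody", numeric, bare, or in a domain other than the server's v4-id-domain), so the problem can be spotted before anyone reaches for the delete-the-volume remedy. The sample ACL is the one quoted above with line breaks restored, ID_DOMAIN is the v4-id-domain from the "vserver nfs show" output, the "nobody"/"nfsnobody" fallback names are an assumption about the client's idmap behaviour, and the "nfs4_setfacl -x" lines it prints are an assumed client-side removal, which the server in this thread may well have rejected the same way it rejected "-a".

```python
import re
from dataclasses import dataclass

# Constructed sample input: the nfs4_getfacl output quoted in the thread, with
# line breaks restored.  The "nobody" principal is how the client rendered the
# ACE whose SID (S-1-8-1000, i.e. UID 1000) the filer could not map to a name.
SAMPLE_GETFACL = """\
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""

# Assumed value: the v4-id-domain reported by 'vserver nfs show' in the thread.
ID_DOMAIN = "als-enable.bl1231.als.lbl.gov"

SPECIAL_PRINCIPALS = {"OWNER@", "GROUP@", "EVERYONE@"}
# Assumption: names the client's idmap falls back to when it cannot map an id.
UNMAPPED_PRINCIPALS = {"nobody", "nfsnobody"}


@dataclass(frozen=True)
class Ace:
    kind: str       # A=allow, D=deny, U=audit, L=alarm
    flags: str      # ACE flags as printed by nfs4_getfacl, e.g. d=dir inherit, g=group principal
    principal: str  # OWNER@/GROUP@/EVERYONE@, name@domain, or a numeric id
    perms: str      # permission letters as printed by nfs4_getfacl

    def __str__(self):
        return f"{self.kind}:{self.flags}:{self.principal}:{self.perms}"


def parse_nfs4_getfacl(text):
    """Parse nfs4_getfacl output into (path, [Ace]); the '# file:' comment carries the path."""
    path, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*file:\s*(\S+)", line)
            if m:
                path = m.group(1)
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed ACE line: {line!r}")
        aces.append(Ace(*parts))
    return path, aces


def audit_principals(aces, id_domain):
    """Return (ace, reason) pairs for ACEs whose principal did not map cleanly."""
    findings = []
    for ace in aces:
        p = ace.principal
        if p in SPECIAL_PRINCIPALS:
            continue
        if p in UNMAPPED_PRINCIPALS:
            findings.append((ace, "shown as 'nobody': the server sent an identity the client could not map"))
        elif p.isdigit():
            findings.append((ace, "numeric id: no name was available for this principal"))
        elif "@" not in p:
            findings.append((ace, "bare name: NFSv4 principals are expected as name@id-domain"))
        elif p.rsplit("@", 1)[1].lower() != id_domain.lower():
            findings.append((ace, f"domain differs from the server's v4-id-domain {id_domain!r}"))
    return findings


def removal_commands(path, findings):
    """Client-side 'nfs4_setfacl -x' lines that would drop each flagged ACE (assumed remedy)."""
    return [f"nfs4_setfacl -x '{ace}' {path}" for ace, _ in findings]


if __name__ == "__main__":
    path, aces = parse_nfs4_getfacl(SAMPLE_GETFACL)
    findings = audit_principals(aces, ID_DOMAIN)
    for ace, reason in findings:
        print(f"{path}: suspicious ACE {ace} -> {reason}")
    for cmd in removal_commands(path, findings):
        print(cmd)
```

Feed it the output of nfs4_getfacl on any directory whose ACL refuses edits; an ACE that shows up as "nobody" or as a bare number is the server-side name-service failure seen in the "file-directory show" trace above, and the fix belongs in LDAP (or in removing the stale ACE), not in the client's nfs4_setfacl arguments.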
Toasters mailing list
Toasters@www.teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters