Yes, both

sibyls2::*> nfs show -vserver als-enable-ds1 -fields v4.0-acl,v4.1-acl 
vserver        v4.0-acl v4.1-acl 
-------------- -------- -------- 
als-enable-ds1 enabled  enabled 


Turns out that I had added an ACL while messing around with NFSv4.0 and it was preventing v4.1 ACLs from working:


sibyls2::*> file-directory show -vserver als-enable-ds1 -path /BL831/ISPYB/
  (vserver security file-directory show)

                Vserver: als-enable-ds1
              File Path: /BL831/ISPYB/
      File Inode Number: 64
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         DACL - ACEs
                           ALLOW-S-1-8-1000-0x1601ff-DI
                           ALLOW-OWNER@-0x1601ff
                           ALLOW-GROUP@-0x1200a9-IG
                           ALLOW-EVERYONE@-0x1200a9

Vserver: als-enable-ds1 (internal ID: 4)

Error: Lookup CIFS/NFSV4 account SID and translate to corresponding unix name procedure failed
  [  0 ms] Unix User ID found in Name Service Negative Cache
**[     0] FAILURE: Unable to retrieve UNIX username for UID 1000
  [     0] Could not translate NFSv4 SID 'S-1-8-1000'
  [     0] Could not find Windows SID 'S-1-8-1000'
  [     0] SID lookup failed

I wasn’t sure how to clear this ACL from the filer command line so I just deleted the volume, created a new vol, and now nfs4_getfacl and setfacl are working as expected.

Thanks to Scott Gelb for the insight to use the "file-directory" show command.


Scott

On Jun 5, 2020, at 2:06 PM, tmac <tmacmd@gmail.com> wrote:

Did you enable nfs-v4.1-acls?
 
--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

On Fri, Jun 5, 2020 at 4:18 PM Scott Classen <sclassen@lbl.gov> wrote:
Hello fellow toasters,

I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.

I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.

I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.

I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:

# on the client:

[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
 Flags: rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100

[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

[root@als-enable ~]# nfs4_setfacl -a A::classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

[root@als-enable ~]# nfs4_setfacl -a A::classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

I think NFS ID mapping is working.

[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
  gid:root@als-enable.bl1231.als.lbl.gov
  uid:root@als-enable.bl1231.als.lbl.gov
  gid:staff@als-enable.bl1231.als.lbl.gov
  uid:classen@als-enable.bl1231.als.lbl.gov

on the filer:

sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver        v4.0-acl v4-id-domain                  v4.1-acl 
-------------- -------- ----------------------------- -------- 
als-enable-ds1 enabled  als-enable.bl1231.als.lbl.gov enabled 

sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
                               Source
Vserver         Database       Order
--------------- ------------   ---------
als-enable-ds1  hosts          files,
                               dns
als-enable-ds1  group          files,
                               ldap
als-enable-ds1  passwd         files,
                               ldap
als-enable-ds1  netgroup       files
als-enable-ds1  namemap        files,
                               ldap


sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap

                                  Vserver: als-enable-ds1
                Client Configuration Name: ae-ldap
                         LDAP Server List: 192.168.40.38
            (DEPRECATED)-LDAP Server List: -
                  Active Directory Domain: -
       Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 3
        Minimum Bind Authentication Level: anonymous
                           Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
                                  Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
                        Base Search Scope: subtree
                                  User DN: -
                        User Search Scope: subtree
                                 Group DN: -
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: true
           Enable Netgroup-By-Host Lookup: false
                      Netgroup-By-Host DN: -
                   Netgroup-By-Host Scope: subtree
                  Client Session Security: none
                    LDAP Referral Chasing: false
                  Group Membership Filter: 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scott Classen, Ph.D.
ALS-ENABLE
TomAlberTron Beamline 8.3.1
SIBYLS Beamline 12.3.1
Advanced Light Source
Lawrence Berkeley National Laboratory
1 Cyclotron Rd
MS6R2100
Berkeley, CA 94720
mobile 510.206.4418
desk 510.495.2697
beamline 510.495.2134
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
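An added example, not code from the thread or from NetApp, that turns the diagnosis above into a check: it parses both views of the directory's ACL as printed in the thread (the DACL from `vserver security file-directory show` in Scott's reply, and the `nfs4_getfacl` output in the original post) and flags the ACE whose principal is a bare numeric ID (`S-1-8-1000`) that the name service cannot resolve, plus any client-side principal that shows up as `nobody` or does not carry the server's `v4-id-domain`. The ACE formats are assumed from the listings in the thread, and the resolver assumed for real use is the local NSS via `getpwuid`.

```python
import pwd
import re

# Constructed sample input copied from the thread: the DACL printed by ONTAP
# `vserver security file-directory show` and the same directory via nfs4_getfacl.
ONTAP_ACES = ["ALLOW-S-1-8-1000-0x1601ff-DI", "ALLOW-OWNER@-0x1601ff",
              "ALLOW-GROUP@-0x1200a9-IG", "ALLOW-EVERYONE@-0x1200a9"]
CLIENT_ACES = ["A:d:nobody:rwaDxtTnNcCy", "A::OWNER@:rwaDxtTnNcCy",
               "A:g:GROUP@:rxtncy", "A::EVERYONE@:rxtncy"]
V4_ID_DOMAIN = "als-enable.bl1231.als.lbl.gov"  # from `nfs show -fields v4-id-domain`

SPECIALS = {"OWNER@", "GROUP@", "EVERYONE@"}
ONTAP_ACE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z]+))?$")
NFS4_SID = re.compile(r"^S-1-8-(\d+)$")  # ONTAP's rendering of a bare numeric NFSv4 ID

def passwd_resolver(uid):
    """Resolve a UID through the local NSS (files/ldap); None if it has no name."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def check_ontap_ace(ace, resolve_uid):
    """Flag an ONTAP ACE whose principal is a numeric ID the name service cannot resolve."""
    m = ONTAP_ACE.match(ace)
    if not m:
        raise ValueError(f"unrecognised ACE: {ace}")
    who, sid = m.group(2), NFS4_SID.match(m.group(2))
    if who in SPECIALS or sid is None:
        return None  # special principal or a name: nothing to resolve here
    uid = int(sid.group(1))
    if resolve_uid(uid) is not None:
        return None
    return f"{ace}: UID {uid} has no name in the name service (unmappable ACE)"

def check_client_ace(ace, id_domain):
    """Flag a client-side ACE shown as 'nobody' or carrying the wrong NFSv4 id domain."""
    _kind, _flags, who, _perms = ace.split(":", 3)
    if who in SPECIALS:
        return None
    if who == "nobody":
        return f"{ace}: principal is 'nobody', the client idmapper could not map the server ID"
    user, _, dom = who.partition("@")
    if not user or dom.lower() != id_domain.lower():
        return f"{ace}: principal must be name@{id_domain} to match the server's v4-id-domain"
    return None

def audit(ontap_aces, client_aces, id_domain, resolve_uid):
    """Return every problem found across both views of the directory's ACL."""
    problems = [p for a in ontap_aces if (p := check_ontap_ace(a, resolve_uid))]
    problems += [p for a in client_aces if (p := check_client_ace(a, id_domain))]
    return problems
```

Run `audit(ONTAP_ACES, CLIENT_ACES, V4_ID_DOMAIN, passwd_resolver)` on a host that shares the filer's LDAP source; an empty list means every ACE principal maps cleanly on both sides.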

_______________________________________________
Toasters mailing list
Toasters@www.teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters