Look at TR-4073; it contains a detailed description of how cDOT uses (AD) LDAP to access netgroup information and how to configure it.
-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Rue, Randy
Sent: Monday, August 03, 2015 10:16 PM
To: 'toasters@teaparty.net'
Subject: stuck on a configuration puzzle: NFSv3 in 8.3, netgroups and export rules
Hello All,
Sent the below to our NetApp contacts but often you beautiful people have the answers I need, better and before the vendor does.
Need to limit an NFS export on an 8.3 SVM to either a NIS netgroup or an AD/LDAP nisNetgroup, preferably the LDAP. See the below.
Since I wrote the below, I've also determined that the working vserver appears to have a working copy of the netgroups in cache and the broken one does not:

gold::*> vserver export-policy netgroup cache show -vserver foo
There are no entries matching your query.

gold::*> vserver export-policy netgroup cache show -vserver pyrite-gold
Vserver      Netgroup                         State
--------     ----------                       ------------
pyrite-gold  netgroup-cluster-rcs.fhcrc.org   ready
The documentation says that "One of the methods you can use to match clients in export policy rules is by using hosts listed in netgroups. You can load netgroups from a uniform resource identifier (URI) into Storage Virtual Machines (SVMs) as an alternative to using netgroups stored in external name servers (vserver services name-service netgroup load)."
I'm specifically hung up on "as an alternative to using netgroups stored in external name servers." What is the method I'm missing that manually loading the netgroups via a URL (yuck) is an alternative to?
Hope to hear from you,
Randy in Seattle
(sent to NetApp)
-----------------------------------------------------------
Guys,
We're attempting to set up NFS access for an SVM to a NIS netgroup or its LDAP equivalent and while I was able to do this once on a test SVM we're now unable to recreate it.
On our old gear, we had some issues trying to make NIS work and eventually scripted a flat file dump of our netgroup file to the vFilers, then used the local file for hostgroup-based access to NFS exports. That group name is @CLUSTER in /etc/exports.
That same script also takes the members of our netgroup file and exports them to an LDAP object in our AD, a nisNetgroup object called netgroup-cluster-rcs.xxx.org. That group is currently added to the export policy as @netgroup-cluster-rcs.xxx.org.
Listing the AD object as above works for an SVM called pyrite-gold, a test vserver. My recollection is that I set that one up pretty easily after realizing NIS wasn't working. I don't recall doing anything at the CLI. I can mount an export quickly and correctly from a Linux host that is a member of the group.
Now we're trying to set up the same config on other SVMs ("foo") and document the steps for production and can't make it work. We've compared the config on the new SVM and pyrite-gold every which way with no luck. Gone over the GUI config a handful of times. I've also looked deeper from the CLI and found a few differences, but changing them didn't solve the problem. When we try to mount the export, the attempt retries a handful of times and eventually times out:

[root@RANDINO mnt]# mount foo:foo_nfs foo/
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (giving up).
[root@RANDINO mnt]#
From the CLI, I did find that ns-switch for "foo" was set only for "files." Fixed that using vserver services modify with no improvement. Now all matches:
gold::*> vserver services name-service ns-switch show
                             Source
Vserver         Database     Order
--------------- ------------ ---------
foo             hosts        files, dns
foo             group        files
foo             passwd       files
foo             netgroup     ldap, nis, files
foo             namemap      files
pyrite-gold     hosts        files, dns
pyrite-gold     group        files
pyrite-gold     passwd       files
pyrite-gold     netgroup     ldap, nis, files
pyrite-gold     namemap      files
I also took a look at LDAP client settings:

gold::*> vserver services ldap client show -instance

                                    Vserver: foo
                  Client Configuration Name: foo
                           LDAP Server List: xxx
                    Active Directory Domain: fhcrc.org
         Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                            Schema Template: RFC-2307
                           LDAP Server Port: 389
                        Query Timeout (sec): 3
          Minimum Bind Authentication Level: anonymous
                             Bind DN (User): sops-ldap
                                    Base DN: dc-xxx,dc=org
                          Base Search Scope: subtree
                                    User DN: -
                          User Search Scope: subtree
                                   Group DN: -
                         Group Search Scope: subtree
                                Netgroup DN: -
                      Netgroup Search Scope: subtree
                 Vserver Owns Configuration: true
        Use start-tls Over LDAP Connections: false
    Allow SSL for the TLS Handshake Protocol: false
            Enable Netgroup-By-Host Lookup: false
                        Netgroup-By-Host DN: -
                     Netgroup-By-Host Scope: subtree

                                    Vserver: pyrite-gold
                  Client Configuration Name: pyrite-gold
                           LDAP Server List: xxx
                    Active Directory Domain: fhcrc.org
         Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                            Schema Template: RFC-2307
                           LDAP Server Port: 389
                        Query Timeout (sec): 3
          Minimum Bind Authentication Level: anonymous
                             Bind DN (User): tinsel-ldap
                                    Base DN: dc=xxx,dc=org
                          Base Search Scope: subtree
                                    User DN: -
                          User Search Scope: subtree
                                   Group DN: -
                         Group Search Scope: subtree
                                Netgroup DN: -
                      Netgroup Search Scope: subtree
                 Vserver Owns Configuration: true
        Use start-tls Over LDAP Connections: false
    Allow SSL for the TLS Handshake Protocol: false
            Enable Netgroup-By-Host Lookup: false
                        Netgroup-By-Host DN: -
                     Netgroup-By-Host Scope: subtree
2 entries were displayed.

gold::*>
Note that "Bind Using the Vserver's CIFS Credentials" was set to false for foo, but again, changing that from the CLI didn't make any difference. I know I never touched that setting on pyrite-gold; is it set that way because (maybe) I ran or re-ran CIFS setup after setting up NIS?
We need help on this pretty quickly: either a way to make NIS work for netgroup control of an NFS export policy, or a way to make it work based on the AD nisNetgroup. Given a choice we'd prefer the LDAP way. Is there a NetApp doc I've overlooked?
Randy
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
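As an added illustration (not ONTAP code and not the script Randy describes), the following Python resolves membership of an RFC 2307 nisNetgroup, the object type an export-policy rule such as @netgroup-cluster-rcs.xxx.org refers to, from constructed sample LDIF, including nested memberNisNetgroup references and a guard against cyclic nesting. It models only the netgroup side of the lookup, not ONTAP's host-name resolution, netgroup-by-host lookup or cache.

```python
import re
# Constructed sample LDIF for two RFC 2307 nisNetgroup objects (not the author's AD data);
# the groups nest each other, a cycle the resolver must tolerate.
SAMPLE_LDIF = """\
dn: cn=netgroup-cluster-rcs,ou=netgroups,dc=example,dc=org
objectClass: nisNetgroup
cn: netgroup-cluster-rcs
nisNetgroupTriple: (node01.example.org,,)
nisNetgroupTriple: (node02.example.org,-,example.org)
memberNisNetgroup: netgroup-login

dn: cn=netgroup-login,ou=netgroups,dc=example,dc=org
objectClass: nisNetgroup
cn: netgroup-login
nisNetgroupTriple: (login01.example.org,,)
memberNisNetgroup: netgroup-cluster-rcs
"""

def parse_netgroups(ldif):
    """Return {cn: (set of hostnames, set of nested netgroup names)}."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        name, hosts, nested = None, set(), set()
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                name = value.strip()
            elif attr == "nisNetgroupTriple":
                # Triple is (host,user,domain); export rules only care about host.
                host = value.strip().strip("()").split(",")[0].strip()
                if host and host != "-":  # empty or "-" carries no hostname
                    hosts.add(host.lower())
            elif attr == "memberNisNetgroup":
                nested.add(value.strip())
        if name:
            groups[name] = (hosts, nested)
    return groups

def host_in_netgroup(groups, netgroup, host, _seen=None):
    """True if host is a direct or nested member; _seen stops cyclic recursion."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    hosts, nested = groups[netgroup]
    if host.lower() in hosts:
        return True
    return any(host_in_netgroup(groups, n, host, _seen) for n in nested)
```

Comparing the hostnames this yields for the netgroup named in the export rule against the client's resolved name is the check the export policy ultimately performs, so a client whose reverse DNS name is not in the set (or differs in case or domain suffix) is denied regardless of the LDAP configuration.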