What you likely saw was this:

When you have auth-sys-extended-groups enabled with ID numerics, ONTAP will attempt to map the numeric ID to a name to resolve groups. If that numeric doesn’t exist, you get the error you saw.

I wrote up a section in the new TR-4067 update that is currently being reviewed.

See below:

Considerations for Numeric ID Authentication (NFSv3 and NFSv4.x)

NFSv3 using AUTH_SYS sends numeric ID information for users and groups to perform user authentication to NFS mounts for permission resolution.

NFSv4.x with ONTAP has a feature that allows NFSv4.x mounts to leverage numeric ID strings instead of name strings, which allows NFSv4.x operations without needing centralized name services, matching names/numeric IDs on client/server, matching ID domains, etc. (-v4-numeric-ids)

Enabling the -auth-sys-extended-groups option will cause numeric ID authentication to fail if the UNIX user numeric ID can’t be translated into a valid UNIX user name in name services. This will counteract the -v4-numeric-ids option, as ONTAP will need to query the incoming numeric user ID to search for any auxiliary groups for authentication. If the incoming numeric ID cannot be resolved to a valid UNIX user or the client’s UNIX numeric UID is different than the numeric UID ONTAP knows about, then the lookup will fail with secd.authsys.lookup.failed in the event log and ONTAP will respond to the client with the AUTH_ERROR “client must begin a new session,” which will appear as “Permission denied.”

To use both options, use the following guidance:

- If you require users and groups that either cannot be queried from both NFS client and server or have mismatched numeric IDs, you can leverage NFS Kerberos and NFSv4.x ACLs to provide proper authentication with NFSv4.x, as clients will send name strings instead of numeric IDs.

- If you are using -auth-sys-extended-groups with AUTH_SYS and without NFSv4.x ACLs, any user that requires access via NFS will require a valid UNIX user in the name service database specified in ns-switch (can also be a local user).

From: Toasters <toasters-bounces@www.teaparty.net> On Behalf Of Scott Classen
Sent: Friday, June 5, 2020 5:30 PM
To: tmac <tmacmd@gmail.com>
Cc: Toasters <toasters@teaparty.net>
Subject: Re: nfs4_setfacl - Failed setxattr operation: Invalid argument

Yes, both

sibyls2::*> nfs show -vserver als-enable-ds1 -fields v4.0-acl,v4.1-acl
vserver        v4.0-acl v4.1-acl
-------------- -------- --------
als-enable-ds1 enabled  enabled

Turns out that I had added an ACL while messing around with NFSv4.0 and it was preventing v4.1 ACLs from working:
sibyls2::*> file-directory show -vserver als-enable-ds1 -path /BL831/ISPYB/
  (vserver security file-directory show)

                Vserver: als-enable-ds1
              File Path: /BL831/ISPYB/
      File Inode Number: 64
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         DACL - ACEs
                           ALLOW-S-1-8-1000-0x1601ff-DI
                           ALLOW-OWNER@-0x1601ff
                           ALLOW-GROUP@-0x1200a9-IG
                           ALLOW-EVERYONE@-0x1200a9

Vserver: als-enable-ds1 (internal ID: 4)

Error: Lookup CIFS/NFSV4 account SID and translate to corresponding unix name procedure failed
  [  0 ms] Unix User ID found in Name Service Negative Cache
**[     0] FAILURE: Unable to retrieve UNIX username for UID 1000
  [     0] Could not translate NFSv4 SID 'S-1-8-1000'
  [     0] Could not find Windows SID 'S-1-8-1000'
  [     0] SID lookup failed

I wasn’t sure how to clear this ACL from the filer command line so I just deleted the volume, created a new vol, and now nfs4_getfacl and setfacl are working as expected.
Thanks to Scott Gelb for the insight to use the "file-directory" show command.
Scott
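A small check script, added here and not part of the thread or of ONTAP, that ties the explanation in the reply at the top (numeric IDs that name services cannot map) to the outputs Scott posted: it parses the DACL lines from "vserver security file-directory show" and the client's nfs4_getfacl output, and reports any S-1-8-<uid> ACE whose UID is absent from a constructed stand-in for the SVM's name-service map, plus the ACEs the client renders as "nobody". The UID map and both ACL samples are constructed from the thread; only the S-1-8-<uid> form, which the secd trace above ties to "UID 1000", is interpreted.

```python
import re

# Constructed sample: the NFSv4 DACL lines from ONTAP's
# "vserver security file-directory show", as shown earlier in the thread.
ONTAP_DACL = """\
ALLOW-S-1-8-1000-0x1601ff-DI
ALLOW-OWNER@-0x1601ff
ALLOW-GROUP@-0x1200a9-IG
ALLOW-EVERYONE@-0x1200a9
"""

# Constructed sample: the same ACL as nfs4_getfacl showed it on the client.
CLIENT_ACL = """\
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""

# Constructed stand-in for what the SVM's ns-switch (files, ldap) can resolve.
# UID 1000 is deliberately absent, as it was in the thread.
KNOWN_UIDS = {0: "root", 2001: "classen"}

# ONTAP ACE: <ALLOW|DENY>-<principal>-<hex mask>[-<flags>]; the principal can
# itself contain dashes (S-1-8-1000), so it is matched non-greedily.
ONTAP_ACE = re.compile(r"^\s*(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z]+))?\s*$")
# nfs4_getfacl ACE: <type>:<flags>:<principal>:<perms>
CLIENT_ACE = re.compile(r"^([ADUL]):([^:]*):([^:]+):(\S+)$")


def unresolvable_uids(ontap_dacl, known_uids):
    """UIDs behind S-1-8-<uid> ACEs that the name-service map cannot turn into
    a user name: exactly the entries the SID-to-UNIX-name lookup fails on."""
    missing = []
    for line in ontap_dacl.splitlines():
        m = ONTAP_ACE.match(line)
        if not m or not m.group(2).startswith("S-1-8-"):
            continue
        uid = int(m.group(2).rsplit("-", 1)[1])
        if uid not in known_uids:
            missing.append(uid)
    return missing


def client_nobody_aces(client_acl):
    """ACEs the client shows as 'nobody', the client-side view of the same
    unmapped principal (the thread's A:d:nobody line for S-1-8-1000)."""
    return [line for line in client_acl.splitlines()
            if (m := CLIENT_ACE.match(line)) and m.group(3) == "nobody"]
```

Running unresolvable_uids over the sample returns [1000]; feeding it a map that does contain 1000 returns an empty list, which is the condition the -auth-sys-extended-groups guidance above requires.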

On Jun 5, 2020, at 2:06 PM, tmac <tmacmd@gmail.com> wrote:

Did you enable nfs-v4.1-acls?

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

On Fri, Jun 5, 2020 at 4:18 PM Scott Classen <sclassen@lbl.gov> wrote:

Hello fellow toasters,

I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.

I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.

I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.

I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:

# on the client:

[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
 Flags: rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100

[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

[root@als-enable ~]# nfs4_setfacl -a A::classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

[root@als-enable ~]# nfs4_setfacl -a A::classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

I think nfsid mapping is working.

[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
  gid:root@als-enable.bl1231.als.lbl.gov
  uid:root@als-enable.bl1231.als.lbl.gov
  gid:staff@als-enable.bl1231.als.lbl.gov
  uid:classen@als-enable.bl1231.als.lbl.gov

on the filer:

sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver        v4.0-acl v4-id-domain                  v4.1-acl 
-------------- -------- ----------------------------- -------- 
als-enable-ds1 enabled  als-enable.bl1231.als.lbl.gov enabled 

sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
                               Source
Vserver         Database       Order
--------------- ------------   ---------
als-enable-ds1  hosts          files,
                               dns
als-enable-ds1  group          files,
                               ldap
als-enable-ds1  passwd         files,
                               ldap
als-enable-ds1  netgroup       files
als-enable-ds1  namemap        files,
                               ldap

sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap

                                  Vserver: als-enable-ds1
                Client Configuration Name: ae-ldap
                         LDAP Server List: 192.168.40.38
            (DEPRECATED)-LDAP Server List: -
                  Active Directory Domain: -
       Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 3
        Minimum Bind Authentication Level: anonymous
                           Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
                                  Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
                        Base Search Scope: subtree
                                  User DN: -
                        User Search Scope: subtree
                                 Group DN: -
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: true
           Enable Netgroup-By-Host Lookup: false
                      Netgroup-By-Host DN: -
                   Netgroup-By-Host Scope: subtree
                  Client Session Security: none
                    LDAP Referral Chasing: false
                  Group Membership Filter: 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scott Classen, Ph.D.

ALS-ENABLE
TomAlberTron Beamline 8.3.1
SIBYLS Beamline 12.3.1
Advanced Light Source
Lawrence Berkeley National Laboratory
1 Cyclotron Rd
MS6R2100
Berkeley, CA 94720
mobile 510.206.4418
desk 510.495.2697
beamline 510.495.2134
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________________________________
Toasters mailing list
Toasters@www.teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters