Randy -

I've experienced some issues when I've left other auth methods enabled in the export policy - check and make sure you haven't left krb turned on for example.  You may also need to make sure that the volume policies match the export policy.   Every mount point under the export tree should be consistent, so if your security style is Unix, make sure volume policy is set to Unix and the export policy is set to Unix on every export, same for NTFS.  If even one of those is not the same you might have problems mounting the filesystem. 

Anthony Bar
650.207.5368
tbar@berkcom.com
Berkeley Communications
www.berkcom.com

On Aug 4, 2015, at 12:30 AM, Borzenkov, Andrei <andrei.borzenkov@ts.fujitsu.com> wrote:

Look at TR-4073; it contains a detailed description of how cDOT uses (AD) LDAP to access netgroup information and how to configure it.


-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Rue, Randy
Sent: Monday, August 03, 2015 10:16 PM
To: 'toasters@teaparty.net'
Subject: stuck on a configuration puzzle: NFSv3 in 8.3, netgroups and export rules

Hello All,

Sent the below to our NetApp contacts but often you beautiful people have the answers I need, better and before the vendor does.

Need to limit an NFS export on an 8.3 SVM to either a NIS netgroup or an AD/LDAP nisNetgroup, preferably the LDAP. See the below.

Since I wrote the below, I've also determined that the working vserver appears to have a working copy of the netgroups in cache and the broken one does not:
gold::*> vserver export-policy netgroup cache show -vserver foo
There are no entries matching your query.

gold::*> vserver export-policy netgroup cache show -vserver pyrite-gold
Vserver  Netgroup   State
-------- ---------- ------------
pyrite-gold
        netgroup-cluster-rcs.fhcrc.org
                   ready

The documentation says that "One of the methods you can use to match clients in export policy rules is by using hosts listed in netgroups. You can load netgroups from a uniform resource identifier (URI) into Storage Virtual Machines (SVMs) as an alternative to using netgroups stored in external name servers (vserver services name-service netgroup load)."

I'm specifically hung up on "as an alternative to using netgroups stored in external name servers." What is the method I'm missing that manually loading the netgroups via a URL (yuck) is an alternative to?

Hope to hear from you,

Randy in Seattle


(sent to NetApp)
-----------------------------------------------------------
Guys,

We're attempting to set up NFS access for an SVM to a NIS netgroup or its LDAP equivalent and while I was able to do this once on a test SVM we're now unable to recreate it.

On our old gear, we had some issues trying to make NIS work and eventually scripted a flat file dump of our netgroup file to the vFilers, then used the local file for hostgroup based access to NFS exports. That group name is @CLUSTER in /etc/exports.

That same script also takes the members of our netgroup file and exports them to an LDAP object in our AD, a nisNetgroup object called netgroup-cluster-rcs.xxx.org. That group is currently added to the export policy as @netgroup-cluster-rcs.xxx.org.

Listing the AD object as above works for an SVM called pyrite-gold, a test vserver. My recollection is I set that one up pretty easily after realizing NIS wasn't working. I don't recall doing anything at the CLI. I can mount an export quickly and correctly from a linux host that is a member of the group.

Now we're trying to set up the same config on other SVMs ("foo") and document the steps for production and can't make it work. We've compared the config on the new SVM and pyrite-gold every which way with no luck. Gone over the GUI config a handful of times. I've also looked deeper from the CLI and found a few differences but changing them didn't solve the problem. When we try to mount the export, the attempt retries a handful of times and eventually times out:
[root@RANDINO mnt]# mount foo:foo_nfs foo/
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (retrying).
mount: mount to NFS server 'foo' failed: timed out (giving up).
[root@RANDINO mnt]#


From the CLI, I did find that ns-switch for "foo" was set only for "files." Fixed that using vserver services modify with no improvement. Now all matches:
gold::*> vserver services name-service ns-switch show
                              Source
Vserver         Database       Order
--------------- ------------   ---------
foo             hosts          files,
                              dns
foo             group          files
foo             passwd         files
foo             netgroup       ldap,
                              nis,
                              files
foo             namemap        files
pyrite-gold     hosts          files,
                              dns
pyrite-gold     group          files
pyrite-gold     passwd         files
pyrite-gold     netgroup       ldap,
                              nis,
                              files
pyrite-gold     namemap        files

I also took a look at LDAP client settings:
gold::*> vserver services ldap client show -instance

                                 Vserver: foo
               Client Configuration Name: foo
                        LDAP Server List: xxx
                 Active Directory Domain: fhcrc.org
      Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                         Schema Template: RFC-2307
                        LDAP Server Port: 389
                     Query Timeout (sec): 3
       Minimum Bind Authentication Level: anonymous
                          Bind DN (User): sops-ldap
                                 Base DN: dc-xxx,dc=org
                       Base Search Scope: subtree
                                 User DN: -
                       User Search Scope: subtree
                                Group DN: -
                      Group Search Scope: subtree
                             Netgroup DN: -
                   Netgroup Search Scope: subtree
              Vserver Owns Configuration: true
     Use start-tls Over LDAP Connections: false
Allow SSL for the TLS Handshake Protocol: false
          Enable Netgroup-By-Host Lookup: false
                     Netgroup-By-Host DN: -
                  Netgroup-By-Host Scope: subtree

                                 Vserver: pyrite-gold
               Client Configuration Name: pyrite-gold
                        LDAP Server List: xxx
                 Active Directory Domain: fhcrc.org
      Preferred Active Directory Servers: xxx
Bind Using the Vserver's CIFS Credentials: true
                         Schema Template: RFC-2307
                        LDAP Server Port: 389
                     Query Timeout (sec): 3
       Minimum Bind Authentication Level: anonymous
                          Bind DN (User): tinsel-ldap
                                 Base DN: dc=xxx,dc=org
                       Base Search Scope: subtree
                                 User DN: -
                       User Search Scope: subtree
                                Group DN: -
                      Group Search Scope: subtree
                             Netgroup DN: -
                   Netgroup Search Scope: subtree
              Vserver Owns Configuration: true
     Use start-tls Over LDAP Connections: false
Allow SSL for the TLS Handshake Protocol: false
          Enable Netgroup-By-Host Lookup: false
                     Netgroup-By-Host DN: -
                  Netgroup-By-Host Scope: subtree
2 entries were displayed.

gold::*>

Note that "Bind Using the Vserver's CIFS Credentials" was set to false for foo, but again, changing that from the CLI didn't make any difference. I know I never touched that setting on pyrite-gold; is it set that way because (maybe) I ran or re-ran CIFS setup after setting up NIS?


We need help on this pretty quickly: either a way to make NIS work for netgroup control of an NFS export policy, or a way to make it work based on the AD nisNetgroup. Given a choice we'd prefer the LDAP way. Is there a NetApp doc I've overlooked?


Randy



_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
