Did you enable nfs-v4.1-acls? https://docs.netapp.com/ontap-9/topic/com.netapp.doc.cdot-famg-nfs/GUID-ECC9...
--tmac
*Tim McCarthy, **Principal Consultant*
*Proud Member of the #NetAppATeam https://twitter.com/NetAppATeam*
On Fri, Jun 5, 2020 at 4:18 PM Scott Classen sclassen@lbl.gov wrote:
Hello fellow toasters,
I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.
I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.
I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.
I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:
# on the client:
[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
 Flags: rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100

[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

[root@als-enable ~]# nfs4_setfacl -a A:: classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

[root@als-enable ~]# nfs4_setfacl -a A:: classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument
I think nfsid mapping is working.
[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
  gid:root@als-enable.bl1231.als.lbl.gov
  uid:root@als-enable.bl1231.als.lbl.gov
  gid:staff@als-enable.bl1231.als.lbl.gov
  uid:classen@als-enable.bl1231.als.lbl.gov
on the filer:
sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver        v4.0-acl v4-id-domain                  v4.1-acl
als-enable-ds1 enabled  als-enable.bl1231.als.lbl.gov enabled
sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
                               Source
Vserver         Database       Order
als-enable-ds1  hosts          files, dns
als-enable-ds1  group          files, ldap
als-enable-ds1  passwd         files, ldap
als-enable-ds1  netgroup       files
als-enable-ds1  namemap        files, ldap
sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap
                                  Vserver: als-enable-ds1
                Client Configuration Name: ae-ldap
                         LDAP Server List: 192.168.40.38
            (DEPRECATED)-LDAP Server List: -
                  Active Directory Domain: -
       Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
                          Schema Template: RFC-2307
                         LDAP Server Port: 389
                      Query Timeout (sec): 3
        Minimum Bind Authentication Level: anonymous
                           Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
                                  Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
                        Base Search Scope: subtree
                                  User DN: -
                        User Search Scope: subtree
                                 Group DN: -
                       Group Search Scope: subtree
                              Netgroup DN: -
                    Netgroup Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: true
           Enable Netgroup-By-Host Lookup: false
                      Netgroup-By-Host DN: -
                   Netgroup-By-Host Scope: subtree
                  Client Session Security: none
                    LDAP Referral Chasing: false
                  Group Membership Filter:
Scott Classen, Ph.D.
ALS-ENABLE
TomAlberTron Beamline 8.3.1
SIBYLS Beamline 12.3.1
Advanced Light Source
Lawrence Berkeley National Laboratory
1 Cyclotron Rd MS6R2100
Berkeley, CA 94720
mobile 510.206.4418
desk 510.495.2697
beamline 510.495.2134
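A pre-flight check for the ACE strings passed to nfs4_setfacl above, added here as an example (it is not code from the thread): it parses the type:flags:principal:perms form documented in nfs4_acl(5) and compares the principal's domain with the filer's v4-id-domain, which is assumed here from the vserver nfs show output. An unmapped principal is what produces entries like the nobody ACE above, and a server that rejects the owner string (NFS4ERR_BADOWNER) surfaces on the client as "Invalid argument".

```shell
#!/bin/sh
# Validate an nfs4_setfacl ACE before applying it. Constructed example; the
# ID_DOMAIN value is an assumption taken from the filer's v4-id-domain field.
ID_DOMAIN="als-enable.bl1231.als.lbl.gov"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# chars_in STRING ALLOWED -> 0 when every character of STRING is in ALLOWED
chars_in() { [ -z "$(printf '%s' "$1" | tr -d "$2")" ]; }

# check_ace 'type:flags:principal:perms' -> 0 if well-formed for this domain
check_ace() {
  ace=$1
  n=$(printf '%s' "$ace" | tr -cd ':' | wc -c); n=$((n))
  [ "$n" -eq 3 ] || { echo "expected 4 colon-separated fields: $ace" >&2; return 1; }
  type=${ace%%:*};      rest=${ace#*:}
  flags=${rest%%:*};    rest=${rest#*:}
  principal=${rest%:*}; perms=${rest##*:}
  # ACE types and flag/permission letters as listed in nfs4_acl(5)
  case $type in A|D|U|L) ;; *) echo "bad ACE type '$type'" >&2; return 1 ;; esac
  chars_in "$flags" 'dfniSFgOGE' || { echo "bad flags '$flags'" >&2; return 1; }
  [ -n "$perms" ] && chars_in "$perms" 'rwaxdDtTnNcCoy' ||
    { echo "bad permissions '$perms'" >&2; return 1; }
  case $principal in
    OWNER@|GROUP@|EVERYONE@) return 0 ;;   # special principals carry no domain
    *@*) dom=${principal#*@} ;;
    *) echo "principal '$principal' has no @domain; it will not map" >&2; return 1 ;;
  esac
  # The domain must equal the server's v4-id-domain (compared case-insensitively);
  # anything else leaves the principal unmapped (nobody) or gets the ACE rejected.
  [ "$(lower "$dom")" = "$(lower "$ID_DOMAIN")" ] ||
    { echo "domain '$dom' does not match v4-id-domain '$ID_DOMAIN'" >&2; return 1; }
  return 0
}
```

Run check_ace on the ACE string first, and only call nfs4_setfacl when it returns 0.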
Toasters mailing list Toasters@www.teaparty.net https://www.teaparty.net/mailman/listinfo/toasters