I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.
I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.
I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.
I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:
# on the client:
[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
Flags:
rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100
[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
[root@als-enable ~]# nfs4_setfacl -a A::classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument
[root@als-enable ~]# nfs4_setfacl -a A::classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument
I think nfsid mapping is working.
[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
  gid:root@als-enable.bl1231.als.lbl.gov
  uid:root@als-enable.bl1231.als.lbl.gov
  gid:staff@als-enable.bl1231.als.lbl.gov
  uid:classen@als-enable.bl1231.als.lbl.gov
# on the filer:
sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver        v4.0-acl v4-id-domain                  v4.1-acl
-------------- -------- ----------------------------- --------
als-enable-ds1 enabled  als-enable.bl1231.als.lbl.gov enabled
sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
                                Source
Vserver         Database        Order
--------------- ------------    ---------
als-enable-ds1  hosts           files,
                                dns
als-enable-ds1  group           files,
                                ldap
als-enable-ds1  passwd          files,
                                ldap
als-enable-ds1  netgroup        files
als-enable-ds1  namemap         files,
                                ldap
sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap
Vserver: als-enable-ds1
Client Configuration Name: ae-ldap
LDAP Server List: 192.168.40.38
(DEPRECATED)-LDAP Server List: -
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
Base Search Scope: subtree
User DN: -
User Search Scope: subtree
Group DN: -
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: true
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
Client Session Security: none
LDAP Referral Chasing: false
Group Membership Filter:
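An added example, not part of the original post: a small Python audit of NFSv4 ACEs in the nfs4_getfacl/nfs4_setfacl text form (type:flags:principal:perms) that checks every principal against the server's v4-id-domain. It assumes the ID domain value shown in the filer output above and the permission letters documented in nfs4_acl(5); the sample ACL lines are the ones from the post.

```python
"""Audit NFSv4 ACEs (nfs4_getfacl text form) against the server's NFSv4 ID domain."""
from dataclasses import dataclass
from typing import List, Optional

# Server-side ID domain, as reported by 'vserver nfs show' on the filer in the post.
ID_DOMAIN = "als-enable.bl1231.als.lbl.gov"
SPECIAL_PRINCIPALS = {"OWNER@", "GROUP@", "EVERYONE@"}
ACE_TYPES = {"A", "D", "U", "L"}        # allow, deny, audit, alarm
PERM_LETTERS = set("rwaxdDtTnNcCoy")   # permission letters per nfs4_acl(5)


@dataclass(frozen=True)
class Ace:
    kind: str
    flags: str
    principal: str
    perms: str


def parse_ace(text: str) -> Ace:
    """Parse one 'type:flags:principal:perms' ACE; raise ValueError if malformed."""
    fields = text.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {text!r}")
    kind, flags, principal, perms = fields
    if kind not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {kind!r} in {text!r}")
    bad = set(perms) - PERM_LETTERS
    if bad or not perms:
        raise ValueError(f"bad permission letters {sorted(bad)} in {text!r}")
    return Ace(kind, flags, principal, perms)


def audit_principal(ace: Ace, id_domain: str = ID_DOMAIN) -> Optional[str]:
    """Return a finding when the principal does not carry the configured domain."""
    p = ace.principal
    if p in SPECIAL_PRINCIPALS:
        return None
    if "@" not in p:
        return f"{p!r}: no @domain and not a special principal"
    _name, domain = p.rsplit("@", 1)
    if domain == id_domain:
        return None
    if domain.lower() == id_domain.lower():
        return f"{p!r}: domain case differs from configured {id_domain!r}"
    return f"{p!r}: domain {domain!r} != configured {id_domain!r}"


def audit_acl(lines: List[str]) -> List[str]:
    """Audit every ACE line (skipping '# file:' headers) and return all findings."""
    aces = [parse_ace(l) for l in lines if l.strip() and not l.startswith("#")]
    return [f for f in (audit_principal(a) for a in aces) if f]
```

Run audit_acl over the output of nfs4_getfacl, or audit_principal over the ACE you are about to pass to nfs4_setfacl, to see principals the server-side domain cannot match before the call fails.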