Guys, I'm banging my head on the wall trying to set up an NFS filesystem on a cDOT 8.2 VServer to also be shared using CIFS. I can see the volume and look at it from Windows, but I can't create any files or directories.
Just to make sure I'm not smoking anything, here's what I did:
> vol create -vserver flsm-fs01 -vol data310 -size 1t -junction-path /data310 -aggr sas1n2
> vol modify -vserver flsm-fs01 -vol data310 -unix-permissions 777
And here's how it looks now:
flsm-ntap1::> vol show
  (volume show)
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
flsm-fs01 data310      sas1n2       online     RW          5TB     4.75TB    5%
And I can see it just fine with NFS, etc. My unix username is 'stoffj' and my windows username is 'TAEC_IRV1\stoffj' so it should just map cleanly over using the defaults.
> cifs show
            Server          Status    Domain/Workgroup Authentication
Vserver     Name            Admin     Name             Style
----------- --------------- --------- ---------------- --------------
flsm-fs01   FLSM-FS01       up        TAEC_IRV1        domain

> cifs share show
Vserver        Share         Path              Properties   Comment  ACL
-------------- ------------- ----------------- ------------ -------- -----------
flsm-fs01      data310       /data310          oplocks      -        Everyone / Full Control
                                               browsable
                                               changenotify
I even set up and looked at the "security trace" stuff to try and figure it out. And it complains that my UNIX security is messed up. I've tried to cut'n'paste this info, but all the tabs keep expanding in weird ways and cause all kinds of havoc here.
Here's an example error:
n2  1  User: TAEC_IRV1\stoffj
       Access is denied by UNIX permissions while creating the directory.
       Security Style: UNIX permissions
       Path: /john/dir2/New folder
Now the interesting thing is that the path shown looks to be at the level UNDER the CIFS share. But it should be ok, right? Here's my permission settings:
flsm-ntap1::> file-directory show -vserver flsm-fs01 -path /data310/john/dir2
  (vserver security file-directory show)

                Vserver: flsm-fs01
              File Path: /data310/john/dir2
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           Unix User Id: 61255
          Unix Group Id: 4901
         Unix Mode Bits: 2775
 Unix Mode Bits in Text: rwxrwsr-x
                   ACLs: -
The mode bits are what we want, so that directories and files inherit their group ownership properly. I haven't set up any local users or groups, nor have I done any mappings, since it supposedly will do that for me.
On the Unix side we're using NIS to authenticate, and that seems to be working just fine.
Any hints?
John
Check your "export-policy" for all junctions involved... / and /data310:
vol show -fields policy
Then look at the rules:
export-policy rule show -policy <policy name>
Make sure the host you access from has at least read access to / and the host has write access to /data310.
--tmac
Tim McCarthy, Principal Consultant
On Fri, Apr 1, 2016 at 11:54 AM, John Stoffel john@stoffel.org wrote:
> Guys, I'm banging my head on the wall trying to set up an NFS filesystem on a cDOT 8.2 VServer to also be shared using CIFS. I can see the volume and look at it from Windows, but I can't create any files or directories.
I don't think that's it, because I'm just using the default policy and it's wide open. The root vol and the data310 vol both use the default policy, and it's set up like this:
export-policy rule show -vserver flsm-fs01 -policyname default -fields rw,ro,clientmatch,protocol
  (vserver export-policy rule show)
vserver   policyname ruleindex protocol clientmatch rorule rwrule
--------- ---------- --------- -------- ----------- ------ ------
flsm-fs01 default    1         cifs,nfs 0.0.0.0/0   any    any
which looks good to me. And I can browse via CIFS, go up and down levels. Just can't create anything.
Have you applied any different NTFS permissions from the Windows side? I see your share permissions are everyone / Full Control. Make sure and reset NTFS permissions to the same.
Regards,
André M. Clark
Hah! Found it. I can't do an export of 0.0.0.0/0 and have it be wide open. I needed to specify some more specific /8 and /16 subnets. Yes, I'm lazy and I should lock things down more tightly... in time.
John
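An added example, not code from anyone in this thread or from NetApp: a small Python audit over `export-policy rule show` output in the column layout posted above, listing rules whose clientmatch is the 0.0.0.0/0 catch-all or a writable network broader than a chosen prefix length. The rows for rule indexes 2 and 3, the `min_prefix` threshold and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: rule 1 is the row shown in the thread; rules 2 and 3 are
# made-up narrower rules of the kind the last message describes.
SAMPLE = """\
  (vserver export-policy rule show)
vserver   policyname ruleindex protocol clientmatch    rorule rwrule
--------- ---------- --------- -------- -------------- ------ ------
flsm-fs01 default    1         cifs,nfs 0.0.0.0/0      any    any
flsm-fs01 default    2         cifs,nfs 10.0.0.0/8     any    any
flsm-fs01 default    3         nfs      192.168.0.0/16 sys    never
"""


def parse_rules(text):
    """Turn the whitespace-separated table into one dict per rule row."""
    lines = [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(("-", "("))
    ]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def audit(rules, min_prefix=8):
    """Return (ruleindex, clientmatch, reason) for rules worth a second look."""
    findings = []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule["clientmatch"], strict=False)
        except ValueError:
            continue  # hostname, netgroup or domain match: not judged here
        index = int(rule["ruleindex"])
        if net.prefixlen == 0:
            # Matches every client address, whatever the rorule/rwrule say.
            findings.append((index, rule["clientmatch"], "catch-all"))
        elif net.prefixlen < min_prefix and rule["rwrule"] != "never":
            # Writable rule covering more addresses than the chosen threshold.
            findings.append((index, rule["clientmatch"], "broad-rw"))
    return findings


if __name__ == "__main__":
    for index, match, reason in audit(parse_rules(SAMPLE), min_prefix=16):
        print(f"rule {index}: {match} -> {reason}")
```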