Guys,
We've just migrated our 7-mode "home drives" vFiler using 7MTT to a new 8.3 cluster and so far the process has been less than blissful.
One immediate hurdle is each division in our organization has mostly CIFS/Windows users and some NFS/Linux users, with some overlap between them (users that need NFS access to NTFS data and vice versa). This means each division has an NTFS volume, with a UNIX qtree within it. And both areas are served via both CIFS and NFS.
CIFS access to both file systems seems to be fine. NFS access to the UNIX qtrees is fine. Where we're flailing is getting NFS access to the NTFS volumes. The exports mount just fine (LDAP is set up for the vserver, and client machines are in a nisNetgroup object in our AD). But NFS users connecting to their NTFS home folders get "permission denied," they can't even cd into them.
Done some digging with and without NA support with little luck so far. User mapping is correctly configured so that unix user names are mapping to AD names. But the filer isn't getting as far as mapping an incoming NFS connection's UID to a user name. NA support seems to think we need to configure an LDAP client for this. But my recollection of setting up our 7-mode system (five years ago) was that none of this was necessary, I think that joining the vfiler's CIFS server to our AD was enough for this to work (it is for Isilon, anyway).
Now I'm on the phone with support (literally) while we flail through a bunch of old KBs saying we need to modify our AD schema (vanilla 2K8 RFC-2307) or install MS SFU on our DCs (never needed to before) or create a custom schema for the vserver to accept our obviously exotic RFC-2307. And they're not exactly clear on how we do that.
To add to the fun, we're finding that many/most changes to the existing LDAP client settings break our so-far-working-OK Export Policies/Rules controlling access to the NFS exports.
So. Has anyone set up a vserver with NFS connections to an NTFS volume? How do you map connections?
Hope to hear from you very soon...
Randy in Seattle
If you have an incoming UID number, it needs to resolve to a valid UNIX user name. That allows unix-win name mapping to take place.
The UID number translation can take place in LDAP, NIS or local files. Your call. :)
Essentially, if a user "joe" comes in as UID 1000 to access an NTFS sec style volume, then the filer would need to be able to figure out who UID 1000 is to ensure a valid Windows name mapping to discern the ACL. No user called DOMAIN\1000 would exist in most cases.
This worked the same in 7-mode; you needed at least a local entry in the passwd file to allow access.
Try to create a local user on the cDOT system with the UID/GID and create the group with the correct GID as well:
::> unix-user create
::> unix-group create

-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Rue, Randy
Sent: Tuesday, September 22, 2015 3:02 PM
To: 'toasters@teaparty.net'
Subject: NFS access to NTFS in 8.3?
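Added example, not part of the original thread and not NetApp code: a simplified Python model of the lookup chain the reply describes (UID to UNIX name through an ordered list of name sources, then UNIX name to Windows name), showing why a working name-mapping rule is never reached when the UID lookup fails. All users, UIDs, rules and the DOMAIN name are constructed sample data.

```python
import re

# Constructed sample data; every name, UID and rule below is hypothetical.
LOCAL_FILES = {0: "root"}                 # passwd-style entries local to the filer
LDAP = {1000: "joe", 1001: "ann"}         # uidNumber -> uid held in the directory
# unix-to-win rules as (pattern, replacement), tried in order.
UNIX_TO_WIN = [(r"^ann$", r"DOMAIN\\ann.smith")]
WINDOWS_ACCOUNTS = {r"DOMAIN\joe", r"DOMAIN\ann.smith"}


def uid_to_unix_name(uid, sources):
    """Step 1: try each name-service source in order until one knows the UID."""
    for source in sources:
        if uid in source:
            return source[uid]
    return None


def unix_to_windows(name, rules, domain="DOMAIN"):
    """Step 2: first matching rule wins; otherwise assume DOMAIN\\<same name>."""
    for pattern, replacement in rules:
        if re.search(pattern, name):
            return re.sub(pattern, replacement, name)
    return f"{domain}\\{name}"


def resolve(uid, sources):
    """Return (windows_user, reason); windows_user is None when access is denied."""
    name = uid_to_unix_name(uid, sources)
    if name is None:
        # No UNIX name, so name mapping never runs and no ACL can be evaluated.
        return None, f"UID {uid} does not resolve to a UNIX user name"
    win = unix_to_windows(name, UNIX_TO_WIN)
    if win not in WINDOWS_ACCOUNTS:
        return None, f"{name} maps to {win}, which is not a Windows account"
    return win, f"UID {uid} -> {name} -> {win}"


if __name__ == "__main__":
    for srcs in ([LOCAL_FILES], [LOCAL_FILES, LDAP]):
        print(resolve(1000, srcs)[1])
```
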