Mailing List Archive

cDOT 8.2: share NFS volume with CIFS too problems
Guys,
I'm banging my head on the wall trying to set up an NFS filesystem on a
cDOT 8.2 VServer to also be shared using CIFS. I can see the volume
and look at it from Windows, but I can't create any files or
directories.

Just to make sure I'm not smoking anything, here's what I did:

> vol create -vserver flsm-fs01 -vol data310 -size 1t -junction-path /data310 -aggr sas1n2

> vol modify -vserver flsm-fs01 -vol data310 -unix-permissions 777

And here's how it looks now:

flsm-ntap1::> vol show
  (volume show)
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
flsm-fs01 data310      sas1n2       online     RW          5TB     4.75TB    5%


And I can see it just fine with NFS, etc. My unix username is
'stoffj' and my windows username is 'TAEC_IRV1\stoffj' so it should
just map cleanly over using the defaults.

> cifs show
            Server          Status    Domain/Workgroup Authentication
Vserver     Name            Admin     Name             Style
----------- --------------- --------- ---------------- --------------
flsm-fs01   FLSM-FS01       up        TAEC_IRV1        domain

> cifs share show
Vserver        Share         Path              Properties Comment  ACL
-------------- ------------- ----------------- ---------- -------- -----------
flsm-fs01      data310       /data310          oplocks    -        Everyone / Full Control
                                               browsable
                                               changenotify


I even set up and looked at the "security trace" stuff to try and
figure it out. And it complains that my UNIX security is messed up.
I've tried to cut'n'paste this info, but all the tabs keep expanding
in weird ways and cause all kinds of havoc here.

Here's an example error:

n2  1  User: TAEC_IRV1\stoffj  Access is denied by UNIX
                               permissions while creating
                               the directory.
                               Security Style: UNIX
                               permissions
                               Path: /john/dir2/New
                               folder



Now the interesting thing is that the path shown looks to be at the
level UNDER the CIFS share. But it should be ok, right? Here's my
permission settings:

flsm-ntap1::> file-directory show -vserver flsm-fs01 -path /data310/john/dir2
(vserver security file-directory show)

Vserver: flsm-fs01
File Path: /data310/john/dir2
Security Style: unix
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
Unix User Id: 61255
Unix Group Id: 4901
Unix Mode Bits: 2775
Unix Mode Bits in Text: rwxrwsr-x
ACLs: -


The mode bits are what we want, so that directories and files inherit
their group ownership properly. I haven't set up any local users or
groups, nor have I done any mappings, since it supposedly will do that
for me.

On the Unix side we're using NIS to authenticate, and that seems to be
working just fine.

Any hints?

John
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Re: cDOT 8.2: share NFS volume with CIFS too problems
check your "export-policy" for all junctions involved..../ and /data310

vol show -fields policy

then look at the rules.
export-policy rule show -policy <policy name>

Make sure the host you access from has at least read access to /
and the host has write access to /data310.


--tmac

Tim McCarthy, Principal Consultant


On Fri, Apr 1, 2016 at 11:54 AM, John Stoffel <john@stoffel.org> wrote:

>
> Guys,
> I'm banging my head on the wall trying to set up an NFS filesystem on a
> cDOT 8.2 VServer to also be shared using CIFS. I can see the volume
> and look at it from Windows, but I can't create any files or
> directories.
Re: cDOT 8.2: share NFS volume with CIFS too problems
I don't think that's it, because I'm just using the default policy and
it's wide open. The root vol and the data310 vol both use the default
policy, and it's set up like this:

> export-policy rule show -vserver flsm-fs01 -policyname default -fields rw,ro,clientmatch,protocol
  (vserver export-policy rule show)
vserver   policyname ruleindex protocol clientmatch rorule rwrule
--------- ---------- --------- -------- ----------- ------ ------
flsm-fs01 default    1         cifs,nfs 0.0.0.0/0   any    any

which looks good to me. And I can browse via CIFS, go up and down
levels. Just can't create anything.

tmac> check your "export-policy" for all junctions involved..../ and /data310
tmac> vol show -fields policy


tmac> then look at the rules.
tmac> export-policy rule show -policy <policy name>

tmac> Make sure the host you access from has at least read access to /
tmac> and the host has write access to /data310.

Re: cDOT 8.2: share NFS volume with CIFS too problems
Have you applied any different NTFS permissions from the Windows side? I see your share permissions are everyone / Full Control. Make sure and reset NTFS permissions to the same.

Regards,
André M. Clark

> On Apr 1, 2016, at 11:33, John Stoffel <john@stoffel.org> wrote:
>
>
> I don't think that's it, because I'm just using the default policy and
> it's wide open. The root vol and the data310 vol both use the default
> policy, and it's set up like this:
>
>> export-policy rule show -vserver flsm-fs01 -policyname default -fields rw,ro,clientmatch,protocol
>   (vserver export-policy rule show)
> vserver   policyname ruleindex protocol clientmatch rorule rwrule
> --------- ---------- --------- -------- ----------- ------ ------
> flsm-fs01 default    1         cifs,nfs 0.0.0.0/0   any    any
>
> which looks good to me. And I can browse via CIFS, go up and down
> levels. Just can't create anything.
Re: cDOT 8.2: share NFS volume with CIFS too problems
Hah! Found it. I can't do an export of 0.0.0.0/0 and have it be wide
open. I needed to specify some more specific /8 and /16 subnets.
Yes, I'm lazy and I should lock things down more tightly... in time.

John
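
The wide-open rule discussed in this thread is easy to catch mechanically. The following is an added example, not code posted by anyone on the list: it parses "export-policy rule show" output in the column layout quoted earlier in the thread and flags rules that are writable from every client address or that use rwrule "any". Rules 2 and 3 in the sample are constructed, and the function names are this example's own.

```python
import ipaddress

# Rule 1 is the rule posted in this thread. Rules 2 and 3 are constructed for
# the example; the thread does not say which subnets were finally used.
SAMPLE = """\
> export-policy rule show -vserver flsm-fs01 -policyname default -fields rw,ro,clientmatch,protocol
  (vserver export-policy rule show)
vserver   policyname ruleindex protocol clientmatch    rorule rwrule
--------- ---------- --------- -------- -------------- ------ ------
flsm-fs01 default    1         cifs,nfs 0.0.0.0/0      any    any
flsm-fs01 default    2         nfs      10.0.0.0/8     sys    sys
flsm-fs01 default    3         cifs     192.168.0.0/16 ntlm   never
"""


def parse_rules(text):
    """Parse the whitespace-separated table into dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if ln.split()[0] == "vserver":      # header row, after prompt and echo lines
            header, body = ln.split(), lines[i + 1:]
            break
    else:
        raise ValueError("no header row found")
    rules = []
    for ln in body:
        fields = ln.split()
        if set(ln.strip()) <= {"-", " "} or len(fields) != len(header):
            continue                        # separator row or wrapped/garbled row
        rules.append(dict(zip(header, fields)))
    return rules


def audit(rules):
    """Return {ruleindex: [reasons]} for rules that are broader than intended."""
    findings = {}
    for r in rules:
        reasons = []
        try:
            net = ipaddress.ip_network(r["clientmatch"], strict=False)
        except ValueError:
            net = None                      # hostname, netgroup or domain: not judged here
        if net is not None and net.prefixlen == 0 and r["rwrule"] != "never":
            reasons.append("read-write for every client address")
        if r["rwrule"] == "any":
            reasons.append("rwrule 'any' accepts any security type")
        if reasons:
            findings[int(r["ruleindex"])] = reasons
    return findings


if __name__ == "__main__":
    for index, reasons in audit(parse_rules(SAMPLE)).items():
        print(f"rule {index}: " + "; ".join(reasons))
```
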