Mailing List Archive

nfs4_setfacl - Failed setxattr operation: Invalid argument
Hello fellow toasters,

I’m deep into the NFSv4 wormhole and flailing miserably. Any help or advice would be greatly appreciated.

I am exporting an NFSv4.1 volume from our filer (9.6P6). I can mount the volume on a CentOS7 client. I can make directories as root and chown them to a user in our LDAP directory. I can see the ACL with nfs4_getfacl, but I cannot set/edit the ACLs with nfs4_setfacl.

I’ve read both of Justin Parisi’s TRs (TR-4835 - How to Configure LDAP in ONTAP, TR-4067 NFS Best Practice and Implementation Guide) so I think I’ve done everything correctly.

I’ve configured both the NetApp and the client to talk to the same OpenLDAP server. Here are some relevant diagnostics:

# on the client:

[root@als-enable ~]# nfsstat -m
/als/BL-831/data from ae10g-1:/BL831/ISPYB
Flags: rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.40.38,local_lock=none,addr=192.168.40.100

[root@als-enable ~]# nfs4_getfacl /als/BL-831/data/TEST/
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

[root@als-enable ~]# nfs4_setfacl -a A::classen@als-enable.bl1231.als.lbl.gov:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

[root@als-enable ~]# nfs4_setfacl -a A::classen@ALS-ENABLE.BL1231.ALS.LBL.GOV:rwaDxtTnNcCy /als/BL-831/data/TEST
Failed setxattr operation: Invalid argument

I think nfsid mapping is working.

[root@als-enable ~]# nfsidmap -l
4 .id_resolver keys found:
gid:root@als-enable.bl1231.als.lbl.gov
uid:root@als-enable.bl1231.als.lbl.gov
gid:staff@als-enable.bl1231.als.lbl.gov
uid:classen@als-enable.bl1231.als.lbl.gov



on the filer:

sibyls2::*> vserver nfs show -vserver als-enable-ds1 -fields v4.1-acl,v4-id-domain,v4.0-acl
vserver v4.0-acl v4-id-domain v4.1-acl
-------------- -------- ----------------------------- --------
als-enable-ds1 enabled als-enable.bl1231.als.lbl.gov enabled

sibyls2::*> vserver services name-service ns-switch show -vserver als-enable-ds1
Source
Vserver Database Order
--------------- ------------ ---------
als-enable-ds1 hosts files,
dns
als-enable-ds1 group files,
ldap
als-enable-ds1 passwd files,
ldap
als-enable-ds1 netgroup files
als-enable-ds1 namemap files,
ldap


sibyls2::*> vserver services name-service ldap client show -client-config ae-ldap

Vserver: als-enable-ds1
Client Configuration Name: ae-ldap
LDAP Server List: 192.168.40.38
(DEPRECATED)-LDAP Server List: -
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): cn=ldapadmin,dc=als-enable,dc=als,dc=lbl,dc=gov
Base DN: dc=als-enable,dc=als,dc=lbl,dc=gov
Base Search Scope: subtree
User DN: -
User Search Scope: subtree
Group DN: -
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: true
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
Client Session Security: none
LDAP Referral Chasing: false
Group Membership Filter:






~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scott Classen, Ph.D.
ALS-ENABLE
TomAlberTron Beamline 8.3.1
SIBYLS Beamline 12.3.1
Advanced Light Source
Lawrence Berkeley National Laboratory
1 Cyclotron Rd
MS6R2100
Berkeley, CA 94720
mobile 510.206.4418
desk 510.495.2697
beamline 510.495.2134
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Re: nfs4_setfacl - Failed setxattr operation: Invalid argument
Did you enable nfs-v4.1-acls?
https://docs.netapp.com/ontap-9/topic/com.netapp.doc.cdot-famg-nfs/GUID-ECC9CC2F-9D07-4FAB-8E7B-E8A9B0C456BE.html


--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>



On Fri, Jun 5, 2020 at 4:18 PM Scott Classen <sclassen@lbl.gov> wrote:
Re: nfs4_setfacl - Failed setxattr operation: Invalid argument
Yes, both

sibyls2::*> nfs show -vserver als-enable-ds1 -fields v4.0-acl,v4.1-acl
vserver v4.0-acl v4.1-acl
-------------- -------- --------
als-enable-ds1 enabled enabled


Turns out that I had added an ACL while messing around with NFSv4.0 and it was preventing v4.1 ACLs from working:


sibyls2::*> file-directory show -vserver als-enable-ds1 -path /BL831/ISPYB/
(vserver security file-directory show)

Vserver: als-enable-ds1
File Path: /BL831/ISPYB/
File Inode Number: 64
Security Style: unix
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: NFSV4 Security Descriptor
Control:0x8014
DACL - ACEs
ALLOW-S-1-8-1000-0x1601ff-DI
ALLOW-OWNER@-0x1601ff
ALLOW-GROUP@-0x1200a9-IG
ALLOW-EVERYONE@-0x1200a9

Vserver: als-enable-ds1 (internal ID: 4)

Error: Lookup CIFS/NFSV4 account SID and translate to corresponding unix name procedure failed
[ 0 ms] Unix User ID found in Name Service Negative Cache
**[ 0] FAILURE: Unable to retrieve UNIX username for UID 1000
[ 0] Could not translate NFSv4 SID 'S-1-8-1000'
[ 0] Could not find Windows SID 'S-1-8-1000'
[ 0] SID lookup failed



I wasn’t sure how to clear this ACL from the filer command line so I just deleted the volume, created a new vol, and now nfs4_getfacl and setfacl are working as expected.

Thanks to Scott Gelb for the insight to use the "file-directory" show command.


Scott

> On Jun 5, 2020, at 2:06 PM, tmac <tmacmd@gmail.com> wrote:
RE: nfs4_setfacl - Failed setxattr operation: Invalid argument
What you likely saw was this:


* Extended GIDs was enabled (auth-sys-extended-groups)
* V4-numeric-ids enabled
* UID 1000 doesn’t exist in name services (local files or LDAP)

When you have auth-sys-extended-groups enabled with ID numerics, ONTAP will attempt to map the numeric ID to a name to resolve groups. If that numeric doesn’t exist, you get the error you saw.

I wrote up a section in the new TR-4067 update that is currently being reviewed.

See below:

Considerations for Numeric ID Authentication (NFSv3 and NFSv4.x)

NFSv3 using AUTH_SYS sends numeric ID information for users and groups to perform user authentication to NFS mounts for permission resolution.

NFSv4.x with ONTAP has a feature that allows NFSv4.x mounts to leverage numeric ID strings instead of name strings, which allows NFSv4.x operations without needing centralized name services, matching names/numeric IDs on client/server, matching ID domains, etc. (-v4-numeric-ids)

Enabling the -auth-sys-extended-groups option will cause numeric ID authentication to fail if the UNIX user numeric ID can’t be translated into a valid UNIX user name in name services. This will counteract the -v4-numeric-ids option, as ONTAP will need to query the incoming numeric user ID to search for any auxiliary groups for authentication. If the incoming numeric ID cannot be resolved to a valid UNIX user or the client’s UNIX numeric UID is different than the numeric UID ONTAP knows about, then the lookup will fail with secd.authsys.lookup.failed in the event log and ONTAP will respond to the client with the AUTH_ERROR “client must begin a new session,” which will appear as “Permission denied.”

To use both options, use the following guidance:

* If you require users and groups that either cannot be queried from both NFS client and server or have mismatched numeric IDs, you can leverage NFS Kerberos and NFSv4.x ACLs to provide proper authentication with NFSv4.x, as clients will send name strings instead of numeric IDs.

* If you are using -auth-sys-extended-groups with AUTH_SYS and without NFSv4.x ACLs, any user that requires access via NFS will require a valid UNIX user in the name service database specified in ns-switch (can also be a local user).
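The stale S-1-8-1000 ACE that Scott found with file-directory show, and the -auth-sys-extended-groups lookup described above, as an added audit check (example code, not from the thread, ONTAP or nfs4-acl-tools). The DACL lines and nfs4_getfacl output are copied from the thread; the passwd map, the S-1-8 pseudo-SID pattern, the function names, and the reading of the client's A:d:nobody entry as the unmapped view of that ACE are assumptions.

```python
"""Audit helper for the two failure modes in this thread: an ONTAP NFSv4 ACE
whose principal is a numeric pseudo-SID (S-1-8-<uid>) that name services cannot
resolve, and an AUTH_SYS numeric UID that -auth-sys-extended-groups cannot
translate. Added example; not code from the thread, ONTAP or nfs4-acl-tools."""
import re

# Constructed stand-in for the ns-switch passwd database (files, ldap).
# UID 1000 is deliberately absent, matching the thread's negative-cache error.
PASSWD = {0: "root", 1001: "classen"}

# Constructed copy of the DACL block from `vserver security file-directory show`.
DACL_OUTPUT = """\
DACL - ACEs
ALLOW-S-1-8-1000-0x1601ff-DI
ALLOW-OWNER@-0x1601ff
ALLOW-GROUP@-0x1200a9-IG
ALLOW-EVERYONE@-0x1200a9
"""

# Constructed copy of the client-side view of the same object (nfs4_getfacl).
GETFACL_OUTPUT = """\
# file: /als/BL-831/data/TEST/
A:d:nobody:rwaDxtTnNcCy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""

# ALLOW|DENY - principal - hex mask [- inheritance flags]
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z]+))?$")
NFSV4_SID_RE = re.compile(r"^S-1-8-(\d+)$")  # assumed ONTAP pseudo-SID for a raw UID

def parse_dacl(text):
    """Return (kind, principal, mask, flags) for each ACE line of a DACL block."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m.group(1), m.group(2), int(m.group(3), 16), m.group(4) or ""))
    return aces

def unresolvable_aces(text, passwd):
    """ACEs whose S-1-8-<uid> principal has no UNIX name in the name service.
    Returns [(principal, uid)]; well-known OWNER@/GROUP@/EVERYONE@ never count."""
    bad = []
    for _kind, principal, _mask, _flags in parse_dacl(text):
        m = NFSV4_SID_RE.match(principal)
        if m and int(m.group(1)) not in passwd:
            bad.append((principal, int(m.group(1))))
    return bad

def nobody_principals(text):
    """nfs4_getfacl entries the client idmapper could not map (shown as nobody)."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _kind, flags, who, perms = line.split(":", 3)
        if who == "nobody":
            hits.append((flags, perms))
    return hits

def authsys_extended_groups_ok(uid, passwd, extended_groups):
    """With -auth-sys-extended-groups on, ONTAP must map the numeric UID to a
    name before it can look up auxiliary groups, so an unknown UID fails even
    when -v4-numeric-ids is enabled; with it off the raw UID is accepted."""
    return (not extended_groups) or uid in passwd
```

Running the checks over the thread's output flags only the S-1-8-1000 ACE on the filer side and only the nobody entry on the client side; adding UID 1000 to the passwd map clears both.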


From: Toasters <toasters-bounces@www.teaparty.net> On Behalf Of Scott Classen
Sent: Friday, June 5, 2020 5:30 PM
To: tmac <tmacmd@gmail.com>
Cc: Toasters <toasters@teaparty.net>
Subject: Re: nfs4_setfacl - Failed setxattr operation: Invalid argument

_______________________________________________
Toasters mailing list
Toasters@www.teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters