How to configure NFSv4

Check the permissions on each path component of  /ifs/data/w2isilonpoc/nfs/sph

ls -led /ifs

ls -led /ifs/data

...

Make sure your user or group has rx permissions for each path component.

If there are any windows ACLs on the path, that can interfere as well.

Hi Peter,

If Linux machine on which the NFSv4 export is to be mounted has local groups and users, how to define them in Isilon now ?Is there any other way to deal with local users and groups ?

Thanks

Damal

Mark,

when i run ls -led on /ifs i see this:

w2isilonpoc-1# ls -led /ifs     

drwxrwxrwx    5 root  wheel  89 Jun  9 11:24 /ifs

OWNER: user:root

GROUP: group:wheel

SYNTHETIC ACL

0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child

1: group:wheel allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

2: everyone allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

Do you see anything that could have caused the access denied error ?  Is it even possible to use NFSv4 without Kerberos/LDAP authentication ?

Hi Dynamox,

I believe, we can do that, depending upon our need and protocols supported by client and server, security will be a little concern. Three security mechanisms are : Kerberos, LIPKEY, and SPKM-3, depending on the requirements.

NFSv4 new features (Network File System version 4) and NFS on-site training courses

> Do you see anything that could have caused the access denied error ?

Dynamox:

The (strange) point is that it fails already at the mounting stage...

> Is it even possible to use NFSv4 without Kerberos/LDAP authentication ?

Yes, this is what I did with ease (no Kerberos, just plain LDAP),

and assumed you would to the same,

as  you wrote you are using AUTH_SYS.

Are your cluster and/or your client configured with Kerberos?

I mean, it could be that with Kerberos active on one or on

both sides, the AUTH_SYS method might have... difficulties.

Again, I'd suggest to start with virtual/simulator nodes

as simple as possible; and then add features/complexity.

Damal:

check out the Isilon "File Provider" for this, but be aware

that NFSv4 uses account and group *names* rather than the

numerics UIDs and GIDs. Additional confusion is created

by situation where a users are in differently named groups,

but with identical GID:

such as user root in group "root" (Linux, GID 0)

or in group "wheel" (Isilon, also GID 0).

Peter,

i am using Isilon simulator and i have a brand new VM running RHEL 6.5.  This VM is not configured for LDAP, is that my issue ? Do i need to configure both Isilon and this VM to use LDAP ?

Folks,

The key difference in NFSv4 authentication - without LDAP or any other external auth source - is to match usernames.  Not UID/GID, but usernames.

So the first thing OneFS does is a user mapping - trying to match the supplied username.  For example, I also have virtual Isilon, connected to a Mac (10.9.3).  I have username 'rpeglar' defined on my Mac, so I defined a local user (system zone) named 'rpeglar' as well.

The second thing OneFS will do is ID mapping, which is not the same as user mapping.

Lastly, once ID mapping is complete, OneFS attempts to match the ID with the on-disk identity.  Out of the box, this is set to 'native' - but older clusters which have migrated from 6.5 or below have 'unix' set as the on-disk identity.

So, no, one does not need LDAP to perform NFSv4.  Assuming you have identical usernames, and have the ID and on-disk identity set correctly, it just works.

Cheers

Rob

This is so weird.

Works for me with LDAP (both sides, our productions systems)

as well as right out of the box with minimal setup (fresh virtual stuff, no LDAP).

Haven't used that particular RHEL 6.5 version though.

"You're holding it wrong"

Even worse, the NFSv4 RFCs say somewhere, AUTH_SYS is not

required to work  (or whatever the exact wording is).

So maybe...? But you should be able to find at least some

combination of Isilon+client that works, and then maybe start

tracing the network packets from there.

Hello Rob,

so you created a local account on Isilon "rpeglar"  ? Did you modify permissions/owner on /ifs/

Thank you

Dynamox, you really need to check EVERY path up the tree. Here's a script to do that, just provide the full path as an argument. i.e. perl pathcheck.pl /ifs/data/w2isilonpoc/nfs/sph

#!/usr/bin/perl -w

use strict;

my @fullpath = split("/", $ARGV[0]);
my $collector = "/";
while ($#fullpath > -1) {
my $p = shift(@fullpath);
next if ($p eq "");
$collector .= "$p/";
print `ls -led "$collector"`;
print '-' x 80;
}

> no firewalls, no typos ..NFSv4 gets disabled and mount the export without any issues. The path is different because in the first post because i changed in the post before i hit "Post",  i was too lazy to change it in the output from isi nfs exports list.

Seems the "All (sub)Dirs" export option doesn't work for NFSv4.

Which makes sense, given NFSv4's philosophy of a presenting a file system.

"All Dirs: Yes" shows up in your screenshot of the export options,

but this will not allow mounting any deeper path,

which you might have tried.

Ran across this myself today...

Dynamox, did you get this working? If so I am really curious as to what was not correct.

Same effect in this situation, but with plain (not All-Dirs) exports:

exporting /ifs/data/test

exporting /ifs/data/test/nfs4test

$ sudo mount   -t nfs4   :/ifs/data/test/nfs4test /tmp/m

mount.nfs4: Permission denied