July 6th, 2020 13:00

OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

Dear community,

 

We have configured an access zone with Windows AD and NIS authentication providers, both of them were set with "Lookup Normalize" users and groups to Yes.

 

Created a default mapping rule "*\* &= * []" to join users from the two "worlds"; all of them have the same user naming format, and the mapping token looks fine when "isi auth mapping token" is run.

 

We created a CIFS share with everyone full access and granted an AD group "GroupA" with "Modify" permissions at file system level. Then this folder was exported by NFSv3, and set "map lookup id" to Yes.

 

When a member of GroupA tries to access the exported NFS for the first time, they receive "access denied". The only way to get access for this user is by accessing through CIFS for the first time and remounting the export from the Linux side.

 

CIFS access always works as expected. 

 

NFS access works only if the user has accessed through CIFS at least one time.

 

It feels like the access token is created only when the user accesses by CIFS, and it enables the access on the remaining protocols, in this case NFSv3.

 

Does it make any sense? Is there something that we can check, or some additional configuration considerations to take into account?

 

We look forward to hearing from your valuable experience.

Kind regards,

Ariel.

July 8th, 2020 13:00

Dear all,

First of all, thanks for your suggestions and help, I really appreciate that.

Finally the issue was just in the user mapping rule:

The original: *\* &= * []

The definitive one: AD_Domain_Name\* &= * []

It seems that the "general" first rule was causing the annoying "authentication" behavior. Once replaced, the user tokens from both sides looked similar (although I was told that it wasn't necessary).

I hope this helps other people.

Regards.

Moderator • 8.5K Posts

July 7th, 2020 10:00

Hi Ariel,

Does reloading cached export config change anything? https://dell.to/3201tOF

July 7th, 2020 12:00

Thanks for replying Josh!

Unfortunately reloading the cache didn't change this behavior. Any other suggestion will be very appreciated.

Kind regards,

Ariel.

1 Rookie • 567 Posts

July 7th, 2020 14:00

@Ariel.Florio 

What are the POSIX permissions of the file before and after you touch the file in SMB?

July 8th, 2020 11:00

@PhilLam 

Thanks for replying!

Actually, users do not touch any file at the first attempt; they only access the CIFS share and after this, they are granted access to the NFS export "magically", only by accessing the CIFS share without any other action.

It seems that OneFS generates the user token when the user accesses the CIFS share for the first time, and it doesn't happen when the user accesses via NFS. If the user tries to access by NFS for the first time and runs "ls -l" to list files, an access denied is received. To solve this, the user must access CIFS first (without touching any file), then his access is granted “magically” after remounting the NFS export.

Tried to check log files such as nfs, lsass, lwio, auth, but found nothing. I opened a service request also, but still waiting for a CE's diagnostic.

Am I missing some configuration step perhaps?
Thanks in advance!

 

1 Rookie • 567 Posts

July 8th, 2020 22:00

@Ariel.Florio 

I usually use the following mapping rule with no issues.

*\* += * [group,groups]
