OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

Dear community,

We have configured an access zone with Windows AD and NIS authentication providers; both of them were set with "Lookup Normalize" users and groups to Yes.

We created a default mapping rule "*\* &= * []" to join users from the two "worlds". All of them have the same user naming format, and the mapping token looks fine when "isi auth mapping token" is run.

We created a CIFS share with everyone full access and granted an AD group "GroupA" "Modify" permissions at the file system level. Then this folder was exported by NFSv3, with "map lookup id" set to Yes.

When a member of GroupA tries to access the exported NFS for the first time, they receive "access denied". The only way to get access for this user is by accessing through CIFS for the first time and remounting the export from the Linux side.

CIFS access always works as expected.

NFS access works only if the user has accessed through CIFS at least once.

It feels like the access token is created only when the user accesses by CIFS, and it enables the access on the remaining protocols, in this case NFSv3.

Does this make any sense? Is there something that we can check, or some additional configuration considerations to take into account?

We look forward to hearing from your valuable experience.

Kind regards,

Ariel.

Accepted Solutions

Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

Dear all,

First of all, thanks for your suggestions and help, I really appreciate that.

Finally, the issue was just in the user mapping rule:
The original: *\* &= * []

The definitive one: AD_Domain_Name\* &= * []

It seems that the "general" first rule was causing the annoying "authentication" behavior. Once replaced, the user tokens from both sides looked similar (although I was told that it wasn't necessary).

I hope this helps other people.

Regards.

6 Replies

Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

Hi Ariel,

Does reloading cached export config change anything? https://dell.to/3201tOF


Thanks,
DELL-Josh Cr
Dell EMC Enterprise Support Services

Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

Thanks for replying Josh!

Unfortunately, reloading the cache didn't change this behavior. Any other suggestion would be greatly appreciated.

Kind regards,

Ariel.


Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

@Ariel.Florio 

What are the POSIX permissions of the file before and after you touch the file in SMB?


Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

@PhilLam 

Thanks for replying!

Actually, users do not touch any file at the first attempt; they only access the CIFS and after this, they are granted access to the NFS export "magically", only by accessing the CIFS without any other action.

It seems that OneFS generates the user token when the user accesses the CIFS share for the first time, and it doesn't happen when the user accesses via NFS. If the user tries to access by NFS for the first time and runs "ls -l" to list files, an access denied is received. To solve this, the user must access CIFS first (without touching any file); then his access is granted “magically” after remounting the NFS export.

I tried to check log files such as nfs, lsass, lwio, auth, but found nothing. I also opened a service request, but I am still waiting for a CE's diagnostic.

Am I missing some configuration step, perhaps?
Thanks in advance!


Re: OneFS 8.2.1 - Multiprotocol User must access by CIFS first to get access in NFS export

@Ariel.Florio 

I usually use the following mapping rule with no issues.

*\* += * [group,groups]