How to configure NFSv4
Hello guys/gals,
This is my first endeavor into the NFSv4 world, so I have absolutely no experience of where to begin (did some intensive googling prior). At the moment I am using a virtual appliance; I enabled NFSv4 support, security type left at default (UNIX sys), domain (localdomain). I have created a brand new export to my RHEL 6.5 server and when I try to mount it I get this:
[root@rhel65 ~]# mount -t nfs4 -o proto=tcp isilon.mycompany.com:/ifs/data/nfs/test /mnt
mount.nfs4: access denied by server while mounting isilon.mycompany.com:/ifs/data/nfs/test
The minute I disable NFSv4 support I am able to mount the export. Where do I start, folks?
Thank you
markfoster1
22 Posts
0
June 25th, 2014 09:00
Check the permissions on each path component of /ifs/data/w2isilonpoc/nfs/sph
ls -led /ifs
ls -led /ifs/data
...
Make sure your user or group has rx permissions for each path component.
If there are any Windows ACLs on the path, that can interfere as well.
Rdamal
165 Posts
0
June 28th, 2014 10:00
Hi Peter,
If the Linux machine on which the NFSv4 export is to be mounted has local groups and users, how do we define them in Isilon now? Is there any other way to deal with local users and groups?
Thanks
Damal
dynamox
20.4K Posts
0
June 29th, 2014 20:00
Mark,
when I run ls -led on /ifs I see this:
w2isilonpoc-1# ls -led /ifs
drwxrwxrwx 5 root wheel 89 Jun 9 11:24 /ifs
OWNER: user:root
GROUP: group:wheel
SYNTHETIC ACL
0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
1: group:wheel allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child
2: everyone allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child
Do you see anything that could have caused the access denied error ? Is it even possible to use NFSv4 without Kerberos/LDAP authentication ?
Anonymous User
375 Posts
0
June 30th, 2014 00:00
Hi Dynamox,
I believe, we can do that, depending upon our need and protocols supported by client and server, security will be a little concern. Three security mechanisms are : Kerberos, LIPKEY, and SPKM-3, depending on the requirements.
NFSv4 new features (Network File System version 4) and NFS on-site training courses
Peter_Sero
1.2K Posts
0
June 30th, 2014 05:00
> Do you see anything that could have caused the access denied error ?
Dynamox:
The (strange) point is that it fails already at the mounting stage...
> Is it even possible to use NFSv4 without Kerberos/LDAP authentication ?
Yes, this is what I did with ease (no Kerberos, just plain LDAP),
and assumed you would do the same,
as you wrote you are using AUTH_SYS.
Are your cluster and/or your client configured with Kerberos?
I mean, it could be that with Kerberos active on one or on
both sides, the AUTH_SYS method might have... difficulties.
Again, I'd suggest to start with virtual/simulator nodes
as simple as possible; and then add features/complexity.
Peter_Sero
1.2K Posts
0
June 30th, 2014 05:00
Damal:
check out the Isilon "File Provider" for this, but be aware
that NFSv4 uses account and group *names* rather than the
numeric UIDs and GIDs. Additional confusion is created
by situations where users are in differently named groups,
but with identical GID:
such as user root in group "root" (Linux, GID 0)
or in group "wheel" (Isilon, also GID 0).
dynamox
20.4K Posts
0
June 30th, 2014 06:00
Peter,
I am using the Isilon simulator and I have a brand new VM running RHEL 6.5. This VM is not configured for LDAP; is that my issue? Do I need to configure both Isilon and this VM to use LDAP?
peglarr
99 Posts
0
June 30th, 2014 07:00
Folks,
The key difference in NFSv4 authentication - without LDAP or any other external auth source - is to match usernames. Not UID/GID, but usernames.
So the first thing OneFS does is a user mapping - trying to match the supplied username. For example, I also have virtual Isilon, connected to a Mac (10.9.3). I have username 'rpeglar' defined on my Mac, so I defined a local user (system zone) named 'rpeglar' as well.
The second thing OneFS will do is ID mapping, which is not the same as user mapping.
Lastly, once ID mapping is complete, OneFS attempts to match the ID with the on-disk identity. Out of the box, this is set to 'native' - but older clusters which have migrated from 6.5 or below have 'unix' set as the on-disk identity.
So, no, one does not need LDAP to perform NFSv4. Assuming you have identical usernames, and have the ID and on-disk identity set correctly, it just works.
Cheers
Rob
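The name-based matching described in the post above can be checked from the client side before touching the cluster. This is an added example, not code from the thread or from Isilon: it reads the `Domain` setting a Linux client would have in `/etc/idmapd.conf`, compares it with the server's NFSv4 domain, and lists which local account names have no same-named account on the server. The config text and both user lists are constructed sample data; only `localdomain` and `rpeglar` come from the thread.

```shell
#!/bin/sh
# Constructed sample inputs (assumptions, not taken from the thread's systems).
CLIENT_IDMAPD='[General]
#Domain = example.com
Domain = localdomain
[Mapping]
Nobody-User = nobody'
CLIENT_USERS='root:0
rpeglar:501
appsvc:600'
SERVER_USERS='root:0
rpeglar:2001'

# Effective "Domain =" value from idmapd.conf text on stdin (commented lines ignored).
idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | tail -n 1
}

# check_names <client domain> <server domain> <client users> <server users>
# Prints one line per client user: "<name>@<domain> <verdict>"
#   match         an account with the same name exists on the server
#                 (the numeric ID may differ; the name is what is compared)
#   no-such-name  the server has no account with this name
# Prints only "domain-mismatch" and returns 1 if the two NFSv4 domains differ.
check_names() {
    if [ "$1" != "$2" ]; then echo "domain-mismatch"; return 1; fi
    printf '%s\n' "$3" | while IFS=: read -r name uid; do
        if printf '%s\n' "$4" | grep -q "^${name}:"; then
            echo "${name}@$1 match"
        else
            echo "${name}@$1 no-such-name"
        fi
    done
}

dom=$(printf '%s\n' "$CLIENT_IDMAPD" | idmap_domain)
check_names "$dom" "localdomain" "$CLIENT_USERS" "$SERVER_USERS"
```

On a real client, feed `idmap_domain` from `/etc/idmapd.conf` and build the user lists from `getent passwd` on the client and from the cluster's local user listing.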
Peter_Sero
1.2K Posts
0
June 30th, 2014 07:00
This is so weird.
Works for me with LDAP (both sides, our productions systems)
as well as right out of the box with minimal setup (fresh virtual stuff, no LDAP).
Haven't used that particular RHEL 6.5 version though.
"You're holding it wrong"
Even worse, the NFSv4 RFCs say somewhere, AUTH_SYS is not
required to work (or whatever the exact wording is).
So maybe...? But you should be able to find at least some
combination of Isilon+client that works, and then maybe start
tracing the network packets from there.
peglarr
99 Posts
0
June 30th, 2014 08:00
Hi Sergey,
I did indeed create a local user named 'rpeglar'. For the first test, I merely used the default export of /ifs, without any subdirectories. Worked perfectly either v3 or v4 to my Mac logged in as 'rpeglar'. Then I did subdirectories, with the appropriate permissions for user 'rpeglar'. Again, worked perfectly. Have not tried this with anything below 7.1, but 7.1 and above all worked as expected.
Cheers
Rob
dynamox
20.4K Posts
0
June 30th, 2014 08:00
Hello Rob,
so you created a local account on Isilon, "rpeglar"? Did you modify permissions/owner on /ifs/?
Thank you
markfoster1
22 Posts
0
June 30th, 2014 09:00
Dynamox, you really need to check EVERY path up the tree. Here's a script to do that, just provide the full path as an argument. i.e. perl pathcheck.pl /ifs/data/w2isilonpoc/nfs/sph
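#!/usr/bin/perl -w
# Walk a path from the root down and show the permissions/ACL of each component.
use strict;
die "usage: $0 /full/path\n" unless @ARGV;
$| = 1;  # unbuffered output, so separators stay in order with the ls output
my @fullpath = split("/", $ARGV[0]);
my $collector = "/";
while ($#fullpath > -1) {
    my $p = shift(@fullpath);
    next if ($p eq "");
    $collector .= "$p/";
    # List form of system(): the path is passed to ls directly, never parsed by a shell
    system("ls", "-led", $collector);
    print '-' x 80, "\n";
}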
Peter_Sero
1.2K Posts
0
July 2nd, 2014 03:00
> no firewalls, no typos ..NFSv4 gets disabled and mount the export without any issues. The path is different because in the first post because i changed in the post before i hit "Post", i was too lazy to change it in the output from isi nfs exports list.
Seems the "All (sub)Dirs" export option doesn't work for NFSv4.
Which makes sense, given NFSv4's philosophy of presenting a file system.
"All Dirs: Yes" shows up in your screenshot of the export options,
but this will not allow mounting any deeper path,
which you might have tried.
Ran across this myself today...
MRWA
83 Posts
0
July 9th, 2014 10:00
Dynamox, did you get this working? If so I am really curious as to what was not correct.
Peter_Sero
1.2K Posts
0
July 11th, 2014 02:00
Same effect in this situation, but with plain (not All-Dirs) exports:
exporting /ifs/data/test
exporting /ifs/data/test/nfs4test
$ sudo mount -t nfs4 :/ifs/data/test/nfs4test /tmp/m
mount.nfs4: Permission denied
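The two failing situations reported in this thread (mounting a deeper path under an "All Dirs" export, and mounting an export that is nested inside another export) can be spotted before attempting the mount. This is an added example, not code from the thread or from OneFS: `classify_mount` is a hypothetical helper that compares a requested mount path with a list of export roots, one per line, and the export list is constructed from the paths in the post above.

```shell
#!/bin/sh
# Constructed export list, one export root per line, matching the post above.
EXPORTS='/ifs/data/test
/ifs/data/test/nfs4test'

# classify_mount <path> <exports>
#   exact         path is an export root and no other export contains it
#   nested        path is an export root that sits inside another export
#                 (reported in this thread as failing under NFSv4)
#   subdir        path lies below an export root and relies on "All Dirs"
#                 (also reported in this thread as failing under NFSv4)
#   not-exported  no export covers the path
classify_mount() {
    path=${1%/}; exact=no; parent=no
    while IFS= read -r exp; do
        exp=${exp%/}
        [ -n "$exp" ] || continue
        if [ "$path" = "$exp" ]; then
            exact=yes
        else
            # Match on whole path components only: /ifs/data/test does not
            # cover /ifs/data/testing.
            case "$path" in "$exp"/*) parent=yes ;; esac
        fi
    done <<EOF
$2
EOF
    if [ "$exact" = yes ] && [ "$parent" = yes ]; then echo nested
    elif [ "$exact" = yes ]; then echo exact
    elif [ "$parent" = yes ]; then echo subdir
    else echo not-exported
    fi
}

for p in /ifs/data/test /ifs/data/test/nfs4test /ifs/data/test/other /ifs/data/testing; do
    printf '%s %s\n' "$p" "$(classify_mount "$p" "$EXPORTS")"
done
```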