Storage General Discussion - Unified Storage System - user nobody owns everything
This question is not answered.

Brian_Gregg
Posts:15
Registered: 8/11/98
Unified Storage System - user nobody owns everything   
Oct 15, 2009 11:13 AM
 
 
Why is it that when I create a share on the Unified Storage System, after the share is NFS mounted from a Solaris 10 client, all the files and directories created are owned by user "nobody", and although I've read elsewhere that I can change the permissions on the files/directories, I cannot seem to change ownership of the files/directories to any other account? I've been working on this off and on for the past 2 months, and no matter which BigAdmin PDF document I use as a guide to create the share, the NFS permissions are always the same. Recently I changed the max NFS version from 4 to 3 in hopes that that would make a difference. Nothing has changed. I want to set up a simple /export/home share with permissions on the underlying folders specific to users, as they would be their home directories. The system is attached to an Active Directory as well as using LDAP mappings with Sun Directory Server. CIFS seems to be working fine on other shares; however, I haven't let the system out of my hands yet as the NFS shares are not working as expected. Anyone have ANY idea on how to get started on making this work? I could call in a support ticket for this, but from what I read this "Unified Storage System" should be "easy" to set up and use. Please show me that it is. BTW, a basic BigAdmin article explaining the permissions on shares in the Unified Storage System would do wonders for those of us trying to understand the underlying workings of this box that has so much potential.

Thanks,
Brian.
 
jesspdx
Posts:38
Registered: 3/24/05
Re: Unified Storage System - user nobody owns everything   
Oct 16, 2009 9:40 AM (reply 1 of 18)  (In reply to original post )
 
 
What error do you get when you run a chown?

Are you using default share ACLs?

How did you force max version to 3? I had this issue with NFSv4 but it went away after forcing client mounts to vers=3 in vfstab (NFS domain mismatch issues that I still haven't managed to resolve), but if you forced NFSv3 this shouldn't be the issue.
 
  glnguyen
Posts:6
Registered: 12/3/08
Re: Unified Storage System - user nobody owns everything   
Oct 27, 2009 3:30 PM (reply 2 of 18)  (In reply to original post )
 
 
Brian,

Let's make it simple: share this file system to NFS only.
Things we need to have are:
1. Name service (NIS or LDAP). From your note you indicated that this 7000 is in LDAP configuration.
Do you know if it's actually authenticated properly?
One way to check is to create a share and assign that share to a user in your LDAP configuration. If the 7000 does not know who that user is, then that issue must be corrected first.

2. NFSv4 will work better with other features such as Shadow Migration, and sharing to CIFS clients.
When sharing NFSv4 you want to make sure that the NFSv4 domains match between NFS clients and the 7000 system. This setting is in Configuration Services NFS.
You can use DNS to resolve the name, but it can be a problem if you have more than one domain name. If the "Use DNS domain as NFSv4 Identity domain" check box is checked, the entry in the box below that check box will not take effect.

3. In addition, if you want "root" to be "root" in the NFS client, an NFS exception needs to be configured. It's in the NFS protocol setting of the share.

4. Once the above requirements are met, try to take ownership of the share, or directory, or files from the NFS client to see how it works. Please place the console log in your reply.

Regards,
Giang
 
Brian_Gregg
Posts:15
Registered: 8/11/98
Re: Unified Storage System - user nobody owns everything   
Oct 28, 2009 6:40 AM (reply 3 of 18)  (In reply to #2 )
 
 
Giang,

I'd like to test what you are proposing in #1.

To make sure I'm doing exactly as you suggest can you give me a step by step on creating this share and assigning the share to a user. I suspect that this is where my issue is so if you can give me a hand on this I will probably solve all of my issues. There does not seem to be an easy way to test if authentication is actually happening properly.

I've created a new share from the default Project.
I've assigned the Root Directory Access as User 'bdgregg'.
The Permissions on the Root Directory are 700.
I've NFS mounted the filesystem from another system as root.
root on the client system can not access the filesystem, however I as 'bdgregg' can, and I can make directories, etc.

Does this mean that the system is authenticating properly?

Thanks,
Brian Gregg.
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Oct 28, 2009 10:50 AM (reply 4 of 18)  (In reply to #3 )
 
 
Giang,
I am in the process of configuring a 7210 Unified Storage using LDAP. I have configured the LDAP services page on the 7210. Do I still need to create users in the Users tab under the Directory option? How can I test if AUTHENTICATION is happening from the client (7210) to the LDAP server?

Please include step by step instructions.
Thank you.
 
  glnguyen
Posts:6
Registered: 12/3/08
Re: Unified Storage System - user nobody owns everything   
Oct 28, 2009 2:07 PM (reply 5 of 18)  (In reply to #3 )
 
 
Brian,

That's good news.
Yes, if that user 'bdgregg' was not authenticated then the system may not be able to recognize the user name when you assigned "bdgregg" to the share.
Plus, other users can't access it, but 'bdgregg' can.

So, you got #1 down.

Keep up the good work :)

Giang
 
  glnguyen
Posts:6
Registered: 12/3/08
Re: Unified Storage System - user nobody owns everything   
Oct 28, 2009 2:15 PM (reply 6 of 18)  (In reply to #4 )
 
 
Noshud,


There is more than one way to test for authentication, but if you check out the previous post, one method is there.

The idea of having LDAP or NIS is to centralize user information and authentication. When users access shares from the 7210, user information will be validated on the LDAP server. In this case you do not need to add users on the 7210.

It also depends on what you want to do with the appliance. For instance, if you want to add a different user other than root to perform certain administration tasks, that's when you add an additional user in Configuration Users. Here you can add users from the Directory service or a Local user to the 7210.

Hope that clarified your question.

Regards,
Giang
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Oct 30, 2009 8:57 AM (reply 7 of 18)  (In reply to #6 )
 
 
Giang,
Thank you for your REPLY. I have followed the steps below to check the authentication. Please let me know if they are correct.

I have configured the LDAP configuration page on the 7210. Created a share and then tried to assign that share to a user in the LDAP directory.
On 7210

Under Root Directory ACL ---- Named User --- "up244" (username in LDAP directory)

but I am getting an ERROR on 7210 saying USER: UNKNOWN OR INVALID USER


Does that mean that authentication from the 7210 (LDAP client) to the LDAP server is not working properly???

Should I recheck my configuration on the 7210 under LDAP?

Thank you.
 
Zyban03
Posts:9
Registered: 6/5/09
Re: Unified Storage System - user nobody owns everything   
Oct 30, 2009 10:00 AM (reply 8 of 18)  (In reply to #7 )
 
 
Noshud,
Is this share authenticating to a Windows Active Directory server via LDAP? If so, the main issue I had was making sure the base_dn and proxy_dn were pointing to the correct objects within Active Directory; it had to be exact.
Example: OU=Accounts, DC=Sun, DC=com

I also had to add a server as well under ldap and just used the last portion of the domain name -
mydomain.com:389

Jake
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Oct 30, 2009 12:29 PM (reply 9 of 18)  (In reply to #8 )
 
 
Zyban03
the share is authenticating to an LDAP server.

my BASE_SEARCH_DN: ou=People,o=nyu.edu,o=nyu
Proxy DN: uid=scps_fs_user,ou=Special Users,o=nyu.edu,o=nyu


server
dir.nyu.edu:636


Is anything wrong with those settings?
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Nov 2, 2009 6:55 AM (reply 10 of 18)  (In reply to #4 )
 
 
GIANG,
any update about my post....

Thank you.
 
  glnguyen
Posts:6
Registered: 12/3/08
Re: Unified Storage System - user nobody owns everything   
Nov 2, 2009 7:17 AM (reply 11 of 18)  (In reply to #7 )
 
 
Hi Noshud,

From what you reported, the 7000 was not able to identify that user name. So, you'd need to check your LDAP configuration.
First thing you want to review is the document under the Help link on the top right of the BUI.
Please review it at least 3 times to ensure you follow the document correctly.

From CLI run
:> configuration services ldap show

or please run a support bundle, then give me the file name.
I'll review the logs.

When was the last time you tried to assign an LDAP user to a share?

Giang
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Nov 2, 2009 7:43 AM (reply 12 of 18)  (In reply to #11 )
 
 
Hey Giang,
can you please include your email, so I can send that information to your email.

You can send your email to me at up244@nyu.edu

Thank you.
 
Noshud
Posts:10
Registered: 9/3/09
Re: Unified Storage System - user nobody owns everything   
Nov 2, 2009 7:55 AM (reply 13 of 18)  (In reply to #11 )
 
 
Hey Giang,

support bundle name is: /cores/ak.faee16a9-f647-6acb-e625-d2e5dceb20f7.tar.gz
Please let me know what you find. I tried to assign an LDAP user to a share about 10 mins ago.

Here is the printout of >configuration services ldap show

SCPSfiles:> configuration services ldap show
Properties:
<status> = online
default_servers = dir.nyu.edu
proxy_dn = uid=scps_fs_user,ou=Special Users,o=nyu.edu,o=n
proxy_password = *************
base_dn = ou=People,o=nyu.edu,o=nyu
search_scope = sub
cred_level = proxy
auth_method = simple
use_tls = true
user_mapattr =
user_mapobjclass =
user_search = ou=People,o=nyu.edu,o=nyu
group_mapattr =
group_mapobjclass =
group_search =

Servers:

SERVER ADDRESS SOURCE EXPIRES
server-000 dir.nyu.edu:636 server Jun 14 23:59:59 2010 GMT
 
Zyban03
Posts:9
Registered: 6/5/09
Re: Unified Storage System - user nobody owns everything   
Nov 2, 2009 8:53 AM (reply 14 of 18)  (In reply to #13 )
 
 
Noshud,
Here is what I have configured under my settings. For some reason when I think back it was case sensitive as well. I also think I needed to make sure that the CIFS account was authenticating as well.
Regards,
Jake


dfiatxaambr01:> configuration services ldap show
Properties:
<status> = online
default_servers = ent.mydomain.com:389
proxy_dn = CN=VDIDeployment,OU=Service Accounts,OU=VDIDeployment,DC=home,DC=ent,DC=mydomain,DC=com
proxy_password = ******
base_dn = OU=Accounts,DC=US1,DC=ent,DC=mydomain,DC=com
search_scope = sub
cred_level = proxy
auth_method = simple
use_tls = false
user_mapattr =
user_mapobjclass =
user_search =
group_mapattr =
group_mapobjclass =
group_search =

Servers:

SERVER ADDRESS SOURCE EXPIRES
server-000 ent.mydomain.com:389 none

Edited by: Zyban03 on Nov 2, 2009 8:52 AM
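
Added example (not part of any post in this thread, and not Sun's own tooling): a small Python checker that parses text in the layout of the `configuration services ldap show` listings above and flags a simple bind without TLS, an LDAPS port with TLS disabled, and a proxy_dn whose root RDN differs from that of base_dn. The sample input, function names and finding codes are constructed for illustration, and the DN comparison is a heuristic that only prompts a second look at the DN.

```python
import re

# Constructed sample in the layout of `configuration services ldap show`
# (hostnames and DNs are placeholders, not values from a real appliance).
SAMPLE = """\
Properties:
<status> = online
default_servers = ldap.example.com:389
proxy_dn = uid=proxy_user,ou=Special Users,o=example.com,o=exa
proxy_password = ******
base_dn = ou=People,o=example.com,o=example
cred_level = proxy
auth_method = simple
use_tls = false
"""

def parse_ldap_show(text):
    """Collect 'key = value' lines; DN values may themselves contain '='."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*<?(\w+)>?\s*=\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def root_rdn(dn):
    """Last RDN of a DN, normalised (naive split: no escaped commas)."""
    return dn.split(",")[-1].strip().lower()

def audit(props):
    """Return (code, message) findings for the parsed properties."""
    findings = []
    tls = props.get("use_tls", "").lower() == "true"
    servers = props.get("default_servers", "")
    if props.get("auth_method") == "simple" and not tls:
        findings.append(("CLEARTEXT_BIND",
                         "simple bind without TLS exposes the proxy password on the wire"))
    if not tls and re.search(r":636\b", servers):
        findings.append(("PORT_TLS_MISMATCH",
                         "port 636 is conventionally LDAPS but use_tls is false"))
    proxy, base = props.get("proxy_dn", ""), props.get("base_dn", "")
    if proxy and base and root_rdn(proxy) != root_rdn(base):
        findings.append(("DN_SUFFIX_MISMATCH",
                         "proxy_dn and base_dn end in different root RDNs; "
                         "check for a truncated or mistyped DN"))
    return findings

if __name__ == "__main__":
    for code, msg in audit(parse_ldap_show(SAMPLE)):
        print(f"{code}: {msg}")
```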