Multiprotocol NAS Access to NetApp Resources with ACLs (Simple Guide)

Step-by-step guide for access via CIFS (SMB) to NFSv4 exports hosted on NetApp.

1) Integrating the NetApp filer with LDAP:

    ldap.ADdomain                                  ## the domain we would like to join
    ldap.base                                DC=com
    ldap.enable                              on
    ldap.fast_timeout.enable                 on
    ldap.minimum_bind_level                  simple
    ldap.name                                      ## all requests to the database are performed from this account
    ldap.nssmap.attribute.homeDirectory      unixHomeDirectory
    ldap.nssmap.attribute.uid                sAMAccountName
    ldap.nssmap.objectClass.posixAccount     User
    ldap.nssmap.objectClass.posixGroup       Group
    ldap.port                                3268
    ldap.retry_delay                         10
    ldap.servers                                   ## domain controllers' addresses
    ldap.usermap.attribute.unixaccount       uid
    ldap.usermap.attribute.windowsaccount    sAMAccountName

Set the options above on the target vFiler. The option values may vary depending on the specific infrastructure (an AD DC with an FSMO role in this case).

2) Checking if this configuration works:

    NetApp0*> vfiler run VFILER01 getXXbyYY getpwbyname_r smith

The output should look like:

    ===== VFILER01
    pw_name = smith
    pw_passwd = {{******}}
    pw_uid = 10000, pw_gid = 10000
    pw_gecos = smith, John
    pw_dir = /home/smith
    pw_shell = /bin/bash

getXXbyYY and wcc commands can be run only in advanced mode.

3) Updating /etc/nsswitch.conf permissions:

    passwd: ldap nis files
    group: ldap nis files

Add the memberUid attribute to groups that will have access to both Linux and Windows environments. The memberUid attribute must be in lowercase!

4) Configuring NFSv4 on NetApp:

Create the /Volume/qtree and export it over NFS.

/etc/exports should look like this:

    /vol/xxx_VFILER01_nfs_vol00/ACL_test -sec=sys,rw,root=192.168.1.1,nosuid

Switch on NFSv4 access control lists using these options:

    nfs.v4.acl.enable            on
    nfs.v4.enable                on
    nfs.v4.id.allow_numerics     on

5) Configuring NFSv4 ACLs on Linux:

Mount the export on the terminal Linux server using these options:

    nfs acl,defaults,intr,hard,bg,tcp,auto,rw 0 0

Set the ACLs as required:

    $ nfs4_setfacl -e example

Keep in mind that A stands for Allow and D stands for Deny.

6) Creating a CIFS share on NetApp:

Use cifs setup to configure the services. Next, create a CIFS share on the /vol/qtree from step 4:

    NetApp0> vfiler run VFILER01 cifs shares -add ACL_test /vol/xxx_VFILER01_nfs_vol00/ACL_test

Keep the everyone / Full Control permission on the share to avoid excessive restrictions at share level; access is then controlled by the NFSv4 ACLs on the files themselves.

    NetApp0> vfiler run VFILER01 cifs shares
    ACL_example /vol/xxx_VFILER01_nfs_vol00/ACL_example
                            everyone / Full Control

7) Final tweaking:

Set permissions with the NFSv4 ACL tools. Try Windows access using Linux credentials. Check Linux permissions by means of the Secureshare utility.
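
Since the share stays at everyone / Full Control, the order of the Allow and Deny ACEs from step 5 decides who gets access. The following is an added example, not part of the original guide and not the filer's own code: it models the ordered ACE evaluation described for NFSv4 in RFC 7530 over lines in the type:flags:principal:permissions form, and the sample ACL, principals and function names are constructed for illustration.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    type: str        # A = Allow, D = Deny (audit/alarm ACEs have no effect here)
    flags: str       # g = principal is a group, i = inherit-only
    principal: str
    perms: frozenset # permission letters such as r, w, a, x

def parse_acl(text):
    """Parse nfs4_getfacl-style lines, skipping blanks and '#' comments."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, flags, principal, perms = line.split(":", 3)
        aces.append(Ace(typ, flags, principal, frozenset(perms)))
    return aces

def matches(ace, user, groups, owner, owner_group):
    """Does this ACE's principal apply to the requesting user?"""
    if ace.principal == "EVERYONE@":
        return True
    if ace.principal == "OWNER@":
        return user == owner
    if ace.principal == "GROUP@":
        return owner_group in groups
    return ace.principal in groups if "g" in ace.flags else ace.principal == user

def is_allowed(aces, wanted, user, groups, owner, owner_group):
    """Walk ACEs in order: the first ACE naming an undecided bit decides it."""
    pending = set(wanted)
    for ace in aces:
        applies = "i" not in ace.flags and matches(ace, user, groups, owner, owner_group)
        if not applies:
            continue  # inherit-only ACEs and other principals do not count
        if ace.type == "D" and pending & ace.perms:
            return False          # a still-undecided bit is explicitly denied
        if ace.type == "A":
            pending -= ace.perms  # these bits are now granted
    return not pending            # bits never mentioned are treated as denied

# Constructed sample ACL: the Deny ACE must come before the group Allow ACE.
SAMPLE = """
D::smith@example.com:wadTNC
A:g:staff@example.com:rwaxtTnNcy
A::EVERYONE@:rxtncy
"""
```

Moving the Deny ACE below the group Allow ACE gives smith write access again, which is the mistake to look for when reviewing ACLs edited with nfs4_setfacl -e.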