We are running OnTap 9.4, with an SVM that has NTFS permissions and is shared via CIFS and NFS. There is one special feature of this configuration I am having trouble reproducing in a simulator. That is, it’s mountable on CentOS Linux systems as NFS (vers=3) with Kerberos security (sec=krb5).
Example /etc/fstab entry:
nas.domain.com:/share /mnt/share nfs vers=3,rw,tcp,soft,sec=krb5,,,, 0 0
Does anyone have a similarly configured NetApp and could help me identify what I'm missing in the simulator configuration?
To provide some background, our production NetApp was set up a decade ago and while we’re on OnTap 9.4, it still uses DES for Kerberos authentication. We want to move to AES and then drop DES, so I’ve set up a simulator to work through all the steps. The simulator has been helpful, but I am stuck reproducing our Kerberos authentication for NFS shares. Unfortunately, there aren’t any notes describing the production configuration.
NFS configuration is very similar between production and the simulator.
- We are mapping root and pcuser (guest in production) to a local account on the SVM. This has allowed mounting the SVM root volume, but user access is denied on the simulator.
- LDAP profile uses Authentication Level: Simple and a home-grown schema based on RFC-2307. Do I need SASL?
- Kerberos on Production is joined to AD
Possible Problems:
- Basic permissions wrong on SVM (e.g. NFSv4 needs 777 for root)
- Malformed NFS request (e.g. SPN)
- Unix UID to NTFS name translation
- Kerberos system keytab presented to the NetApp
- User’s Kerberos Ticket
Any other suggestions of what to explore?