
NFS permission denied UNIX mode >16 groups


Hello everyone. I've got a permission issue with NFS (ONTAP 9.7). Let me try to explain a little of the setup and what we're trying to do.


We have Linux systems joined to an AD domain using SSSD, and because of that, each user is a member of a bunch of groups (could vary, but definitely more than 16). The AD server is not under my control and has no Unix attributes associated with any accounts. We've worked around the issue in a couple of ways in the past (using a system that also had a 16-group limitation for NFS).


  1. Had the users perform a newgrp command before accessing the storage, setting their primary group to be the one with the correct permissions.
  2. Modified the SSSD configuration to only return groups that we care about for accessing the storage (this works OK and actually speeds up group enumeration, as it only returns a few groups).

With the NetApp we'd like to move past these workarounds and use the extended group settings. To assist with that, I set up an LDAP server whose sole function is to grab the SSSD user/group info and store it so that the NetApp can do user lookups with the correct UIDs/GIDs for the domain-joined systems. I believe I have this working, as doing:


vserver services name-service getxxbyyy getpwbyname/getgrbyname -vserver svm-mystuff -node node1 -username(groupname) myuser(or group)

returns the correct info. The groups list multiple users and the users resolve to UIDs, so I thought we'd be good.


I set the NFS server settings to use extended groups and set the limit to 256, LDAP to use RFC2307, and name services to files,ldap for passwd and group.


But when I mount the NFS volume on a Linux client, I get "permission denied" trying to access a group-owned directory unless I do a newgrp first.


I tried to run a trace and saw this, and am wondering if it indicates anything:

[000.001.053] info : Determined UNIX id 1444 is UNIX user 'myuser' { in secd_rpc_auth_user_id_to_unix_ext_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:971 }
00000017.0009bde5 05ebdb82 Fri Sep 24 2021 07:14:06 -04:00 [kern_secd:info:9547] | [000.001.061] debug: unixCredFlags=1, domainId=0, uid=1444, gid=1440, additionalGids=1 { in secd_rpc_auth_user_id_to_unix_ext_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1024 }


I see that the user is resolved and that it found the primary GID OK, but I noticed it said 'additionalGids=1'. That concerns me; is it still not looking up the secondary groups?


Thanks for any insight anyone might have.
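The two numbers worth comparing here are the client's own view of the user's group membership (`id -G` on the SSSD-joined box) and the supplementary-group count the ONTAP name service resolved (the `additionalGids=` field in the secd trace). Without extended groups the AUTH_SYS credential (RFC 5531) carries at most 16 auxiliary GIDs, so any group beyond that cut is invisible to the server unless the server re-resolves membership itself; with extended groups enabled, the server's lookup is what matters, and a count of 1 against a client list of dozens points at the server-side lookup rather than the client. The following script, added here as an example and not part of the original post or of ONTAP, parses the posted trace line, compares it with a constructed `id -G` output, and checks whether a given directory's GID would survive AUTH_SYS truncation. The GID list, the `diagnose` function and the target GID are assumptions for illustration; the simplified truncation model (primary GID plus the first 16 supplementary entries) is labelled in the code.

```python
import re

# Constructed sample data. The secd line reproduces the values quoted in the post;
# the client-side group list is made up for illustration (only 1440 comes from the post).
SECD_TRACE_LINE = (
    "[000.001.061] debug: unixCredFlags=1, domainId=0, uid=1444, gid=1440, "
    "additionalGids=1 { in secd_rpc_auth_user_id_to_unix_ext_creds_1_svc() "
    "at src/authorization/secd_rpc_authorization.cpp:1024 }"
)

# Constructed: what `id -G myuser` might print on the client, primary GID first.
# 1 primary + 24 supplementary groups, i.e. already past the 16-entry AUTH_SYS limit.
CLIENT_ID_G_OUTPUT = " ".join(str(g) for g in [1440] + list(range(1441, 1465)))

AUTH_SYS_MAX_GIDS = 16  # RFC 5531 AUTH_SYS credential: gids<16>


def parse_secd_creds(line):
    """Extract uid, primary gid and supplementary-group count from a secd trace line."""
    m = re.search(r"uid=(\d+), gid=(\d+), additionalGids=(\d+)", line)
    if m is None:
        return None
    return {"uid": int(m.group(1)), "gid": int(m.group(2)),
            "additional_gids": int(m.group(3))}


def parse_id_groups(text):
    """Split `id -G` output into (primary_gid, [supplementary gids])."""
    gids = [int(tok) for tok in text.split()]
    if not gids:
        raise ValueError("empty id -G output")
    return gids[0], gids[1:]


def reachable_over_auth_sys(primary_gid, supplementary, wanted_gid, limit=AUTH_SYS_MAX_GIDS):
    """Would wanted_gid be present in an AUTH_SYS credential built from this membership?

    Simplified model (assumption): the primary gid is always sent, followed by the
    first `limit` supplementary gids; anything after that is silently dropped.
    This is why `newgrp <group>` works: it moves the group into the primary slot.
    """
    return wanted_gid == primary_gid or wanted_gid in supplementary[:limit]


def diagnose(trace_line, id_g_output, target_gid):
    """Compare server-resolved credentials with client membership; return findings."""
    creds = parse_secd_creds(trace_line)
    if creds is None:
        return ["no credential line found in trace"]
    primary, supplementary = parse_id_groups(id_g_output)
    findings = []
    if creds["gid"] != primary:
        findings.append(f"primary gid differs: server {creds['gid']} vs client {primary}")
    if creds["additional_gids"] < len(supplementary):
        findings.append(
            f"server resolved {creds['additional_gids']} supplementary group(s) but the "
            f"client membership has {len(supplementary)}: the server-side name-service "
            f"lookup is returning incomplete membership")
    if len(supplementary) > AUTH_SYS_MAX_GIDS:
        findings.append(
            f"client membership ({len(supplementary)} supplementary) exceeds the "
            f"{AUTH_SYS_MAX_GIDS}-entry AUTH_SYS limit, so the server must resolve "
            f"groups itself (extended groups) for the full list to count")
    if not reachable_over_auth_sys(primary, supplementary, target_gid):
        findings.append(
            f"gid {target_gid} is not inside the truncated AUTH_SYS credential; "
            f"newgrp would move it into the primary slot, which matches the workaround")
    return findings


if __name__ == "__main__":
    # Example run against the constructed data; 1460 stands in for the directory's group.
    for f in diagnose(SECD_TRACE_LINE, CLIENT_ID_G_OUTPUT, target_gid=1460):
        print("-", f)
```

Run it with the real `id -G` output and the secd line from your own trace; if `additionalGids` stays far below the client's count even though `getgrbyname` shows the user as a member, the thing to check next is how ONTAP enumerates a user's groups from the LDAP schema (the membership attribute it queries), since a per-group lookup succeeding does not prove the per-user membership lookup does.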

