Multiprotocol NAS access to NetApp Resources with the Help of ACLs

10August 2017


Multiprotocol NAS access to NetApp Resources with the Help of ACLs

A Short Foreword
The customer assigned a task to set up access via CIFS (SMB) protocols to several NFS exports stored at NetApp. It seemed easy, we just needed to create CIFS shares in qtree that had already been exported. Later, the subsequent requirement was received from the customer to granularly manage access to these file shares. This task could still be solved: the access can be managed both on the side of NetApp and with the help of Shared Folders tools (share permissions). Then it became clear that it is necessary to assign different access permissions to various subfolders stored at CIFS share. This turned out to be a sophisticated task because it required that the access control lists (ACLs) should be set for both CIFS and NFS governing access to shared data.
At first glance, standard Linux file permissions can be used. Each folder or file is assigned the following attributes: owner, owner group and other attributes. The example of the standard Linux file permissions is given below.

But what tool should be used if a more granularly controlled access is required? Perhaps POSIX ACLs? But NetApp doesn’t support them. In the end, NFSv4 ACLs appeared to be the only feasible solution.
This article describes how NFSv4 ACLs can be applied for Windows users. It includes succinct instructions for a guided setup. Let’s start!

Connecting NetApp to LDAP
It is expected that the existing infrastructure includes LDAP server where user authorization and authentication is performed. Therefore, mapping is not applied and subsequently no changes shall be made to usermap.cfg file. There will also be no need to make changes to passwd and group files since all user and group lists are retrieved from LDAP. The settings required for the normal linkup operation are given below:

These settings are to be applied to the target vFiler. Please, note that there are variations of these settings. Therefore, some of them might not work properly in your particular infrastructure. In our case, we established a link to Global Catalog AD DC with FSMO role. The sanity check of the NetApp-based linkup is performed with the help of getXXbyYY and wcc commands. These commands can be run only in advanced mode.
Examples of the correct operation of getXXbyYY command are given below:

However, if this command does not return a similar response, it indicates incorrect settings.
To continue reading, go to our corporate blog at Habrahabr.

Stay updated

Subscribe and get the news first uses cookies, and by continuing browsing the website you give your consent to the use of cookies by us. Otherwise you should leave our website after reading this.