Deploying HPE 3PAR StoreServ File Controller in a Linux/UNIX environment
Technical white paper
Contents
Introduction (page 3)
  Objective of this white paper (page 3)
NFS protocol versions (page 3)
  Selecting NFS protocol (page 4)
NFS user mapping methods (page 5)
NFS authentication methods (page 8)
Configuring server for NFS and NFS shares (page 8)
  Configuring user mapping method (page 9)
  Creating NFS Shares (page 21)
Client specific configurations (page 31)
  Configuring UNIX/Linux client for NTP client (page 31)
  Configuring UNIX/Linux client for DNS client (page 32)
  Adding a Linux system to Windows Active Directory (page 32)
  Configure identity mapping daemon (idmapd) (page 33)
  Configuring Kerberos 5 authentications (page 34)
Mounting NFS Shares on clients (page 39)
Use case deployment #1 (page 43)
  Creating home directories (page 43)
Use case deployment #2 (page 45)
Issues with NFS export in UNIX (page 47)
  1. Enable NTFS Filename Case Sensitivity (page 47)
  2. NFS Filename Character Translation (page 49)
    Illegal NTFS File Characters (page 49)
    NFS-Translation.txt (page 50)
    Verify (page 51)
Data migration (page 52)
  Pre-checks (page 52)
  Examples (page 52)
Troubleshooting (page 53)
  Permission Denied issues (page 53)
  Issues with mount operations, NFS, or authentication daemons (page 54)
Summary (page 54)
Introduction
Network File System (NFS) is a network file sharing protocol that allows remote access to files over a network. NFS implementations include an
NFS server component, which shares files for use by other networked computers, and an NFS client component, which accesses files shared by
NFS servers. HPE 3PAR StoreServ File Controller systems generally perform the role of an NFS server, although NFS client capability is available
as well. NFS is typically used in networks with computers running UNIX®, Linux®, or Mac OS operating systems.
Objective of this white paper
This white paper provides:
• An overview of NFS deployment on HPE 3PAR StoreServ File Controller using the different protocol versions, user mapping methods, and
authentication methods.
• A quick guide to configuring NFS shares with the different user mapping methods, using both the GUI and the CLI.
• Two deployment use cases that explain migration of user data, plus some troubleshooting tips for resolving issues commonly faced with NFS.
This white paper discusses NFS clients running UNIX OSs. However, the same functionality applies to clients running other OSs, such as
Windows® or Mac OS.
NFS protocol versions
HPE 3PAR StoreServ File Controller systems support NFSv2, NFSv3, and NFSv4.1 protocol versions.
NFS is a distributed file system protocol that allows a user on a client computer to access files over a network in a manner similar to how local
storage is accessed. The NFS protocol has evolved from being simple and stateless in NFSv2 to being stateful and secure in NFSv4.1.
Under normal conditions, when using NFSv2 or NFSv3 with User Datagram Protocol (UDP), the stateless UDP connection has less protocol
overhead than TCP. This can translate into better performance on clean and non-congested networks. However, because UDP is stateless, if the
server goes down unexpectedly, UDP clients continue to saturate the network with requests for the server. In addition, when a frame is lost with
UDP, the entire Remote Procedure Call (RPC) request must be retransmitted; with TCP, only the lost frame needs to be resent. For these reasons,
TCP is the preferred transport when connecting to an NFS server.
NFSv4.1 adds significant capability to address weaknesses in NFSv4. NFSv4.1 builds a session layer on top of the transport layer to improve
the reliability of the NFSv4 protocol.
|                         | NFSv2          | NFSv3                                                                          | NFSv4.1                                                                                        |
|-------------------------|----------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
| Personality             | Stateless      | Stateless                                                                      | Stateful connection                                                                            |
| Authentication          | Weak           | Moderate (AUTH_SYS, Kerberos: RPC_GSS_SVC_NONE and RPC_GSS_SVC_INTEGRITY)      | Strong (Kerberos: RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY and RPC_GSS_SVC_PRIVACY)             |
| Identification          | 32-bit UID/GID | 32-bit UID/GID                                                                 | String based (user@domain.com)                                                                 |
| Transport               | UDP            | UDP, TCP                                                                       | TCP (less network chatter and WAN friendly)                                                    |
| Continuous availability | No             | Yes                                                                            | No                                                                                             |
| Performance             | Moderate       | Moderate                                                                       | Out-of-box performance                                                                         |
If you do not have a specific need requiring NFSv2 or NFSv3 and your client systems support NFSv4.1, HPE recommends NFSv4.1 for better
performance and security.
Selecting NFS protocol
1. Go to Server Manager > File and Storage Services > Servers
2. Right click on Server > NFS Settings
3. Select your desired protocol(s)
If you decide not to use NFSv2 and NFSv3, you may turn them off, or you can leave the default of all NFS protocols enabled. Selection of NFS
protocols is a system-wide setting: if you have multiple NFS servers created in a cluster environment, this setting applies to all of them.
NFS user mapping methods
HPE 3PAR StoreServ File Controller runs the Windows Storage Server 2012 or later OS, which represents users and groups with a
unique Security Identifier (SID), while UNIX OSs represent users and groups with a User Identifier (UID) and Group Identifier (GID). Account
mapping is the process of correlating UNIX UIDs and GIDs to the corresponding Windows user and group SIDs.
After configuring the Services for NFS role service, you must select and configure the appropriate NFS account mapping method. After
completing this task, users on computers with an NFS client can access files and folders stored on HPE 3PAR StoreServ File Controller using the
NFS protocol.
Broadly, there are two categories of user mapping methods: Mapped and unmapped user access.
[Figure 1. NFS user mapping methods. UNIX, Linux, and Mac OS NFS clients access NFS shared resources on the HPE 3PAR StoreServ File Controller running Services for NFS. NFS account mapping methods: mapped user access (AD DS mapped user access, AD LDS mapped user access, passwd and group files) and unmapped user access (unmapped UNIX user access, anonymous).]
Mapped user access includes:
• Active Directory Domain Services (AD DS) mapped user access, which maps UNIX identities to Windows identities. The mapping information
is stored in AD DS.
• Active Directory Lightweight Directory Services (AD LDS) mapped user access, which maps UNIX identities to Windows identities. The
mapping information is stored in AD LDS.
• Local password and group mapping files.
Unmapped user access includes:
• Unmapped UNIX User Access (UUUA), which maps UNIX identities to automatically generated Windows SID.
• Anonymous user access, which allows access without providing valid credentials.
Determining which solution is appropriate for a given situation requires the administrator to select from the available mechanisms according to
the tradeoffs applicable to the expected environment.
Mapped user access
• This method is typically used when files and folders are shared using both the NFS and Server Message Block (SMB) protocols.
• Use AD DS user mapping when UNIX UIDs and GIDs need to be mapped to specific Windows domain user or group accounts.
• Use AD LDS user mapping when you have multiple computers running services for NFS that need to share the same mapping information,
such as computers that are members of a workgroup. The client/server/cluster must use Active Directory (AD) to manage NFS/UNIX user
permissions.
• High-availability (HA) NFS using AD LDS is not recommended.
• Use local password and group mapping files in smaller configurations where files and folders are shared and mapping between UID/GID and
Windows accounts is still required. It is mainly used where the NFS clients and server are in a standalone configuration and a Windows
domain is not readily available. This method of user mapping can also be used for domain-joined systems.
Unmapped access
• This method is typically used when the files and folders are shared using only the NFS protocol.
• Use when you want to grant user access to NFS shares without requiring the administrative overhead of administering user account mapping.
– Use unmapped user access when you want to identify the users and groups that own files or that access files, unlike anonymous access.
– Anonymous access method is appropriate in instances where user authentication is not necessary, such as providing read-only access to
document templates or for quickly provisioning scratch shares that host non-sensitive or temporary data.
[Figure 2. How NFS access request works. A user john_smith (UID 101, GID 201, as listed in /etc/passwd and /etc/group) on a UNIX NFS client requests access to NFS shared resources. Server for NFS looks up the AD DS user object whose uidNumber matches (uid john_smith, SAM Account name jsmith, uidNumber 101) and the AD DS security group object whose gidNumber matches, then grants access. Steps 1 to 4 are described below.]
1. The user “john_smith” on the NFS client requests access to an NFS share on a computer running Server for NFS.
– Access request includes the UID and GID of the user initiating the access request.
2. Server for NFS sends a Lightweight Directory Access Protocol (LDAP) query to AD DS for a user object that has a uidNumber attribute that
matches the UID provided, or for a group object that has a gidNumber attribute that matches the GID provided.
3. Server for NFS receives the corresponding mapped SAM Account name.
4. Server for NFS grants access to the file resources in the NFS shared directory:
– Based on the credentials returned from the LDAP query.
– If the NTFS permissions for the share allow access to that user.
Note
1. NFSv2 and NFSv3 are stateless protocols. Each subsequent access uses the same process.
2. For NFSv4.1, you must use the same user name on the UNIX client and on the HPE 3PAR StoreServ File Controller, as NFSv4.1 uses the user
name for identification. For NFSv4.1, user and group identities are string based and take the form user@domain.com.
NFS authentication methods
There are three primary mechanisms available for NFS authentication on HPE 3PAR StoreServ File Controller systems:
1. The AUTH_NONE mechanism is an anonymous method of authentication and has no means of identifying either user or group. Server for NFS
will treat all accesses using AUTH_NONE as anonymous access attempts, which may or may not succeed depending upon whether the export
is configured to allow them.
2. The AUTH_SYS mechanism is the most commonly used method and involves identifying both the user and the group by means of 32-bit
unsigned integers known as UID and GID respectively. Special meaning is attached to the UID value of “0” (ZERO) which is used to indicate
the “root” super user.
3. The RPCSEC_GSS mechanism is a Kerberos v5 based protocol, which uses Kerberos credentials to identify the user. It provides several levels
of protection to the connection between an NFS client and an NFS server, namely:
– RPC_GSS_SVC_NONE where the request identifies the user and sessions between the client and server are mutually authenticated. This
identification is not based on UIDs and GIDs as provided by AUTH_SYS.
– RPC_GSS_SVC_INTEGRITY where not only the client and server are mutually authenticated, but the messages have their integrity
validated.
– RPC_GSS_SVC_PRIVACY where not only are the client and server mutually authenticated, but the message integrity is enforced and the
message payloads are encrypted.
Traditionally, NFS clients and servers use AUTH_SYS security. In this authentication, each NFS request has the UID/GID of the UNIX user
specified in the incoming request. This method of authentication provides minimal security as the client can spoof the request by specifying the
UID/GID of a different user. This method of authentication is also vulnerable to tampering of the NFS request by some third party between the
client and server on the network.
HPE 3PAR StoreServ File Controller currently supports all three Kerberos authentication levels:
• Plain Kerberos (krb5): The most basic level of security provided by Kerberos allows for clients and servers to prove to one another machine,
application, and user identity in a manner that prevents a variety of network misuses with minimal overhead. This level of security prevents
most forms of mounted-NFS abuse.
• Kerberos integrity (krb5i): Has all the features of the basic krb5, but also employs a checksum technique to verify the integrity of the RPC
data transmitted. This level of security prevents transmission alteration.
• Kerberos privacy (krb5p): Has all the features of krb5i, but also employs encryption to protect the NFS payload data. This level of security
prevents intermediaries from reading the RPC packets. This is the most secure authentication, but also incurs the most processing overhead.
Configuring server for NFS and NFS shares
Configuring server for NFS and NFS share involves four major steps:
1. Configuring user mapping method
2. Selecting authentication method
3. Setting up NFS permissions for clients
4. Setting up NTFS permissions for users
Configuring user mapping method
AD DS
If you are implementing mapped user access using AD DS, follow these steps:
1. Join your HPE 3PAR StoreServ File Controller serving as NFS server to an AD domain. This can be done from Initial Configuration Tasks (ICT).
2. HPE 3PAR StoreServ File Controller is preinstalled with Server for NFS. However, this can be verified in Server Manager.
Go to Server Roles > File And Storage Services > File and iSCSI Services.
3. Press the Start button, invoke Services for NFS, right click Server for NFS, select Properties and go to the Netgroups tab. Configure the
Active Directory domain to be used by Server for NFS for identity lookup.
4. Go to Server Manager > File and Storage Services > Servers.
5. Right click Server > NFS Settings > Identity Mapping Source.
Here is the procedure to create identity mapping for users using PowerShell Cmdlets. Note the UID and GID for the user and group for which you
want to create the mapped identity.
[root@ubuntu ~]# groupadd team2
[root@ubuntu ~]# useradd newuser2 -g team2
[root@ubuntu ~]# tail -1 /etc/group
team2:x:1007
[root@ubuntu ~]# tail -1 /etc/passwd
newuser2:x:1005:1007::/home/newuser
[root@ubuntu ~]#
Check the current list of mapped identities available:
PS C:\> Get-NfsMappedIdentity -AccountType user

UserIdentifier      : 0
GroupIdentifier     : 0
UserName            : root
PrimaryGroup        :
SupplementaryGroups :
Below is an example command that creates a mapped identity for the UNIX user account_user1 and maps it to the Windows account named
NAS\newuser2. The mapped identity is created in the AD domain named DOMAIN.COM. If the user account or the group does not exist, the
command creates them, assigns the UID to the user and the GID to the group, and adds the user to the group.
PS C:\> New-NfsMappedIdentity -MappingStore "AD" -Server "NAS.LAB" -UserName "newuser2" -UserIdentifier 1005 -GroupIdentifier 1007 -PrimaryGroup "team2"
PS C:\> Get-NfsMappedIdentity -at user

UserIdentifier      : 0
GroupIdentifier     : 0
UserName            : root
PrimaryGroup        :
SupplementaryGroups :

UserIdentifier      : 505
GroupIdentifier     : 506
UserName            : account_user1
PrimaryGroup        :
SupplementaryGroups :
A shortcut option -at can also be used in place of –AccountType.
PS C:\> Test-NfsMappedIdentity -AccountName newuser2
Test commands produce output only if the test fails.
PS C:\> Test-NfsMappedIdentity -an user2
WARNING: No matching entry found
PS C:\> New-NfsMappedIdentity -MappingStore "AD" -Server "NAS.LAB" -UserName "user1" -UserIdentifier 501 -GroupIdentifier 501 -PrimaryGroup "group1"
PS C:\> Test-NfsMappedIdentity -AccountName user1
If you have a large number of users, the following PowerShell script can be used to create Users, Groups, and their mapped identity on the
domain:
# Paths to the UNIX-style passwd and group files (copied from the NFS client); edit before running.
$users  = Get-Content "<UNIX style password filename>"
$groups = Get-Content "<UNIX style group filename>"

foreach ($user_line in $users)
{
    # passwd fields: name:password:UID:GID:GECOS:home:shell
    $each_user = $user_line.Split(":")
    foreach ($group_line in $groups)
    {
        # group fields: name:password:GID:members
        $each_group = $group_line.Split(":")
        # Match the user's primary GID against the group entry's GID
        if ($each_group[2] -eq $each_user[3])
        {
            New-NfsMappedIdentity -MappingStore "AD" -Server "<Domain Name>" `
                -UserName $each_user[0] -UserIdentifier $each_user[2] `
                -GroupIdentifier $each_user[3] -PrimaryGroup $each_group[0]
        }
    }
}
Before you execute the script, specify the location of the UNIX style password and group files and Domain Name at the place where they are
indicated.
You can copy /etc/passwd and /etc/group files from the NFS client and manually modify them to remove or add users and groups as per
your plan. To avoid any error, ensure each user’s GID is available in the group file.
Note
User names in the password file cannot match group names in the group file. Windows does not allow user names and group names to be the
same. An example of this is the root user, which typically belongs to the root group on a UNIX system. You would need to rename one of these.
For example, in the group file, you might rename the root group to rootgroup.
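The two conditions just described (every user's primary GID has an entry in the group file, and no name is used for both a user and a group) can be checked on the Linux client before the files are copied to the File Controller. The POSIX shell function below is an added example and not part of the HPE white paper; the file names and the sample passwd and group entries it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HPE white paper: pre-check a UNIX-style passwd/group
# file pair before feeding them to the New-NfsMappedIdentity bulk script.
# Finds (1) users whose primary GID has no entry in the group file and
# (2) names that exist as both a user and a group, which Windows does not allow.

# check_mapping_files PASSWD_FILE GROUP_FILE
# Prints one line per problem found; returns 0 when the files are clean, 1 otherwise.
check_mapping_files() {
    passwd_file=$1
    group_file=$2
    problems=$(awk -F: '
        # First pass (group file): remember every GID (field 3) and group name (field 1).
        NR == FNR { gids[$3] = 1; gnames[$1] = 1; next }
        # Second pass (passwd file): name:password:UID:GID:GECOS:home:shell.
        NF >= 4 {
            if (!($4 in gids)) print "MISSING_GROUP user=" $1 " uid=" $3 " gid=" $4
            if ($1 in gnames)  print "NAME_CLASH " $1
        }' "$group_file" "$passwd_file")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample input (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
newuser2:x:1005:1007::/home/newuser2:/bin/bash
orphan:x:1010:1099::/home/orphan:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
team2:x:1007:
EOF

# Expected: "NAME_CLASH root" (rename the group, e.g. to rootgroup) and
# "MISSING_GROUP user=orphan uid=1010 gid=1099" (add a group with GID 1099).
if check_mapping_files "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"; then
    echo "Files are consistent; safe to copy to the File Controller and run the mapping script."
else
    echo "Fix the problems above before running the mapping script."
fi
```

Run it against the edited copies of /etc/passwd and /etc/group rather than the live files, since the edited copies are what the mapping script will consume.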
To run the script:
Set-ExecutionPolicy Unrestricted -Scope Process
<Run the script. Policy changes apply only to that PowerShell session>
Set-ExecutionPolicy Restricted
Alternatively, you can create a mapped identity from the GUI.
1. Go to Server Manager > File and Storage Services > Servers.
2. Right click on Server > NFS Identity Mapping.
AD LDS
Using AD LDS for a clustered solution is not recommended unless the AD LDS instance is hosted on a system separate from the cluster. It is
important to have a highly available AD LDS instance. If you decide to implement mapped user access using AD LDS, then it can be configured
through Server Manager or PowerShell.
Using Server Manager
1. To install the AD LDS role, click “Add Roles and Features”, the second task in the Quick Start pane. Select the “Active Directory
Lightweight Directory Services” role (highlighted in the screenshot) and install it. Follow the instructions and proceed.
Note
While installing AD LDS, note down the port number and partition name (CN and DC). Select MS-InetOrgPerson.LDF and MS-User.ldf file to
import in “Importing LDIF files page”.
2. After installing AD LDS instance, extend the AD LDS schema.
a. Open PowerShell or command prompt. (Run as administrator)
b. Navigate to the C:\WINDOWS\ADAM directory, and then type the following command:
ldifde -i -u -f MS-AdamSchemaW2K8.LDF -s localhost:389 -j . -c "cn=Configuration,dc=X" "#configurationNamingContext"
Note
The strings “cn=Configuration, dc=X” and “#configurationNamingContext” should not be modified.
3. Set a default instance name for Active Directory Lightweight Directory Services (AD LDS) instances.
a. Go to Server Manager > Tools > ADSI Edit.
b. In the console tree, right click ADSI Edit and then click Connect to. This opens the Connection Settings dialog box.
c. Under Connection Point, select the Select a well-known Naming Context option, and then select Configuration from the drop-down menu.
d. Under Computer, choose the Select or type a domain or server option, and then type the following in the text box: servername:389.
e. Click OK.
f. In the resulting tree, under the Configuration node, click CN=Configuration, click CN=Sites, click CN=Default-First-Site-Name, click
CN=Servers, click CN=servername$ nfsadldsinstance, and then click CN=NTDS Settings.
g. Right click CN=NTDS Settings, and then click Properties.
h. In the Properties dialog box, click msDs-DefaultNamingContext, and then click Edit.
i. In the String Attribute Editor, in the Value text box, type CN=partition name, dc=servername, and then click OK. (Provide the same
name that was given at the time of creation of the AD LDS instance.)
j. Close ADSI Edit.
4. Update the AD LDS Schema.
a. Open PowerShell. (Run as Administrator)
b. Navigate to the C:\WINDOWS\ADAM directory, and then type the following command: regsvr32 schmmgmt.dll. This command enables
the AD plug-in, schmmgmt.dll
c. Click Start, click Run, and type MMC to open the Microsoft® Management Console (MMC).
d. On the File menu, click Add/Remove Snap-in.
e. In the Add or Remove Snap-ins dialog box, click Active Directory Schema, click Add, and then click OK.
f. Right click the Active Directory Schema node, and then click Change Active Directory Domain Controller to connect to the AD LDS
instance that was previously created.
g. In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.
h. In the Name column, replace the placeholder text <Type a Directory Server name[:port] here> with the server and port number (for
example, localhost:389), and then click OK.
i. Add the gidNumber and uidNumber attributes to the user class. Expand the class > user > properties > attributes > add > select
uidNumber and gidNumber.
j. Add the gidNumber attribute to the group class. Expand the class > group > properties > attributes > add > select gidNumber.
k. Click OK and save the MMC console. Exit MMC.
5. Map UNIX users to Windows.
a. Create the same user and group that exist on the UNIX client in Administrative Tools > Computer Management > Local Users and Groups.
b. Go to Server Manager > File and Storage Services > Server > Server Name > right click and go to NFS Settings. Provide the value,
which is given at the time of creation of partition. Server name should be your hostname.
Go to Server Manager > File and Storage Services > Server > Server Name > right click and go to NFS Identity Mapping. Add group and user.
By default, in Linux, the group name for root is root only. Change the group name in Linux from root to rootgroup.
6. Start PowerShell. Run the commands below.
a. Set-NfsMappingStore -LdapServer servername:389
b. dsacls "\\servername:389\CN=partition name,dc=servername" /G everyone:GR /I:T
Note
Server name should be your machine hostname.
7. Run below command in PowerShell to verify.
Resolve-NfsMappedIdentity -id 0 -AccountType user
8. Mount NFS share in Linux machine.
Using PowerShell:
1. To install AD LDS, run the command below.
PS C:\> Install-NfsMappingStore -InstanceName "NFSMappingStore" -LdapPort 389
Successfully created AD LDS instance named NFSMappingStore on server NFSSERVER2, the instance is running on port 389 and the
partition is CN=nfs,DC=nfs
PS C:\>
2. To set the identity mapping source to AD LDS, run the command below.
Set-NfsMappingStore -EnableLdapLookup $true -LdapNamingContext "CN=nfs,DC=nfs" -LdapServer hostname:389
Note
Replace hostname with your machine name.
3. Map UNIX users to Windows. Run the following command.
New-NfsMappedIdentity -UserName "user_name" -UserIdentifier user_id -GroupIdentifier group_id -PrimaryGroup "group_name"
Example: New-NfsMappedIdentity -UserName "root" -UserIdentifier 0 -GroupIdentifier 0 -PrimaryGroup "rootgroup"
Note
If the user account or the group does not exist, the command creates them, assigns the UID to the user and the GID to the group, and adds
the user to the group.
4. Run the following command to grant the Everyone group read access to the mapping datastore. Server for NFS needs only read access to
resolve identities; do not grant write access on this partition, because anyone able to edit the mappings can attach a UID to a Windows
account of their choice.
dsacls "\\hostname:389\CN=nfs,dc=nfs" /G everyone:GR /I:T
Note
Replace hostname with your machine name.
Here is an example command that creates a mapped identity for a UNIX user account_user1 and maps it to the Windows account named
localhost\account_user1. The mapped identity is created in the AD LDS. If the user account or the group does not exist, the command will
create them, assign UID to user and GID to group, and add the user to the group.
PS C:\ > New-NfsMappedIdentity -MappingStore "Ldap" -Server "localhost:389" -UserName "account_user1" -UserIdentifier 505 -GroupIdentifier 506 -PrimaryGroup "account_team"
PS C:\ >
PS C:\ > Get-NfsMappedIdentity -AccountType user
UserIdentifier      : 505
GroupIdentifier     : 506
UserName            : account_user1
PrimaryGroup        :
SupplementaryGroups :
PS C:\ >
If you have a large number of users, the same PowerShell script described under the AD DS section can be used to create Users, Groups, and
their mapped identities. You need to use a MappingStore option Ldap instead of AD and localhost:389 in place of Domain Name.
Alternatively, a mapped identity can also be created from the GUI.
1. Go to Server Manager > File and Storage Services > Servers.
2. Right click Server > NFS Identity Mapping.
Local user mapping
• The local files mapping feature is enabled if both of the following files exist:
– %SystemRoot%\system32\drivers\etc\passwd
– %SystemRoot%\system32\drivers\etc\group
• If these files do not exist, the NFS server must be a domain member.
• Create a user with the same name on localhost (standalone server) or in the domain (domain-joined server). Copy into these files only the
accounts you intend to expose through NFS, and keep every UID and GID unique.
• For NFSv4 onwards, you must run idmapd on the client. In /etc/idmapd.conf, set Domain = <NetBIOS Name>.
Enable unmapped access
Unmapped UNIX User Access (UUUA) can be used when the AUTH_SYS authentication method is enabled. If an NFS share is configured to enable
UUUA and no user account mapping exists in either AD DS or AD LDS, Server for NFS automatically generates a custom SID from the UID and GID
presented by the UNIX client. Files created by this UNIX user are assigned a security descriptor consisting of the generated SIDs, and unmapped
users access the share through those SIDs.
Note that with AUTH_SYS the UID and GID are asserted by the client and never verified by the server: any host that can reach the export can
present any UID, including 0. Treat the share's client list (see "Setting up NFS permissions for clients") as the only access control for
unmapped access and limit it to known hosts or networks.
Enable unmapped anonymous access
In order to allow anonymous users to access the shares, enable Network access: Let Everyone permissions apply to anonymous users from
Security policy.
Creating NFS Shares
The remaining three configurations, Authentication method, NFS permissions, and NTFS permissions are specific to each NFS Share. You can
configure them as part of the NFS Share creation wizard.
1. To create HA NFS Share on HPE 3PAR StoreServ File Controller, you must create a File Server first. Click on HPE 3PAR StoreServ File
Controller Shortcut icon on the Desktop. Select Manage Storage > Create a File Server.
2. Right click on your Cluster > Configure Role.
3. Provide the required information and follow the instructions in the wizard to complete creation of the File Server. When accessing the File
Server from an NFS client, use the File Server name or File Server IP address as the NFS server. The File Server name is automatically registered
as a computer object in the Windows domain and as a record on the DNS server.
4. To create an NFS Share, go to Failover Cluster Manager > Roles > Select the File Server > Right click the File Server > Add File Share.
You can also select Add File Share from the Actions pane.
5. Select NFS Share—Quick and click Next.
6. In Share Location page, select the File Server and click Next.
7. For Authentication, Share permission, and NTFS permission check the topic “Selecting the Authentication Method”, “Setting up NFS
permissions for Clients”, and “Setting up NTFS File System permissions for users” respectively.
8. At Confirmation page check the information and click on Create.
To create the NFS Share on an HPE 3PAR StoreServ File Controller:
1. Go to Server Manager > File and Storage Services > Shares
2. Select Tasks > New Share… > NFS Share—Quick
3. Provide the share name
Selecting the authentication method
For mapped user access, you can select either Kerberos authentication (RPCSEC_GSS) or No Server authentication (AUTH_SYS).
For unmapped user access, you must enable No Server authentication (AUTH_SYS). Once it is enabled, you have two options: unmapped user
access by UID/GID, or anonymous access (AUTH_NONE).
For anonymous access, specify a valid UID and GID of a user on the client system. This UID/GID is reported as the owner of files owned by an
unmapped Windows user.
Only the Kerberos flavours authenticate the client. Of those, krb5 authenticates the RPC header only, krb5i adds integrity protection to every
request and reply, and krb5p also encrypts the NFS traffic; prefer krb5p wherever the clients support it.
Setting up NFS permissions for clients
At this stage, you grant permissions to clients to access the NFS Shares. If you have no specific requirement, you may for simplicity grant
Read/Write permission to all machines. For AUTH_SYS shares, however, the client list is the only check on who can present a UID, so granting
all machines access should be limited to exports that also require Kerberos or to networks you trust entirely.
Setting up NTFS permissions for users
For the mapped user access method, it is important to assign appropriate permissions for the users for which a mapped identity has been
created. Include users and their groups carefully for Read/Write permissions for the folder that you are planning to share through NFS.
For the unmapped user access method, you must include the group Everyone.
Alternatively, you can create the NFS Share from the Properties menu of a folder.
1. Right click the folder and select Properties.
2. Select the NFS Sharing tab and click Manage NFS Sharing...
3. In the Permissions section, grant permissions to clients to access the NFS Share.
NTFS permissions can also be set on the Security tab of the folder's Properties dialog.
Here is a PowerShell command to create an NFS Share from the command line. It creates a share called newshare2 for the folder E:\Shares with
the default authentication flavours (sys, krb5 and krb5i), unmapped access and root access enabled, and Read/Write as the default (All Machines)
permission:
PS C:\> New-NfsShare -Name newshare2 -Path E:\Shares -NetworkName Server1 -Authentication default -EnableUnmappedAccess $True -AllowRootAccess $True -Permission readwrite
Name         Availability             Path
----         ------------             ----
newshare2    Continuously Available   E:\Shares
Note that -AllowRootAccess $True lets a client's root (UID 0) keep its identity on the share instead of being mapped to the anonymous user.
Combined with -EnableUnmappedAccess and AUTH_SYS, that means any host on the permitted client list can act as root on the share; leave it
off unless a specific client needs it.
The Authentication parameter specifies the authentication types that an NFS client can use to access NFS shares. Valid values are:
Value     Meaning
sys       AUTH_SYS
krb5      Kerberos 5 authentication (krb5)
krb5i     Kerberos 5 authentication with integrity (krb5i)
krb5p     Kerberos 5 authentication with privacy (krb5p)
default   Enable default security flavors (sys, krb5, krb5i)
all       Enable all security flavors (sys, krb5, krb5i, krb5p)
PS C:\> Remove-NfsShare -Name newshare2
Confirm
Are you sure you want to perform this action?
Performing operation "Remove Share" on Target "E:\Shares".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS C:\>
Alternatively, you can use the nfsshare command:
To create: nfsshare <Share_Name>=<Path> -o unmapped=yes root rw
Example: nfsshare vol1=e:\Test -o unmapped=yes root rw
To delete NFS Share: nfsshare <share_name> /delete
Example: nfsshare vol1 /delete
Client specific configurations
Some client-side configuration is required for the shared resources on the NFS server to be accessible properly: an NTP client for time
synchronization, a DNS client to resolve hostnames, joining the client system to Active Directory, configuring the identity mapping daemon
(idmapd), and configuring Kerberos 5 client authentication.
Every OS has its own way to configure these. For the exact steps, see the documentation of your client's OS. This white paper provides a few
examples to illustrate the concepts.
Time synchronization, a DNS client to resolve hostnames, and Active Directory membership are also recommended for the NFS server.
Configuring UNIX/Linux client for NTP client
This is primarily needed for Kerberos authentication. By default, the time difference between NFS server and client must be less than five
minutes, otherwise the KDC and the NFS server reject the client's tickets. Apart from authentication, synchronized time has the additional
benefit of consistent file and folder creation and modification timestamps between NFS clients and the NFS server.
The NTP daemon (ntpd) synchronizes your client's time to the servers specified in /etc/ntp.conf using the NTP protocol. The NTP package
includes ntpdate (a program for setting the date and time once from a remote server) and ntpd (a daemon which continuously adjusts system
time), and keeps the clock aligned to Coordinated Universal Time (UTC).
Install the package first, then add the following line to /etc/ntp.conf and restart the daemon:
server <NTP server IP Address or Host name>
[root@ubuntu ~]# apt-get update
[root@ubuntu ~]# apt-get install ntp ntpdate
[root@ubuntu ~]# service ntp restart
* Stopping NTP server ntpd
* Starting NTP server ntpd
Check status using ntpq -p. In an Active Directory environment, point the client at the same time source as the domain controllers (the PDC
emulator is the authoritative source for the domain), so that client, KDC and NFS server agree.
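The following script is an added example and is not part of the white paper. It parses the output of ntpq -p the way the check above asks you to do by eye: it finds the peer the daemon is actually synchronized to (the line starting with "*") and compares its offset against the Kerberos skew limit. The column layout assumed for ntpq -p and the two sample outputs embedded in the script are constructed for illustration; run it against live output with ntpq -p > /tmp/ntpq.txt.

```shell
#!/bin/sh
# Added example (not from the HPE white paper): check that the NTP client has
# a selected peer and that its clock offset is within the Kerberos skew limit.
# ntpq -p prints one line per peer; the line starting with '*' is the peer the
# daemon is currently synchronized to, and its 'offset' column is in ms.
# Assumption (not from the paper): ntpq -p column layout
#   remote refid st t when poll reach delay offset jitter

# Print the offset (ms) of the selected ('*') peer; print nothing if no peer is selected.
# $1 = file holding the output of `ntpq -p`
ntp_selected_offset_ms() {
    awk 'substr($1, 1, 1) == "*" { print $9; exit }' "$1"
}

# Return 0 when a peer is selected and |offset| is below the limit in ms.
# $1 = ntpq -p output file, $2 = limit in ms (default 300000 = Kerberos 5 minutes)
ntp_skew_ok() {
    off=$(ntp_selected_offset_ms "$1")
    limit=${2:-300000}
    [ -n "$off" ] || return 1
    awk -v o="$off" -v l="$limit" 'BEGIN { if (o < 0) o = -o; exit (o < l) ? 0 : 1 }'
}

# Constructed sample of healthy output: the domain controller is the selected peer.
sample_ntpq_synced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*domainserver.do 10.1.9.99        3 u   45   64  377    0.512   -3.215   0.417
+ntp2.example.ne 192.168.1.5      2 u   12   64  377   10.911    4.105   1.003
EOF
}

# Constructed sample of a client that has not synchronized yet (no '*' line).
sample_ntpq_unsynced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 domainserver.do .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Run directly: ntp_check.sh <ntpq-output-file> [limit-ms]
if [ -n "$1" ]; then
    if ntp_skew_ok "$1" "$2"; then
        echo "clock offset $(ntp_selected_offset_ms "$1") ms: within limit"
    else
        echo "no synchronized peer or offset beyond limit: Kerberos will fail" >&2
        exit 1
    fi
fi
```

A freshly started ntpd shows no "*" peer for several polling intervals; the script treats that as a failure on purpose, because a client that has not yet selected a peer may still be minutes off even if it will converge later. Use a far tighter limit than five minutes in practice (for example 1000 ms), so that a drifting clock is caught long before Kerberos starts rejecting tickets.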
Configuring UNIX/Linux client for DNS client
A DNS client is required to resolve all hostnames, including those of the NFS server and the domain controller. NFSv4 and Kerberos
authentication both depend on it: the Kerberos client builds the service principal name from the canonical hostname, so the NFS server's
forward and reverse records must agree with the name registered with setspn.
The /etc/resolv.conf file typically contains directives with the IP addresses of nameservers available to a host, such as:
nameserver 10.1.9.99
In this example, 10.1.9.99 is the DNS server.
To verify the DNS configuration, you may use the following command:
root@ubuntu:~# nslookup nas.lab
Server:         10.1.9.99
Address:        10.1.9.99#53

Name:   cnas.com
Address: 10.20.1.2
Name:   cnas.com
Address: 10.1.9.99
root@ubuntu:~# ping nas.lab
PING cnas.com (10.1.9.99) 56(84) bytes of data.
64 bytes from 10.1.9.99: icmp_req=1 ttl=128 time=0.517 ms
64 bytes from 10.1.9.99: icmp_req=2 ttl=128 time=0.468 ms
Adding a Linux system to Windows Active Directory
To display file and directory owners and groups correctly, it is recommended to use the same source of user and group databases on Windows
and Linux. This can be achieved by joining the client to AD. Third-party tools such as Likewise Open, or the distribution's own SSSD with realmd
on current releases, can be used to join your Linux client system to Windows AD. For steps and configuration details, see the documentation
of your client OS.
Configure identity mapping daemon (idmapd)
From NFS protocol version 4 onwards, file owners and groups are sent on the wire as names of the form user@domain rather than as numeric
IDs, and idmapd translates them on each side. Server and client both must have access to identical account information. If idmapd is not
configured or does not work properly, file and directory ownership is displayed as nobody or as a high value such as 4294967294.
The [General] section of /etc/idmapd.conf must have a Domain setting. NFS servers and NFS clients that interact with each other must have
their idmap domains set identically. The [Translation] section specifies the method of translating between names and IDs; typically the
nsswitch method is best. On newer clients the kernel calls nfsidmap(8) through request-key instead of rpc.idmapd, but /etc/idmapd.conf
remains the configuration file and the Domain setting applies either way.
For example, a typical idmapd.conf file might look like this (Verbosity = 7 is debug-level logging; lower it once the mapping works):
[General]
Verbosity = 7
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
NOTE: In place of DOMAIN.COM, make sure to use your AD domain name (example: NAS.LAB)
For an Ubuntu 12.04 client, update the /etc/default/nfs-common file to set:
NEED_IDMAPD=yes
root@nfsclient:~# service idmapd restart
idmapd stop/waiting
idmapd start/running, process 2809
root@nfsclient:~#
root@nfsclient:~# ps -ef | grep idmap
root      2809     1  0 21:06 ?        00:00:00 rpc.idmapd
root      2828  2282  0 21:07 pts/0    00:00:00 grep --color=auto idmap
root@nfsclient:~#
For Fedora, run the following commands:
[root@fedora17x64 ~]# systemctl enable nfs-server.service
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/multi-user.target.wants/nfs-server.service'
[root@fedora17x64 ~]#
Reboot the system or start the daemon using /usr/sbin/rpc.idmapd.
Configuring Kerberos 5 authentication
If you plan to implement Kerberos authentication, you must configure a Kerberos client on each client system.
Before you begin, verify that the required Kerberos packages for your client OS are installed. Also ensure the NTP client, DNS client, and
idmapd are configured correctly and working.
The infrastructure scenario below is used in this document; use your own domain and server names in place of these:
Domain Name       : DOMAIN.COM
Domain Controller : domainserver.domain.com
NFS Server        : NFSSERVER and NFSSERVER.domain.com
UNIX Client       : nfsclient and nfsclient.domain.com
Step 1: Edit the /etc/krb5.conf file to specify the default realm, KDC server and realm name.
For example:
[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = domainserver.domain.com
admin_server = domainserver.domain.com
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
The [domain_realm] keys are DNS domain names and are written in lower case; the entry with the leading dot maps every host under domain.com
to the realm DOMAIN.COM.
Step 2: Enable the client transport Kerberos authentication daemon (rpc.gssd).
For example, on Ubuntu 12.04, you can use the following steps:
Update the /etc/default/nfs-common file to set:
NEED_GSSD=yes
root@nfsclient:~# service gssd restart
gssd stop/waiting
gssd start/running, process 2826
root@nfsclient:~#
root@nfsclient:~# ps -ef | grep gss
root      2826     1  0 21:06 ?        00:00:00 rpc.gssd
root      2828  2282  0 21:07 pts/0    00:00:00 grep --color=auto gss
root@nfsclient:~#
To enable rpc.gssd on Fedora systems:
[root@fedora ~]# service nfs-secure enable
Redirecting to /bin/systemctl enable nfs-secure.service
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/multi-user.target.wants/nfs-secure.service'
[root@fedora ~]# service nfs-secure start
Redirecting to /bin/systemctl start nfs-secure.service
[root@fedora ~]# ps -ef | grep gss
root     32734     1  0 14:58 ?        00:00:00 /usr/sbin/rpc.gssd
root     32742 32226  0 14:59 pts/1    00:00:00 grep --color=auto gss
[root@fedora ~]#
Step 3: Test the configuration by requesting a ticket using the kinit utility.
For example (the user root must exist in the domain):
root@nfsclient:~# kinit root@DOMAIN.COM
Password for root@DOMAIN.COM:
When a ticket has been granted, the details can be viewed using klist:
root@nfsclient:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@DOMAIN.COM

Valid starting       Expires              Service principal
12/12/2016 22:14:04  12/13/2016 08:14:04  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 12/13/2016 22:13:57
Step 4: Set up service principal names (SPNs) on the Domain Controller.
Ensure the NFS server (NFSSERVER.domain.com in this example) is part of the domain.
An SPN is the name by which a Kerberos client uniquely identifies an instance of a service on a given target computer. The setspn command is
used to manage SPNs for Windows computers. Register the nfs/ SPN on the computer object of the name clients actually mount from; for a
clustered File Server that is the File Server role's computer object (the one carrying the MSClusterVirtualServer SPNs), not an individual
cluster node. Run the following commands on the Domain Controller:
c:\>setspn -A nfs/TWP3PAR-N1 TWP3PAR-N1
Registering ServicePrincipalNames for CN=TWP3PAR-N1,CN=Computers,DC=nas,DC=lab
nfs/TWP3PAR-N1
Updated object
c:\>setspn -A nfs/TWP3PAR-N1.domain.com TWP3PAR-N1
Registering ServicePrincipalNames for CN=TWP3PAR-N1,CN=Computers,DC=nas,DC=lab
nfs/TWP3PAR-N1.domain.com
Updated object
c:\>
[Note: "nas.lab" is the domain in this output; substitute your own.]
Then verify:
c:\>setspn -L TWP3PAR-N1
Registered ServicePrincipalNames for CN=TWP3PAR-N1,CN=Computers,DC=nas,DC=lab:
nfs/TWP3PAR-N1.domain.com
nfs/TWP3PAR-N1
MSServerClusterMgmtAPI/TWP3PAR-N1.domain.com
MSServerClusterMgmtAPI/TWP3PAR-N1
MSClusterVirtualServer/TWP3PAR-N1.domain.com
MSClusterVirtualServer/TWP3PAR-N1
HOST/TWP3PAR-N1.domain.com
HOST/TWP3PAR-N1
c:\>
Also run setspn -X, which reports SPNs registered on more than one object in the forest; a duplicated nfs/ SPN makes Kerberos fail for both
objects, and the failure shows up on the client only as a generic mount error.
Step 5: On the Domain Controller create the following users and set passwords for them.
• hostuser (represents the client machine)
• rootuser (account for root on the client)
• nfsuser (used by the NFS client's rpc.gssd as its machine credential)
After creating these users, right click each user, go to Properties and in the Account tab, change the User logon name to
host/nfsclient.domain.com, root/nfsclient.domain.com, and nfs/nfsclient.domain.com respectively. These accounts exist only to hold keytab
credentials: give them long random passwords, deny them interactive logon, and, if you intend to use AES keys (see Step 6), tick "This account
supports Kerberos AES 256 bit encryption" on the same Account tab.
c:\>setspn -A host/nfsclient hostuser
c:\>setspn -A host/nfsclient.domain.com hostuser
c:\>setspn -A root/nfsclient rootuser
c:\>setspn -A root/nfsclient.domain.com rootuser
c:\>setspn -A nfs/nfsclient nfsuser
c:\>setspn -A nfs/nfsclient.domain.com nfsuser
Note that the NFS client's rpc.gssd searches the keytab for three different principals (host/nfsclient, root/nfsclient, and nfs/nfsclient)
when it needs machine credentials to talk to the NFS server, and uses the first valid one it finds, so it is enough to configure just the
nfs/nfsclient principal. As a fallback, you may configure the other SPNs if nfs/nfsclient does not work.
Step 6: The client must use the root/nfsclient.domain.com principal without actually typing in a password for that account.
This is done with a keytab file. To export keytab files for these accounts, run the following commands on the Domain Controller:
c:\>ktpass -princ host/nfsclient.domain.com@DOMAIN.COM -mapuser hostuser -pass <password> -out hostuser.keytab
c:\>ktpass -princ root/nfsclient.domain.com@DOMAIN.COM -mapuser rootuser -pass <password> -out rootuser.keytab
c:\>ktpass -princ nfs/nfsclient.domain.com@DOMAIN.COM -mapuser nfsuser -pass <password> -out nfsuser.keytab
The klist output below shows that ktpass emitted RC4 (arcfour-hmac) keys here. RC4 is deprecated; add -crypto AES256-SHA1 -ptype
KRB5_NT_PRINCIPAL to each command (and enable AES on the account as described in Step 5) to get an aes256-cts-hmac-sha1-96 key instead.
Each ktpass run resets the account password and increments its key version number (KVNO), so re-export and re-merge the keytab whenever you
run it again. Treat the .keytab files as secrets: copy them over an authenticated channel such as scp and delete the copies left on the
Domain Controller afterwards.
Step 7: Update Kerberos principals on the NFS client.
Now copy these keytab files from the Domain Controller to nfsclient.
On the NFS client, merge these files into the keytab file. From the directory where the files were copied, run ktutil. In this interactive
tool run the following commands:
# ktutil
ktutil: rkt /etc/krb5.keytab
( use this command, if this file already exists on the client )
ktutil: rkt hostuser.keytab
ktutil: rkt rootuser.keytab
ktutil: rkt nfsuser.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
Keep /etc/krb5.keytab owned by root with mode 0600; anyone who can read it holds the client's machine credentials.
Now nfsclient should be able to get tickets for these accounts without typing any passwords. Test with the following commands:
kinit -k host/nfsclient.domain.com
kinit -k root/nfsclient.domain.com
kinit -k nfs/nfsclient.domain.com
root@nfsclient:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
   3 root/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
   3 nfs/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
root@nfsclient:~#
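The script below is an added example, not part of the white paper, that turns the visual check of the klist -ke listing above into something repeatable. It parses klist -ke output, lists keytab entries whose key uses RC4 or DES, and confirms that the nfs/<fqdn> principal rpc.gssd looks for has an AES key. The output layout assumed for MIT klist -ke, the placeholder names nfsclient.domain.com and DOMAIN.COM, and the sample listing embedded in the script (the three RC4 keys from Step 7 plus an AES key with a higher KVNO, as you would get after re-running ktpass with -crypto AES256-SHA1 and merging the new file) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HPE white paper): audit the merged client keytab.
# rpc.gssd uses whatever key the keytab carries, and the klist -ke output in the
# paper shows arcfour-hmac (RC4) keys. This script parses `klist -ke` output,
# lists entries with deprecated enctypes, and checks that the nfs/<fqdn>
# principal rpc.gssd looks for has an AES key.
# Assumptions (not from the paper): MIT klist -ke output layout
#   "KVNO Principal (enctype)"; nfsclient.domain.com / DOMAIN.COM are the
#   paper's placeholders; the sample listing below is constructed, not captured.

# Print "KVNO principal enctype" for every keytab entry in a klist -ke listing.
# $1 = file holding the output of `klist -ke`
keytab_entries() {
    awk '
        /^ *[0-9]+ +[^ ]+@[^ ]+ +\(/ {
            enc = $NF; gsub(/[()]/, "", enc)
            print $1, $2, enc
        }' "$1"
}

# List principals whose key uses RC4 or any DES variant, one per line.
weak_keytab_entries() {
    keytab_entries "$1" |
        awk '$3 ~ /^(arcfour-hmac|des-cbc-crc|des-cbc-md5|des3-cbc-sha1)/ { print $2, $3 }'
}

# Number of weak entries, as a plain integer.
count_weak() {
    weak_keytab_entries "$1" | wc -l | tr -d ' '
}

# Return 0 if the keytab holds an AES key for the given principal.
# $1 = klist -ke output file, $2 = principal, e.g. nfs/nfsclient.domain.com@DOMAIN.COM
has_aes_principal() {
    keytab_entries "$1" |
        awk -v p="$2" '$2 == p && $3 ~ /^aes/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed klist -ke output: the three RC4 keys from the paper plus an AES
# key for nfs/ with a higher KVNO, as produced by re-running ktpass with
# -crypto AES256-SHA1 and merging the new keytab.
sample_klist_ke() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
   3 root/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
   3 nfs/nfsclient.domain.com@DOMAIN.COM (arcfour-hmac)
   4 nfs/nfsclient.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Run directly on the live keytab: keytab_audit.sh <principal>
if [ -n "$1" ]; then
    klist -ke > /tmp/klist.out 2>/dev/null || { echo "klist failed" >&2; exit 2; }
    echo "weak entries:"; weak_keytab_entries /tmp/klist.out
    if has_aes_principal /tmp/klist.out "$1"; then
        echo "AES key present for $1"
    else
        echo "no AES key for $1" >&2; exit 1
    fi
fi
```

Because ktutil's rkt/wkt appends rather than replaces, the old RC4 entries stay in /etc/krb5.keytab after you merge the AES keytab; the KDC hands out the highest KVNO, so they are harmless for authentication but should still be removed with ktutil's delent once the AES key is confirmed to work.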
Mounting NFS Shares on clients
Before mounting the NFS Shares, check the list of shares available on the NFS server. On HPE 3PAR StoreServ File Controller, the following
PowerShell command can be used to list the NFS Shares available:
PS C:\ > Get-NfsShare
Name      Availability              Path
----      ------------              ----
newnfs    Standard (not clustered)  D:\Shares
newnfs2   Standard (not clustered)  E:\Shares
PS C:\ >
Alternatively, the nfsshare or showmount -e localhost commands can be used to get similar output.
To list all Shares available on the server, go to Server Manager > File and Storage Services > Shares.
Most UNIX NFS clients also support the showmount -e <NFS Server> command to list available Shares on the NFS server:
[root@ubuntu /]# showmount -e twp3par-n1
Export list for twp3par-n1:
/newnfs  (everyone)
/newnfs2 (everyone)
[root@ubuntu /]#
There are three different ways to mount NFS Shares:
Manual mounting
# mount -t <nfs-type> -o <options> <NFSServer:/NFSShare> <Mount point>
Manual mounting is not persistent across client reboots. When you reboot the client, shares will not be mounted automatically. Therefore,
this method is typically used to check and verify the mount operation or to access data on a temporary basis.
A directory for the mount point must be created first.
Examples:
# mount -t nfs -o vers=3 twp3par-n1:/newnfs /data
• Mounts the /newnfs NFS Share on /data using NFS protocol version 3
# mount -t nfs4 -o minorversion=1,sec=krb5i twp3par-n1.domain.com:/newnfs /data
• Mounts the /newnfs NFS Share on /data using NFS protocol version 4.1 with Kerberos 5 authentication + integrity checking. Use the fully
qualified name that matches the nfs/ SPN registered in Step 4; a short name or an IP address may not canonicalize to that principal and the
mount then fails with a Kerberos error.
Mounting via /etc/fstab
Add a line similar to this to /etc/fstab to mount the NFS Share after a reboot:
<NFSServer:/NFSShare> <Mount point> <nfs-type> <Options> 0 0
To mount a file system which is specified in /etc/fstab without rebooting the client system, use mount -a or mount <Mount Point>.
Here is an example that mounts an NFSv4.1 share using /etc/fstab:
[root@ubuntu /]# mount
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /run type tmpfs (rw,noexec,nosuid)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
[root@ubuntu /]# cat /etc/fstab
# /etc/fstab
# Created by rootub on Wed Dec 14 18:20:44 2016
#
# Accessible filesystems, by reference, are maintained under "/dev/disk"
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=086eae5c-0fa5-427e-8613-552aab83ec41 /          ext3    defaults        1 1
UUID=def0a2b5-0ab7-4cc1-ab4d-29d7dce213ee swap       swap    defaults        0 0
tmpfs                                     /dev/shm   tmpfs   defaults        0 0
devpts                                    /dev/pts   devpts  gid=5,mode=620  0 0
sysfs                                     /sys       sysfs   defaults        0 0
proc                                      /proc      proc    defaults        0 0
twp3par-n1.nas.lab:/newnfs                /mnt       nfs4    minorversion=1  0 0
[root@ubuntu /]# mount -a
[root@ubuntu /]# mount
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
twp3par-n1.nas.lab:/newnfs on /mnt type nfs4 (rw,minorversion=1,addr=10.141.154.52,clientaddr=10.0.2.19)
[root@ubuntu /]#
Mounting via Autofs
Autofs is a program, available on most NFS client systems, which automatically mounts directories on an as-needed basis. It mounts the NFS
Shares when they are accessed and unmounts them after a period of inactivity. Because of this, automounting conserves bandwidth and offers
better overall performance compared to static mounts via fstab.
Before you configure Autofs, ensure you have the autofs package installed on your client system.
This example line in /etc/auto.master instructs autofs to manage the mount point /data using the map file /etc/auto.data:
/data   /etc/auto.data
The /etc/auto.data file should contain a separate line for each NFS share. The format of a line is:
<Mount point> <Options> <NFSServer:/NFSShare>
The following line creates a new mount point at /data1 and mounts the nfsdata directory exported by the machine whose hostname is
NFSServer, using NFSv4.1:
data1   -fstype=nfs4,minorversion=1   NFSserver:/nfsdata
The same key written for NFSv3 would be:
data1   -fstype=nfs,vers=3            NFSServer1.cnas.com:/nfsdata
The mount points specified here are relative to the mount point given in /etc/auto.master. In the above example, when a user browses to the
/data/data1 directory, the NFS Share gets mounted.
Now restart the autofs service:
[root@ubuntu /]# /etc/init.d/autofs restart
Stopping automount:                                        [  OK  ]
Starting automount:                                        [  OK  ]
[root@ubuntu /]#
Listing the directory triggers the automount, as the second df shows:
[root@ubuntu /]# df -k
Filesystem                    1K-blocks      Used Available Use% Mounted on
/dev/sda1                      14110640   3603304   9790536  27% /
tmpfs                           1962600        88   1962512   1% /dev/shm
[root@ubuntu /]# ls -l /data/data1
total 4
-rw-r--r-- 1 root root 2724 Nov 20 22:44 data.tar.gz
[root@ubuntu /]# df -k
Filesystem                    1K-blocks      Used Available Use% Mounted on
/dev/sda1                      14110640   3603304   9790536  27% /
tmpfs                           1962600        88   1962512   1% /dev/shm
twp3par-n1.nas.com:/nfsdata   524156896 430739072  93417824  83% /data/data1
[root@ubuntu /]#
Mount has numerous options. Refer to the nfs(5) man page for detailed information. Below are commonly used ones:
<nfs-type> is either nfs or nfs4.
<options> include:
nfsvers=2 or nfsvers=3 selects the NFS protocol version (newer clients also accept nfsvers=4 and vers=4.1).
minorversion=1 mounts NFSv4.1 Shares.
sec=mode selects the NFS security flavour:
sys uses local UIDs and GIDs (client-asserted, not authenticated).
krb5 uses Kerberos 5 authentication.
krb5i uses Kerberos 5 authentication + integrity checking.
krb5p uses Kerberos 5 authentication + integrity checking + encryption.
The sec= option is what the client asks for; with NFSv4 the flavour is negotiated with the server, so confirm the result in /proc/mounts (or
with nfsstat -m) rather than assuming it from the fstab entry.
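The following script is an added example and not part of the white paper. It reads the client's mount table in /proc/mounts format and reports every NFS mount that is not NFSv4.x with krb5i or krb5p, which is the check the paragraph above recommends after mounting. The /proc/mounts layout it assumes, the treatment of a missing sec= option as AUTH_SYS (older kernels omit sec= for that flavour), and the sample mount lines embedded in it (a Kerberos home mount, the unmapped read-only apps share from use case #1 below, and a legacy NFSv3 mount) are constructed for illustration; the policy itself is an assumption you should adjust to your own exports.

```shell
#!/bin/sh
# Added example (not from the HPE white paper): audit the NFS mounts a client
# actually has, from /proc/mounts, and flag those that do not use NFSv4.x with
# a Kerberos flavour that protects integrity (krb5i) or privacy (krb5p).
# The sec= option in fstab is only a request; /proc/mounts shows what the
# server and client negotiated.
# Assumptions (not from the paper): /proc/mounts layout
#   "<source> <target> <fstype> <opt,opt,...> 0 0"; older kernels omit
#   sec= for AUTH_SYS, which is why a missing sec= is treated as sys.
#   The sample lines below are constructed, not captured.

# Print "<target> <source> <version> <sec>" for every NFS mount.
# $1 = file in /proc/mounts format
nfs_mount_table() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        n = split($4, o, ","); vers = "?"; sec = "sys"
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
            if (o[i] ~ /^sec=/)  sec  = substr(o[i], 5)
        }
        print $2, $1, vers, sec
    }' "$1"
}

# Print mounts that violate the policy "NFSv4.x and krb5i or krb5p".
# $1 = file in /proc/mounts format
nfs_policy_violations() {
    nfs_mount_table "$1" |
        awk '!($3 ~ /^4/ && ($4 == "krb5i" || $4 == "krb5p")) {
            print $1, $2, "vers=" $3, "sec=" $4
        }'
}

# Number of violating mounts, as a plain integer.
count_violations() {
    nfs_policy_violations "$1" | wc -l | tr -d ' '
}

# Constructed sample: a Kerberos NFSv4.1 home mount, the read-only apps share
# mounted unmapped with sec=sys, and a legacy NFSv3 mount.
sample_proc_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=continue 0 0
twp3par-n1.nas.lab:/newnfs /mnt nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,sec=krb5i,clientaddr=10.0.2.19,addr=10.141.154.52 0 0
twp3par-n1.nas.lab:/ro /apps nfs4 ro,relatime,vers=4.1,sec=sys,addr=10.141.154.52 0 0
twp3par-n1.nas.lab:/newnfs2 /data nfs rw,relatime,vers=3,proto=tcp,addr=10.141.154.52 0 0
EOF
}

# Report violations for a mount table; returns 1 if any were found.
# $1 = mounts file (default /proc/mounts)
main() {
    f=${1:-/proc/mounts}
    v=$(nfs_policy_violations "$f")
    if [ -n "$v" ]; then
        echo "NFS mounts below policy (want NFSv4.x with krb5i/krb5p):"
        echo "$v"
        return 1
    fi
    echo "all NFS mounts in $f meet policy"
}

# Run directly: nfs_mount_audit.sh --run [mounts-file]
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

On the sample table the audit reports /apps (NFSv4.1 but sec=sys) and /data (NFSv3, no Kerberos) and leaves /mnt alone. Whether an unmapped read-only application share is an acceptable exception is a policy decision; the point of running the audit is that the exception is listed explicitly rather than discovered later.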
Use case deployment #1
An organization has two teams (groups) and each group has 10 members from a total of 20 employees. All are expected to have their home
directories on HPE 3PAR StoreServ File Controller. One group member can read files and directories of other members of the same group, but
cannot write. Members should not read and/or write files and directories of members of the other group. All users use an application, which is
stored on a common read-only share. Another common read-write share is used to store non-critical temp files.
Creating home directories
Step 1: Create the following users and groups on the client systems
Two groups: account_team and hr_team
Ten users each: account_user1 through account_user10 and hr_user1 through hr_user10
Step 2: Copy the /etc/passwd and /etc/group files to a directory on the HPE 3PAR StoreServ File Controller.
Remove all lines other than the ones below. Every user must keep a unique UID and every group a unique GID, because Server for NFS identifies
the account by number; two accounts sharing a UID become indistinguishable on the share.
passwd file:
account_user1:x:505:601::/home/account_user1:/bin/bash
. . .
account_user10:x:514:601::/home/account_user10:/bin/bash
hr_user1:x:515:602::/home/hr_user1:/bin/bash
. . .
hr_user10:x:524:602::/home/hr_user10:/bin/bash
group file:
account_team:x:601:
hr_team:x:602:
Step 3: Create the users and groups
If you have AD DS available, run the script discussed in “Configuring server for NFS and NFS shares” on page 8, or you can copy these two files
to %SystemRoot%\system32\drivers\etc\ and create the users and groups manually.
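The script below is an added example and not part of the white paper. It produces the trimmed passwd and group files that both the "Local user mapping" section and Step 2 above call for, by filtering a client's /etc/passwd and /etc/group down to the members of the named groups, and it refuses to emit a file in which a UID or GID is reused. The sample passwd and group content embedded in it is constructed (it deliberately gives hr_user1 the same UID as account_user1 so the check has something to catch); the file names and group names are taken from the use case.

```shell
#!/bin/sh
# Added example (not from the HPE white paper): build the minimal passwd and
# group files that Server for NFS local-file mapping reads
# (%SystemRoot%\system32\drivers\etc\passwd and group) from a Linux client,
# keeping only the accounts in the listed groups, and refuse to emit a file in
# which a UID or GID repeats. A duplicate UID makes two people the same
# principal on the NFS side, which silently defeats the per-user ACLs the use
# case relies on.
# Assumptions (not from the paper): input files are in passwd(5)/group(5)
# format; the sample data below is constructed, not taken from a real system.

# Print the passwd lines whose primary GID belongs to one of the given groups.
# $1 = passwd file, $2 = group file, remaining args = group names
filter_passwd() {
    passwd="$1"; group="$2"; shift 2
    gids=""
    for g in "$@"; do
        gids="$gids $(awk -F: -v n="$g" '$1 == n { print $3 }' "$group")"
    done
    awk -F: -v want="$gids" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        ($4 in keep) { print }
    ' "$passwd"
}

# Print the group lines for the given group names.
# $1 = group file, remaining args = group names
filter_group() {
    group="$1"; shift
    for g in "$@"; do
        awk -F: -v n="$g" '$1 == n { print }' "$group"
    done
}

# Return 1 (and name the offenders) if the numeric id in field 3 repeats.
check_unique_ids() {
    dupes=$(awk -F: '{ print $3 }' "$1" | sort | uniq -d)
    if [ -n "$dupes" ]; then
        echo "duplicate id(s) in $1: $dupes" >&2
        return 1
    fi
    return 0
}

# Write <outdir>/passwd and <outdir>/group, then validate them.
# $1 = passwd file, $2 = group file, $3 = output directory, remaining = groups
export_nfs_maps() {
    passwd="$1"; group="$2"; outdir="$3"; shift 3
    mkdir -p "$outdir"
    filter_passwd "$passwd" "$group" "$@" > "$outdir/passwd"
    filter_group "$group" "$@" > "$outdir/group"
    check_unique_ids "$outdir/passwd" && check_unique_ids "$outdir/group"
}

# Constructed sample input mirroring the use case; hr_user1 reuses UID 505 on
# purpose so that the uniqueness check has something to catch.
write_sample_files() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
account_user1:x:505:601::/home/account_user1:/bin/bash
account_user2:x:506:601::/home/account_user2:/bin/bash
hr_user1:x:505:602::/home/hr_user1:/bin/bash
hr_user2:x:516:602::/home/hr_user2:/bin/bash
svc_backup:x:700:700::/var/lib/backup:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
account_team:x:601:
hr_team:x:602:
backup:x:700:
EOF
}

# Run directly: export_nfs_maps.sh <passwd> <group> <outdir> group...
if [ "$#" -ge 4 ]; then
    export_nfs_maps "$@"
fi
```

Run it against a real client as export_nfs_maps.sh /etc/passwd /etc/group ./nfsmaps account_team hr_team and copy the two resulting files to %SystemRoot%\system32\drivers\etc\ on the File Controller. Service accounts such as svc_backup in the sample never reach the NFS server because they are not in a listed group, which is the intended behaviour: the mapping file should carry only the identities the share is meant to know about.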
Step 4: Create NFS shares
Create all NFS shares and assign the respective user Full Control permission and its group Read and Execute permission.
account_user1   :userdata/account_user1
account_user2   :userdata/account_user2
account_user3   :userdata/account_user3
account_user4   :userdata/account_user4
And so on.
Step 5: Create the mount point
Create a folder called /nas on the client. Instead of mounting the userdata shared directory on /nas, you may want to automount each
individual user's home directory whenever the user logs in or accesses it.
/etc/auto.master might contain the following line:
/nas    /etc/auto.home
/etc/auto.home might contain these lines:
account_user1   NFSserver:/userdata/account_user1
account_user2   NFSserver:/userdata/account_user2
account_user3   NFSserver:/userdata/account_user3
account_user4   NFSserver:/userdata/account_user4
And so on.
Adding all users' entries may be cumbersome. Instead, you can use wild-card characters in the /etc/auto.home file, as follows:
*   NFSserver:/userdata/&
The asterisk (*) is used in place of the mount point and the ampersand (&) in place of the directory to be mounted.
Step 6: Move files from the home directories to the NFS share
Create a tar file containing all users' data. Before you run the command, ensure the volume containing the <path> folder has sufficient space:
# cd /home
# tar -cvzf /<path>/data.tar.gz ./
Copy the data file to the destination:
# cp /<path>/data.tar.gz /nas
Extract the files and directories at the destination. Before you extract, ensure all users' home directories are mounted.
# cd /nas
# tar -xvzf data.tar.gz
As root, point each user's home directory at the NFS mount:
# usermod -d /nas/account_user1 account_user1
Try to log in as account_user1:
login as: account_user1
account_user1@10.1.8.63's password:
Last login: Thu Sep 20 12:49:25 2012 from 10.1.8.11
bash-4.1$ pwd
/nas/account_user1
bash-4.1$ cp -r /home/account_user1/*.* .
bash-4.1$
Re-login with the user. (The pattern *.* copies only names containing a dot; the tar archive above already carried everything, including dot
files, so this copy is only needed for files changed since the archive was made.)
Creating a read-only apps share:
1. Create a folder on a volume of the HPE 3PAR StoreServ File Controller.
2. Create an unmapped UNIX user access NFS Share with Read-Only permission for root.
3. Add "Everyone" in the NTFS permissions with Read & execute and List folder contents.
4. Copy your applications.
5. Mount the volume:
[root@fedora ~]# mkdir /apps
[root@fedora ~]# mount -t nfs -o minorversion=1 NFSSERVER.domain.com:/ro /apps
[root@fedora ~]# ls -l /apps
total 1
-rwxr-xr-x. 1 nobody nobody 46 Nov 21 15:38 app
[root@fedora ~]#
6. Include the mounted directory in the PATH variable in the users' profile (/etc/bashrc or /etc/profile). Because every user will execute
whatever is in this directory, it must stay read-only at both the NFS (share permission) and NTFS (no write for Everyone) level, and mounting
it with -o ro on the client as well guards against a later share misconfiguration. Append it to the end of PATH, not the front, so it cannot
shadow system binaries.
The following is a small script to simulate and test your application generating data in your home directory.
[root@localhost ~]# cat /apps/app
touch testfile_`date +"%d-%b-%Y_%H-%M-%S"`.txt
[root@localhost ~]#
Creating an anonymous read-write share:
1. To allow anonymous users to access the shares, enable "Network access: Let Everyone permissions apply to anonymous users" as discussed
above.
2. Create a folder on a volume of the HPE 3PAR StoreServ File Controller. Share the folder with unmapped anonymous access. Assign the group
"Everyone" read-write permission.
3. Mount it on the client via /etc/fstab.
Anything written here can be altered by any host that can reach the export, so use this only for the non-critical temporary files the use case
describes, restrict the share's client list to your client networks, and never place executables or configuration that other users consume on it.
Use case deployment #2
An organization has NAS storage systems, and its client systems are configured for mapped user access with Kerberos 5 authentication for
NFS shared resource access. The organization is planning to add an HPE 3PAR StoreServ File Controller to the data center and configure it to
be accessed from the client systems.
Follow these steps to complete the configuration:
1. Complete the installation of the system, including joining it to the Active Directory domain and cluster configuration.
2. Run these commands on the Domain Controller to register the service principal name (SPN):
c:\>setspn -A nfs/NFSSERVER NFSSERVER
Registering ServicePrincipalNames for CN=NFSSERVER,CN=Computers,DC=nas,DC=lab
nfs/NFSSERVER
Updated object
c:\>setspn -A nfs/NFSSERVER.domain.com NFSSERVER
Registering ServicePrincipalNames for CN=NFSSERVER,CN=Computers,DC=nas,DC=lab
nfs/NFSSERVER.domain.com
Updated object
c:\>
3. Verify the registration:
c:\>setspn -L NFSSERVER
Registered ServicePrincipalNames for CN=NFSSERVER,CN=Computers,DC=nas,DC=lab:
nfs/NFSSERVER.domain.com
nfs/NFSSERVER
MSServerClusterMgmtAPI/NFSSERVER.domain.com
MSServerClusterMgmtAPI/NFSSERVER
MSClusterVirtualServer/NFSSERVER.domain.com
MSClusterVirtualServer/NFSSERVER
HOST/NFSSERVER.domain.com
HOST/NFSSERVER
c:\>
4. Create NFS shares and assign appropriate NFS and NTFS permissions for the users who are allowed to access the share. Because the clients
already use Kerberos, select only the Kerberos flavours (krb5i or krb5p) for the share's authentication and leave AUTH_SYS and unmapped access
disabled, so the new system does not become the one share on the network reachable with a spoofed UID.
5. Configure the client system's mount options, such as editing the /etc/fstab file to include the new NFS shares with sec=krb5i or
sec=krb5p.
Issues with NFS export in UNIX
1. Enable NTFS filename case sensitivity
By default case sensitivity is not enabled within an NTFS file system, hence files created on an NFS export take no notice of case.
Case sensitivity is a fundamental requirement for UNIX clients when working with filenames.
To check this from a UNIX client, follow these steps:
[unmapped@CentOS67 test]$ touch Pete
[unmapped@CentOS67 test]$ ll
total 0
-rw-rw-r--. 1 unmapped unmapped 0 May  4  2016 Pete
[unmapped@CentOS67 test]$ ll pete
# This file should not exist
-rw-rw-r--. 1 unmapped unmapped 0 May  4  2016 pete
[unmapped@CentOS67 test]$ cat /etc/fstab > pete
# This command should create the file `pete`
[unmapped@CentOS67 test]$ ll
total 4
-rw-rw-r--. 1 unmapped unmapped 785 May  4  2016 Pete
# But the redirect command has overwritten the file Pete
[unmapped@CentOS67 test]$ cat pete
# /etc/fstab
# Hence the file Pete now contains data
Resolution
C:\Users\Administrator>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v obcaseinsensitive /t REG_DWORD /d 0
Verify with:
PS C:\Users\sladden.EMEA> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v obcaseinsensitive
A server reboot is needed to apply this change. Note that obcaseinsensitive is a kernel-wide setting on the file controller rather than a per-export one, so it also changes name handling for every NTFS volume and for Windows applications running on the server.
After the reboot, case sensitivity is present for NFS exports:
[unmapped@CentOS67 test]$ touch Pete
[unmapped@CentOS67 test]$ ll
total 0
-rw-rw-r--. 1 unmapped unmapped 0 May  4  2016 Pete
[unmapped@CentOS67 test]$ cat /etc/fstab > pete
[unmapped@CentOS67 test]$ ll
# file created as expected
total 1
-rw-rw-r--. 1 unmapped unmapped 785 May  4  2016 pete
-rw-rw-r--. 1 unmapped unmapped   0 May  4  2016 Pete
# now the redirect writes to the file called pete
[unmapped@CentOS67 test]$ cat Pete
# this should provide no output as the file Pete is empty
[unmapped@CentOS67 test]$ cat pete
# this should provide the contents of /etc/fstab
# /etc/fstab
2. NFS Filename Character Translation
NOTE: The NFS translation file is no longer an option beginning with NFS version 4, because the RFCs for NFS v4.0 and later explicitly require
uniform, UTF-8 encoded file names. Character translation therefore does not apply to v4.1; it is a legacy feature that is still available for
NFS v2/v3.
Both UNIX and Windows define a set of valid file name characters, but the two sets differ. If you do not turn on and configure character
translation, Server for NFS cannot create some valid UNIX file names, and you may receive an error message when you try to create such a
file.
The NTFS characters not supported in filenames are:
Illegal NTFS File Characters
1. / (forward slash)          0x2f
2. \ (backslash)              0x5c
3. : (colon)                  0x3a
4. * (asterisk)               0x2a
5. ? (question mark)          0x3f
6. < (less than)              0x3c
7. > (greater than)           0x3e
8. " (double quote)           0x22
9. | (vertical bar or pipe)   0x7c
Note: for a character set reference, see "Character Sets And Code Pages At The Push Of A Button" with ISO/IEC 8859-1 Latin 1 selected.
With NFS version 3 you have the option of resolving this by creating a translation file named NFS-Translation.txt in the NFS share (on the
Windows server). This file must contain the information shown below.
NFS-Translation.txt
0x00 0x2f : 0x00 0xD7 ; replace client "/" with server "Multiplication Sign"
0x00 0x5c : 0x00 0xA1 ; replace client "\" with server "Inverted Exclamation Mark"
0x00 0x3a : 0x00 0xA8 ; replace client ":" with server "Diaeresis"
0x00 0x2a : 0x00 0xB1 ; replace client "*" with server "Plus-Minus Sign"
0x00 0x3f : 0x00 0xBF ; replace client "?" with server "Inverted Question Mark"
0x00 0x3c : 0x00 0xAB ; replace client "<" with server "Left-Pointing Double Angle Quotation Mark"
0x00 0x3e : 0x00 0xBB ; replace client ">" with server "Right-Pointing Double Angle Quotation Mark"
0x00 0x22 : 0x00 0xF7 ; replace client """ with server "Division Sign"
0x00 0x7c : 0x00 0xA6 ; replace client "|" with server "Broken Bar"
Create a test folder on the CentOS Linux server containing files named with each of these characters:
[bttv@centos5-01 rsyncshare]$ ll /tmp/translation/
total 48
drwxr-xr-x   2 root root  4096 Apr 28 17:16 .
drwxrwxrwt  14 root root  4096 Apr 28 17:16 ..
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:50 file<
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:50 file>
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:51 file|
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:50 file:
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:51 file?
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:51 file"
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:51 file*
-rw-r--r--   1 bttv vosp2    0 Apr 28 15:51 file\
Copy the test folder contents to the share mounted on the UNIX client:
[bttv@centos5-01 rsyncshare]$ df -hm
Filesystem                       1M-blocks  Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00      15840  3619     11405  25% /
/dev/sda1                               99    41        53  44% /boot
tmpfs                                  878     0       878   0% /dev/shm
centos5-02:/data1/unix1              16122   185     15119   2% /centos5-02/unix1
win2k12r2:rsyncshare                 10237   659      9579   7% /win2k12r2/rsyncshare
[bttv@centos5-01 rsyncshare]$ pwd
/win2k12r2/rsyncshare
[bttv@centos5-01 rsyncshare]$ cp /tmp/translation/* .
[bttv@centos5-01 rsyncshare]$ ll
total 13
drwxrwxrwx 2 4294967294 4294967294 4096 Apr 28 18:21 .
drwxr-xr-x 5 root       root       4096 Apr 28 17:16 ..
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file<
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file>
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file|
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file:
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file?
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file"
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file*
-rw-r--r-- 1 bttv       vosp2         0 Apr 28 18:36 file\
-rw-rw-r-- 1 bttv       vosp2       130 Apr 28 13:48 unmapped-resolv.conf
-rw-rw-r-- 1 bttv       vosp2       130 Apr 28 13:48 unmapped-resolv-copy.txt
Verify on the Windows server that the illegal characters were translated:
D:\rsyncshare>dir
 Volume in drive D is Data
 Volume Serial Number is 6EE8-E4D2

 Directory of D:\rsyncshare

28/04/2016  18:21    <DIR>          .
28/04/2016  18:21    <DIR>          ..
28/04/2016  18:21                 0 file¡
28/04/2016  18:21                 0 file¦
28/04/2016  18:21                 0 file¨
28/04/2016  18:21                 0 file«
28/04/2016  18:21                 0 file±
28/04/2016  18:21                 0 file»
28/04/2016  18:21                 0 file¿
28/04/2016  18:21                 0 file÷
28/04/2016  13:48               130 unmapped-resolv-copy.txt
28/04/2016  13:48               130 unmapped-resolv.conf
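The following is an added example, not code from the white paper or from Server for NFS: it parses the NFS-Translation.txt format shown above (each side is a 16-bit code written as high byte then low byte, with ";" starting a comment), applies the mapping in both directions, and rejects a file whose server-side characters are themselves illegal on NTFS or would make two client names collide. The embedded file content is a constructed copy of the page's own table.

```python
"""Parse a Server for NFS translation file and apply it to file names.
Added example; the file content below is a constructed copy of the page's table."""
import re

TRANSLATION_FILE = """\
0x00 0x2f : 0x00 0xD7 ; replace client "/" with server "Multiplication Sign"
0x00 0x5c : 0x00 0xA1 ; replace client "\\" with server "Inverted Exclamation Mark"
0x00 0x3a : 0x00 0xA8 ; replace client ":" with server "Diaeresis"
0x00 0x2a : 0x00 0xB1 ; replace client "*" with server "Plus-Minus Sign"
0x00 0x3f : 0x00 0xBF ; replace client "?" with server "Inverted Question Mark"
0x00 0x3c : 0x00 0xAB ; replace client "<" with server "Left-Pointing Double Angle Quotation Mark"
0x00 0x3e : 0x00 0xBB ; replace client ">" with server "Right-Pointing Double Angle Quotation Mark"
0x00 0x22 : 0x00 0xF7 ; replace client '"' with server "Division Sign"
0x00 0x7c : 0x00 0xA6 ; replace client "|" with server "Broken Bar"
"""

# The nine characters NTFS refuses in a file name (the table above).
NTFS_ILLEGAL = set('/\\:*?<>"|')

_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{2})\s+0x([0-9a-fA-F]{2})\s*:\s*"
                   r"0x([0-9a-fA-F]{2})\s+0x([0-9a-fA-F]{2})")

def parse_translation(text):
    """Return {client_char: server_char}; each side is hi-byte, lo-byte of one code."""
    mapping = {}
    for line in text.splitlines():
        m = _LINE.match(line.split(";", 1)[0])  # strip the ';' comment first
        if not m:
            continue  # blank or malformed line: ignored, as a lenient reader would
        hi1, lo1, hi2, lo2 = (int(x, 16) for x in m.groups())
        client, server = chr(hi1 << 8 | lo1), chr(hi2 << 8 | lo2)
        if server in NTFS_ILLEGAL:
            raise ValueError(f"server char {server!r} is itself illegal on NTFS")
        if server in mapping.values():
            raise ValueError(f"server char {server!r} mapped twice; names would collide")
        mapping[client] = server
    return mapping

def to_server_name(name, mapping):
    """Client (UNIX) name -> name as stored on the NTFS volume."""
    return "".join(mapping.get(c, c) for c in name)

def to_client_name(name, mapping):
    """Stored NTFS name -> name presented back to the NFS v2/v3 client."""
    reverse = {v: k for k, v in mapping.items()}
    return "".join(reverse.get(c, c) for c in name)
```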
Data migration
This process migrates data from one NFS share to another, preserving the permission, timestamp of creation, modification time, and access time.
Pre-checks
1. Determine the current permissions and owners of files and directories at the source location. The following commands list all the users
and groups that own files and directories:
[root@fedora ~]# ls -lR /home | awk '{print $3}' | sort -u
account_user1
account_user2
hr_user1
[root@fedora ~]# ls -lR /home | awk '{print $4}' | sort -u
account_team
nasqa
hr
[root@fedora ~]#
2. Configure user mapping for the destination so that the users and groups listed above are granted permission to the files and directories.
3. Folders are created as part of the copy operation. Verify that the user can create directories with the same permissions at the
destination.
Examples
Copying the data to a tape device:
# cd <source path>
# tar -cvf /dev/Tape_device ./
# This command stores files with relative paths
Restoring to a relative path:
# cd <destination path>
# tar -xvf /dev/Tape_device
Create a tar file containing all data. Before you run the command ensure the volume holding the <path> folder has sufficient space.
# cd <source path>
# tar -cvzf /<path>/data.tar.gz ./
Copy the data file to the destination:
# cp /<path>/data.tar.gz /<destination path>
Extract the files and directories at the destination:
# cd /<destination path>
# tar -xvzf data.tar.gz
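The pre-checks above list owners and groups by hand. As an added example that is not from the white paper, the script below compares mode, owner, group and timestamps for every entry of a source tree with its copy, so that after the tar-based migration you can confirm what the section says is preserved; it assumes a POSIX host (such as the client that mounted both shares) and takes the two paths as arguments.

```python
"""Compare ownership, mode and timestamps of every entry in a source tree with
its migrated copy.  Added example; assumes both trees are mounted on a POSIX host."""
import os
import stat
import sys

def tree_attrs(root):
    """Map relative path -> (mode, uid, gid, mtime, atime) for everything under root."""
    attrs = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # do not follow symlinks; compare the link itself
            attrs[os.path.relpath(full, root)] = (
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                int(st.st_mtime), int(st.st_atime))
    return attrs

def compare_trees(src, dst, check_times=True):
    """Return a list of differences; an empty list means the copy preserved
    the permissions, owners and (if check_times) timestamps of the source."""
    labels = ("mode", "uid", "gid", "mtime", "atime")
    a, b = tree_attrs(src), tree_attrs(dst)
    diffs = [f"missing at destination: {p}" for p in sorted(a.keys() - b.keys())]
    diffs += [f"extra at destination: {p}" for p in sorted(b.keys() - a.keys())]
    for rel in sorted(a.keys() & b.keys()):
        for label, x, y in zip(labels, a[rel], b[rel]):
            if not check_times and label.endswith("time"):
                continue  # atime in particular changes on every read of the source
            if x != y:
                shown = (oct(x), oct(y)) if label == "mode" else (x, y)
                diffs.append(f"{rel}: {label} {shown[0]} -> {shown[1]}")
    return diffs

if __name__ == "__main__":
    problems = compare_trees(sys.argv[1], sys.argv[2])
    print("\n".join(problems) or "all attributes preserved")
    sys.exit(1 if problems else 0)
```

Run it as root so that uid and gid of files owned by other users are readable on both sides; a non-empty report points at the user-mapping or permission pre-checks that need attention.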
Troubleshooting
Permission Denied issues
To troubleshoot "Permission Denied" issues, follow the steps in the diagram below, verifying permissions from the lowest level up, in this
order: File System Permissions > NFS Permissions > Authentication Method > User Mapping Method > File and Directory permissions for
UNIX users (rwxrwxrwx).
Issues with mount operations, NFS, or authentication daemons
If you have issues with any component like the idmapd, Kerberos authentication transport daemon (RPC.GSSD), or mount operations, get more
verbose information by running it in the foreground with higher verbosity level. Then from another terminal, try to perform the action that is
failing. For example, you might try mounting file systems or try accessing files or directories in the mount point.
Before you run the daemon in the foreground, kill the background process.
# /usr/sbin/rpc.gssd -f -vvv
# /usr/sbin/rpc.idmapd -f -vvv
# /usr/sbin/automount -f -vvv
# mount -t <nfs-type> -o <options> <NFSServer:/NFSShare> <Mount point> -vvv
Here -vvv indicates a verbosity level of 3. Some programs support even higher levels of verbosity.
The UNIX command tail is also very useful for monitoring events that are logged to a file:
# tail -f /var/log/messages
Additionally, you can review the Windows System and Security Event Log on HPE 3PAR StoreServ File Controller.
Open Event Viewer from the Tools menu of Server Manager. Take corrective action based on the error message reported.
Summary
The HPE 3PAR StoreServ File Controller product family provides NFS server capability that enables storage provisioning over TCP/IP networks
to UNIX, Linux, and Mac OS-based client systems. This solution allows customers to connect servers and clients to HPE 3PAR StoreServ File
Controller and deploy end-to-end NFS implementation.
This document guides users through the configuration of end-to-end storage provisioning over a network, which includes the creation of NFS
shares, user identity mapping, and mounting on client systems. This white paper also includes some common use case scenarios and
troubleshooting of issues related to NFS.
Learn more at
hpe.com/us/en/product-catalog/storage/file-storage/pip.file-and-object-storage.6608649.html
© Copyright 2014–2015, 2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change
without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard
Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. UNIX is a registered trademark of The Open Group. Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries. All other third-party trademark(s) is/are property of their respective owner(s).
4AA5-4193ENW, April 2017, Rev. 2