0

I am a complete noob to Linux and its capabilities but in my environment I am having problems accessing an NFS share from Linux clients. I can mount the share without incident and have it set up as an auto mount but when I try to ls or cd to one of the subdirectories of the share I get "Permission Denied". This is occurring with multiple users (except administrators) on my network who are added to the appropriate groups with matching UID/GID information in CentrifyDC and AD.

The share is a VNX5200 series CIFS/NFS share with Windows permissioning set to allow Windows clients as well as Linux clients access. My environment is mixed with RHEL6, RHEL7, CentOS, Windows 7, Windows Server 2008 R2, and Windows Server 2012 R2. The AD Domain is a Windows Server 2008 R2 domain. I don't have direct access to the VNX (owned by another group) but I can work with that admin if necessary. I have full permissions on the AD side of things for all of my clients. The VNX is added to our AD Domain and has multiple interfaces configured for various purposes.

M. Rostami
  • Go have a chat with whoever runs the VNX. – Michael Hampton Sep 02 '16 at 17:44
  • I've thought about this but I have no idea where to have them start looking. – MSE WIN TEAM Sep 02 '16 at 18:29
  • The group that runs the VNX inherited it from several team members ago so they don't have a clue where to start looking without more information. If I knew where to direct them that would help. – MSE WIN TEAM Sep 02 '16 at 18:36
  • How are you mounting without incident? Could you provide all of the commands' syntax/output? – xguru Sep 02 '16 at 19:37
  • Also, the relevant string from the `mount` command output would be helpful. – Dima Chubarov Sep 03 '16 at 12:12
  • Which NFS version? On the server side there should be messages when you get a permission denied on the client. – Nils Sep 03 '16 at 14:41
  • We are currently using NFSv3. This connection has been working fine without change for at least the past 3 years which is why I don't believe the problem is with the mount command or any of the other commands used to automount this drive and make it available to our users. – MSE WIN TEAM Sep 08 '16 at 11:44

1 Answer

1

I did a quick Google search of vfstab vnx5200 and the first non-advertisement in the list was this white paper by EMC.

https://www.emc.com/collateral/software/white-papers/h10949-configuring-nfsv4-vnx-wp.pdf

Pages 8 and 12 are interesting, 17 and 18 discuss ACLs for Linux and Solaris, and troubleshooting starts on page 19, but page 22 (Appendix A) reveals specific requirements for using RHEL or SUSE Linux as a client.

You may find those details helpful to your situation.

dan
  • I had not seen this white paper but I will review it to determine if it's applicable to my current situation. In the interim, I have spoken with the VNX admins and they believe (based on previous experience) that a restart of the VNX is in order to correct the problem. I have been instructed by my supervisors to continue down this path first to see if the issue is corrected as we have already spent months trying to figure this out with no luck. Should that not correct the problem, we are definitely open to attempting additional "fixes" for this problem. – MSE WIN TEAM Sep 08 '16 at 11:46
  • So we (EMC Support) came onsite and reseated/restarted each SP, the control station, and the Data Mover and the issue still persists. Are there any other suggestions I may try? – MSE WIN TEAM Sep 09 '16 at 11:40
  • The point that it had been working for 3 years, and still works for administrative users should be a clue. The fact that you can mount the share (is this automatic at boot or a manual command?) is also a clue of functional storage, network, and security. While I am by no means a guru in this area, I am aware of access control and permission dependencies through experience in my own mixed OS environment. – dan Sep 09 '16 at 16:06
  • I missed the 5 minute cutoff for editing. The fact that you can `automount` the share (you checked the dmesg and message logs?) is also a clue. If you give one of the problem users an administrative role/group (**temporary for testing**), does the share become usable for them? – dan Sep 09 '16 at 16:14
  • Unfortunately I cannot grant a regular user elevated privileges on this system without a crap ton of authorization, even for a temporary period. With that said however, I have noticed that if I delete the group entirely out of AD then recreate it with the same GID it previously had (prior to deletion) things work. This of course isn't really a viable solution because we have several TB of data that I would have to navigate and reapply permissions to on our Windows side of the house because the SID would be different. – MSE WIN TEAM Sep 09 '16 at 20:44
  • However what I can do is create a test account with no elevated permissions (essentially a regular user) and add them to the administrative group of the share. I have performed this and things work fine for the test account sometimes. Other times, when I attempt to apply the domain administrative group (not the default built-in administrators group) to some folders on the share I receive an error message stating that the security ID structure is invalid. – MSE WIN TEAM Sep 12 '16 at 12:17
  • This sounds like something in the AD is out of sync with the storage device. If nothing has changed regarding storage, has anyone examined the directory server? I am confident that during three years of use, there have been patches and updates applied somewhere that could have tipped the balance of security and functionality. – dan Sep 13 '16 at 20:18
  • That is definitely one of my thoughts on the matter. I do not know what to look for or where to begin to look either in order to determine what is out of sync, why, and how to get it back in sync. There are definitely patches applied to the AD DS but according to our storage admins they have applied very few patches to the storage due to the high availability (extremely minimal downtime) requirement. We are trying to get them to patch the storage server now though because the version they are running is no longer supported by EMC. – MSE WIN TEAM Sep 15 '16 at 18:01