Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-75-1439378.1
Update Date: 2012-07-09
Keywords:

Solution Type  Troubleshooting Sure

Solution  1439378.1 :   Sun Storage 7000 Unified Storage System: How to Troubleshoot UNIX/NFS file and directory permission issues  


Related Items
  • Sun Storage 7410 Unified Storage System
  • Sun Storage 7310 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun ZFS Storage 7420
  • Sun Storage 7110 Unified Storage System
  • Sun ZFS Storage 7320
  • Sun Storage 7210 Unified Storage System
Related Categories
  • PLA-Support>Sun Systems>DISK>NAS>SN-DK: 7xxx NAS




In this Document
Purpose
Troubleshooting Steps
References


Applies to:

Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7210 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Information in this document applies to any platform.

Purpose

This document provides a procedure to resolve problems with NFS file and directory permissions/security on the ZFS Storage Appliance.

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - 7000 Series ZFS Appliances

Troubleshooting Steps

Steps to Follow

This document should be used to troubleshoot issues accessing files and directories over NFS mounts. Each of the following steps will provide instructions and/or a link to a document, to check for issues and provide corrective action as necessary.

Step 1 - Understand how ACLs and traditional UNIX permissions interoperate

See <Document:1428773.1> for tips on configuring security in an environment where both traditional NFSv3 permissions and NFSv4 ACL permissions are used.

ACL permissions allow you to go beyond the standard user/group/world security entities and configure files and directories with named users and inheritance bits, at the cost of some compatibility with traditional permissions.

Step 2 - Understand how file and directory permission inheritance works

ACL security allows you to specify exactly which permissions are inherited by newly created files and directories. <Document:1439307.1> explains how the ACL inheritance bits operate.

Step 3 - Check your NFSv4 Identity Domain configuration

A common problem with NFSv4 clients is that the NFSv4 identity domain on the client does not match that of the server. Because NFSv4 users are presented in a user@domain format, an incorrect identity domain can result in limited or no access to files or mount points. See <Document:1409693.1> for instructions on how to verify that these match.

Step 4 - Check for correct configuration of NFS Exceptions (A.K.A. root squash)

By default, root users on client systems are not given unrestricted access to filesystems on the ZFS Storage Appliance. See <Document:1439295.1> for instructions on how to create NFS Exceptions that allow NFS clients to access the ZFSSA as root.

Step 5 - Known issue with chown for non-root users

By default, only root is able to change ownership of files via NFS. <Document:1439387.1> explains how to change this if necessary.

Step 6 - Collect data and contact Oracle ZFSSA Support

At this point, if you have not been able to resolve the issue with the troubleshooting steps above, a support case is recommended. Having the following data (as available) will help us to expedite a solution:

  • A ZFSSA support bundle. See <Document:1019887.1>
  • File and directory permissions from the command line. In UNIX, use the ls command (-V and -Vd for Solaris, equivalents for other UNIX OS). If there's a file operation involved, collect this data both before and after the operation.
  • Steps to reproduce the problem.
  • If possible, a network capture of the failed attempt to access the file. This should be run from the client, and should begin before the drive is mounted or mapped. See <Document:1398376.1> for details on how to collect a network capture.
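
For Step 3, a client-side check of the identity domain, added here as an example and not taken from the Oracle documents referenced above. It assumes a Linux client that reads its domain from the `Domain` key in the `[General]` section of `/etc/idmapd.conf`; the function names, the sample file and the domain `corp.example.com` are constructed for illustration, and the appliance's domain is supplied by the operator.

```shell
#!/bin/sh
# Added example: compare a Linux client's NFSv4 identity domain with the appliance's.

# Print the Domain value from the [General] section of an idmapd.conf-style
# file. Prints nothing when the key is absent or commented out.
idmap_domain() {
    awk '
        /^[ \t]*#/  { next }    # comment line
        /^[ \t]*\[/ { in_general = (tolower($0) ~ /^[ \t]*\[general\]/); next }
        in_general && tolower($0) ~ /^[ \t]*domain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }
    ' "$1"
}

# Usage: check_idmap_domain <appliance-domain> [config-file]
# Returns 0 on match, 1 on mismatch, 2 if no Domain is set, 3 if unreadable.
check_idmap_domain() {
    expected=$1
    conf=${2:-/etc/idmapd.conf}
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 3; }
    client=$(idmap_domain "$conf")
    if [ -z "$client" ]; then
        echo "UNSET: no Domain in $conf; the client derives one on its own"
        return 2
    fi
    # Assumption of this example: domains are compared case-insensitively.
    a=$(printf '%s' "$client" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    if [ "$a" = "$b" ]; then
        echo "MATCH: $client"
        return 0
    fi
    echo "MISMATCH: client=$client appliance=$expected"
    return 1
}

# Constructed sample configuration; on a real client omit the second argument.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[General]
# Domain = old.example
Domain = Corp.Example.COM
[Mapping]
Nobody-User = nobody
EOF
check_idmap_domain corp.example.com "$sample" || true
check_idmap_domain localdomain "$sample" || true
rm -f "$sample"
```

A return code of 2 deserves the same attention as a mismatch: with no explicit `Domain`, the value the client ends up using depends on its own name resolution and may differ from the appliance's setting.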

References

<NOTE:1019887.1> - Sun Storage 7000 Unified Storage System: How to collect a supportbundle using the BUI or CLI
<NOTE:1409693.1> - Sun Storage 7000 Unified Storage System: NFSv4 clients cannot mount shares if NFSv4 identity domains do not match
<NOTE:1428773.1> - Sun Storage 7000 Unified Storage System: Configuring file and directory permissions for shared access between UNIX and Windows clients.
<NOTE:1439295.1> - Sun Storage 7000 Unified Storage System: Configuring NFS Exceptions for root access
<NOTE:1439307.1> - Sun Storage 7000 Unified Storage System: Configuring file and directory inheritance.
<NOTE:1439387.1> - Sun Storage 7000 Unified Storage System: Non-root user cannot change ownership of files and directories.

Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.