Data ONTAP NFS Administration Exercise Guide - NetApp · PDF fileNETAPP UNIVERSITY Data ONTAP NFS Administration. Exercise Guide. Course ID: STRSW-ILT-NFSAD-REV06 ... Create a UNIX

Data ONTAP NFS Administration

NETAPP UNIVERSITY

Data ONTAP NFS Administration Exercise Guide Course ID: STRSW-ILT-NFSAD-REV06 Catalog Number: STRSW-ILT-NFSAD-REV06-EG Content Version: 1.1

NetApp University - Do Not Distribute

E-2 Data ONTAP NFS Administration: Welcome

© 2015 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.

ATTENTION

The information contained in this course is intended only for training. This course contains information and activities that, while beneficial for the purposes of training in a closed, non-production environment, can result in downtime or other severe consequences in a production environment. This course material is not a technical reference and should not, under any circumstances, be used in production environments. To obtain reference materials, refer to the NetApp product documentation that is located at http://now.netapp.com/.

COPYRIGHT

© 2015 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.

No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of NetApp, Inc.

U.S. GOVERNMENT RIGHTS

Commercial Computer Software. Government users are subject to the NetApp, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

TRADEMARK INFORMATION

NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap, Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries.

Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.


http://www.netapp.com/us/legal/netapptmlist.aspx

E-3 Data ONTAP NFS Administration: Welcome


TABLE OF CONTENTS

WELCOME..................................................................................................................................................... E-1

MODULE 1: NFS OVERVIEW ..................................................................................................................... E1-1

MODULE 2: NFS VERSION 3 ..................................................................................................................... E2-1

MODULE 3: NFS VERSION 4 ..................................................................................................................... E3-1

MODULE 4: NFS VERSION 4.1 .................................................................................................................. E4-1

MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING ......................................................... E5-1

APPENDIX A: ANSWERS ............................................................................................................................. A-1

APPENDIX B: KERBEROS AUTHENTICATION ......................................................................................... B-1


E1-1 Data ONTAP NFS Administration: NFS Overview


MODULE 1: NFS OVERVIEW

EXERCISE 1: ADDING A CLUSTER

In this exercise, you practice setting up OnCommand System Manager and using it to add a cluster to the

administration tool.

OBJECTIVES

By the end of this exercise, you should be able to:

Identify the exercise environment

Log in to the exercise environment

Log in to a cluster by using System Manager

TASK 1: IDENTIFY THE EXERCISE ENVIRONMENT

STEP ACTION

1. With the assistance of your instructor, identify your main Windows server.

NOTE: This machine might be a virtual machine (VM).

IP address: _______________________________________________

Domain: _________________________________________________

Domain administrator password: Netapp123

2. With the assistance of your instructor, identify your clustered Data ONTAP operating system

nodes.

Node 1 management logical interface (LIF) IP address: 192.168.0.51

Node 2 management LIF IP address: 192.168.0.52

Cluster-management LIF IP address: 192.168.0.50

Cluster administrator (admin) password: Netapp123

3. With the assistance of your instructor, identify your Linux machine.

NOTE: This machine might be a VM.

IP address: 192.168.0.21

Root password: Netapp123

Windows Server

Clustered Data ONTAP

Linux Server




TASK 2: LOG IN TO THE EXERCISE ENVIRONMENT

In this task, you use Remote Desktop Connection (RDC) to log in to your assigned exercise environment.

You perform all subsequent tasks from this assigned machine.

STEP ACTION

1. On your local Windows machine desktop, click the Remote Desktop Connection link to log in

to the remote Windows server through the RDC tool.

NOTE: If this link is unavailable, ask your instructor where to find the tool.

2. Enter the IP address of your remote Windows server, and then click Connect.

3. Verify that the desktop of the remote machine is displayed.

4. If you are asked for authentication, enter the username and password that your instructor gave

you.




TASK 3: LOG ON TO A CLUSTER BY USING SYSTEM MANAGER

In this task, you add your cluster management port to the local hosts file, launch System Manager, and log on

to your assigned cluster.

NOTE: For more information about using System Manager to configure a storage system, see the Clustered

Data ONTAP Administration course.

STEP ACTION

1. Verify that you see the Modern view of your assigned Windows server.

2. Click the Desktop tile.




STEP ACTION

3. Verify that you see the administrator’s desktop.

4. On the administrator’s desktop taskbar, click the Internet Explorer icon.

5. Type the IP address of the cluster1 cluster-management LIF, and then press Enter.




STEP ACTION

6. Click Continue to this website (not recommended).

7. Type the username admin and the appropriate password, and then click Sign In to log in.

8. Verify that System Manager is logged in to cluster1.




STEP ACTION

9. In the left pane of System Manager, select Cluster > cluster1.

NOTE: The cluster contains two nodes.

END OF EXERCISE


E2-1 Data ONTAP NFS Administration: NFS Version 3


MODULE 2: NFS VERSION 3

EXERCISE 2: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 3

In this exercise, you create a storage virtual machine (SVM), previously called a virtual storage server

(Vserver), configure the SVM for NFS version 3 (NFSv3), and use the SVM export resources from a Linux

client. (The Linux host has some initial configuration, as described in Appendix B.)

OBJECTIVES


Create a data aggregate

Verify that NFS is licensed

Create an SVM for NFS

Create a UNIX group and user

Define a new export policy and rule

Allocate an aggregate as a resource for an SVM

Create the SVM namespace

Mount the SVM namespace

Describe the effects of file permissions

TASK 1: CREATE A DATA AGGREGATE

In this task, you create a data aggregate to use for storing client data.

STEP ACTION

1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1,

and select Storage.

2. In the right pane, click Create Aggregate.




STEP ACTION

3. Verify that the Create Aggregate wizard opens.

4. On the aggregate details page, specify the following information:

Name: aggr_NFS1

Disk Type: FCAL on cluster1-01

Number of Disks: 16

RAID Type: RAID-DP

5. Click Create.

6. In the left pane, select the Cluster category, expand cluster1 > Storage, and select Aggregates.




STEP ACTION

7. Verify that the list of aggregates is populated.

8. In the right pane, select the new aggregate aggr_NFS1, and review the aggregate details.

TASK 2: VERIFY THE NFS LICENSE ON A CLUSTER

STEP ACTION

1. In the left pane of System Manager, select the Cluster category, expand cluster1 >

Configuration > System Tools, and select Licenses.




STEP ACTION

2. Verify that the NFS License package is licensed.

3. If NFS is not licensed, request a license code from your instructor.

TASK 3: CREATE AN SVM

In this task, you create an SVM with NFS as the allowed protocol and a data logical interface (LIF) for NFS

access.

STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category and select

cluster1.




STEP ACTION

2. In the right pane, click Create to display the Storage Virtual Machine (SVM) Setup dialog box.




STEP ACTION

3. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 1, specify the following

information:

SVM Name: svmNFS

IPspace: Default

Volume Type: FlexVol volumes

Data Protocols: NFS checkbox selected

Default Language: C.UTF-8

Security Style: UNIX

Root Aggregate: aggr_NFS1

Search Domains: learn.netapp.local

Name Servers: 192.168.0.11

4. Click Submit & Continue.




STEP ACTION


information:

Subnet: sub60

Port: cluster1-01:e0d

NOTE: This exercise configures a simple NFS server authenticating users via local users and

groups. Be sure to clear the default NIS configuration so that NIS doesn’t get in the way. Do not

skip this step.

Expand NIS Configuration

Domain Names: Clear the domain name field

IP Addresses: Clear the IP Addresses field

NOTE: Do not create a volume for export at this time.





STEP ACTION


information:

Password: Netapp123

Confirm Password: Netapp123

Create a new LIF for SVM management checkbox: selected

Subnet: sub60






STEP ACTION

9. Review the New Storage Virtual Machine (SVM) Summary page.

10. Click OK.

11. Review the new SVM.

12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >

Configuration > Protocols, and select NFS.




STEP ACTION

13. In the right pane, if Server Status is Not Configured, click Enable to activate NFS.

14. Verify that Server Status and Version 3 Support are Enabled.




STEP ACTION

15. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select

Network.

16. In the right pane, click the Network Interfaces tab.

17. Locate the new data LIF that is authorized for the NFS protocol and record the IP address to use

later.




TASK 4: CREATE A UNIX GROUP AND USER

In this task, you create a UNIX group and user based on a local UNIX user.

STEP ACTION

1. On your Windows desktop, double-click the Link to PuTTY icon.

2. Verify that the PuTTY Configuration dialog box opens.

3. Under Saved Sessions, select Linux.




STEP ACTION

4. Click Load.

5. Click Open to open a session with your storage system.

6. Click Yes to approve the security alert.

7. Verify that you see the login prompt:

login as:

8. At the login prompt, type root.

9. When prompted for the root password, type Netapp123.

10. Verify that you see the command prompt:

#

11. Verify the local student ID:

# id –u student

12. Record the returned value: _____________________




STEP ACTION

13. In the left pane of System Manager, select the Storage Virtual Machines category, expand

cluster1 > svmNFS > Configuration > Users and Groups, and select UNIX.

14. In the right pane, on the Groups tab, click Add Group.

15. In the Add Group dialog box, enter the following information:

Group Name: NFSUserList

Group ID: Use the student ID.

16. Click Add.




STEP ACTION

17. Verify that the new group was created.




STEP ACTION

18. In the right pane, click the Users tab.

19. Click Add User.

20. In the Add User dialog box, enter the following information:

User Name: student

User ID: Use the student ID.

Group Name: NFSUserList

Full Name: Student NFS User

21. Click Add.




STEP ACTION

22. Verify that the new user was created and added to the group.




TASK 5: DEFINE A NEW EXPORT POLICY AND RULE

STEP ACTION


cluster1 > svmNFS > Policies, and select Export Policies.

2. In the Policy area, select default.

No rule is displayed in the Rule Index area.




STEP ACTION

3. Click Add.




STEP ACTION

4. In the Create Export Rule dialog box, specify the following information:

Client Specification: 0.0.0.0/0

Rule Index: 1

Access Protocols: NFS checkbox selected

Read-Only checkbox: selected

Read/Write checkbox: selected

Allow Superuser Access checkbox: selected

5. Click OK.




STEP ACTION

6. Verify that when you select default in the Policy area, the new rule appears in the Rule Index

area.

7. In the right pane, click Create.




STEP ACTION

8. In the Create Export Policy dialog box, in the Policy Name box, type readOnly.

9. In the Export Rules area, click Add to create a rule.




STEP ACTION

10. In the Create Export Rule dialog box, specify the following information:

Client Specification: 0.0.0.0/0

Access Protocols: NFSv3 checkbox selected

Read-Only checkbox: selected

Read/Write checkbox: cleared

Allow Superuser Access checkbox: cleared

11. Click OK.

12. Verify the new policy and rule, and then click Create.




STEP ACTION

13. Note that the new rule is in the first index of the new policy.

14. On your Windows desktop, double-click the Link to PuTTY icon.

15. Verify that the PuTTY Configuration dialog box opens.




STEP ACTION

16. Under Saved Sessions, select cluster1-mgnt.

17. Click Open to open a session with your storage system.

18. Verify that you see the login prompt:

login as:

19. At the login prompt, type admin.

20. When prompted for the root password, type Netapp123.

21. Verify that you see the command prompt:

cluster1::>

22. List the export rules:

cluster1::> vserver export-policy rule show

The output should resemble this sample:

Policy Rule Access Client RO

Vserver Name Index Protocol Match Rule

------------ --------------- ------ -------- -------------------- ---

svmNFS default 1 nfs 0.0.0.0/0 any

svmNFS readOnly 1 nfs3 0.0.0.0/0 any

2 entries were displayed.


http://0.0.0.0/0

http://0.0.0.0/0



STEP ACTION

23. Review the details behind each rule:

cluster1::> vserver export-policy rule show -instance


Vserver: svmNFS

Policy Name: default

Rule Index: 1

Access Protocol: nfs

Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0

RO Access Rule: any

RW Access Rule: any

User ID To Which Anonymous Users Are Mapped: 65534

Superuser Security Types: any

Honor SetUID Bits in SETATTR: true

Allow Creation of Devices: true

Vserver: svmNFS

Policy Name: readOnly

Rule Index: 1

Access Protocol: nfs3

Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0

RO Access Rule: any

RW Access Rule: none

User ID To Which Anonymous Users Are Mapped: 65534

Superuser Security Types: none

Honor SetUID Bits in SETATTR: true

Allow Creation of Devices: true

2 entries were displayed.

24. Answer the following questions:

To which user ID are anonymous users mapped (anon=)? _____

Are any users currently mapped to this ID? _____

(NOTE: In System Manager, select the Storage Virtual Machines category, expand

cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and click

the Users tab to discover the answer.)

If so, who? _____




TASK 6: ALLOCATE AN AGGREGATE AS A RESOURCE FOR AN SVM

In this task, you enable your newly created SVM to provision the aggregate that you created earlier.

STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category and select

cluster1.

2. In the right pane, select svmNFS.

3. Click Edit.




STEP ACTION

4. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.

5. On the Resource Allocation tab, specify the following information:

Delegate volume creation: selected

aggr_NFS1 checkbox: selected

6. Click Save and Close to complete the process.




TASK 7: CREATE THE SVM NAMESPACE

In this task, you create two volumes, associate the export policies to each volume, and verify the namespace

for the SVM.

STEP ACTION


cluster1 > svmNFS > Storage, and select Volumes.





STEP ACTION

3. In the Create Volume dialog box, specify the following information:

Name: vol_NFS1

Aggregate: Use the Choose button to choose aggr_NFS1.

Storage Type: NAS (Used for CIFS or NFS access)

Total Size: 1 GB

Snapshot Reserve (%): 5

Thin Provisioned checkbox: cleared

4. Click Create.




STEP ACTION

5. Verify that the volume was created.





STEP ACTION


Name: vol_NFS2

Aggregate: Use the Choose button to choose aggr_NFS1.

Storage Type: NAS (Used for CIFS or NFS access)

Total Size: 1 GB






STEP ACTION

8. Verify that the new volume was created.

9. In the left pane, select Namespace.




STEP ACTION

10. Note that both new volumes are automatically mounted under the root node, with the default

export policy.

11. In the right pane, select the vol_NFS2 node, and then click Change Export Policy.

12. In the Change Export Policy dialog box, select the readOnly policy for vol_NFS2.

13. Click Change.

14. Verify that your namespace is similar to this example.




TASK 8: MOUNT THE SVM NAMESPACE

In this task, you log in as root to the client Linux host and mount the SVM namespace. Then you explore the

results of the export policies.

STEP ACTION

1. Use PuTTY to log in to the Linux client as root.

2. Verify whether rpcbind is started.

# service rpcbind status

NOTE: Within Red Hat Linux 6 and later, portmapper is part of rpcbind.

3. If rpcbind is not running, start it. (If the process is already running, skip this step.)

# service rpcbind start


Starting rpcbind: [ OK ]

4. Verify whether the NFS service is running:

# service nfs status


rpc.svcgssd is stopped

rpc.mountd is stopped

nfsd is stopped

rpc.rquotad is stopped

5. Start the NFS service:

# service nfs start


Starting NFS services: [ OK ]

Starting NFS quotas: [ OK ]

Starting NFS mountd: [ OK ]

Stopping RPC idmapd: [ OK ]

Starting RPC idmapd: [ OK ]

Starting NFS daemon: [ OK ]

6. Change the directory to the mount folder:

# cd /mnt

7. Create a mount folder that is named svmNFS-v3:

# mkdir svmNFS-v3

8. Verify the permissions:

# ls –l


drwxr-xr-x. 2 root root 4096 Nov 6 12:35 svmNFS-v3




STEP ACTION

9. Mount the SVM namespace at this new folder:

# mount –t nfs –o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3

NOTE: You recorded the NFS LIF IP address in Task 3 of this exercise.

10. Attempt to change the directory to the mount location:

# cd svmNFS-v3

11. Answer the following question:

Was the previous step successful? _____

12. List the directory contents:

# ls


vol_NFS1 vol_NFS2

13. Attempt to create a file in the root directory of the SVM namespace:

# touch foo




# ls –l


total 8

-rw-r--r--. 1 root root 0 Feb 24 11:49 foo

drwx------. 2 root bin 4096 Feb 24 11:49 vol_NFS1

drwx------. 2 root bin 4096 Feb 24 10:59 vol_NFS2

NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.

In this exercise, files are created in the namespace root for demonstration purposes only.

16. Attempt to change the directory to vol_NFS1:

# cd vol_NFS1



18. Attempt to create a file:

# touch foo






STEP ACTION


# ls


foo

21. Change the directory to vol_NFS2:

# cd ../vol_NFS2


# touch foo

23. Review the readOnly policy (the policy for vol_NFS2) rule permissions.


Were you able to create a file? _____

Why or why not? _____




TASK 9: DESCRIBE THE EFFECTS OF FILE PERMISSIONS

In this task, you grant global read access to vol_NFS1. Then you change to a student user account and explore

the effect of the current file permissions.

STEP ACTION

1. Navigate to the mount point directory:

# cd /mnt

2. Verify the current permissions:

# ls –l


total 4

drwxr-xr-x. 4 root bin 4096 Jun 19 15:48 svmNFS-v3

3. Set the mount point permissions so that everyone has access:

# chmod 777 svmNFS-v3

4. Verify the change:

# ls –l


total 4

drwxrwxrwx. 4 root bin 4096 Jun 19 15:48 svmNFS-v3

5. Navigate inside the version 3 mount:

# cd svmNFS-v3

6. Verify the current permissions:

# ls –l


total 8

-rw-r--r--. 1 root root 0 Jun 19 15:48 foo

drwxr-xr-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1


7. Change the directory permissions of vol_NFS1:

# chmod 705 vol_NFS1

8. Verify the change:

# ls –l


total 8


Drwx---r-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1





STEP ACTION

9. Navigate to the mount point directory:

# cd /mnt

10. Switch to the student user:

# su student


$

11. Attempt to change the directory to the mount location:

$ cd svmNFS-v3



13. Attempt to create a file in the root directory of the SVM namespace:

$ touch foo1



15. List the directory’s contents:

$ ls –l


total 8


-rw-rw-r--. 1 student student 0 Jun 19 16:02 foo1

drwxr-xr_x. 2 root bin 4096 Jun 19 15:48 vol_NFS1


NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.

Files were created in this location for demonstration purposes only.

16. Attempt to change the directory to the vol_NFS1:

$ cd vol_NFS1


Was the previous step successful? ______


$ touch foo1



20. Attempt to change the directory to the vol_NFS2:

$ cd ../vol_NFS2




STEP ACTION




$ touch foo1


Was the previous step successful? ______

24. Switch to the root user:

$ su root

25. Enter the root password:

Password: Netapp123


#

END OF EXERCISE





EXERCISE 3: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4

In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server

(Vserver), for NFS version 4 (NFSv4) and use the SVM export resources from a Linux client. This exercise

explores NFSv4 referrals, access control lists (ACLs), and read and write delegations.

OBJECTIVES


Configure an SVM with a new storage volume and logical interface (LIF)

Enable NFSv4 features on an SVM and client

Describe an NFSv4 export on a client

Create NFSv4 ACLs

TASK 1: CONFIGURE AN SVM WITH A NEW STORAGE VOLUME AND LIF

In this task, you create an aggregate in the cluster and a storage volume and LIF for the SVM that you created

in an earlier exercise. You then add this volume to the namespace. You will use the new volume and LIF to

demonstrate NFSv4 referrals in Task 3.

STEP ACTION

1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1

> Storage, and select Aggregates.


3. Verify that the Create Aggregate wizard opens.




STEP ACTION

4. On the aggregate details page, specify the following information:

Name: aggr_NFS2

Disk Type: FCAL on cluster1-02

Number of Disks: 16

RAID Configuration: RAID-DP

5. Click Create.

6. Verify that the new aggregate appears in the Aggregates list.

7. In the left pane, select the Storage Virtual Machines category and select cluster1.

8. In the right pane, select svmNFS, and then click Edit.

9. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.




STEP ACTION

10. Select the aggr_NFS2 checkbox for the new aggregate.

11. Click Save and Close.




STEP ACTION


Storage, and select Volumes.





STEP ACTION


Name: vol_NFS3

Aggregate: aggr_NFS2

Total Size: 1 GB



NOTE: Use the Choose button to select the correct Aggregate value.

15. Click Create.




STEP ACTION

16. Verify that your new volume was created.


Storage, and select Namespace.




STEP ACTION

18. Verify the export policy and namespace mounted location of the new volume.

19. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select

Network.

20. In the right pane, click the Network Interfaces tab to begin creating a data LIF.


22. Verify that the Create Network Interface wizard has opened.




STEP ACTION

23. On the network interface properties page, specify the following information:

Name: svmNFS_nfs_lif2

Interface Role: Serves Data

SVM: svmNFS

Protocol Access NFS checkbox: selected

Subnet: sub60


24. Click Create.




STEP ACTION

25. Verify the new LIF, and record the IP address to use later.




TASK 2: ENABLE NFSV4 FEATURES ON AN SVM AND CLIENT

In this task, you enable NFSv4 features in System Manager and then configure the domain ID in the CLI of

the cluster. You then set the domain ID on the client.

STEP ACTION


cluster1 > svmNFS > Configuration > Protocols, and select NFS.

2. In the right pane, click Edit.




STEP ACTION

3. In the Edit NFS Settings dialog box, specify the following information:

Support version 3 checkbox: selected

Support version 4.0 checkbox: selected

ACLs checkbox: selected

Read delegation checkbox: selected

Write delegation checkbox: selected





STEP ACTION

5. Verify that Version 3 Support and Version 4 Support are Enabled on this SVM.

6. Use PuTTY to launch a Secure Shell (SSH) session to the cluster management interface of your

assigned cluster.

7. Set the interface to advanced privilege:

cluster1::> set -privilege advanced

8. At the prompt, type y:

Do you want to continue? {y|n}: y

9. View the current NFS settings of your SVM:

cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-

domain,v4.0-referrals

vserver v4.0-referrals v4-id-domain

------- -------------- ------------

svmNFS disabled defaultv4iddomain.com

10. Set the v4 ID domain to example.com and turn on NFSv4 referrals:

cluster1::*> vserver nfs modify -vserver svmNFS -v4-id-domain

example.com -v4.0-referrals enabled




STEP ACTION

11. Verify the changes:

cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-

domain,v4.0-referrals

vserver v4.0-referrals v4-id-domain

------- -------------- ------------

svmNFS enabled example.com

12. Log in to the Linux client as root.

13. Edit the /etc/idmapd.conf file:

# vi /etc/idmapd.conf

14. Scroll down until you see the following output:

[General]

#Verbosity = 0

# The following should be set to the local NFSv4 domain name

# The default is the host's DNS domain name.

#Domain…

15. Type i to enter insert mode.

16. Remove the hashtag symbol (#) that appears before Domain in the output.

17. Delete the existing domain name.

18. Type example.com as your domain name.

19. Verify the changed domain name in the output:

[General]

#Verbosity = 0



Domain = example.com

…

20. Press ESC to exit insert mode.

21. Type :wq to save and exit the virtual interface (VI).

22. Review the list of the file and verify that the changes occurred:

# cat /etc/idmapd.conf


[General]

#Verbosity = 0



Domain = example.com

…


http://example.com/

http://example.com/



STEP ACTION

23. Restart the rpcidmapd service:

# service rpcidmapd restart

NOTE: This step is required because of the changes that you made to the

/etc/idmapd.conf file.

TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT

In this task, you use NFSv4 to mount a file system and explore the results. You create a second SSH session

and use tcpdump to analyze the Ethernet traffic and verify the NFSv4 referral feature.

STEP ACTION

1. After the rpcidmapd restart completes, leave this Linux session open.

NOTE: For the remainder of this exercise, this session is called SESSION 1.


# cd /mnt


# mkdir svmNFS-v4

4. Open a second PuTTY session to the Linux machine and log in as the root user.

NOTE: For the remainder of this exercise, this session will be called SESSION 2.

5. On SESSION 2, start a tcpdump command by looking for 2049:

# tcpdump -nv | grep 2049


Why are you looking for 2049? _____

7. With the SESSION 2 window visible, on SESSION 1, use the IP address of the first LIF

(svmNFS_nfs_lif1) on the svmNFS SVM to create an NFSv4 mount of the SVM namespace:

# mount –t nfs4 –o acl 192.168.0.60:/ /mnt/svmNFS-v4


Using SESSION 2, which SVM LIF is used for this operation? _____

9. On SESSION 1, use NFS version 3 (NFSv3) to remount the SVM:

# mount –t nfs –o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3






STEP ACTION

11. On SESSION 1, verify the current mounts:

# mount


…

192.168.0.60:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)

192.168.0.60:/ on /mnt/svmNFS-v4 type nfs4

(rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21)

12. On SESSION 1, change the directory to the NFSv4-attached mount point:

# cd svmNFS-v4


Using SESSION 2, which SVM interface is used for this operation? _____

14. On SESSION 1, list the directory:

# ls -l



16. On SESSION 1, change the directory to vol_NFS3:

# cd vol_NFS3

The output on SESSION 2 should resemble this sample:

…

192.168.0.21.699965736 > 192.168.0.60.2049: 156 getattr fh 0,0/22

192.168.0.60.2049 > 192.168.0.21.699965736: reply ok 180 getattr NON 3 ids 0/15 sz 0

192.168.0.21.716742952 > 192.168.0.60.2049: 156 getattr fh 0,0/22


192.168.0.21.732889002 > 192.168.0.62.2049: 40 null

192.168.0.62.2049 > 192.168.0.21.732889002: reply ok 24 null

192.168.0.21.749666218 > 192.168.0.62.2049: 108 getattr fh 0,0/24


192.168.0.21.766443434 > 192.168.0.62.2049: 136 getattr fh 0,0/22


192.168.0.21.783220650 > 192.168.0.62.2049: 140 getattr fh 0,0/22

192.168.0.62.2049 > 192.168.0.21.783220650: reply ok 108 getattr NON 2 ids 0/9 sz 0…



Why? _____

18. On SESSION 1, navigate to the NFSv3 mount point:

# cd /mnt/svmNFS-v3


Using SESSION 2, which SVM LIF is used for this operation? _




STEP ACTION

20. On SESSION 1, change the directory to vol_NFS3:

# cd vol_NFS3

The output on SESSION 2 should resemble this sample:

…

192.168.0.21.3320203757 > 192.168.0.60.2049: 144 readdirplus fh

Unknown/00010000040400800000000040000000DC605F00010400800000000040000000 4096 bytes @ 0 max

32768 verf 0000000000000000

192.168.0.60.2049 > 192.168.0.21.3320203757: reply ok 300 readdirplus POST: DIR 755 ids

0/0 sz 4096 verf 0000000000000000



Why? _____

22. On SESSION 1, change the directory to the NFSv4-attached mount point:

# cd /mnt/svmNFS-v4


# ls -l

total 12

-rw-r--r--. 1 root root 0 Nov 6 12:44 foo

-rw-rw-r--. 1 student nobody 0 Nov 6 12:50 foo1

drwxr-xr-x. 2 root root 4096 Nov 6 12:45 vol_NFS1



NOTE: These names are resolved by default because System Manager 2.2 and later create the

root user (id=0) and the daemon group (id=1). Without these users and group, the output would

resemble the following:

total 12

-rw-r--r--. 1 nobody nobody 0 Nov 6 12:44 foo

-rw-rw-r--. 1 nobody nobody 0 Nov 6 12:50 foo1

drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:45 vol_NFS1






TASK 4: CREATE NFSV4 ACLS

In this task, you create NFSv4 ACLs and verify the results of setting an ACL. This task uses SESSION 1

only. You do not use SESSION 2. Either close SESSION 2 now or use it for your own research as you

complete this task.

STEP ACTION

1. Verify the directory location and the NFSv4 mount location:

# pwd

/mnt/svmNFS-v4

2. Change the directory to vol_NFS3:

# cd vol_NFS3

3. Create a file that is named foo:

# touch foo

4. List the directory:

# ls –l

total 0


5. Explore the default file ACL:

# nfs4_getfacl foo


A::OWNER@:rwatTnNcCy

A:g:GROUP@:rtncy

A::EVERYONE@:rtncy

6. Change the directory up one level:

# cd ..


# su student


$

8. Attempt to use the student user account to change the directory to vol_NFS3:

$ cd vol_NFS3



10. Switch to the root user:

$ su root




STEP ACTION

11. Enter the root user password:

Password: Netapp123


#

12. Navigate to the svmNFS-v4 directory:

# cd /mnt/svmNFS-v4

13. Explore the ACL for the vol_NFS3 directory:

# nfs4_getfacl vol_NFS3


A::OWNER@:rwaDxtTnNcCy

A:g:GROUP@:rxtncy

A::EVERYONE@:rxtncy

14. Give the student (user ID 500) user account the ALLOW ability to read, write, execute, read

attributes, read name attributes, read ACL, and enable clients to use synchronous I/O with the

SVM:

# nfs4_setfacl -a A::500:rwxtncy vol_NFS3

15. Verify the current ACL for the vol_NFS3 directory:



A::[email protected]:rwxtncy


A:g:GROUP@:rxtncy

A::EVERYONE@:rxtncy

16. Navigate to the vol_NFS3 directory:

# cd vol_NFS3

17. Deny the student (user ID 500) user account access to the foo file:

# nfs4_setfacl -a D::500:rwxtncy foo


# nfs4_getfacl foo


D::[email protected]:rwxtcy

A::OWNER@:rwatTnNcCy

A:g:GROUP@:rtncy

A::EVERYONE@:rtncy

19. Navigate to the svmNFS-v4 directory:

# cd /mnt/svmNFS-v4




STEP ACTION


# su student


$

21. Attempt to use the student user account to change the directory to vol_NFS3:

$ cd vol_NFS3



23. Create a file that is named foo2:

$ touch foo2

24. Verify the file:

$ ls -l


total 0


-rw-rw-r--. 1 student nobody 0 Jun 19 16:56 foo2

25. Attempt to create a subdirectory:

$ mkdir test



Why or why not? _____

27. Attempt to read the foo file:

$ cat foo



29. Switch the user to root:

$ su root

30. Enter the root user password:

Password: Netapp123


#

31. Change the directory up one level:

# cd ..




STEP ACTION



A::[email protected]:rwxtncy


A:g:GROUP@:rxtncy

A::EVERYONE@:rxtncy

33. Remove the first access control entry (ACE) to test a change to the ACL for the vol_NFS3

directory:

# nfs4_setfacl --test -x 1 vol_NFS3

## Test mode only - the resulting ACL for "/mnt/svmNFS-

v4/vol_NFS3":


A:g:GROUP@:rxtncy

A::EVERYONE@:rxtncy

34. Remove the first ACE from the vol_NFS3 directory ACL:

# nfs4_setfacl -x 1 vol_NFS3

35. Verify the changed ACL for the vol_NFS3 directory:




A:g:GROUP@:rxtncy

A::EVERYONE@:rxtncy

END OF EXERCISE


E4-1 Data ONTAP NFS Administration: NFS Version 4.1


MODULE 4: NFS VERSION 4.1

EXERCISE 4: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4.1

In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server

(Vserver), for NFS version 4.1 (NFSv4.1). You use the SVM export resources from a compatible Linux

client.

OBJECTIVES


Configure an SVM for NFSv4.1

Describe an NFSv4.1 export on a client

Analyze the effects of a volume move operation on parallel NFS (pNFS)

TASK 1: CONFIGURE AN SVM FOR NFSV4.1

In this task, you enable NFSv4.1 features within OnCommand System Manager and then configure the

domain ID in the CLI of the cluster.

STEP ACTION


svmNFS > Configuration > Protocols, and select NFS.





STEP ACTION

3. Verify that the Support version 3, Support version 4.0, and Support version 4.1 checkboxes are

selected.


5. Verify that NFS Version 3 Support, Version 4 Support, and Version 4.1 Support are Enabled on

this SVM.

6. Launch a PuTTy session to the CLI of your assigned Data ONTAP cluster.

7. Set the interface to advanced privilege:

cluster1::> set -privilege advanced




STEP ACTION



9. Verify the current settings of your NFS server:

cluster1::*> vserver nfs show -vserver svmNFS


Vserver: svmNFS

General NFS Access: true

RPC GSS Context Cache High Water Mark: 0

RPC GSS Context Idle: 0

NFS v3: enabled

NFS v4.0: enabled

UDP Protocol: enabled

TCP Protocol: enabled

Spin Authentication: disabled

Default Windows User: -

Enable NFSv3 EJUKEBOX error: true

Require All NFSv3 Reads to Return Read Attributes: false

Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled

Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled

Vserver NTFS Unix Security Options: use_export_policy

Vserver Change Ownership Mode: use_export_policy

NFS Response Trace Enabled: false

NFS Response Trigger (in secs): 60

UDP Maximum Transfer Size: 32768

TCP Maximum Transfer Size: 65536

NFSv3 TCP Maximum Read Size: 65536

NFSv3 TCP Maximum Write Size: 65536

NFSv4.0 ACL Support: enabled

NFSv4.0 Read Delegation Support: enabled

NFSv4.0 Write Delegation Support: enabled


NFSv4.0 Referral Support: enabled

NFSv4 ID Mapping Domain: learn.netapp.local

NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled

NFSv4 Lease Timeout Value (in secs): 30

NFSv4 Grace Timeout Value (in secs): 45

Preserves and Modifies NFSv4 ACL : enabled

NFSv4.1 Minor Version Support: enabled

Rquota Enable: disabled

NFSv4.1 Implementation ID Domain: netapp.com

NFSv4.1 Implementation ID Name: NetApp Release 8.2RC1 Cluster-Mode

NFSv4.1 Implementation ID Date: Tue Mar 26 21:02:39 2013

NFSv4.1 Parallel NFS Support: enabled

NFSv4.1 Referral Support: disabled

NFSv4.1 ACL Support: disabled

NFS vStorage Support: disabled

Default Windows Group: -

NFSv4.1 Read Delegation Support: disabled

NFSv4.1 Write Delegation Support: disabled

Number of Slots in the NFSv4.x Session slot tables: 180

Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes): 640

Maximum Number of ACEs per ACL: 400

NFS Mount Root Only: enabled

NFS Root Only: disabled

10. Review the output and note that NFSv4.1 pNFS support is enabled by default.




STEP ACTION

11. Turn on NFSv4.1 access control lists (ACLs) and set the implementation domain and name:

cluster1::*> vserver nfs mod -vserver svmNFS -v4.1-acl enabled

-v4.1-implementation-domain example.com

-v4.1-implementation-name example

12. Verify the changes:

cluster1::*> vserver nfs show -vserver svmNFS


Vserver: svmNFS General NFS Access: true

RPC GSS Context Cache High Water Mark: 0

RPC GSS Context Idle: 0

NFS v2: disabled

NFS v3: enabled

NFSv4.0: enabled

UDP Protocol: enabled

TCP Protocol: enabled

Spin Authentication: disabled

Default Windows User: -

Enable NFSv3 EJUKEBOX error: false

Require All NFSv3 Reads to Return Read Attributes: false


Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled

Vserver NTFS Unix Security Options: use_export_policy

Vserver Change Ownership Mode: use_export_policy

NFS Response Trace Enabled: false

NFS Response Trigger (in secs): 60

UDP Maximum Transfer Size: 32768

TCP Maximum Transfer Size: 65536


NFSv4.0 Read Delegation Support: enabled

NFSv4.0 Write Delegation Support: enabled


NFSv4.0 Referral Support: enabled

NFSv4 ID Mapping Domain: example.com

NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled

NFSv4 Lease Timeout Value (in secs): 30

NFSv4 Grace Timeout Value (in secs): 45

Preserves and Modifies NFSv4 ACL : enabled

NFSv4.1 Minor Version Support: enabled

Rquota Enable: disabled

NFSv4.1 Implementation ID Domain: example.com

NFSv4.1 Implementation ID Name: example

NFSv4.1 Implementation ID Date: Wed Dec 31 16:00:00 1969

NFSv4.1 Parallel NFS Support: enabled

NFSv4.1 Referral Support: disabled


NFS vStorage Support: disabled




STEP ACTION


Configuration, and select Network.

14. In the right pane, on the Network Interfaces tab, verify that the current port is the same as the

home port (not failed over) for each network interface.

NOTE: LIF1 should be on node 1 and LIF2 should be on node 2.




STEP ACTION


Storage, and select Namespace to display the current namespace for the SVM.




STEP ACTION

16. In the left pane, select Volumes and verify that vol_NFS1 and vol_NFS2 are on node 1 and that

vol_NFS3 is on node 2.

NOTE: Multiple volumes on multiple nodes are accessible by multiple logical interfaces (LIFs).




TASK 2: DESCRIBE AN NFSV4.1 EXPORT ON A CLIENT

In this task, you use NFSv4.1 to mount a file system and you explore the results. You create a second PuTTY

session and use tcpdump to analyze the Ethernet traffic and to verify the NFSv4.1 pNFS feature.

STEP ACTION

1. Log in to the Linux client as root.


2. Edit the dist.conf file:

# vi /etc/modprobe.d/dist.conf

3. Use the arrow keys to navigate to the bottom of the file.

4. Enter insert mode by typing i:

i

5. Press Enter to create a new line.

6. Enter the following alias configuration:

alias nfs-layouttype4-1 nfs_layout_nfsv41_files


8. Type :wq to save and quit the editor.

9. Review the file to determine whether you correctly edited the dist.conf file:

# tail /etc/modprobe.d/dist.conf

10. Restart rpcidmapd:

# /etc/rc.d/init.d/rpcidmapd restart


# cd /mnt


# mkdir svmNFS-v41

13. Open a second PuTTY session to the Linux machine and log in as root.


14. On SESSION 2, start a tcpdump command by looking for 2049:

# tcpdump -nv | grep 2049

15. With the SESSION 2 window visible, on SESSION 1, use the IP address of svmNFS-lif1on the

svmNFS SVM to create an NFSv4.1 mount of the SVM namespace:

# mount –t nfs4 –o minorversion=1,acl 192.168.0.60:/

/mnt/svmNFS-v41




STEP ACTION



Which node in the cluster is the pNFS metadata server? _____

17. Verify the current mounts:

# mount


…

192.168.0.161:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)

192.168.0.161:/ on /mnt/svmNFS-v4 type nfs4

(rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21) 192.168.0.161:/ on /mnt/svmNFS-v41 type nfs4

(rw,minorversion=1,acl,addr=192.168.0.60,clientaddr=192.168.0.21)

18. On SESSION 1, change the directory to the NFSv4.1-attached mount point:

# cd svmNFS-v41




# ls -l


total 12

-rw-r--r--. 1 root root 0 Mar 4 12:44 foo

-rw-rw-r--. 1 student nobody 0 Mar 4 12:50 foo1

drwxr-xr-x. 2 root root 4096 Mar 4 12:45 vol_NFS1





22. On SESSION 1, access a volume on the metadata server:

# cd vol_NFS1


# ls -l


total 0




On which node is this interface? _____




STEP ACTION

25. On SESSION 1, navigate up one level:

# cd ..

26. On SESSION 1, access a volume on a data server:

# cd vol_NFS3


# ls -l


total 0


-rw-rw-r--. 1 nobody nobody 0 Mar 4 13:53 foo2




29. Edit the foo file:

# vi foo

30. Type i to enter insert mode.

31. Enter some data.


33. Type :wq to save and quit the editor.




35. Use SESSION 2 to further explore pNFS and which interface is used for each file operation.

NOTE: pNFS is complex, and which interface is used is sometimes unclear. The file-system

operations (read and write) on a volume that is mounted on node1 and node 2 are in your

assigned cluster on SESSION 1.




TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS

In this task, you move a volume from node 2 to node 1 and analyze the results on a Linux client.

STEP ACTION


cluster1 > svmNFS > Storage, and select Volumes.

2. In the right pane, select vol_NFS3 on node 2.

3. Click Move.




STEP ACTION

4. In the Move Volume dialog box, in the Destination Aggregate section, select aggr_NFS1.

5. Click Move.

6. In the Move Volume confirmation dialog box, click Move.

7. After the move volume operation is complete, the Move Volume dialog box displays a Job ID.




STEP ACTION

8. Click the Job ID value.

9. Note the state of the move volume job.

10. On SESSION 1, perform some read and write operations to the vol_NFS3 directory while the

move volume operation is running.

For example, run the ls – l, cat, and touch commands.

11. On SESSION 2, verify which interfaces are used during the operations.

12. In the right pane of System Manager, on the Current Jobs tab, click Refresh.

13. On SESSION 1, perform a few read and write operations to the vol_NFS3 directory while the

volume move operation is running.

For example, run the ls – l, cat, and touch commands.




STEP ACTION

14. On SESSION 2, verify which interfaces are used during the operations.


Which interface is used for write operations? _____

Which interface is used for read operations? _____

Which interface is used for getattrib operations? _____

END OF EXERCISE


E5-1 Data ONTAP NFS Administration: Performance and Basic Troubleshooting


MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING

No exercise is associated with Module 5.


A-1 Data ONTAP NFS Administration: Appendix A: Answers


APPENDIX A: ANSWERS

MODULE 1: NFS OVERVIEW

No answers provided.


TASK 5: DEFINE A NEW EXPORT POLICY AND RULE

STEP ACTION


To which user ID are anonymous users mapped (anon=)? 65534

Are any users currently mapped to this ID? yes

(NOTE: In System Manager, select the Storage Virtual Machines category, expand

cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and

click the Users tab to discover the answer.)

If so, who? pcuser

TASK 8: MOUNT THE SVM NAMESPACE

STEP ACTION


Was the previous step successful? yes








Were you able to create a file? no; read-only file system

Why or why not? The export policy’s rule associated with this volume is set to read-only.




TASK 9: EXPLORE FILE PERMISSIONS

STEP ACTION








Was the previous step successful? no; permission denied




Was the previous step successful? no; read-only file system





TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT

STEP ACTION


Why are you looking for 2049? because that is the port that nfsd uses


Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1




Using SESSION 2, which SVM interface is used for this operation? svmNFS_nfs_lif1





Why? Because the volume is on node 2 and the original LIF was on node 1, a referral

occurred moving the access LIF to svmNFS-lif2.





Why? because NFSv3 does not do referrals

TASK 4: CREATE NFSV4 ACLS

STEP ACTION






Was the previous step successful? no, permission was denied

Why or why not? because student user does not have the append (“a”) permission


Was the previous step successful? no, permission was denied




MODULE 4: NFS VERSION 4.1

TASK 2: EXPLORE AN NFSV4.1 EXPORT ON A CLIENT

STEP ACTION


Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1

Which node in the cluster is the pNFS metadata server? node 1







On which node is this interface? node 1

TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS

STEP ACTION


Which interface is used for write operations? svmNFS-lif1

Which interface is used for read operations? svmNFS-lif1

Which interface is used for getattrib operations? svmNFS-lif1


B-1 Data ONTAP NFS Administration: Appendix B: Kerberos Authentication


APPENDIX B: KERBEROS AUTHENTICATION

EXERCISE A

In this exercise, you configure Active Directory Kerberos authentication for an NFS mount.

OBJECTIVES


Configure clustered Data ONTAP for NFS Active Directory authentication

Configure Windows for NFS Active Directory authentication

Configure Linux for NFS Active Directory authentication

TASK 1: CONFIGURE CLUSTERED DATA ONTAP FOR NFS ACTIVE DIRECTORY AUTHENTICATION

In this task, you configure Kerberos in the cluster. You then configure a storage virtual machine (SVM)

logical interface (LIF) to use Kerberos configuration, while specifying a service principal name (SPN) for the

SVM. Finally, you confirm that the SPN is mapping appropriately.

STEP ACTION

1. From a Secure Shell (SSH) session, log in to your cluster as admin.

2. Set a preferred active directory server for svmNFS:

cluster1::> vserver active-directory preferred-dc add -vserver svmNFS

-domain learn.netapp.local -preferred-dc 192.168.0.11

3. Verify the preferred server:

cluster1::> vserver active-directory preferred-dc show




STEP ACTION


Configuration > System Tools, and select Date and Time.


6. In the Edit Date and Time dialog box, specify the following information:

Time Zone: US/Pacific (or the time zone of your assigned Active Directory server)

Timer Servers: 192.168.0.11

NOTE: Use the Add button to add the entry for Time Servers.




STEP ACTION

7. Click OK.

8. Verify that the cluster date and time synchronize to within 5 minutes of your kit’s Windows

machine. This process can take several minutes.




STEP ACTION


cluster1 > svmNFS > Configuration > Services, and select Kerberos Realm.


11. Verify that the Create Kerberos Realm wizard opens.




STEP ACTION

12. Click Next.

13. On the Basic Details page, specify the following information:

Kerberos Realm: learn.netapp.local

KDC IP Address: 192.168.0.11

KDC Port: 88

KDC Vendor: Microsoft

14. Click Next.




STEP ACTION

15. On the Advanced Details page, specify the following information:

Password Server IP: 192.168.0.11

AD Server Name: w2k12

AD Server IP: 192.168.0.11

16. Click Next.




STEP ACTION

17. Verify the configuration.

18. Click Next.

19. Verify that the operation was successful.

20. Click Finish.




STEP ACTION

21. Verify that Kerberos is configured properly for the SVM.


cluster1 > svmNFS > Configuration > Services, and select DNS.




STEP ACTION

23. Verify that DNS services are properly configured to the Microsoft DNS server.

NOTE: In your educational environment, the DNS server is usually the same server as your

Active Directory server.


Configuration > Services, and select Kerberos Interface.




STEP ACTION

25. In the right pane, select svmNFS_nfs_lif1.


27. In the Edit Kerberos Configuration dialog box, specify the following information:

Interface Name: svmNFS_nfs_lif1

Enable Kerberos checkbox: selected

Kerberos Realm: LEARN.NETAPP.LOCAL

Service Principal Name: nfs/[email protected]

Admin User Name: administrator

Admin Password: Netapp123




STEP ACTION

28. Click OK.

29. Verify that svmNFS_nfs_lif1 is configured for Kerberos with a valid SPN.

NOTE: In a production environment, you would configure multiple paths for redundancy.




STEP ACTION


Configuration > Users and Groups, and select Name Mapping.

31. In the right pane, click Add.




STEP ACTION

32. In the Add Name Mapping Entry dialog box, specify the following information:

Direction: Kerberos to UNIX

Position: 1

Pattern: nfs/[email protected]

Replacement: pcuser

33. Click Add.




STEP ACTION

34. Verify that the SPN that svmNFS_nfs_lif1 uses is properly mapped to pcuser.

NOTE: You can also create an NFS UNIX user to ensure that the NFS name is properly

authenticated.

35. From a Secure Shell (SSH) session, log in as admin and change to diagnostic mode:

cluster1::> set -privilege diag



37. Verify that the name mapping is working:

cluster1::*> diag secd name-mapping show –node cluster1-01

–vserver svmNFS –direction krb-unix

–name nfs/[email protected]


nfs/[email protected] maps to pcuser

38. Verify the Kerberos encryption types that are enabled for NFS:

cluster1::*> nfs show -vserver svmNFS -fields permitted-enc-types

vserver permitted-enc-types

------- ------------------------

svmNFS des,des3,aes-128,aes-256




TASK 2: CONFIGURE WINDOWS FOR NFS ACTIVE DIRECTORY AUTHENICATION

In this task, you configure a group policy to enable Windows to use AES encryption. Configure the Windows

DNS server to perform reserve lookups. You create DNS entries for the SVM and the Linux host. You create

a new SPN in Active Directory for the Linux host and transfer that keytab to the Linux host. Finally, you

configure the Linux Active Directory identity to use AES encryption.

STEP ACTION

1. On your assigned Windows system, open Server Manager.

2. Verify that the Server Manager dialog box opens.




STEP ACTION

3. From the Tools menu, select Group Policy Management.

4. Verify that the Group Policy Management window opens.

5. In the left pane, navigate to Group Policy Management > Forest: learn.netapp.local >

Domains > learn.netapp.local > Default Domain.




STEP ACTION

6. Click OK to confirm the warning message.

7. Verify that Default Domain is selected in the left pane.

8. In the left pane, right-click Default Domain and select Edit.

9. Verify that the Group Policy Management Editor opens.




STEP ACTION

10. In the left pane, navigate to Default Domain Policy > Computer Configuration > Policies >

Windows Settings > Security Settings > Local Policies > Security Options.

11. In the right pane, double-click the policy Network security: Configure encryption types

allowed for Kerberos.




STEP ACTION

12. On the Security Policy Setting tab, specify the following information:

Select the Define these policy settings checkbox.

Select all the encryption type checkboxes.

Verify that AES128_HMAC_SHA1 and AES256_HMAC_SHA1 are included.

13. Click OK.

14. Close the Group Policy Management Editor dialog box.

15. Close the Group Policy Management dialog box.

16. From the Server Manager Tool menu, select DNS.

17. Verify that DNS Manager opens.




STEP ACTION

18. In the left pane, navigate to W2K12 > Reverse Lookup Zones.

19. Right-click Reverse Lookup Zones and select New Zone to open the New Zone Wizard.

20. Click Next.




STEP ACTION

21. On the Zone Type page, specify the following information:

Primary zone: selected

Store the zone in Active Directory checkbox: selected

22. Click Next.

23. Select To all DNS servers running on domain controllers in this domain:

learn.netapp.local.

24. Click Next.




STEP ACTION

25. Select IPv4 Reverse Lookup Zone.

26. Click Next.

27. In the Network ID field, type 192.168.0.

28. Click Next.




STEP ACTION

29. Select Allow only secure dynamic updates (recommended for Active Directory).

30. Click Next.

31. Review the summary.

32. Click Finish.




STEP ACTION

33. Verify that the reverse lookup zone was created.

34. Open a Windows PowerShell command prompt on your Windows server.

35. Create a DNS entry for the Linux host:

PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local

centos65 /CreatePTR A 192.168.0.21

36. Create a DNS entry for the Kerberos SPN that is associated with the SVM LIF IP address:

PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local

kerberos /CreatePTR A 192.168.0.60




STEP ACTION

37. Create a computer account for the Linux host:

PS C:\> dsadd computer

"CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local"


dsadd succeeded:CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local

38. Import the Active Directory module:

PS C:\> import-module activedirectory

39. Modify the computer account for the Linux host identity to enable AES encryption:

PS C:\> Set-ADComputer -Identity centos65 -Replace @{’msDS-

SupportedEncryptionTypes’=28}

40. Modify the computer account for the SVM identity to enable AES encryption:

PS C:\> Set-ADComputer -Identity NFS-KERBEROS-LE -Replace

@{’msDS-SupportedEncryptionTypes’=28}

41. Create an SPN for the new Linux computer account:

PS C:\> setspn -s root/centos65.learn.netapp.local centos65


Checking domain DC=learn,DC=netapp,DC=local

Registering ServicePrincipalNames for

CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local

root/centos65.learn.netapp.local

Updated object

42. Verify the SPN:

PS C:\> setspn -L centos65


Registered ServicePrincipalNames for

CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local:


43. Query the SPN:

PS C:\> setspn /Q root/centos65.learn.netapp.local


Checking domain DC=learn,DC=netapp,DC=local

CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local


Existing SPN found!




STEP ACTION

44. Use ktpass to create the mappings for the SPN and output the mappings to the keytab files:

PS C:\> ktpass -princ

root/[email protected] -mapuser

LEARN\centos65$ -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL

+Answer -out centos65.keytab


Targeting domain controller: w2k12.nau.com

Using legacy password setting method

Successfully mapped root/centos65.learn.netapp.local to CENTOS65$.

WARNING: Account CENTOS65$ is not a user account (uacflags=0x1021).

WARNING: Resetting CENTOS65$'s password may cause authentication problems if

CEN

TOS64$ is being used as a server.

Reset CENTOS65$'s password [y/n]? auto:

YES

WARNING: pType and account type do not match. This might cause problems.

Key created.

Key created.

Key created.

Key created.

Key created.

Output keytab to centos65.keytab:

Keytab version: 0x502

keysize 78 root/[email protected] ptype 1

(KRB5_NT_

PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2c7689bf257f15dc)


(KRB5_NT_

PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2c7689bf257f15dc)


(KRB5_NT_

PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16

(0x68a60a541ba235cb9d946cca0b6b237d)


(KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32

(0xdc3bd08a9a487a0d1839f

81b670f24da44ce93bb5c4988ea96689f1a8f282e06)


(KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16

(0xab2ec0cb98670247d8bab38788d39aa0)

45. Open a command-prompt window.




STEP ACTION

46. Copy the keytab file to the Linux host and provide the root password. You will be prompted for

the root user’s password.

C:\> pscp centos65.keytab

[email protected]:/root/centos65.keytab

[email protected]’s password: Netapp123

svmNFS_nfs_lif1.keytab | 0 kB | 0.1 kB/s | ETA: 00:00:00 | 100%

TASK 3: CONFIGURE LINUX FOR NFS ACTIVE DIRECTORY AUTHENTICATION

In this task, you import the Linux credentials that were created in Windows in /etc/krb5.keytab. You

enable secure NFS authentication in the /etc/sysconfig/nfs.conf file. You configure the Kerberos

realm information in the /etc/krb5.conf file and restart the GSSd service. Finally, you log in with a user

account in Active Directory, mount an export by using Kerberos authentication, and verify read and write

permissions.

STEP ACTION

1. On the Linux host, navigate to the root home directory:

# cd /root

2. Verify that the keytab file was transferred successfully:

# ls

anaconda-ks.cfg install.log.syslog upgrade.log.syslog

install.log upgrade.log centos65.keytab

3. Start the ktutil tool:

# ktutil

ktutil:

4. Read the keytab file:

ktutil: rkt centos65.keytab

5. List the keytab file:

ktutil: list

slot KVNO Principal

---- ---- ---------------------------------------------------------------------

1 2 root/[email protected]





6. Write the keytab file:

ktutil: wkt /etc/krb5.keytab




STEP ACTION

7. Quit the ktutil tool:

ktutil: q

#

8. Start vi to edit the NFS configuration file:

# vi /etc/sysconfig/nfs

9. Using the cursor keys, navigate within the file until you find the following line:

#SECURE_NFS="yes"

10. Place your cursor on the # sign.

11. Type r and then press the space bar to remove the # sign.

12. Save the file and exit vi by typing :wq.

13. Verify that the line now reads SECURE_NFS="yes":.

# cat /etc/sysconfig/nfs




STEP ACTION

14. Edit the krb5.conf file with vi.

Hint: You will edit or insert the lines below in bold typeface.

# vi /etc/krb5.conf

The file should resemble this sample:

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = LEARN.NETAPP.LOCAL

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

allow_weak_crypto = true

[realms]

LEARN.NETAPP.LOCAL = {

kdc = w2k12.learn.netapp.local

default_domain = learn.netapp.local

}

[domain_realm]

.netapp.local = LEARN.NETAPP.LOCAL

.learn.netapp.local = LEARN.NETAPP.LOCAL

15. Verify the configuration of the krb5.conf file:

# cat /etc/krb5.conf

16. Relaunch the GSSd service:

# service rpcgssd restart

Stopping RPC gssd: [ OK ]

Starting RPC gssd: [ OK ]

17. Log in with the credentials that are configured in Active Directory:

# kinit administrator




STEP ACTION

18. Provide the correct password:

Password for [email protected]: Netapp123

19. List the current authenticated user:

# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: [email protected]

Valid starting Expires Service principal

11/08/14 10:01:49 11/08/14 20:01:05

krbtgt/[email protected]

renew until 11/15/14 10:00:49

11/08/14 10:01:49 11/08/14 20:01:05

root/[email protected]

renew until 11/15/14 10:00:49

20. Remove the current authenticated user:

# kdestroy


# klist

klist: No credentials cache found (ticket cache

FILE:/tmp/krb5cc_0)

22. Log in again with the credentials that are configured in Active Directory:

# kinit administrator

23. Provide the correct password:

Password for [email protected]: Netapp123


# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: [email protected]

Valid starting Expires Service principal

11/08/14 10:01:49 11/08/14 20:02:05

krbtgt/[email protected]

renew until 11/15/14 10:01:49

11/08/14 10:01:49 11/08/14 20:02:05

root/[email protected]

renew until 11/15/14 10:01:49




STEP ACTION

25. Navigate to the mount directory:

# cd /mnt

26. Make a new mount directory:

# mkdir svmNFS-krb

27. Mount the SVM by using Kerberos authentication:

# mount –t nfs4 -o sec=krb5 192.168.0.60:/ /mnt/svmNFS-krb

28. Navigate into the mount directory:

# cd svmNFS-krb

29. List the contents:

# ls –l

30. Verify write capability:

# touch krb

31. List the contents:

# ls –l

32. Read the empty file:

# cat krb

END OF EXERCISE


Documents

Data ONTAP NFS Administration Exercise Guide - NetApp · PDF fileNETAPP UNIVERSITY Data ONTAP NFS Administration. Exercise Guide. Course ID: STRSW-ILT-NFSAD-REV06 ... Create a UNIX