Data ONTAP NFS Administration
NETAPP UNIVERSITY
Data ONTAP NFS Administration Exercise Guide Course ID: STRSW-ILT-NFSAD-REV06 Catalog Number: STRSW-ILT-NFSAD-REV06-EG Content Version: 1.1
NetApp University - Do Not Distribute
E-2 Data ONTAP NFS Administration: Welcome
© 2015 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.
ATTENTION
The information contained in this course is intended only for training. This course contains information and activities that, while beneficial for the purposes of training in a closed, non-production environment, can result in downtime or other severe consequences in a production environment. This course material is not a technical reference and should not, under any circumstances, be used in production environments. To obtain reference materials, refer to the NetApp product documentation that is located at http://now.netapp.com/.
COPYRIGHT
© 2015 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.
No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of NetApp, Inc.
U.S. GOVERNMENT RIGHTS
Commercial Computer Software. Government users are subject to the NetApp, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
TRADEMARK INFORMATION
NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap, Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries.
Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.
TABLE OF CONTENTS
WELCOME
MODULE 1: NFS OVERVIEW
MODULE 2: NFS VERSION 3
MODULE 3: NFS VERSION 4
MODULE 4: NFS VERSION 4.1
MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING
APPENDIX A: ANSWERS
APPENDIX B: KERBEROS AUTHENTICATION
MODULE 1: NFS OVERVIEW
EXERCISE 1: ADDING A CLUSTER
In this exercise, you practice setting up OnCommand System Manager and using it to add a cluster to the
administration tool.
OBJECTIVES
By the end of this exercise, you should be able to:
Identify the exercise environment
Log in to the exercise environment
Log in to a cluster by using System Manager
TASK 1: IDENTIFY THE EXERCISE ENVIRONMENT
STEP ACTION
1. With the assistance of your instructor, identify your main Windows server.
NOTE: This machine might be a virtual machine (VM).
IP address: _______________________________________________
Domain: _________________________________________________
Domain administrator password: Netapp123
2. With the assistance of your instructor, identify your clustered Data ONTAP operating system
nodes.
Node 1 management logical interface (LIF) IP address: 192.168.0.51
Node 2 management LIF IP address: 192.168.0.52
Cluster-management LIF IP address: 192.168.0.50
Cluster administrator (admin) password: Netapp123
3. With the assistance of your instructor, identify your Linux machine.
NOTE: This machine might be a VM.
IP address: 192.168.0.21
Root password: Netapp123
TASK 2: LOG IN TO THE EXERCISE ENVIRONMENT
In this task, you use Remote Desktop Connection (RDC) to log in to your assigned exercise environment.
You perform all subsequent tasks from this assigned machine.
STEP ACTION
1. On your local Windows machine desktop, click the Remote Desktop Connection link to log in
to the remote Windows server through the RDC tool.
NOTE: If this link is unavailable, ask your instructor where to find the tool.
2. Enter the IP address of your remote Windows server, and then click Connect.
3. Verify that the desktop of the remote machine is displayed.
4. If you are asked for authentication, enter the username and password that your instructor gave
you.
TASK 3: LOG ON TO A CLUSTER BY USING SYSTEM MANAGER
In this task, you add your cluster management port to the local hosts file, launch System Manager, and log on
to your assigned cluster.
NOTE: For more information about using System Manager to configure a storage system, see the Clustered
Data ONTAP Administration course.
STEP ACTION
1. Verify that you see the Modern view of your assigned Windows server.
2. Click the Desktop tile.
3. Verify that you see the administrator’s desktop.
4. On the administrator’s desktop taskbar, click the Internet Explorer icon.
5. Type the IP address of the cluster1 cluster-management LIF, and then press Enter.
6. Click Continue to this website (not recommended).
7. Type the username admin and the appropriate password, and then click Sign In to log in.
8. Verify that System Manager is logged in to cluster1.
9. In the left pane of System Manager, select Cluster > cluster1.
NOTE: The cluster contains two nodes.
END OF EXERCISE
MODULE 2: NFS VERSION 3
EXERCISE 2: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 3
In this exercise, you create a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), configure the SVM for NFS version 3 (NFSv3), and use the SVM export resources from a Linux
client. (The Linux host has some initial configuration, as described in Appendix B.)
OBJECTIVES
By the end of this exercise, you should be able to:
Create a data aggregate
Verify that NFS is licensed
Create an SVM for NFS
Create a UNIX group and user
Define a new export policy and rule
Allocate an aggregate as a resource for an SVM
Create the SVM namespace
Mount the SVM namespace
Describe the effects of file permissions
TASK 1: CREATE A DATA AGGREGATE
In this task, you create a data aggregate to use for storing client data.
STEP ACTION
1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1,
and select Storage.
2. In the right pane, click Create Aggregate.
3. Verify that the Create Aggregate wizard opens.
4. On the aggregate details page, specify the following information:
Name: aggr_NFS1
Disk Type: FCAL on cluster1-01
Number of Disks: 16
RAID Type: RAID-DP
5. Click Create.
6. In the left pane, select the Cluster category, expand cluster1 > Storage, and select Aggregates.
7. Verify that the list of aggregates is populated.
8. In the right pane, select the new aggregate aggr_NFS1, and review the aggregate details.
TASK 2: VERIFY THE NFS LICENSE ON A CLUSTER
STEP ACTION
1. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Licenses.
2. Verify that the NFS License package is licensed.
3. If NFS is not licensed, request a license code from your instructor.
TASK 3: CREATE AN SVM
In this task, you create an SVM with NFS as the allowed protocol and a data logical interface (LIF) for NFS
access.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.
2. In the right pane, click Create to display the Storage Virtual Machine (SVM) Setup dialog box.
3. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 1, specify the following
information:
SVM Name: svmNFS
IPspace: Default
Volume Type: FlexVol volumes
Data Protocols: NFS checkbox selected
Default Language: C.UTF-8
Security Style: UNIX
Root Aggregate: aggr_NFS1
Search Domains: learn.netapp.local
Name Servers: 192.168.0.11
4. Click Submit & Continue.
5. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 2, specify the following
information:
Subnet: sub60
Port: cluster1-01:e0d
NOTE: This exercise configures a simple NFS server authenticating users via local users and
groups. Be sure to clear the default NIS configuration so that NIS doesn’t get in the way. Do not
skip this step.
Expand NIS Configuration
Domain Names: Clear the domain name field
IP Addresses: Clear the IP Addresses field
NOTE: Do not create a volume for export at this time.
6. Click Submit & Continue.
7. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 3, specify the following
information:
Password: Netapp123
Confirm Password: Netapp123
Create a new LIF for SVM management checkbox: selected
Subnet: sub60
Port: cluster1-02:e0d
8. Click Submit & Continue.
9. Review the New Storage Virtual Machine (SVM) Summary page.
10. Click OK.
11. Review the new SVM.
12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Protocols, and select NFS.
13. In the right pane, if Server Status is Not Configured, click Enable to activate NFS.
14. Verify that Server Status and Version 3 Support are Enabled.
15. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.
16. In the right pane, click the Network Interfaces tab.
17. Locate the new data LIF that is authorized for the NFS protocol and record the IP address to use
later.
TASK 4: CREATE A UNIX GROUP AND USER
In this task, you create a UNIX group and user based on a local UNIX user.
STEP ACTION
1. On your Windows desktop, double-click the Link to PuTTY icon.
2. Verify that the PuTTY Configuration dialog box opens.
3. Under Saved Sessions, select Linux.
4. Click Load.
5. Click Open to open a session with your storage system.
6. Click Yes to approve the security alert.
7. Verify that you see the login prompt:
login as:
8. At the login prompt, type root.
9. When prompted for the root password, type Netapp123.
10. Verify that you see the command prompt:
#
11. Verify the local student ID:
# id -u student
12. Record the returned value: _____________________
13. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Users and Groups, and select UNIX.
14. In the right pane, on the Groups tab, click Add Group.
15. In the Add Group dialog box, enter the following information:
Group Name: NFSUserList
Group ID: Use the student ID.
16. Click Add.
17. Verify that the new group was created.
18. In the right pane, click the Users tab.
19. Click Add User.
20. In the Add User dialog box, enter the following information:
User Name: student
User ID: Use the student ID.
Group Name: NFSUserList
Full Name: Student NFS User
21. Click Add.
22. Verify that the new user was created and added to the group.
TASK 5: DEFINE A NEW EXPORT POLICY AND RULE
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Policies, and select Export Policies.
2. In the Policy area, select default.
No rule is displayed in the Rule Index area.
3. Click Add.
4. In the Create Export Rule dialog box, specify the following information:
Client Specification: 0.0.0.0/0
Rule Index: 1
Access Protocols: NFS checkbox selected
Read-Only checkbox: selected
Read/Write checkbox: selected
Allow Superuser Access checkbox: selected
5. Click OK.
6. Verify that when you select default in the Policy area, the new rule appears in the Rule Index
area.
7. In the right pane, click Create.
8. In the Create Export Policy dialog box, in the Policy Name box, type readOnly.
9. In the Export Rules area, click Add to create a rule.
10. In the Create Export Rule dialog box, specify the following information:
Client Specification: 0.0.0.0/0
Access Protocols: NFSv3 checkbox selected
Read-Only checkbox: selected
Read/Write checkbox: cleared
Allow Superuser Access checkbox: cleared
11. Click OK.
12. Verify the new policy and rule, and then click Create.
13. Note that the new rule is in the first index of the new policy.
14. On your Windows desktop, double-click the Link to PuTTY icon.
15. Verify that the PuTTY Configuration dialog box opens.
16. Under Saved Sessions, select cluster1-mgnt.
17. Click Open to open a session with your storage system.
18. Verify that you see the login prompt:
login as:
19. At the login prompt, type admin.
20. When prompted for the root password, type Netapp123.
21. Verify that you see the command prompt:
cluster1::>
22. List the export rules:
cluster1::> vserver export-policy rule show
The output should resemble this sample:
             Policy          Rule   Access   Client               RO
Vserver      Name            Index  Protocol Match                Rule
------------ --------------- ------ -------- -------------------- ---
svmNFS       default         1      nfs      0.0.0.0/0            any
svmNFS       readOnly        1      nfs3     0.0.0.0/0            any
2 entries were displayed.
23. Review the details behind each rule:
cluster1::> vserver export-policy rule show -instance
The output should resemble this sample:
Vserver: svmNFS
Policy Name: default
Rule Index: 1
Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
2 entries were displayed.
24. Answer the following questions:
To which user ID are anonymous users mapped (anon=)? _____
Are any users currently mapped to this ID? _____
(NOTE: In System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and click
the Users tab to discover the answer.)
If so, who? _____
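Both rules listed in steps 22 and 23 match every client (0.0.0.0/0), and the default rule also grants read/write and superuser access under any security type. The following added example (not part of the NetApp course material) parses `vserver export-policy rule show -instance` output in the layout shown above and flags such rules; the finding names and the `labClientOnly` rule are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two rules from the exercise's sample output.
SAMPLE = """\
Vserver: svmNFS
Policy Name: default
Rule Index: 1
Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
2 entries were displayed.
"""

# Constructed "tightened" rule (hypothetical, not from the course):
# only the lab Linux client, AUTH_SYS only, root mapped to the anonymous UID.
TIGHTENED = """\
Vserver: svmNFS
Policy Name: labClientOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 192.168.0.21
RO Access Rule: sys
RW Access Rule: sys
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
"""

CLIENT_LABEL = "Client Match Hostname, IP Address, Netgroup, or Domain"
# Security types that accept AUTH_SYS, where the client merely asserts its UID/GID.
AUTH_SYS_FLAVORS = {"any", "sys"}


def parse_rules(text):
    """Split `rule show -instance` output into one dict per export rule."""
    rules, current = [], None
    for line in text.splitlines():
        # Labels contain no colon, so the first colon ends the label even
        # when the value is an IPv6 network such as ::/0.
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if not sep or not value:
            continue  # blank lines and the "N entries were displayed." footer
        if label == "Vserver":  # first field of every record
            current = {}
            rules.append(current)
        if current is not None:
            current[label] = value
    return rules


def matches_every_client(client_match):
    """True for a /0 network; hostnames, netgroups and domains are not IP networks."""
    try:
        return ipaddress.ip_network(client_match, strict=False).prefixlen == 0
    except ValueError:
        return False


def flavors(rule, label):
    return {f.strip().lower() for f in rule.get(label, "").split(",") if f.strip()}


def audit(rule):
    """Return the list of findings (hypothetical names) for one parsed rule."""
    findings = []
    open_match = any(matches_every_client(c.strip())
                     for c in rule.get(CLIENT_LABEL, "").split(","))
    if open_match:
        findings.append("open-clientmatch")
    if open_match and flavors(rule, "RW Access Rule") & AUTH_SYS_FLAVORS:
        findings.append("rw-from-any-host")
    if flavors(rule, "Superuser Security Types") & AUTH_SYS_FLAVORS:
        # A client-asserted UID 0 stays root instead of being mapped to the anonymous UID.
        findings.append("root-not-squashed")
    return findings


def audit_all(text):
    return {(r["Vserver"], r["Policy Name"], r["Rule Index"]): audit(r)
            for r in parse_rules(text)}


if __name__ == "__main__":
    for key, findings in {**audit_all(SAMPLE), **audit_all(TIGHTENED)}.items():
        print(key, findings or "ok")
```
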
TASK 6: ALLOCATE AN AGGREGATE AS A RESOURCE FOR AN SVM
In this task, you enable your newly created SVM to provision the aggregate that you created earlier.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.
2. In the right pane, select svmNFS.
3. Click Edit.
4. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.
5. On the Resource Allocation tab, specify the following information:
Delegate volume creation: selected
aggr_NFS1 checkbox: selected
6. Click Save and Close to complete the process.
TASK 7: CREATE THE SVM NAMESPACE
In this task, you create two volumes, associate the export policies to each volume, and verify the namespace
for the SVM.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.
2. In the right pane, click Create.
3. In the Create Volume dialog box, specify the following information:
Name: vol_NFS1
Aggregate: Use the Choose button to choose aggr_NFS1.
Storage Type: NAS (Used for CIFS or NFS access)
Total Size: 1 GB
Snapshot Reserve (%): 5
Thin Provisioned checkbox: cleared
4. Click Create.
5. Verify that the volume was created.
6. In the right pane, click Create.
7. In the Create Volume dialog box, specify the following information:
Name: vol_NFS2
Aggregate: Use the Choose button to choose aggr_NFS1.
Storage Type: NAS (Used for CIFS or NFS access)
Total Size: 1 GB
Snapshot Reserve (%): 5
Thin Provisioned checkbox: cleared
8. Verify that the new volume was created.
9. In the left pane, select Namespace.
10. Note that both new volumes are automatically mounted under the root node, with the default
export policy.
11. In the right pane, select the vol_NFS2 node, and then click Change Export Policy.
12. In the Change Export Policy dialog box, select the readOnly policy for vol_NFS2.
13. Click Change.
14. Verify that your namespace is similar to this example.
TASK 8: MOUNT THE SVM NAMESPACE
In this task, you log in as root to the client Linux host and mount the SVM namespace. Then you explore the
results of the export policies.
STEP ACTION
1. Use PuTTY to log in to the Linux client as root.
2. Verify whether rpcbind is started.
# service rpcbind status
NOTE: Within Red Hat Linux 6 and later, portmapper is part of rpcbind.
3. If rpcbind is not running, start it. (If the process is already running, skip this step.)
# service rpcbind start
The output should resemble this sample:
Starting rpcbind: [ OK ]
4. Verify whether the NFS service is running:
# service nfs status
The output should resemble this sample:
rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
5. Start the NFS service:
# service nfs start
The output should resemble this sample:
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS mountd: [ OK ]
Stopping RPC idmapd: [ OK ]
Starting RPC idmapd: [ OK ]
Starting NFS daemon: [ OK ]
6. Change the directory to the mount folder:
# cd /mnt
7. Create a mount folder that is named svmNFS-v3:
# mkdir svmNFS-v3
8. Verify the permissions:
# ls -l
The output should resemble this sample:
drwxr-xr-x. 2 root root 4096 Nov 6 12:35 svmNFS-v3
9. Mount the SVM namespace at this new folder:
# mount -t nfs -o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3
NOTE: You recorded the NFS LIF IP address in Task 3 of this exercise.
10. Attempt to change the directory to the mount location:
# cd svmNFS-v3
11. Answer the following question:
Was the previous step successful? _____
12. List the directory contents:
# ls
The output should resemble this sample:
vol_NFS1 vol_NFS2
13. Attempt to create a file in the root directory of the SVM namespace:
# touch foo
14. Answer the following question:
Was the previous step successful? _____
15. List the directory contents:
# ls -l
The output should resemble this sample:
total 8
-rw-r--r--. 1 root root 0 Feb 24 11:49 foo
drwx------. 2 root bin 4096 Feb 24 11:49 vol_NFS1
drwx------. 2 root bin 4096 Feb 24 10:59 vol_NFS2
NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.
In this exercise, files are created in the namespace root for demonstration purposes only.
16. Attempt to change the directory to vol_NFS1:
# cd vol_NFS1
17. Answer the following question:
Was the previous step successful? _____
18. Attempt to create a file:
# touch foo
19. Answer the following question:
Was the previous step successful? _____
20. List the directory contents:
# ls
The output should resemble this sample:
foo
21. Change the directory to vol_NFS2:
# cd ../vol_NFS2
22. Attempt to create a file:
# touch foo
23. Review the readOnly policy (the policy for vol_NFS2) rule permissions.
24. Answer the following questions:
Were you able to create a file? _____
Why or why not? _____
TASK 9: DESCRIBE THE EFFECTS OF FILE PERMISSIONS
In this task, you grant global read access to vol_NFS1. Then you change to a student user account and explore
the effect of the current file permissions.
STEP ACTION
1. Navigate to the mount point directory:
# cd /mnt
2. Verify the current permissions:
# ls -l
The output should resemble this sample:
total 4
drwxr-xr-x. 4 root bin 4096 Jun 19 15:48 svmNFS-v3
3. Set the mount point permissions so that everyone has access:
# chmod 777 svmNFS-v3
4. Verify the change:
# ls -l
The output should resemble this sample:
total 4
drwxrwxrwx. 4 root bin 4096 Jun 19 15:48 svmNFS-v3
5. Navigate inside the version 3 mount:
# cd svmNFS-v3
6. Verify the current permissions:
# ls -l
The output should resemble this sample:
total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
drwxr-xr-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2
7. Change the directory permissions of vol_NFS1:
# chmod 705 vol_NFS1
8. Verify the change:
# ls -l
The output should resemble this sample:
total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
drwx---r-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2
9. Navigate to the mount point directory:
# cd /mnt
10. Switch to the student user:
# su student
The output should resemble this sample:
$
11. Attempt to change the directory to the mount location:
$ cd svmNFS-v3
12. Answer the following question:
Was the previous step successful? _____
13. Attempt to create a file in the root directory of the SVM namespace:
$ touch foo1
14. Answer the following question:
Was the previous step successful? _____
15. List the directory’s contents:
$ ls -l
The output should resemble this sample:
total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
-rw-rw-r--. 1 student student 0 Jun 19 16:02 foo1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2
NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.
Files were created in this location for demonstration purposes only.
16. Attempt to change the directory to vol_NFS1:
$ cd vol_NFS1
17. Answer the following question:
Was the previous step successful? ______
18. Attempt to create a file:
$ touch foo1
19. Answer the following question:
Was the previous step successful? _____
20. Attempt to change the directory to vol_NFS2:
$ cd ../vol_NFS2
21. Answer the following question:
Was the previous step successful? _____
22. Attempt to create a file:
$ touch foo1
23. Answer the following question:
Was the previous step successful? ______
24. Switch to the root user:
$ su root
25. Enter the root password:
Password: Netapp123
The output should resemble this sample:
#
END OF EXERCISE
MODULE 3: NFS VERSION 4
EXERCISE 3: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4
In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), for NFS version 4 (NFSv4) and use the SVM export resources from a Linux client. This exercise
explores NFSv4 referrals, access control lists (ACLs), and read and write delegations.
OBJECTIVES
By the end of this exercise, you should be able to:
Configure an SVM with a new storage volume and logical interface (LIF)
Enable NFSv4 features on an SVM and client
Describe an NFSv4 export on a client
Create NFSv4 ACLs
TASK 1: CONFIGURE AN SVM WITH A NEW STORAGE VOLUME AND LIF
In this task, you create an aggregate in the cluster and a storage volume and LIF for the SVM that you created
in an earlier exercise. You then add this volume to the namespace. You will use the new volume and LIF to
demonstrate NFSv4 referrals in Task 3.
STEP ACTION
1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1
> Storage, and select Aggregates.
2. In the right pane, click Create.
3. Verify that the Create Aggregate wizard opens.
4. On the aggregate details page, specify the following information:
Name: aggr_NFS2
Disk Type: FCAL on cluster1-02
Number of Disks: 16
RAID Configuration: RAID-DP
5. Click Create.
6. Verify that the new aggregate appears in the Aggregates list.
7. In the left pane, select the Storage Virtual Machines category and select cluster1.
8. In the right pane, select svmNFS, and then click Edit.
9. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.
10. Select the aggr_NFS2 checkbox for the new aggregate.
11. Click Save and Close.
12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Volumes.
13. In the right pane, click Create.
14. In the Create Volume dialog box, specify the following information:
Name: vol_NFS3
Aggregate: aggr_NFS2
Total Size: 1 GB
Snapshot Reserve (%): 5
Thin Provisioned checkbox: cleared
NOTE: Use the Choose button to select the correct Aggregate value.
15. Click Create.
16. Verify that your new volume was created.
17. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace.
18. Verify the export policy and namespace mounted location of the new volume.
19. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.
20. In the right pane, click the Network Interfaces tab to begin creating a data LIF.
21. In the right pane, click Create.
22. Verify that the Create Network Interface wizard has opened.
23. On the network interface properties page, specify the following information:
Name: svmNFS_nfs_lif2
Interface Role: Serves Data
SVM: svmNFS
Protocol Access NFS checkbox: selected
Subnet: sub60
Port: cluster1-02:e0d
24. Click Create.
25. Verify the new LIF, and record the IP address to use later.
TASK 2: ENABLE NFSV4 FEATURES ON AN SVM AND CLIENT
In this task, you enable NFSv4 features in System Manager and then configure the domain ID in the CLI of
the cluster. You then set the domain ID on the client.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Protocols, and select NFS.
2. In the right pane, click Edit.
3. In the Edit NFS Settings dialog box, specify the following information:
Support version 3 checkbox: selected
Support version 4.0 checkbox: selected
ACLs checkbox: selected
Read delegation checkbox: selected
Write delegation checkbox: selected
4. Click Save and Close.
5. Verify that Version 3 Support and Version 4 Support are Enabled on this SVM.
6. Use PuTTY to launch a Secure Shell (SSH) session to the cluster management interface of your
assigned cluster.
7. Set the interface to advanced privilege:
cluster1::> set -privilege advanced
8. At the prompt, type y:
Do you want to continue? {y|n}: y
9. View the current NFS settings of your SVM:
cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-domain,v4.0-referrals
vserver v4.0-referrals v4-id-domain
------- -------------- ---------------------
svmNFS  disabled       defaultv4iddomain.com
10. Set the v4 ID domain to example.com and turn on NFSv4 referrals:
cluster1::*> vserver nfs modify -vserver svmNFS -v4-id-domain example.com -v4.0-referrals enabled
11. Verify the changes:
cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-domain,v4.0-referrals
vserver v4.0-referrals v4-id-domain
------- -------------- ------------
svmNFS  enabled        example.com
12. Log in to the Linux client as root.
13. Edit the /etc/idmapd.conf file:
# vi /etc/idmapd.conf
14. Scroll down until you see the following output:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain…
15. Type i to enter insert mode.
16. Remove the hashtag symbol (#) that appears before Domain in the output.
17. Delete the existing domain name.
18. Type example.com as your domain name.
19. Verify the changed domain name in the output:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com
…
20. Press ESC to exit insert mode.
21. Type :wq to save the file and exit the vi editor.
22. Review the contents of the file and verify that the changes occurred:
# cat /etc/idmapd.conf
The output should resemble this sample:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com
…
23. Restart the rpcidmapd service:
# service rpcidmapd restart
NOTE: This step is required because of the changes that you made to the
/etc/idmapd.conf file.
TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT
In this task, you use NFSv4 to mount a file system and explore the results. You create a second SSH session
and use tcpdump to analyze the Ethernet traffic and verify the NFSv4 referral feature.
STEP ACTION
1. After the rpcidmapd restart completes, leave this Linux session open.
NOTE: For the remainder of this exercise, this session is called SESSION 1.
2. Change the directory to the mount folder:
# cd /mnt
3. Create a mount folder that is named svmNFS-v4:
# mkdir svmNFS-v4
4. Open a second PuTTY session to the Linux machine and log in as the root user.
NOTE: For the remainder of this exercise, this session will be called SESSION 2.
5. On SESSION 2, start tcpdump and filter its output for 2049:
# tcpdump -nv | grep 2049
6. Answer the following question:
Why are you looking for 2049? _____
7. With the SESSION 2 window visible, on SESSION 1, use the IP address of the first LIF
(svmNFS_nfs_lif1) on the svmNFS SVM to create an NFSv4 mount of the SVM namespace:
# mount -t nfs4 -o acl 192.168.0.60:/ /mnt/svmNFS-v4
8. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? _____
9. On SESSION 1, use NFS version 3 (NFSv3) to remount the SVM:
# mount -t nfs -o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3
10. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? _____
11. On SESSION 1, verify the current mounts:
# mount
The output should resemble this sample:
…
192.168.0.60:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)
192.168.0.60:/ on /mnt/svmNFS-v4 type nfs4 (rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21)
12. On SESSION 1, change the directory to the NFSv4-attached mount point:
# cd svmNFS-v4
13. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? _____
14. On SESSION 1, list the directory:
# ls -l
15. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? _____
16. On SESSION 1, change the directory to vol_NFS3:
# cd vol_NFS3
The output on SESSION 2 should resemble this sample:
…
192.168.0.21.699965736 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.699965736: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.716742952 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.716742952: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.732889002 > 192.168.0.62.2049: 40 null
192.168.0.62.2049 > 192.168.0.21.732889002: reply ok 24 null
192.168.0.21.749666218 > 192.168.0.62.2049: 108 getattr fh 0,0/24
192.168.0.62.2049 > 192.168.0.21.749666218: reply ok 248 getattr NON 3 ids 0/10 sz 0
192.168.0.21.766443434 > 192.168.0.62.2049: 136 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.766443434: reply ok 92 getattr NON 2 ids 0/9 sz 0
192.168.0.21.783220650 > 192.168.0.62.2049: 140 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.783220650: reply ok 108 getattr NON 2 ids 0/9 sz 0…
17. Answer the following questions:
Using SESSION 2, which SVM LIF is used for this operation? _____
Why? _____
18. On SESSION 1, navigate to the NFSv3 mount point:
# cd /mnt/svmNFS-v3
19. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? _____
20. On SESSION 1, change the directory to vol_NFS3:
# cd vol_NFS3
The output on SESSION 2 should resemble this sample:
…
192.168.0.21.3320203757 > 192.168.0.60.2049: 144 readdirplus fh Unknown/00010000040400800000000040000000DC605F00010400800000000040000000 4096 bytes @ 0 max 32768 verf 0000000000000000
192.168.0.60.2049 > 192.168.0.21.3320203757: reply ok 300 readdirplus POST: DIR 755 ids 0/0 sz 4096 verf 0000000000000000
21. Answer the following questions:
Using SESSION 2, which SVM LIF is used for this operation? _____
Why? _____
22. On SESSION 1, change the directory to the NFSv4-attached mount point:
# cd /mnt/svmNFS-v4
23. On SESSION 1, list the directory:
# ls -l
total 12
-rw-r--r--. 1 root root 0 Nov 6 12:44 foo
-rw-rw-r--. 1 student nobody 0 Nov 6 12:50 foo1
drwxr-xr-x. 2 root root 4096 Nov 6 12:45 vol_NFS1
drwxr-xr-x. 2 root root 4096 Nov 6 12:22 vol_NFS2
drwxr-xr-x. 2 root root 4096 Nov 6 13:00 vol_NFS3
NOTE: These names are resolved by default because System Manager 2.2 and later create the
root user (id=0) and the daemon group (id=1). Without these users and group, the output would
resemble the following:
total 12
-rw-r--r--. 1 nobody nobody 0 Nov 6 12:44 foo
-rw-rw-r--. 1 nobody nobody 0 Nov 6 12:50 foo1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:45 vol_NFS1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:22 vol_NFS2
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 13:00 vol_NFS3
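Added example (not part of the original exercise guide): a Python script that reads output in the format of the SESSION 2 samples in this task and reports which LIF address received each NFS request and where the client moved to a different LIF, as it does when it follows the NFSv4 referral into vol_NFS3. The sample lines are constructed from the output shown in step 16, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

NFS_PORT = "2049"

# Constructed sample in the format printed by: tcpdump -nv | grep 2049
# For NFS traffic, the number after the client address is the RPC
# transaction ID (XID), not a source port.
SAMPLE = """\
192.168.0.21.699965736 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.699965736: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.732889002 > 192.168.0.62.2049: 40 null
192.168.0.62.2049 > 192.168.0.21.732889002: reply ok 24 null
192.168.0.21.749666218 > 192.168.0.62.2049: 108 getattr fh 0,0/24
192.168.0.62.2049 > 192.168.0.21.749666218: reply ok 248 getattr NON 3 ids 0/10 sz 0
"""

LINE_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)


def parse_line(line):
    """Return a dict for one NFS request or reply, or None for other lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None  # wrapped continuation lines, headers, other traffic
    src, src_id, dst, dst_id, rest = match.groups()
    words = rest.split()
    if dst_id == NFS_PORT and len(words) >= 2 and words[0].isdigit():
        # Request: "<length> <operation> ..."
        return {"kind": "request", "client": src, "server": dst,
                "xid": src_id, "op": words[1]}
    if src_id == NFS_PORT and len(words) >= 4 and words[0] == "reply":
        # Reply: "reply <status> <length> <operation> ..."
        return {"kind": "reply", "client": dst, "server": src,
                "xid": dst_id, "status": words[1], "op": words[3]}
    return None


def requests_per_lif(text):
    """Map each server (LIF) address to the operations sent to it, in order."""
    usage = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "request":
            usage.setdefault(rec["server"], []).append(rec["op"])
    return usage


def lif_switches(text):
    """List (old_lif, new_lif, first_op) each time requests move to another LIF."""
    switches, current = [], None
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["kind"] != "request":
            continue
        if current is not None and rec["server"] != current:
            switches.append((current, rec["server"], rec["op"]))
        current = rec["server"]
    return switches


def unanswered(text):
    """Return {(server, xid): op} for requests that never got 'reply ok'."""
    pending = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["server"], rec["xid"])
        if rec["kind"] == "request":
            pending[key] = rec["op"]
        elif rec["status"] == "ok":
            pending.pop(key, None)
    return pending


if __name__ == "__main__":
    for lif, ops in requests_per_lif(SAMPLE).items():
        print(lif, ops)
    for old, new, op in lif_switches(SAMPLE):
        print("client moved from", old, "to", new, "starting with", op)
    print("unanswered:", unanswered(SAMPLE))
```

To use it on a live capture, save the SESSION 2 output to a file and pass the file's text to the same functions.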
TASK 4: CREATE NFSV4 ACLS
In this task, you create NFSv4 ACLs and verify the results of setting an ACL. This task uses SESSION 1
only. You do not use SESSION 2. Either close SESSION 2 now or use it for your own research as you
complete this task.
STEP ACTION
1. Verify the directory location and the NFSv4 mount location:
# pwd
/mnt/svmNFS-v4
2. Change the directory to vol_NFS3:
# cd vol_NFS3
3. Create a file that is named foo:
# touch foo
4. List the directory:
# ls -l
total 0
-rw-r--r--. 1 root root 0 Jun 19 16:43 foo
5. Explore the default file ACL:
# nfs4_getfacl foo
The output should resemble this sample:
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
6. Change the directory up one level:
# cd ..
7. Switch to the student user:
# su student
The output should resemble this sample:
$
8. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3
9. Answer the following question:
Was the previous step successful? _____
10. Switch to the root user:
$ su root
11. Enter the root user password:
Password: Netapp123
The output should resemble this sample:
#
12. Navigate to the svmNFS-v4 directory:
# cd /mnt/svmNFS-v4
13. Explore the ACL for the vol_NFS3 directory:
# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
14. Add an ALLOW ACE that gives the student user account (user ID 500) the ability to read, write,
execute, read attributes, read named attributes, read the ACL, and enable clients to use
synchronous I/O with the SVM:
# nfs4_setfacl -a A::500:rwxtncy vol_NFS3
15. Verify the current ACL for the vol_NFS3 directory:
# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::[email protected]:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
16. Navigate to the vol_NFS3 directory:
# cd vol_NFS3
17. Deny the student (user ID 500) user account access to the foo file:
# nfs4_setfacl -a D::500:rwxtncy foo
18. Verify the current ACL for the foo file:
# nfs4_getfacl foo
The output should resemble this sample:
D::[email protected]:rwxtcy
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
19. Navigate to the svmNFS-v4 directory:
# cd /mnt/svmNFS-v4
20. Switch to the student user:
# su student
The output should resemble this sample:
$
21. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3
22. Answer the following question:
Was the previous step successful? _____
23. Create a file that is named foo2:
$ touch foo2
24. Verify the file:
$ ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Jun 19 16:43 foo
-rw-rw-r--. 1 student nobody 0 Jun 19 16:56 foo2
25. Attempt to create a subdirectory:
$ mkdir test
26. Answer the following questions:
Was the previous step successful? _____
Why or why not? _____
27. Attempt to read the foo file:
$ cat foo
28. Answer the following question:
Was the previous step successful? _____
29. Switch the user to root:
$ su root
30. Enter the root user password:
Password: Netapp123
The output should resemble this sample:
#
31. Change the directory up one level:
# cd ..
32. Verify the current ACL for the vol_NFS3 directory:
# nfs4_getfacl vol_NFS3
A::[email protected]:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
33. Remove the first access control entry (ACE) to test a change to the ACL for the vol_NFS3
directory:
# nfs4_setfacl --test -x 1 vol_NFS3
## Test mode only - the resulting ACL for "/mnt/svmNFS-v4/vol_NFS3":
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
34. Remove the first ACE from the vol_NFS3 directory ACL:
# nfs4_setfacl -x 1 vol_NFS3
35. Verify the changed ACL for the vol_NFS3 directory:
# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
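Added example (not part of the original exercise guide, and not Data ONTAP code): a simplified Python model of the ordered ACE evaluation that RFC 7530 describes, replaying the student user's steps from this task against the ACLs set in steps 14 and 17. Assumptions: the student ACE is written with the numeric ID 500 as entered in the nfs4_setfacl commands, the student is neither the owner nor in the owning group, permission bits that no ACE decides are treated as denied, and all function names are hypothetical.

```python
from collections import namedtuple

Ace = namedtuple("Ace", "type flags principal perms")

# ACLs as the exercise leaves them after steps 14 and 17.
# On a directory, 'w' means create files and 'a' means create
# subdirectories (see nfs4_acl(5)); 'x' means traverse (cd).
DIR_ACL_TEXT = """\
A::500:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""
FILE_ACL_TEXT = """\
D::500:rwxtncy
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
"""


def parse_ace(text):
    """Parse 'type:flags:principal:permissions' as printed by nfs4_getfacl."""
    parts = text.strip().split(":")
    if len(parts) != 4 or parts[0] not in ("A", "D"):
        # Audit (U) and alarm (L) ACEs do not affect access decisions.
        raise ValueError("unsupported ACE: %r" % text)
    return Ace(parts[0], parts[1], parts[2], frozenset(parts[3]))


def parse_acl(text):
    """Parse one ACE per line, skipping blank lines and '#' comments."""
    lines = (line.strip() for line in text.splitlines())
    return [parse_ace(line) for line in lines if line and not line.startswith("#")]


def ace_applies(ace, user, groups, is_owner, in_owning_group):
    """Decide whether an ACE's principal matches the requester."""
    if "i" in ace.flags:
        return False  # inherit-only ACEs do not apply to the object itself
    if ace.principal == "EVERYONE@":
        return True
    if ace.principal == "OWNER@":
        return is_owner
    if ace.principal == "GROUP@":
        return in_owning_group
    if "g" in ace.flags:
        return ace.principal in groups
    return ace.principal == user


def check_access(acl, wanted, user, groups=(), is_owner=False,
                 in_owning_group=False):
    """Walk the ACL in order and return (allowed, reason)."""
    undecided = set(wanted)
    if not undecided:
        return True, "nothing requested"
    for index, ace in enumerate(acl, start=1):
        if not ace_applies(ace, user, groups, is_owner, in_owning_group):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if ace.type == "D":
            # A DENY that is reached before an ALLOW for the same bit wins.
            return False, "ACE %d denies %s" % (index, "".join(sorted(hit)))
        undecided -= hit
        if not undecided:
            return True, "last bit granted by ACE %d" % index
    return False, "no ACE grants %s" % "".join(sorted(undecided))


def lab_results(user="500"):
    """Replay the student's steps from Task 4 against the model."""
    vol, foo = parse_acl(DIR_ACL_TEXT), parse_acl(FILE_ACL_TEXT)
    return {
        "cd vol_NFS3": check_access(vol, "x", user)[0],
        "touch foo2": check_access(vol, "wx", user)[0],
        "mkdir test": check_access(vol, "ax", user)[0],
        "cat foo": check_access(foo, "r", user)[0],
        # After 'nfs4_setfacl -x 1 vol_NFS3' only EVERYONE@ matches the student.
        "touch after -x 1": check_access(vol[1:], "wx", user)[0],
        # Same ACEs with the DENY moved last: the earlier ALLOW is reached first.
        "cat foo, DENY last": check_access(foo[1:] + foo[:1], "r", user)[0],
    }


if __name__ == "__main__":
    for step, allowed in lab_results().items():
        print("%-20s %s" % (step, "allowed" if allowed else "denied"))
```

The last entry shows why ACE order matters: nfs4_setfacl -a inserts the new ACE at position 1 by default, which is what makes the DENY on foo effective.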
END OF EXERCISE
MODULE 4: NFS VERSION 4.1
EXERCISE 4: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4.1
In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), for NFS version 4.1 (NFSv4.1). You use the SVM export resources from a compatible Linux
client.
OBJECTIVES
By the end of this exercise, you should be able to:
Configure an SVM for NFSv4.1
Describe an NFSv4.1 export on a client
Analyze the effects of a volume move operation on parallel NFS (pNFS)
TASK 1: CONFIGURE AN SVM FOR NFSV4.1
In this task, you enable NFSv4.1 features within OnCommand System Manager and then configure the
domain ID in the CLI of the cluster.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
svmNFS > Configuration > Protocols, and select NFS.
2. In the right pane, click Edit.
3. Verify that the Support version 3, Support version 4.0, and Support version 4.1 checkboxes are
selected.
4. Click Save and Close.
5. Verify that NFS Version 3 Support, Version 4 Support, and Version 4.1 Support are Enabled on
this SVM.
6. Launch a PuTTY session to the CLI of your assigned Data ONTAP cluster.
7. Set the interface to advanced privilege:
cluster1::> set -privilege advanced
8. At the prompt, type y:
Do you want to continue? {y|n}: y
9. Verify the current settings of your NFS server:
cluster1::*> vserver nfs show -vserver svmNFS
The output should resemble this sample:
Vserver: svmNFS
General NFS Access: true
RPC GSS Context Cache High Water Mark: 0
RPC GSS Context Idle: 0
NFS v3: enabled
NFS v4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Spin Authentication: disabled
Default Windows User: -
Enable NFSv3 EJUKEBOX error: true
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
Vserver NTFS Unix Security Options: use_export_policy
Vserver Change Ownership Mode: use_export_policy
NFS Response Trace Enabled: false
NFS Response Trigger (in secs): 60
UDP Maximum Transfer Size: 32768
TCP Maximum Transfer Size: 65536
NFSv3 TCP Maximum Read Size: 65536
NFSv3 TCP Maximum Write Size: 65536
NFSv4.0 ACL Support: enabled
NFSv4.0 Read Delegation Support: enabled
NFSv4.0 Write Delegation Support: enabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
NFSv4.0 Referral Support: enabled
NFSv4 ID Mapping Domain: learn.netapp.local
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
NFSv4 Lease Timeout Value (in secs): 30
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL : enabled
NFSv4.1 Minor Version Support: enabled
Rquota Enable: disabled
NFSv4.1 Implementation ID Domain: netapp.com
NFSv4.1 Implementation ID Name: NetApp Release 8.2RC1 Cluster-Mode
NFSv4.1 Implementation ID Date: Tue Mar 26 21:02:39 2013
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 Referral Support: disabled
NFSv4.1 ACL Support: disabled
NFS vStorage Support: disabled
Default Windows Group: -
NFSv4.1 Read Delegation Support: disabled
NFSv4.1 Write Delegation Support: disabled
Number of Slots in the NFSv4.x Session slot tables: 180
Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes): 640
Maximum Number of ACEs per ACL: 400
NFS Mount Root Only: enabled
NFS Root Only: disabled
10. Review the output and note that NFSv4.1 pNFS support is enabled by default.
11. Turn on NFSv4.1 access control lists (ACLs) and set the implementation domain and name:
cluster1::*> vserver nfs mod -vserver svmNFS -v4.1-acl enabled -v4.1-implementation-domain example.com -v4.1-implementation-name example
12. Verify the changes:
cluster1::*> vserver nfs show -vserver svmNFS
The output should resemble this sample:
Vserver: svmNFS
General NFS Access: true
RPC GSS Context Cache High Water Mark: 0
RPC GSS Context Idle: 0
NFS v2: disabled
NFS v3: enabled
NFSv4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Spin Authentication: disabled
Default Windows User: -
Enable NFSv3 EJUKEBOX error: false
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
Vserver NTFS Unix Security Options: use_export_policy
Vserver Change Ownership Mode: use_export_policy
NFS Response Trace Enabled: false
NFS Response Trigger (in secs): 60
UDP Maximum Transfer Size: 32768
TCP Maximum Transfer Size: 65536
NFSv4.0 ACL Support: enabled
NFSv4.0 Read Delegation Support: enabled
NFSv4.0 Write Delegation Support: enabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
NFSv4.0 Referral Support: enabled
NFSv4 ID Mapping Domain: example.com
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
NFSv4 Lease Timeout Value (in secs): 30
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL : enabled
NFSv4.1 Minor Version Support: enabled
Rquota Enable: disabled
NFSv4.1 Implementation ID Domain: example.com
NFSv4.1 Implementation ID Name: example
NFSv4.1 Implementation ID Date: Wed Dec 31 16:00:00 1969
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 Referral Support: disabled
NFSv4.1 ACL Support: enabled
NFS vStorage Support: disabled
13. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration, and select Network.
14. In the right pane, on the Network Interfaces tab, verify that the current port is the same as the
home port (not failed over) for each network interface.
NOTE: LIF1 should be on node 1 and LIF2 should be on node 2.
15. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace to display the current namespace for the SVM.
16. In the left pane, select Volumes and verify that vol_NFS1 and vol_NFS2 are on node 1 and that
vol_NFS3 is on node 2.
NOTE: Multiple volumes on multiple nodes are accessible by multiple logical interfaces (LIFs).
TASK 2: DESCRIBE AN NFSV4.1 EXPORT ON A CLIENT
In this task, you use NFSv4.1 to mount a file system and you explore the results. You create a second PuTTY
session and use tcpdump to analyze the Ethernet traffic and to verify the NFSv4.1 pNFS feature.
STEP ACTION
1. Log in to the Linux client as root.
NOTE: For the remainder of this exercise, this session is called SESSION 1.
2. Edit the dist.conf file:
# vi /etc/modprobe.d/dist.conf
3. Use the arrow keys to navigate to the bottom of the file.
4. Enter insert mode by typing i:
i
5. Press Enter to create a new line.
6. Enter the following alias configuration:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
7. Press ESC to exit insert mode.
8. Type :wq to save and quit the editor.
9. Review the file to determine whether you correctly edited the dist.conf file:
# tail /etc/modprobe.d/dist.conf
10. Restart rpcidmapd:
# /etc/rc.d/init.d/rpcidmapd restart
11. Change the directory to the mount folder:
# cd /mnt
12. Create a mount folder that is named svmNFS-v41:
# mkdir svmNFS-v41
13. Open a second PuTTY session to the Linux machine and log in as root.
NOTE: For the remainder of this exercise, this session is called SESSION 2.
14. On SESSION 2, start tcpdump and filter its output for 2049:
# tcpdump -nv | grep 2049
15. With the SESSION 2 window visible, on SESSION 1, use the IP address of svmNFS-lif1 on the
svmNFS SVM to create an NFSv4.1 mount of the SVM namespace:
# mount -t nfs4 -o minorversion=1,acl 192.168.0.60:/ /mnt/svmNFS-v41
16. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? _____
Which node in the cluster is the pNFS metadata server? _____
17. Verify the current mounts:
# mount
The output should resemble this sample:
…
192.168.0.161:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)
192.168.0.161:/ on /mnt/svmNFS-v4 type nfs4 (rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21)
192.168.0.161:/ on /mnt/svmNFS-v41 type nfs4 (rw,minorversion=1,acl,addr=192.168.0.60,clientaddr=192.168.0.21)
18. On SESSION 1, change the directory to the NFSv4.1-attached mount point:
# cd svmNFS-v41
19. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? _____
20. On SESSION 1, list the directory:
# ls -l
The output should resemble this sample:
total 12
-rw-r--r--. 1 root root 0 Mar 4 12:44 foo
-rw-rw-r--. 1 student nobody 0 Mar 4 12:50 foo1
drwxr-xr-x. 2 root root 4096 Mar 4 12:45 vol_NFS1
drwxr-xr-x. 2 root root 4096 Mar 4 12:22 vol_NFS2
drwxr-xr-x. 2 root root 4096 Mar 4 14:04 vol_NFS3
21. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? _____
22. On SESSION 1, access a volume on the metadata server:
# cd vol_NFS1
23. On SESSION 1, list the directory:
# ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Mar 4 12:45 foo
24. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? _____
On which node is this interface? _____
25. On SESSION 1, navigate up one level:
# cd ..
26. On SESSION 1, access a volume on a data server:
# cd vol_NFS3
27. On SESSION 1, list the directory:
# ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Mar 4 13:42 foo
-rw-rw-r--. 1 nobody nobody 0 Mar 4 13:53 foo2
28. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? _____
On which node is this interface? _____
29. Edit the foo file:
# vi foo
30. Type i to enter insert mode.
31. Enter some data.
32. Press ESC to exit insert mode.
33. Type :wq to save and quit the editor.
34. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? _____
On which node is this interface? _____
35. Use SESSION 2 to further explore pNFS and which interface is used for each file operation.
NOTE: pNFS is complex, and which interface is used is sometimes unclear. The file-system
operations (read and write) on a volume that is mounted on node 1 and node 2 are in your
assigned cluster on SESSION 1.
TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS
In this task, you move a volume from node 2 to node 1 and analyze the results on a Linux client.
STEP ACTION
1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.
2. In the right pane, select vol_NFS3 on node 2.
3. Click Move.
4. In the Move Volume dialog box, in the Destination Aggregate section, select aggr_NFS1.
5. Click Move.
6. In the Move Volume confirmation dialog box, click Move.
7. After the move volume operation is complete, the Move Volume dialog box displays a Job ID.
8. Click the Job ID value.
9. Note the state of the move volume job.
10. On SESSION 1, perform some read and write operations to the vol_NFS3 directory while the
move volume operation is running.
For example, run the ls -l, cat, and touch commands.
11. On SESSION 2, verify which interfaces are used during the operations.
12. In the right pane of System Manager, on the Current Jobs tab, click Refresh.
13. On SESSION 1, perform a few read and write operations to the vol_NFS3 directory while the
volume move operation is running.
For example, run the ls -l, cat, and touch commands.
14. On SESSION 2, verify which interfaces are used during the operations.
15. Answer the following questions:
Which interface is used for write operations? _____
Which interface is used for read operations? _____
Which interface is used for getattrib operations? _____
END OF EXERCISE
MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING
No exercise is associated with Module 5.
APPENDIX A: ANSWERS
MODULE 1: NFS OVERVIEW
No answers provided.
MODULE 2: NFS VERSION 3
TASK 5: DEFINE A NEW EXPORT POLICY AND RULE
STEP ACTION
24. Answer the following questions:
To which user ID are anonymous users mapped (anon=)? 65534
Are any users currently mapped to this ID? yes
(NOTE: In System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and
click the Users tab to discover the answer.)
If so, who? pcuser
TASK 8: MOUNT THE SVM NAMESPACE
STEP ACTION
11. Answer the following question:
Was the previous step successful? yes
14. Answer the following question:
Was the previous step successful? yes
17. Answer the following question:
Was the previous step successful? yes
19. Answer the following question:
Was the previous step successful? yes
24. Answer the following questions:
Were you able to create a file? no; read-only file system
Why or why not? The export policy’s rule associated with this volume is set to read-only.
TASK 9: EXPLORE FILE PERMISSIONS
STEP ACTION
12. Answer the following question:
Was the previous step successful? yes
14. Answer the following question:
Was the previous step successful? yes
17. Answer the following question:
Was the previous step successful? yes
19. Answer the following question:
Was the previous step successful? no; permission denied
21. Answer the following question:
Was the previous step successful? yes
23. Answer the following question:
Was the previous step successful? no; read-only file system
MODULE 3: NFS VERSION 4
TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT
STEP ACTION
6. Answer the following question:
Why are you looking for 2049? because that is the port that nfsd uses
8. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
10. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
13. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? svmNFS_nfs_lif1
15. Answer the following questions:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
17. Answer the following questions:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif2
Why? Because the volume is on node 2 and the original LIF was on node 1, a referral
occurred moving the access LIF to svmNFS-lif2.
19. Answer the following question:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
21. Answer the following questions:
Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
Why? because NFSv3 does not do referrals
TASK 4: CREATE NFSV4 ACLS
STEP ACTION
9. Answer the following question:
Was the previous step successful? yes
22. Answer the following question:
Was the previous step successful? yes
26. Answer the following questions:
Was the previous step successful? no, permission was denied
Why or why not? because student user does not have the append (“a”) permission
28. Answer the following question:
Was the previous step successful? no, permission was denied
MODULE 4: NFS VERSION 4.1
TASK 2: EXPLORE AN NFSV4.1 EXPORT ON A CLIENT
STEP ACTION
16. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
Which node in the cluster is the pNFS metadata server? node 1
19. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
21. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
24. Answer the following questions:
Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
On which node is this interface? node 1
TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS
STEP ACTION
15. Answer the following questions:
Which interface is used for write operations? svmNFS-lif1
Which interface is used for read operations? svmNFS-lif1
Which interface is used for getattrib operations? svmNFS-lif1
APPENDIX B: KERBEROS AUTHENTICATION
EXERCISE A
In this exercise, you configure Active Directory Kerberos authentication for an NFS mount.
OBJECTIVES
By the end of this exercise, you should be able to:
Configure clustered Data ONTAP for NFS Active Directory authentication
Configure Windows for NFS Active Directory authentication
Configure Linux for NFS Active Directory authentication
TASK 1: CONFIGURE CLUSTERED DATA ONTAP FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you configure Kerberos in the cluster. You then configure a storage virtual machine (SVM)
logical interface (LIF) to use Kerberos configuration, while specifying a service principal name (SPN) for the
SVM. Finally, you confirm that the SPN is mapping appropriately.
STEP ACTION
1. From a Secure Shell (SSH) session, log in to your cluster as admin.
2. Set a preferred Active Directory server for svmNFS:
cluster1::> vserver active-directory preferred-dc add -vserver svmNFS
-domain learn.netapp.local -preferred-dc 192.168.0.11
3. Verify the preferred server:
cluster1::> vserver active-directory preferred-dc show
4. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Date and Time.
5. In the right pane, click Edit.
6. In the Edit Date and Time dialog box, specify the following information:
Time Zone: US/Pacific (or the time zone of your assigned Active Directory server)
Time Servers: 192.168.0.11
NOTE: Use the Add button to add the entry for Time Servers.
7. Click OK.
8. Verify that the cluster date and time synchronize to within 5 minutes of your kit’s Windows
machine. This process can take several minutes.
9. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select Kerberos Realm.
10. In the right pane, click Create.
11. Verify that the Create Kerberos Realm wizard opens.
12. Click Next.
13. On the Basic Details page, specify the following information:
Kerberos Realm: learn.netapp.local
KDC IP Address: 192.168.0.11
KDC Port: 88
KDC Vendor: Microsoft
14. Click Next.
15. On the Advanced Details page, specify the following information:
Password Server IP: 192.168.0.11
AD Server Name: w2k12
AD Server IP: 192.168.0.11
16. Click Next.
17. Verify the configuration.
18. Click Next.
19. Verify that the operation was successful.
20. Click Finish.
21. Verify that Kerberos is configured properly for the SVM.
22. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select DNS.
23. Verify that DNS services are properly configured to the Microsoft DNS server.
NOTE: In your educational environment, the DNS server is usually the same server as your
Active Directory server.
24. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Services, and select Kerberos Interface.
25. In the right pane, select svmNFS_nfs_lif1.
26. In the right pane, click Edit.
27. In the Edit Kerberos Configuration dialog box, specify the following information:
Interface Name: svmNFS_nfs_lif1
Enable Kerberos checkbox: selected
Kerberos Realm: LEARN.NETAPP.LOCAL
Service Principal Name: nfs/[email protected]
Admin User Name: administrator
Admin Password: Netapp123
28. Click OK.
29. Verify that svmNFS_nfs_lif1 is configured for Kerberos with a valid SPN.
NOTE: In a production environment, you would configure multiple paths for redundancy.
30. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Users and Groups, and select Name Mapping.
31. In the right pane, click Add.
32. In the Add Name Mapping Entry dialog box, specify the following information:
Direction: Kerberos to UNIX
Position: 1
Pattern: nfs/[email protected]
Replacement: pcuser
33. Click Add.
34. Verify that the SPN that svmNFS_nfs_lif1 uses is properly mapped to pcuser.
NOTE: You can also create an NFS UNIX user to ensure that the NFS name is properly
authenticated.
35. From a Secure Shell (SSH) session, log in as admin and change to diagnostic mode:
cluster1::> set -privilege diag
36. At the prompt, type y:
Do you want to continue? {y|n}: y
37. Verify that the name mapping is working:
cluster1::*> diag secd name-mapping show -node cluster1-01
-vserver svmNFS -direction krb-unix
-name nfs/[email protected]
The output should resemble this sample:
nfs/[email protected] maps to pcuser
38. Verify the Kerberos encryption types that are enabled for NFS:
cluster1::*> nfs show -vserver svmNFS -fields permitted-enc-types
vserver permitted-enc-types
------- ------------------------
svmNFS des,des3,aes-128,aes-256
TASK 2: CONFIGURE WINDOWS FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you configure a group policy to enable Windows to use AES encryption. You configure the Windows
DNS server to perform reverse lookups. You create DNS entries for the SVM and the Linux host. You create
a new SPN in Active Directory for the Linux host and transfer that keytab to the Linux host. Finally, you
configure the Linux Active Directory identity to use AES encryption.
STEP ACTION
1. On your assigned Windows system, open Server Manager.
2. Verify that the Server Manager dialog box opens.
3. From the Tools menu, select Group Policy Management.
4. Verify that the Group Policy Management window opens.
5. In the left pane, navigate to Group Policy Management > Forest: learn.netapp.local >
Domains > learn.netapp.local > Default Domain.
6. Click OK to confirm the warning message.
7. Verify that Default Domain is selected in the left pane.
8. In the left pane, right-click Default Domain and select Edit.
9. Verify that the Group Policy Management Editor opens.
10. In the left pane, navigate to Default Domain Policy > Computer Configuration > Policies >
Windows Settings > Security Settings > Local Policies > Security Options.
11. In the right pane, double-click the policy Network security: Configure encryption types
allowed for Kerberos.
12. On the Security Policy Setting tab, specify the following information:
Select the Define these policy settings checkbox.
Select all the encryption type checkboxes.
Verify that AES128_HMAC_SHA1 and AES256_HMAC_SHA1 are included.
13. Click OK.
14. Close the Group Policy Management Editor dialog box.
15. Close the Group Policy Management dialog box.
16. From the Server Manager Tools menu, select DNS.
17. Verify that DNS Manager opens.
18. In the left pane, navigate to W2K12 > Reverse Lookup Zones.
19. Right-click Reverse Lookup Zones and select New Zone to open the New Zone Wizard.
20. Click Next.
21. On the Zone Type page, specify the following information:
Primary zone: selected
Store the zone in Active Directory checkbox: selected
22. Click Next.
23. Select To all DNS servers running on domain controllers in this domain:
learn.netapp.local.
24. Click Next.
25. Select IPv4 Reverse Lookup Zone.
26. Click Next.
27. In the Network ID field, type 192.168.0.
28. Click Next.
29. Select Allow only secure dynamic updates (recommended for Active Directory).
30. Click Next.
31. Review the summary.
32. Click Finish.
33. Verify that the reverse lookup zone was created.
34. Open a Windows PowerShell command prompt on your Windows server.
35. Create a DNS entry for the Linux host:
PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local
centos65 /CreatePTR A 192.168.0.21
36. Create a DNS entry for the Kerberos SPN that is associated with the SVM LIF IP address:
PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local
kerberos /CreatePTR A 192.168.0.60
37. Create a computer account for the Linux host:
PS C:\> dsadd computer
"CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local"
The output should resemble this sample:
dsadd succeeded:CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local
38. Import the Active Directory module:
PS C:\> import-module activedirectory
39. Modify the computer account for the Linux host identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity centos65 -Replace @{'msDS-SupportedEncryptionTypes'=28}
40. Modify the computer account for the SVM identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity NFS-KERBEROS-LE -Replace @{'msDS-SupportedEncryptionTypes'=28}
41. Create an SPN for the new Linux computer account:
PS C:\> setspn -s root/centos65.learn.netapp.local centos65
The output should resemble this sample:
Checking domain DC=learn,DC=netapp,DC=local
Registering ServicePrincipalNames for
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local
root/centos65.learn.netapp.local
Updated object
42. Verify the SPN:
PS C:\> setspn -L centos65
The output should resemble this sample:
Registered ServicePrincipalNames for
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local:
root/centos65.learn.netapp.local
43. Query the SPN:
PS C:\> setspn /Q root/centos65.learn.netapp.local
The output should resemble this sample:
Checking domain DC=learn,DC=netapp,DC=local
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local
root/centos65.learn.netapp.local
Existing SPN found!
44. Use ktpass to create the mappings for the SPN and output the mappings to the keytab files:
PS C:\> ktpass -princ
root/[email protected] -mapuser
LEARN\centos65$ -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL
+Answer -out centos65.keytab
The output should resemble this sample:
Targeting domain controller: w2k12.nau.com
Using legacy password setting method
Successfully mapped root/centos65.learn.netapp.local to CENTOS65$.
WARNING: Account CENTOS65$ is not a user account (uacflags=0x1021).
WARNING: Resetting CENTOS65$'s password may cause authentication problems if
CEN
TOS64$ is being used as a server.
Reset CENTOS65$'s password [y/n]? auto:
YES
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to centos65.keytab:
Keytab version: 0x502
keysize 78 root/[email protected] ptype 1
(KRB5_NT_
PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2c7689bf257f15dc)
keysize 78 root/[email protected] ptype 1
(KRB5_NT_
PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2c7689bf257f15dc)
keysize 86 root/[email protected] ptype 1
(KRB5_NT_
PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16
(0x68a60a541ba235cb9d946cca0b6b237d)
keysize 102 root/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32
(0xdc3bd08a9a487a0d1839f
81b670f24da44ce93bb5c4988ea96689f1a8f282e06)
keysize 86 root/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16
(0xab2ec0cb98670247d8bab38788d39aa0)
45. Open a command-prompt window.
46. Copy the keytab file to the Linux host and provide the root password. You will be prompted for
the root user’s password.
C:\> pscp centos65.keytab
[email protected]:/root/centos65.keytab
[email protected]’s password: Netapp123
svmNFS_nfs_lif1.keytab | 0 kB | 0.1 kB/s | ETA: 00:00:00 | 100%
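The encryption types configured in Task 1, step 38 and in steps 39, 40 and 44 of this task can be checked rather than taken on trust. The following is an added example, not part of the course material: it decodes the msDS-SupportedEncryptionTypes bitmask and flags legacy DES, 3DES and RC4 entries in the ONTAP field and in a ktpass listing. The function names and the sample listing (step 44's etype fields with principal and key material left out) are assumptions of this example.

```python
import re

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
AD_ENC_BITS = [
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
]
AD_LEGACY_MASK = 0x01 | 0x02 | 0x04
AD_AES_MASK = 0x08 | 0x10

# Kerberos etype numbers as ktpass prints them ("etype 0x17").
LEGACY_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC"}

# Legacy names in the ONTAP permitted-enc-types field (Task 1, step 38).
ONTAP_LEGACY = {"des", "des3"}


def decode_ad_enc_types(value):
    """Names of the etypes enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in AD_ENC_BITS if value & bit]


def ad_is_aes_only(value):
    """True when at least one AES bit is set and no DES or RC4 bit is set."""
    return bool(value & AD_AES_MASK) and not (value & AD_LEGACY_MASK)


def keytab_etypes(listing):
    """Etype numbers found in a ktpass-style listing, in order of appearance."""
    return [int(h, 16) for h in re.findall(r"\betype 0x([0-9a-fA-F]+)", listing)]


def legacy_keytab_entries(listing):
    """Names of the DES/RC4 keys present in the listing."""
    return [LEGACY_ETYPES[e] for e in keytab_etypes(listing) if e in LEGACY_ETYPES]


def ontap_legacy_enc_types(field_value):
    """Legacy entries in a comma-separated permitted-enc-types value."""
    items = (part.strip().lower() for part in field_value.split(","))
    return [item for item in items if item in ONTAP_LEGACY]


# Constructed sample: the etype fields of step 44's output, without
# principal names or key bytes.
SAMPLE_KTPASS = """\
keysize 78 ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8
keysize 78 ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8
keysize 86 ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16
keysize 102 ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32
keysize 86 ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16
"""


def report():
    """Collect the three checks for the values used in this exercise."""
    return {
        "ad_value_28": decode_ad_enc_types(28),
        "ad_value_28_aes_only": ad_is_aes_only(28),
        "ad_value_24_aes_only": ad_is_aes_only(24),
        "keytab_legacy": legacy_keytab_entries(SAMPLE_KTPASS),
        "ontap_legacy": ontap_legacy_enc_types("des,des3,aes-128,aes-256"),
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```

The value 28 used in steps 39 and 40 enables RC4 alongside both AES types; 24 is the value with only the two AES bits set.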
TASK 3: CONFIGURE LINUX FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you import the Linux credentials that were created in Windows into /etc/krb5.keytab. You
enable secure NFS authentication in the /etc/sysconfig/nfs file. You configure the Kerberos
realm information in the /etc/krb5.conf file and restart the GSSd service. Finally, you log in with a user
account in Active Directory, mount an export by using Kerberos authentication, and verify read and write
permissions.
STEP ACTION
1. On the Linux host, navigate to the root home directory:
# cd /root
2. Verify that the keytab file was transferred successfully:
# ls
anaconda-ks.cfg install.log.syslog upgrade.log.syslog
install.log upgrade.log centos65.keytab
3. Start the ktutil tool:
# ktutil
ktutil:
4. Read the keytab file:
ktutil: rkt centos65.keytab
5. List the keytab file:
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 root/[email protected]
2 2 root/[email protected]
3 2 root/[email protected]
4 2 root/[email protected]
5 2 root/[email protected]
6. Write the keytab file:
ktutil: wkt /etc/krb5.keytab
7. Quit the ktutil tool:
ktutil: q
#
8. Start vi to edit the NFS configuration file:
# vi /etc/sysconfig/nfs
9. Using the cursor keys, navigate within the file until you find the following line:
#SECURE_NFS="yes"
10. Place your cursor on the # sign.
11. Type r and then press the space bar to remove the # sign.
12. Save the file and exit vi by typing :wq.
13. Verify that the line now reads SECURE_NFS="yes":
# cat /etc/sysconfig/nfs
14. Edit the krb5.conf file with vi.
Hint: You will edit or insert the lines below in bold typeface.
# vi /etc/krb5.conf
The file should resemble this sample:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LEARN.NETAPP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
LEARN.NETAPP.LOCAL = {
kdc = w2k12.learn.netapp.local
default_domain = learn.netapp.local
}
[domain_realm]
.netapp.local = LEARN.NETAPP.LOCAL
.learn.netapp.local = LEARN.NETAPP.LOCAL
15. Verify the configuration of the krb5.conf file:
# cat /etc/krb5.conf
16. Relaunch the GSSd service:
# service rpcgssd restart
Stopping RPC gssd: [ OK ]
Starting RPC gssd: [ OK ]
17. Log in with the credentials that are configured in Active Directory:
# kinit administrator
18. Provide the correct password:
Password for [email protected]: Netapp123
19. List the current authenticated user:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
11/08/14 10:01:49 11/08/14 20:01:05
krbtgt/[email protected]
renew until 11/15/14 10:00:49
11/08/14 10:01:49 11/08/14 20:01:05
root/[email protected]
renew until 11/15/14 10:00:49
20. Remove the current authenticated user:
# kdestroy
21. List the current authenticated user:
# klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_0)
22. Log in again with the credentials that are configured in Active Directory:
# kinit administrator
23. Provide the correct password:
Password for [email protected]: Netapp123
24. List the current authenticated user:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
11/08/14 10:01:49 11/08/14 20:02:05
krbtgt/[email protected]
renew until 11/15/14 10:01:49
11/08/14 10:01:49 11/08/14 20:02:05
root/[email protected]
renew until 11/15/14 10:01:49
25. Navigate to the mount directory:
# cd /mnt
26. Make a new mount directory:
# mkdir svmNFS-krb
27. Mount the SVM by using Kerberos authentication:
# mount -t nfs4 -o sec=krb5 192.168.0.60:/ /mnt/svmNFS-krb
28. Navigate into the mount directory:
# cd svmNFS-krb
29. List the contents:
# ls -l
30. Verify write capability:
# touch krb
31. List the contents:
# ls -l
32. Read the empty file:
# cat krb
END OF EXERCISE
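Two client-side settings from Task 3 decide how much protection the Kerberos mount provides: allow_weak_crypto in /etc/krb5.conf (step 14) and the sec= flavor on the mount (step 27). The following is an added example, not part of the course material: it parses a krb5.conf and one /proc/mounts line and reports both. The function names, the /proc/mounts line and the finding texts are assumptions of this example; the krb5.conf sample is a constructed copy of the one in step 14.

```python
import re

# Spellings that MIT krb5 accepts as boolean "true" in krb5.conf.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed copy of the krb5.conf sample in step 14.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = LEARN.NETAPP.LOCAL
dns_lookup_kdc = false
allow_weak_crypto = true
[realms]
LEARN.NETAPP.LOCAL = {
  kdc = w2k12.learn.netapp.local
  default_domain = learn.netapp.local
}
[domain_realm]
.learn.netapp.local = LEARN.NETAPP.LOCAL
"""

# Constructed /proc/mounts line for the mount made in step 27.
SAMPLE_MOUNT = "192.168.0.60:/ /mnt/svmNFS-krb nfs4 rw,relatime,vers=4.0,sec=krb5,proto=tcp 0 0"


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}.

    A repeated key keeps its last value, which is enough for this audit.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line or not stack:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":            # start of a nested block, e.g. a realm
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def nfs_sec_flavor(mounts_line):
    """Return the sec= flavor of an NFS entry in /proc/mounts, else None."""
    fields = mounts_line.split()
    if len(fields) < 4 or not fields[2].startswith("nfs"):
        return None
    for option in fields[3].split(","):
        if option.startswith("sec="):
            return option[4:]
    return None


def audit_client(krb5_conf_text, mounts_line):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    libdefaults = parse_krb5_conf(krb5_conf_text).get("libdefaults", {})
    if libdefaults.get("allow_weak_crypto", "false").lower() in TRUE_WORDS:
        findings.append("allow_weak_crypto is on: weak etypes such as "
                        "single DES are not filtered out")
    flavor = nfs_sec_flavor(mounts_line)
    if flavor == "krb5":
        findings.append("sec=krb5: authentication only, NFS data has no "
                        "integrity protection or encryption")
    elif flavor == "krb5i":
        findings.append("sec=krb5i: integrity-protected but not encrypted")
    elif flavor != "krb5p":
        findings.append(f"no Kerberos sec= flavor on the mount (found: {flavor})")
    return findings


if __name__ == "__main__":
    for finding in audit_client(SAMPLE_KRB5_CONF, SAMPLE_MOUNT):
        print(finding)
```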