When I’m testing stuff out for customer deployments that I don’t work with a ton, I like to keep notes on the work so I can reference it later for TRs or other things. A blog is a great place to do that, as it might help other people in similar scenarios. This won’t be an exhaustive list, and it is certain to change over time and possibly make its way into a TR, but here we go…

ONTAP and Multiprotocol NAS

Before I get into the MacOS client stuff, we need to understand ONTAP multiprotocol NAS, as it can impact how MacOS clients behave. In ONTAP, you can serve the same datasets to clients regardless of the NAS protocol they use (SMB or NFS). Many clients can actually do both protocols – MacOS is one of those clients.

The way ONTAP does Multiprotocol NAS (and keeps permissions predictable) is via name mappings and volume “security styles,” which control what kind of ACLs are in use. TR-4887 goes into more detail on how all that works, but at a high level:

- NTFS security styles
  - SMB clients will map to UNIX users and NFS clients will require mappings to valid Windows users for authentication. Then, permissions are controlled via ACLs.
- UNIX security styles use UNIX mode bits (rwx) and/or NFSv4 ACLs
  - NFS clients will only require mapping to a UNIX user name if using NFSv4 ACLs.
  - SMB clients will require mappings to a valid UNIX user for permissions.
  - SMB clients can do *some* permissions changes, but on a very limited basis.
- Mixed security styles always use either UNIX or NTFS effective security styles, based on last ACL change
  - Basically, if an NFS client chmods a file, it switches to UNIX security style. If an SMB client changes ownership of the file, it flips back to NTFS security style.
  - This allows you to change permissions from any client, but you need to ensure you have proper name mappings in place to avoid undesired permission behavior.
  - Generally, we recommend avoiding mixed security styles in most cases.

When using MacOS for an NFS client, there are a few things I’ve run into in the past week or two while testing that you would want to know to avoid issues.

MacOS can be configured to use Active Directory LDAP for UNIX Identities

When you’re doing multiprotocol NAS (even if the clients will only do NFS, your volumes might have NTFS style permissions), you want to try to use a centralized name service like LDAP so that ONTAP, SMB clients and NFS clients all agree on who the users are, what groups they belong to, what numeric IDs they have, etc.
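One way to check that ONTAP, the MacOS NFS client and the directory agree on user names and numeric IDs, as an added example that is not from the original post or from NetApp. It assumes each system's view of the users has already been exported as passwd-style lines; the source names, users and IDs below are constructed.

```python
"""Cross-check UNIX identities as resolved by several name-service consumers."""

# Constructed sample data (assumption, not from the post): passwd(5)-style
# lines as each system resolves them. All names and IDs are hypothetical.
SAMPLE_VIEWS = {
    "ontap": "alice:x:10001:5000::/home/alice:/bin/sh\n"
             "bob:x:10002:5000::/home/bob:/bin/sh\n",
    "macos_nfs_client": "alice:*:10001:5000::/Users/alice:/bin/zsh\n"
                        "bob:*:502:20::/Users/bob:/bin/zsh\n",
    "ad_ldap": "alice:x:10001:5000::/home/alice:/bin/sh\n"
               "bob:x:10002:5000::/home/bob:/bin/sh\n"
               "carol:x:10003:5000::/home/carol:/bin/sh\n",
}


def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-style text, skipping junk."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed entry: ignore rather than guess an ID
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def find_identity_drift(views):
    """Report users that some source does not know or resolves differently.

    Returns (username, problem, detail) tuples ordered by username, where
    problem is "missing" (unknown to a source) or "mismatch" (IDs differ).
    """
    parsed = {src: parse_passwd(text) for src, text in views.items()}
    all_users = set().union(*(p.keys() for p in parsed.values()))
    findings = []
    for user in sorted(all_users):
        seen = {src: p[user] for src, p in parsed.items() if user in p}
        absent = sorted(set(parsed) - set(seen))
        if absent:
            findings.append((user, "missing", ",".join(absent)))
        if len(set(seen.values())) > 1:
            detail = ";".join(f"{s}={u}:{g}" for s, (u, g) in sorted(seen.items()))
            findings.append((user, "mismatch", detail))
    return findings


if __name__ == "__main__":
    for user, problem, detail in find_identity_drift(SAMPLE_VIEWS):
        print(f"{user:8} {problem:9} {detail}")
```

In the sample, bob resolves to a local UID/GID on the client instead of the directory's values, which is the kind of disagreement that leads to unexpected ownership and permission results on a multiprotocol volume.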