Sun Storage 7000 Unified Storage System: NFSv4 clients cannot mount shares if NFSv4 identity domains do not match

Asset ID:	1-72-1409693.1
Update Date:	2018-05-10
Keywords:

Solution Type Problem Resolution Sure

Solution 1409693.1 : Sun Storage 7000 Unified Storage System: NFSv4 clients cannot mount shares if NFSv4 identity domains do not match

Applies to:

Sun Storage 7210 Unified Storage System - Version All Versions and later
Sun Storage 7110 Unified Storage System - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Sun Storage 7310 Unified Storage System - Version All Versions and later
Sun Storage 7410 Unified Storage System - Version All Versions and later
7000 Appliance OS (Fishworks)
NAS head revision : [not dependent]
BIOS revision : [not dependent]
ILOM revision : [not dependent]
JBODs Model : [not dependent]
CLUSTER related : [not dependent]

This problem will affect any client that tries to access a network share from the appliance via the NFSv4 protocol

Symptoms

NFSv4 clients are unable to mount shares from the ZFS Storage Appliance.

Inability to access expected files.
Created files owned by "nobody".

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - Disk Storage ZFS Storage Appliance Community

Changes

Cause

As opposed to NFSv3 where users and groups are represented simply by UIDs and GIDs, NFSv4 stores users and groups in a user@domain format.

The domain portion is known as an NFSv4 identity domain.

To be able to access the ZFS Storage Appliance via NFSv4 as a known user, or even mount the filesystem in some cases, the identity domains of the client and the appliance must match.

All NFSv4 systems sharing files within an organization must be assigned the same NFSv4 Identity Domain.

Because many organizations span multiple DNS or NIS domains, the Identity Domain is often an arbitrary name that may or may not match these.

Solution

The default behavior of the appliance is to use the configured DNS name as NFSv4 Identity Domain.

It is strongly recommended to explicitly set the NFSv4 Identity Domain on both the clients and the ZFS Storage Appliance to ensure they are identical.

To change the appliance side value:

In the BUI do the following

Configuration -> SERVICES -> NFS

Uncheck "Use DNS domain as NFSv4 identity domain"

Enter a new value in the "Custom NFSv4 identity domain" field

To commit the changed settings a click on 'Apply' is required.

In the CLI follow the steps below

ZFSSA:> configuration services nfs
ZFSSA: configuration services nfs > set mapid_dns=false
mapid_dns = false (uncommitted)
ZFSSA: configuration services nfs > set mapid_domain=mynfsdomain
mapid_domain = mynfsdomain (uncommitted)
ZFSSA: configuration services nfs > commit

There might be some variations dependent on the Appliance Kit Software running on the ZFSSA system, the Online Help on the appliance might hold more detailed information.
Point the browser to https://ZFSSA-IP:215/wiki/index.php

To change the client side value:

For Solaris 10: edit /etc/default/nfs, add or fix the line NFSMAPID_DOMAIN=FQDN

Newer Solaris 11: svcprop nfsconf, set com.sun.ak,nfs/mapid_domain astring FQDN

(update) The current code seems to use this:

sharectl set -p nfsmapid_domain=<what-you-want-it-to-be> nfs

Linux: edit /etc/idmapd.conf, add a line or edit the file so that it contains Domain=FQDN

FQDN in each of the above examples should be replaced with the fully-qualified NFSv4 identity domain name.

e.g. NFSMAPID_DOMAIN=mydomain.com

Back to <Document 1402579.1> Sun Storage 7000 Unified Storage System: How to Troubleshoot NFS Problems.

Check for relevancy - 10-May-2018

References

<NOTE:1402579.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Problems with the NFS Service

Attachments

This solution has no attachment