NETAPP UNIVERSITY

Data ONTAP NFS Administration

Exercise Guide
Course ID: STRSW-ILT-NFSAD-REV06
Catalog Number: STRSW-ILT-NFSAD-REV06-EG
Content Version: 1.1

NetApp University - Do Not Distribute


ATTENTION
The information contained in this course is intended only for training. This course contains information and activities that,
while beneficial for the purposes of training in a closed, non-production environment, can result in downtime or other
severe consequences in a production environment. This course material is not a technical reference and should not,
under any circumstances, be used in production environments. To obtain reference materials, refer to the NetApp product
documentation that is located at http://now.netapp.com/.

COPYRIGHT
© 2015 NetApp, Inc. All rights reserved. Printed in the U.S.A. Specifications subject to change without notice.
No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or
mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written
permission of NetApp, Inc.

U.S. GOVERNMENT RIGHTS


Commercial Computer Software. Government users are subject to the NetApp, Inc. standard license agreement and
applicable provisions of the FAR and its supplements.

TRADEMARK INFORMATION
NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Customer Fitness, CyberSnap,
Data ONTAP, DataFort, FilerView, Fitness, Flash Accel, Flash Cache, Flash Pool, FlashRay, FlexCache, FlexClone,
FlexPod, FlexScale, FlexShare, FlexVol, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore,
OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator,
SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore,
Snapshot, SnapValidator, SnapVault, StorageGRID, Tech OnTap, and WAFL are trademarks or registered trademarks of
NetApp, Inc. in the United States and/or other countries.
Other product and service names might be trademarks of NetApp or other companies. A current list of NetApp trademarks
is available on the Web at http://www.netapp.com/us/legal/netapptmlist.aspx.

© 2015 NetApp, Inc. This material is intended only for training. Reproduction is not authorized.


TABLE OF CONTENTS
WELCOME
MODULE 1: NFS OVERVIEW
MODULE 2: NFS VERSION 3
MODULE 3: NFS VERSION 4
MODULE 4: NFS VERSION 4.1
MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING
APPENDIX A: ANSWERS
APPENDIX B: KERBEROS AUTHENTICATION


MODULE 1: NFS OVERVIEW

EXERCISE 1: ADDING A CLUSTER


In this exercise, you practice setting up OnCommand System Manager and using it to add a cluster to the
administration tool.

OBJECTIVES
By the end of this exercise, you should be able to:
- Identify the exercise environment
- Log in to the exercise environment
- Log in to a cluster by using System Manager

TASK 1: IDENTIFY THE EXERCISE ENVIRONMENT


STEP ACTION

1. With the assistance of your instructor, identify your main Windows server.
NOTE: This machine might be a virtual machine (VM).

Windows Server
IP address: _______________________________________________
Domain: _________________________________________________
Domain administrator password: Netapp123

2. With the assistance of your instructor, identify your clustered Data ONTAP operating system
nodes.

Clustered Data ONTAP


Node 1 management logical interface (LIF) IP address: 192.168.0.51
Node 2 management LIF IP address: 192.168.0.52
Cluster-management LIF IP address: 192.168.0.50
Cluster administrator (admin) password: Netapp123

3. With the assistance of your instructor, identify your Linux machine.


NOTE: This machine might be a VM.

Linux Server
IP address: 192.168.0.21
Root password: Netapp123


TASK 2: LOG IN TO THE EXERCISE ENVIRONMENT
In this task, you use Remote Desktop Connection (RDC) to log in to your assigned exercise environment.
You perform all subsequent tasks from this assigned machine.
STEP ACTION

1. On your local Windows machine desktop, click the Remote Desktop Connection link to log in
to the remote Windows server through the RDC tool.
NOTE: If this link is unavailable, ask your instructor where to find the tool.

2. Enter the IP address of your remote Windows server, and then click Connect.

3. Verify that the desktop of the remote machine is displayed.

4. If you are asked for authentication, enter the username and password that your instructor gave
you.


TASK 3: LOG ON TO A CLUSTER BY USING SYSTEM MANAGER
In this task, you add your cluster management port to the local hosts file, launch System Manager, and log on
to your assigned cluster.
NOTE: For more information about using System Manager to configure a storage system, see the Clustered
Data ONTAP Administration course.
STEP ACTION

1. Verify that you see the Modern view of your assigned Windows server.

2. Click the Desktop tile.

3. Verify that you see the administrator’s desktop.

4. On the administrator’s desktop taskbar, click the Internet Explorer icon.

5. Type the IP address of the cluster1 cluster-management LIF, and then press Enter.

6. Click Continue to this website (not recommended).

7. Type the username admin and the appropriate password, and then click Sign In to log in.

8. Verify that System Manager is logged in to cluster1.

9. In the left pane of System Manager, select Cluster > cluster1.


NOTE: The cluster contains two nodes.

END OF EXERCISE


MODULE 2: NFS VERSION 3

EXERCISE 2: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 3


In this exercise, you create a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), configure the SVM for NFS version 3 (NFSv3), and use the SVM export resources from a Linux
client. (The Linux host has some initial configuration, as described in Appendix B.)

OBJECTIVES
By the end of this exercise, you should be able to:
- Create a data aggregate
- Verify that NFS is licensed
- Create an SVM for NFS
- Create a UNIX group and user
- Define a new export policy and rule
- Allocate an aggregate as a resource for an SVM
- Create the SVM namespace
- Mount the SVM namespace
- Describe the effects of file permissions

TASK 1: CREATE A DATA AGGREGATE


In this task, you create a data aggregate to use for storing client data.
STEP ACTION

1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1,
and select Storage.

2. In the right pane, click Create Aggregate.

3. Verify that the Create Aggregate wizard opens.

4. On the aggregate details page, specify the following information:

- Name: aggr_NFS1
- Disk Type: FCAL on cluster1-01
- Number of Disks: 16
- RAID Type: RAID-DP

5. Click Create.

6. In the left pane, select the Cluster category, expand cluster1 > Storage, and select Aggregates.

7. Verify that the list of aggregates is populated.

8. In the right pane, select the new aggregate aggr_NFS1, and review the aggregate details.

TASK 2: VERIFY THE NFS LICENSE ON A CLUSTER


STEP ACTION

1. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Licenses.

2. Verify that the NFS License package is licensed.

3. If NFS is not licensed, request a license code from your instructor.

TASK 3: CREATE AN SVM


In this task, you create an SVM with NFS as the allowed protocol and a data logical interface (LIF) for NFS
access.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.

2. In the right pane, click Create to display the Storage Virtual Machine (SVM) Setup dialog box.

3. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 1, specify the following
information:
- SVM Name: svmNFS
- IPspace: Default
- Volume Type: FlexVol volumes
- Data Protocols: NFS checkbox selected
- Default Language: C.UTF-8
- Security Style: UNIX
- Root Aggregate: aggr_NFS1
- Search Domains: learn.netapp.local
- Name Servers: 192.168.0.11

4. Click Submit & Continue.

5. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 2, specify the following
information:
- Subnet: sub60
- Port: cluster1-01:e0d

NOTE: This exercise configures a simple NFS server authenticating users via local users and
groups. Be sure to clear the default NIS configuration so that NIS doesn’t get in the way. Do not
skip this step.

Expand NIS Configuration
- Domain Names: Clear the domain name field
- IP Addresses: Clear the IP Addresses field

NOTE: Do not create a volume for export at this time.

6. Click Submit & Continue.

7. In the Storage Virtual Machine (SVM) Setup dialog box, at Step 3, specify the following
information:
- Password: Netapp123
- Confirm Password: Netapp123
- Create a new LIF for SVM management checkbox: selected
- Subnet: sub60
- Port: cluster1-02:e0d

8. Click Submit & Continue.

9. Review the New Storage Virtual Machine (SVM) Summary page.

10. Click OK.

11. Review the new SVM.

12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Protocols, and select NFS.

13. In the right pane, if Server Status is Not Configured, click Enable to activate NFS.

14. Verify that Server Status and Version 3 Support are Enabled.

15. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.

16. In the right pane, click the Network Interfaces tab.

17. Locate the new data LIF that is authorized for the NFS protocol and record the IP address to use
later.


TASK 4: CREATE A UNIX GROUP AND USER
In this task, you create a UNIX group and user based on a local UNIX user.
STEP ACTION

1. On your Windows desktop, double-click the Link to PuTTY icon.

2. Verify that the PuTTY Configuration dialog box opens.

3. Under Saved Sessions, select Linux.

4. Click Load.

5. Click Open to open a session with your storage system.

6. Click Yes to approve the security alert.

7. Verify that you see the login prompt:


login as:

8. At the login prompt, type root.

9. When prompted for the root password, type Netapp123.

10. Verify that you see the command prompt:


#

11. Verify the local student ID:


# id -u student

12. Record the returned value: _____________________

13. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Users and Groups, and select UNIX.

14. In the right pane, on the Groups tab, click Add Group.

15. In the Add Group dialog box, enter the following information:
- Group Name: NFSUserList
- Group ID: Use the student ID.

16. Click Add.

17. Verify that the new group was created.

18. In the right pane, click the Users tab.

19. Click Add User.

20. In the Add User dialog box, enter the following information:
- User Name: student
- User ID: Use the student ID.
- Group Name: NFSUserList
- Full Name: Student NFS User

21. Click Add.

22. Verify that the new user was created and added to the group.


TASK 5: DEFINE A NEW EXPORT POLICY AND RULE
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Policies, and select Export Policies.

2. In the Policy area, select default.


No rule is displayed in the Rule Index area.

3. Click Add.

4. In the Create Export Rule dialog box, specify the following information:
- Client Specification: 0.0.0.0/0
- Rule Index: 1
- Access Protocols: NFS checkbox selected
- Read-Only checkbox: selected
- Read/Write checkbox: selected
- Allow Superuser Access checkbox: selected

5. Click OK.

6. Verify that when you select default in the Policy area, the new rule appears in the Rule Index
area.

7. In the right pane, click Create.

8. In the Create Export Policy dialog box, in the Policy Name box, type readOnly.

9. In the Export Rules area, click Add to create a rule.

10. In the Create Export Rule dialog box, specify the following information:
- Client Specification: 0.0.0.0/0
- Access Protocols: NFSv3 checkbox selected
- Read-Only checkbox: selected
- Read/Write checkbox: cleared
- Allow Superuser Access checkbox: cleared

11. Click OK.

12. Verify the new policy and rule, and then click Create.

13. Note that the new rule is in the first index of the new policy.

14. On your Windows desktop, double-click the Link to PuTTY icon.

15. Verify that the PuTTY Configuration dialog box opens.

16. Under Saved Sessions, select cluster1-mgnt.

17. Click Open to open a session with your storage system.

18. Verify that you see the login prompt:


login as:

19. At the login prompt, type admin.

20. When prompted for the root password, type Netapp123.

21. Verify that you see the command prompt:


cluster1::>

22. List the export rules:


cluster1::> vserver export-policy rule show

The output should resemble this sample:

             Policy          Rule   Access   Client               RO
Vserver      Name            Index  Protocol Match                Rule
------------ --------------- ------ -------- -------------------- ---
svmNFS       default         1      nfs      0.0.0.0/0            any
svmNFS       readOnly        1      nfs3     0.0.0.0/0            any
2 entries were displayed.

23. Review the details behind each rule:


cluster1::> vserver export-policy rule show -instance
The output should resemble this sample:
Vserver: svmNFS
Policy Name: default
Rule Index: 1
Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
2 entries were displayed.

24. Answer the following questions:

- To which user ID are anonymous users mapped (anon=)? _____
- Are any users currently mapped to this ID? _____
  (NOTE: In System Manager, select the Storage Virtual Machines category, expand
  cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and click
  the Users tab to discover the answer.)
- If so, who? _____
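
The rule listing from step 23, checked mechanically. This is an added example, not part of the course material or of NetApp tooling: it parses the `-instance` output shown above and reports rules whose client specification covers every address while the RO, RW or superuser setting is `any`. Treating only the value `any` as a finding is this example's assumption, and the function names are its own.

```python
import ipaddress

# Sample copied from the `vserver export-policy rule show -instance` output above.
SAMPLE_OUTPUT = """\
Vserver: svmNFS
Policy Name: default
Rule Index: 1
Access Protocol: nfs
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

Vserver: svmNFS
Policy Name: readOnly
Rule Index: 1
Access Protocol: nfs3
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: none
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
2 entries were displayed.
"""

CLIENT_KEY = "Client Match Hostname, IP Address, Netgroup, or Domain"

# Field name -> what the value "any" grants to a client that matches the rule.
CHECKS = (
    ("RO Access Rule", "read access with any security type"),
    ("RW Access Rule", "write access with any security type"),
    ("Superuser Security Types", "root is not mapped to the anonymous user"),
)


def parse_rules(text):
    """Split -instance output into one dict per export rule."""
    rules, current = [], {}
    for raw in text.splitlines():
        # Real output is right-aligned, so strip before splitting "Field: value".
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue  # blank separator or the "N entries were displayed." trailer
        if key == "Vserver" and current:
            rules.append(current)  # a new "Vserver:" line starts the next rule
            current = {}
        current[key] = value.strip()
    if current:
        rules.append(current)
    return rules


def matches_every_client(clientmatch):
    """True when the client specification is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(clientmatch, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, netgroup or domain: not a CIDR, so not world-open


def audit(text):
    """Return {(vserver, policy, rule index): [findings]} for every parsed rule."""
    report = {}
    for rule in parse_rules(text):
        ident = (rule.get("Vserver"), rule.get("Policy Name"), rule.get("Rule Index"))
        findings = []
        if matches_every_client(rule.get(CLIENT_KEY, "")):
            for field, meaning in CHECKS:
                values = {v.strip() for v in rule.get(field, "").split(",")}
                if "any" in values:
                    findings.append(f"{field}: {meaning}, for every client address")
        report[ident] = findings
    return report


if __name__ == "__main__":
    for ident, findings in audit(SAMPLE_OUTPUT).items():
        print(ident, findings or "no world-open 'any' grants")
```

With the client specification narrowed to the lab's Linux client (192.168.0.21), neither rule produces a finding.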


TASK 6: ALLOCATE AN AGGREGATE AS A RESOURCE FOR AN SVM
In this task, you enable your newly created SVM to provision the aggregate that you created earlier.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category and select
cluster1.

2. In the right pane, select svmNFS.

3. Click Edit.

4. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.

5. On the Resource Allocation tab, specify the following information:

- Delegate volume creation: selected
- aggr_NFS1 checkbox: selected

6. Click Save and Close to complete the process.


TASK 7: CREATE THE SVM NAMESPACE
In this task, you create two volumes, associate the export policies to each volume, and verify the namespace
for the SVM.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.

2. In the right pane, click Create.

3. In the Create Volume dialog box, specify the following information:

- Name: vol_NFS1
- Aggregate: Use the Choose button to choose aggr_NFS1.
- Storage Type: NAS (Used for CIFS or NFS access)
- Total Size: 1 GB
- Snapshot Reserve (%): 5
- Thin Provisioned checkbox: cleared

4. Click Create.

5. Verify that the volume was created.

6. In the right pane, click Create.

7. In the Create Volume dialog box, specify the following information:

- Name: vol_NFS2
- Aggregate: Use the Choose button to choose aggr_NFS1.
- Storage Type: NAS (Used for CIFS or NFS access)
- Total Size: 1 GB
- Snapshot Reserve (%): 5
- Thin Provisioned checkbox: cleared

8. Verify that the new volume was created.

9. In the left pane, select Namespace.

10. Note that both new volumes are automatically mounted under the root node, with the default
export policy.

11. In the right pane, select the vol_NFS2 node, and then click Change Export Policy.

12. In the Change Export Policy dialog box, select the readOnly policy for vol_NFS2.

13. Click Change.

14. Verify that your namespace is similar to this example.


TASK 8: MOUNT THE SVM NAMESPACE
In this task, you log in as root to the client Linux host and mount the SVM namespace. Then you explore the
results of the export policies.
STEP ACTION

1. Use PuTTY to log in to the Linux client as root.

2. Verify whether rpcbind is started.


# service rpcbind status

NOTE: Within Red Hat Linux 6 and later, portmapper is part of rpcbind.

3. If rpcbind is not running, start it. (If the process is already running, skip this step.)

# service rpcbind start

The output should resemble this sample:

Starting rpcbind: [ OK ]

4. Verify whether the NFS service is running:


# service nfs status

The output should resemble this sample:


rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped

5. Start the NFS service:

# service nfs start

The output should resemble this sample:


Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS mountd: [ OK ]
Stopping RPC idmapd: [ OK ]
Starting RPC idmapd: [ OK ]
Starting NFS daemon: [ OK ]

6. Change the directory to the mount folder:


# cd /mnt

7. Create a mount folder that is named svmNFS-v3:


# mkdir svmNFS-v3

8. Verify the permissions:


# ls -l
The output should resemble this sample:
drwxr-xr-x. 2 root root 4096 Nov 6 12:35 svmNFS-v3

9. Mount the SVM namespace at this new folder:


# mount -t nfs -o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3
NOTE: You recorded the NFS LIF IP address in Task 3 of this exercise.

10. Attempt to change the directory to the mount location:


# cd svmNFS-v3

11. Answer the following question:

Was the previous step successful? _____

12. List the directory contents:


# ls

The output should resemble this sample:


vol_NFS1 vol_NFS2

13. Attempt to create a file in the root directory of the SVM namespace:
# touch foo

14. Answer the following question:


Was the previous step successful? _____

15. List the directory contents:


# ls -l

The output should resemble this sample:


total 8
-rw-r--r--. 1 root root 0 Feb 24 11:49 foo
drwx------. 2 root bin 4096 Feb 24 11:49 vol_NFS1
drwx------. 2 root bin 4096 Feb 24 10:59 vol_NFS2

NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.
In this exercise, files are created in the namespace root for demonstration purposes only.

16. Attempt to change the directory to vol_NFS1:


# cd vol_NFS1

17. Answer the following question:


Was the previous step successful? _____

18. Attempt to create a file:


# touch foo

19. Answer the following question:


Was the previous step successful? _____

20. List the directory contents:


# ls

The output should resemble this sample:


foo

21. Change the directory to vol_NFS2:


# cd ../vol_NFS2

22. Attempt to create a file:


# touch foo

23. Review the readOnly policy (the policy for vol_NFS2) rule permissions.

24. Answer the following questions:

- Were you able to create a file? _____
- Why or why not? _____


TASK 9: DESCRIBE THE EFFECTS OF FILE PERMISSIONS
In this task, you grant global read access to vol_NFS1. Then you change to a student user account and explore
the effect of the current file permissions.
STEP ACTION

1. Navigate to the mount point directory:


# cd /mnt

2. Verify the current permissions:


# ls -l

The output should resemble this sample:


total 4
drwxr-xr-x. 4 root bin 4096 Jun 19 15:48 svmNFS-v3

3. Set the mount point permissions so that everyone has access:


# chmod 777 svmNFS-v3

4. Verify the change:


# ls -l

The output should resemble this sample:


total 4
drwxrwxrwx. 4 root bin 4096 Jun 19 15:48 svmNFS-v3

5. Navigate inside the version 3 mount:


# cd svmNFS-v3

6. Verify the current permissions:


# ls -l

The output should resemble this sample:


total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
drwxr-xr-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2

7. Change the directory permissions of vol_NFS1:

# chmod 705 vol_NFS1

8. Verify the change:

# ls -l

The output should resemble this sample:


total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
drwx---r-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2

9. Navigate to the mount point directory:


# cd /mnt

10. Switch to the student user:


# su student
The output should resemble this sample:
$

11. Attempt to change the directory to the mount location:


$ cd svmNFS-v3

12. Answer the following question:


Was the previous step successful? _____

13. Attempt to create a file in the root directory of the SVM namespace:
$ touch foo1

14. Answer the following question:


Was the previous step successful? _____

15. List the directory’s contents:


$ ls -l

The output should resemble this sample:


total 8
-rw-r--r--. 1 root root 0 Jun 19 15:48 foo
-rw-rw-r--. 1 student student 0 Jun 19 16:02 foo1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:48 vol_NFS1
drwxr-xr-x. 2 root bin 4096 Jun 19 15:42 vol_NFS2
NOTE: A NetApp best practice recommends against creating files in the SVM namespace root.
Files were created in this location for demonstration purposes only.

16. Attempt to change the directory to the vol_NFS1:


$ cd vol_NFS1

17. Answer the following question:


Was the previous step successful? ______

18. Attempt to create a file:


$ touch foo1

19. Answer the following question:


Was the previous step successful? _____

20. Attempt to change the directory to the vol_NFS2:


$ cd ../vol_NFS2

21. Answer the following question:


Was the previous step successful? _____

22. Attempt to create a file:


$ touch foo1

23. Answer the following question:


Was the previous step successful? ______

24. Switch to the root user:


$ su root

25. Enter the root password:


Password: Netapp123
The output should resemble this sample:
#

END OF EXERCISE



MODULE 3: NFS VERSION 4

EXERCISE 3: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4


In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), for NFS version 4 (NFSv4) and use the SVM export resources from a Linux client. This exercise
explores NFSv4 referrals, access control lists (ACLs), and read and write delegations.

OBJECTIVES
By the end of this exercise, you should be able to:
• Configure an SVM with a new storage volume and logical interface (LIF)
• Enable NFSv4 features on an SVM and client
• Describe an NFSv4 export on a client
• Create NFSv4 ACLs

TASK 1: CONFIGURE AN SVM WITH A NEW STORAGE VOLUME AND LIF


In this task, you create an aggregate in the cluster and a storage volume and LIF for the SVM that you created
in an earlier exercise. You then add this volume to the namespace. You will use the new volume and LIF to
demonstrate NFSv4 referrals in Task 3.
STEP ACTION

1. In the left pane of OnCommand System Manager, select the Cluster category, expand cluster1
> Storage, and select Aggregates.

2. In the right pane, click Create.

3. Verify that the Create Aggregate wizard opens.


4. On the aggregate details page, specify the following information:


• Name: aggr_NFS2
• Disk Type: FCAL on cluster1-02
• Number of Disks: 16
• RAID Configuration: RAID-DP

5. Click Create.

6. Verify that the new aggregate appears in the Aggregates list.

7. In the left pane, select the Storage Virtual Machines category and select cluster1.

8. In the right pane, select svmNFS, and then click Edit.

9. In the Edit Storage Virtual Machine dialog box, click the Resource Allocation tab.


10. Select the aggr_NFS2 checkbox for the new aggregate.

11. Click Save and Close.


12. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Volumes.

13. In the right pane, click Create.


14. In the Create Volume dialog box, specify the following information:
• Name: vol_NFS3
• Aggregate: aggr_NFS2
• Total Size: 1 GB
• Snapshot Reserve (%): 5
• Thin Provisioned checkbox: cleared

NOTE: Use the Choose button to select the correct Aggregate value.

15. Click Create.


16. Verify that your new volume was created.

17. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace.


18. Verify the export policy and namespace mounted location of the new volume.

19. In the left pane, select the Cluster category, expand cluster1 > Configuration, and select
Network.

20. In the right pane, click the Network Interfaces tab to begin creating a data LIF.

21. In the right pane, click Create.

22. Verify that the Create Network Interface wizard has opened.


23. On the network interface properties page, specify the following information:
• Name: svmNFS_nfs_lif2
• Interface Role: Serves Data
• SVM: svmNFS
• Protocol Access NFS checkbox: selected
• Subnet: sub60
• Port: cluster1-02:e0d

24. Click Create.


25. Verify the new LIF, and record the IP address to use later.



TASK 2: ENABLE NFSV4 FEATURES ON AN SVM AND CLIENT
In this task, you enable NFSv4 features in System Manager and then configure the domain ID in the CLI of
the cluster. You then set the domain ID on the client.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Protocols, and select NFS.

2. In the right pane, click Edit.


3. In the Edit NFS Settings dialog box, specify the following information:
• Support version 3 checkbox: selected
• Support version 4.0 checkbox: selected
• ACLs checkbox: selected
• Read delegation checkbox: selected
• Write delegation checkbox: selected

4. Click Save and Close.


5. Verify that Version 3 Support and Version 4 Support are Enabled on this SVM.

6. Use PuTTY to launch a Secure Shell (SSH) session to the cluster management interface of your
assigned cluster.

7. Set the interface to advanced privilege:


cluster1::> set -privilege advanced

8. At the prompt, type y:


Do you want to continue? {y|n}: y

9. View the current NFS settings of your SVM:


cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-domain,v4.0-referrals
vserver v4.0-referrals v4-id-domain
------- -------------- ------------
svmNFS disabled defaultv4iddomain.com

10. Set the v4 ID domain to example.com and turn on NFSv4 referrals:


cluster1::*> vserver nfs modify -vserver svmNFS -v4-id-domain example.com -v4.0-referrals enabled


11. Verify the changes:


cluster1::*> vserver nfs show -vserver svmNFS -fields v4-id-domain,v4.0-referrals
vserver v4.0-referrals v4-id-domain
------- -------------- ------------
svmNFS enabled example.com

12. Log in to the Linux client as root.

13. Edit the /etc/idmapd.conf file:


# vi /etc/idmapd.conf

14. Scroll down until you see the following output:


[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain…

15. Type i to enter insert mode.

16. Remove the hash symbol (#) that appears before Domain in the output.

17. Delete the existing domain name.

18. Type example.com as your domain name.

19. Verify the changed domain name in the output:


[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com

20. Press ESC to exit insert mode.

21. Type :wq to save and exit the vi editor.

22. Review the contents of the file and verify that the changes occurred:
# cat /etc/idmapd.conf
The output should resemble this sample:
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = example.com


23. Restart the rpcidmapd service:


# service rpcidmapd restart
NOTE: This step is required because of the changes that you made to the
/etc/idmapd.conf file.

TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT


In this task, you use NFSv4 to mount a file system and explore the results. You create a second SSH session
and use tcpdump to analyze the Ethernet traffic and verify the NFSv4 referral feature.
STEP ACTION

1. After the rpcidmapd restart completes, leave this Linux session open.
NOTE: For the remainder of this exercise, this session is called SESSION 1.

2. Change the directory to the mount folder:


# cd /mnt

3. Create a mount folder that is named svmNFS-v4:


# mkdir svmNFS-v4

4. Open a second PuTTY session to the Linux machine and log in as the root user.
NOTE: For the remainder of this exercise, this session will be called SESSION 2.

5. On SESSION 2, start tcpdump and filter its output for 2049:


# tcpdump -nv | grep 2049

6. Answer the following question:


Why are you looking for 2049? _____

7. With the SESSION 2 window visible, on SESSION 1, use the IP address of the first LIF
(svmNFS_nfs_lif1) on the svmNFS SVM to create an NFSv4 mount of the SVM namespace:
# mount -t nfs4 -o acl 192.168.0.60:/ /mnt/svmNFS-v4

8. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? _____

9. On SESSION 1, use NFS version 3 (NFSv3) to remount the SVM:


# mount -t nfs -o nfsvers=3 192.168.0.60:/ /mnt/svmNFS-v3

10. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? _____


11. On SESSION 1, verify the current mounts:


# mount
The output should resemble this sample:

192.168.0.60:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)
192.168.0.60:/ on /mnt/svmNFS-v4 type nfs4
(rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21)

12. On SESSION 1, change the directory to the NFSv4-attached mount point:


# cd svmNFS-v4

13. Answer the following question:


Using SESSION 2, which SVM interface is used for this operation? _____

14. On SESSION 1, list the directory:


# ls -l

15. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? _____

16. On SESSION 1, change the directory to vol_NFS3:


# cd vol_NFS3
The output on SESSION 2 should resemble this sample:

192.168.0.21.699965736 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.699965736: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.716742952 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.716742952: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.732889002 > 192.168.0.62.2049: 40 null
192.168.0.62.2049 > 192.168.0.21.732889002: reply ok 24 null
192.168.0.21.749666218 > 192.168.0.62.2049: 108 getattr fh 0,0/24
192.168.0.62.2049 > 192.168.0.21.749666218: reply ok 248 getattr NON 3 ids 0/10 sz 0
192.168.0.21.766443434 > 192.168.0.62.2049: 136 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.766443434: reply ok 92 getattr NON 2 ids 0/9 sz 0
192.168.0.21.783220650 > 192.168.0.62.2049: 140 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.783220650: reply ok 108 getattr NON 2 ids 0/9 sz 0…

17. Answer the following questions:


• Using SESSION 2, which SVM LIF is used for this operation? _____
• Why? _____

18. On SESSION 1, navigate to the NFSv3 mount point:


# cd /mnt/svmNFS-v3

19. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? _____


20. On SESSION 1, change the directory to vol_NFS3:


# cd vol_NFS3
The output on SESSION 2 should resemble this sample:

192.168.0.21.3320203757 > 192.168.0.60.2049: 144 readdirplus fh
Unknown/00010000040400800000000040000000DC605F00010400800000000040000000 4096 bytes @ 0 max
32768 verf 0000000000000000
192.168.0.60.2049 > 192.168.0.21.3320203757: reply ok 300 readdirplus POST: DIR 755 ids
0/0 sz 4096 verf 0000000000000000

21. Answer the following questions:


• Using SESSION 2, which SVM LIF is used for this operation? _____
• Why? _____

22. On SESSION 1, change the directory to the NFSv4-attached mount point:


# cd /mnt/svmNFS-v4

23. On SESSION 1, list the directory:


# ls -l
total 12
-rw-r--r--. 1 root root 0 Nov 6 12:44 foo
-rw-rw-r--. 1 student nobody 0 Nov 6 12:50 foo1
drwxr-xr-x. 2 root root 4096 Nov 6 12:45 vol_NFS1
drwxr-xr-x. 2 root root 4096 Nov 6 12:22 vol_NFS2
drwxr-xr-x. 2 root root 4096 Nov 6 13:00 vol_NFS3

NOTE: These names are resolved by default because System Manager 2.2 and later create the
root user (id=0) and the daemon group (id=1). Without these users and group, the output would
resemble the following:
total 12
-rw-r--r--. 1 nobody nobody 0 Nov 6 12:44 foo
-rw-rw-r--. 1 nobody nobody 0 Nov 6 12:50 foo1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:45 vol_NFS1
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 12:22 vol_NFS2
drwxr-xr-x. 2 nobody nobody 4096 Nov 6 13:00 vol_NFS3
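
Reading the SESSION 2 output by eye gets error-prone once the capture scrolls. The following is an added example, not part of the original exercise guide: a Python tally of NFS calls per server address, run here over the sample lines from step 16. The function names are this example's own.

```python
"""Tally NFS calls per server address from `tcpdump -nv | grep 2049` lines."""
import re
from collections import Counter

NFS_PORT = 2049

# tcpdump's NFS decoder prints "client.xid > server.port" for a call and
# "server.port > client.xid" for the reply: the number after the client
# address is the RPC transaction ID, not a source port.
LINE = re.compile(r"^(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.+)$")

# Sample lines copied from the SESSION 2 output shown in step 16.
SAMPLE = """\
192.168.0.21.699965736 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.699965736: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.716742952 > 192.168.0.60.2049: 156 getattr fh 0,0/22
192.168.0.60.2049 > 192.168.0.21.716742952: reply ok 180 getattr NON 3 ids 0/15 sz 0
192.168.0.21.732889002 > 192.168.0.62.2049: 40 null
192.168.0.62.2049 > 192.168.0.21.732889002: reply ok 24 null
192.168.0.21.749666218 > 192.168.0.62.2049: 108 getattr fh 0,0/24
192.168.0.62.2049 > 192.168.0.21.749666218: reply ok 248 getattr NON 3 ids 0/10 sz 0
192.168.0.21.766443434 > 192.168.0.62.2049: 136 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.766443434: reply ok 92 getattr NON 2 ids 0/9 sz 0
192.168.0.21.783220650 > 192.168.0.62.2049: 140 getattr fh 0,0/22
192.168.0.62.2049 > 192.168.0.21.783220650: reply ok 108 getattr NON 2 ids 0/9 sz 0
"""


def parse_calls(lines):
    """Return one dict per NFS call, in capture order, paired with its reply."""
    calls = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # IP header lines printed by -v, wrapped text, and so on
        src, src_id, dst, dst_id, body = m.groups()
        words = body.split()
        if words[0] == "reply":
            if int(src_id) != NFS_PORT:
                continue
            call = calls.get((dst, src, dst_id))  # match on client, server, xid
            if call is not None:
                call["status"] = words[1] if len(words) > 1 else "?"
        elif int(dst_id) == NFS_PORT and len(words) >= 2:
            # Call body is "<length> <operation> [arguments]".
            calls[(src, dst, src_id)] = {
                "xid": int(src_id), "client": src, "server": dst,
                "op": words[1], "status": None,
            }
    return list(calls.values())


def ops_per_server(calls):
    """Map each server address to a Counter of the operations sent to it."""
    tally = {}
    for call in calls:
        tally.setdefault(call["server"], Counter())[call["op"]] += 1
    return tally


def server_switches(calls):
    """List (old_server, new_server, first_op) each time the client changes server."""
    switches, previous = [], None
    for call in calls:
        if previous is not None and call["server"] != previous:
            switches.append((previous, call["server"], call["op"]))
        previous = call["server"]
    return switches


def unanswered(calls):
    """Calls with no reply in the capture, or a reply other than 'ok'."""
    return [c for c in calls if c["status"] != "ok"]


if __name__ == "__main__":
    seen = parse_calls(SAMPLE.splitlines())
    for server, ops in ops_per_server(seen).items():
        print(server, dict(ops))
    for old, new, op in server_switches(seen):
        print(f"client moved from {old} to {new} (first call: {op})")
    print("unanswered calls:", len(unanswered(seen)))
```
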



TASK 4: CREATE NFSV4 ACLS
In this task, you create NFSv4 ACLs and verify the results of setting an ACL. This task uses SESSION 1
only. You do not use SESSION 2. Either close SESSION 2 now or use it for your own research as you
complete this task.
STEP ACTION

1. Verify the directory location and the NFSv4 mount location:


# pwd
/mnt/svmNFS-v4

2. Change the directory to vol_NFS3:


# cd vol_NFS3

3. Create a file that is named foo:


# touch foo

4. List the directory:


# ls -l
total 0
-rw-r--r--. 1 root root 0 Jun 19 16:43 foo
5. Explore the default file ACL:
# nfs4_getfacl foo
The output should resemble this sample:
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
6. Change the directory up one level:
# cd ..

7. Switch to the student user:


# su student
The output should resemble this sample:
$

8. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3

9. Answer the following question:


Was the previous step successful? _____

10. Switch to the root user:


$ su root


11. Enter the root user password:


Password: Netapp123
The output should resemble this sample:
#

12. Navigate to the svmNFS-v4 directory:


# cd /mnt/svmNFS-v4

13. Explore the ACL for the vol_NFS3 directory:


# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
14. Add an ALLOW ACE that gives the student user account (user ID 500) permission to read, write,
execute, read attributes, read named attributes, read the ACL, and use synchronous I/O with the
SVM:
# nfs4_setfacl -a A::500:rwxtncy vol_NFS3

15. Verify the current ACL for the vol_NFS3 directory:


# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::student@example.com:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
16. Navigate to the vol_NFS3 directory:
# cd vol_NFS3

17. Deny the student (user ID 500) user account access to the foo file:
# nfs4_setfacl -a D::500:rwxtncy foo

18. Verify the current ACL for the foo file:


# nfs4_getfacl foo
The output should resemble this sample:
D::student@example.com:rwxtcy
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy

19. Navigate to the svmNFS-v4 directory:


# cd /mnt/svmNFS-v4


20. Switch to the student user:


# su student
The output should resemble this sample:
$

21. Attempt to use the student user account to change the directory to vol_NFS3:
$ cd vol_NFS3

22. Answer the following question:


Was the previous step successful? _____

23. Create a file that is named foo2:


$ touch foo2

24. Verify the file:


$ ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Jun 19 16:43 foo
-rw-rw-r--. 1 student nobody 0 Jun 19 16:56 foo2
25. Attempt to create a subdirectory:
$ mkdir test

26. Answer the following questions:


• Was the previous step successful? _____
• Why or why not? _____

27. Attempt to read the foo file:


$ cat foo

28. Answer the following question:


Was the previous step successful? _____

29. Switch the user to root:


$ su root

30. Enter the root user password:


Password: Netapp123
The output should resemble this sample:
#

31. Change the directory up one level:


# cd ..


32. Verify the current ACL for the vol_NFS3 directory:


# nfs4_getfacl vol_NFS3
A::student@example.com:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
33. Test the removal of the first access control entry (ACE) from the ACL for the vol_NFS3
directory without applying the change:
# nfs4_setfacl --test -x 1 vol_NFS3
## Test mode only - the resulting ACL for "/mnt/svmNFS-v4/vol_NFS3":
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
34. Remove the first ACE from the vol_NFS3 directory ACL:
# nfs4_setfacl -x 1 vol_NFS3

35. Verify the changed ACL for the vol_NFS3 directory:


# nfs4_getfacl vol_NFS3
The output should resemble this sample:
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
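
The ACLs in this task are evaluated top to bottom, so the position of an ACE matters as much as its permission letters. The following is an added example, not part of the original exercise guide: a small Python model that parses the `nfs4_getfacl` text shown in steps 15 and 18 and walks the ACEs in order. It assumes the objects are owned by root with group root (as in the `ls -l` listings), that student's only group is its own, and that a permission no ACE mentions is denied.

```python
"""Evaluate NFSv4 ACLs given in nfs4_getfacl text form (illustrative model)."""
from dataclasses import dataclass

# Permission letters from nfs4_acl(5). On a directory r/w/a/x mean
# list / create file / create subdirectory / change into it.
PERM_LETTERS = set("rwaxdDtTnNcCoy")

DIR_ACL = """\
A::student@example.com:rwxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""  # vol_NFS3 after step 14

FOO_ACL = """\
D::student@example.com:rwxtcy
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
"""  # foo after step 17


@dataclass(frozen=True)
class Ace:
    kind: str         # "A" allow, "D" deny; "U"/"L" are parsed but not evaluated
    flags: str        # "g" = principal is a group, "i" = inherit-only
    who: str          # OWNER@, GROUP@, EVERYONE@ or name@domain
    perms: frozenset


def parse_acl(text):
    aces = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in ("A", "D", "U", "L"):
            raise ValueError(f"line {lineno}: not type:flags:principal:perms: {line!r}")
        unknown = set(fields[3]) - PERM_LETTERS
        if unknown:
            raise ValueError(f"line {lineno}: unknown permission letters {sorted(unknown)}")
        aces.append(Ace(fields[0], fields[1], fields[2], frozenset(fields[3])))
    return aces


def applies(ace, user, groups, owner, owning_group):
    if "i" in ace.flags:            # inherit-only ACEs affect children only
        return False
    if ace.who == "EVERYONE@":
        return True
    if ace.who == "OWNER@":
        return user == owner
    if ace.who == "GROUP@":
        return owning_group in groups
    return ace.who in groups if "g" in ace.flags else ace.who == user


def check(acl, wanted, user, groups, owner, owning_group):
    """Return (granted, reason) for the permission letters in `wanted`.

    ACEs are read in order (RFC 7530, section 6.2.1): each requested bit is
    settled by the first applicable ACE that mentions it, and a DENY on a bit
    that is still open ends the walk. Bits that no ACE settles are denied
    (assumption of this model).
    """
    pending = set(wanted)
    if not pending:
        raise ValueError("no permission requested")
    for index, ace in enumerate(acl, 1):
        if ace.kind not in ("A", "D") or not applies(ace, user, groups, owner, owning_group):
            continue
        hit = pending & ace.perms
        if hit and ace.kind == "D":
            return False, f"ACE {index} denies {''.join(sorted(hit))}"
        pending -= hit
        if not pending:
            return True, f"settled by ACE {index}"
    return False, f"no ACE allows {''.join(sorted(pending))}"


def lab_checks():
    """The student requests from steps 21 to 27, plus two reordering cases."""
    who = dict(user="student@example.com", groups={"student@example.com"},
               owner="root@example.com", owning_group="root@example.com")
    d, f = parse_acl(DIR_ACL), parse_acl(FOO_ACL)
    return {
        "cd vol_NFS3": check(d, "x", **who),
        "touch foo2": check(d, "w", **who),
        "mkdir test": check(d, "a", **who),
        "cat foo": check(f, "r", **who),
        "cat foo, DENY moved last": check(f[1:] + f[:1], "r", **who),
        "touch after -x 1": check(d[1:], "w", **who),
    }


if __name__ == "__main__":
    for request, (granted, reason) in lab_checks().items():
        print(f"{request:26} {'granted' if granted else 'denied':8} {reason}")
```

`nfs4_setfacl -a` inserts at index 1 unless an index is given, which is why the DENY ACE from step 17 lands ahead of EVERYONE@ and takes effect; the "DENY moved last" case shows the same ACE having no effect once an earlier ALLOW has settled the bit.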

END OF EXERCISE



MODULE 4: NFS VERSION 4.1

EXERCISE 4: CONFIGURING A STORAGE VIRTUAL MACHINE FOR NFS VERSION 4.1


In this exercise, you configure a storage virtual machine (SVM), previously called a virtual storage server
(Vserver), for NFS version 4.1 (NFSv4.1). You use the SVM export resources from a compatible Linux
client.

OBJECTIVES
By the end of this exercise, you should be able to:
• Configure an SVM for NFSv4.1
• Describe an NFSv4.1 export on a client
• Analyze the effects of a volume move operation on parallel NFS (pNFS)

TASK 1: CONFIGURE AN SVM FOR NFSV4.1


In this task, you enable NFSv4.1 features within OnCommand System Manager and then configure the
domain ID in the CLI of the cluster.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
svmNFS > Configuration > Protocols, and select NFS.

2. In the right pane, click Edit.


3. Verify that the Support version 3, Support version 4.0, and Support version 4.1 checkboxes are
selected.

4. Click Save and Close.

5. Verify that NFS Version 3 Support, Version 4 Support, and Version 4.1 Support are Enabled on
this SVM.

6. Launch a PuTTY session to the CLI of your assigned Data ONTAP cluster.

7. Set the interface to advanced privilege:


cluster1::> set -privilege advanced


8. At the prompt, type y:


Do you want to continue? {y|n}: y

9. Verify the current settings of your NFS server:


cluster1::*> vserver nfs show -vserver svmNFS
The output should resemble this sample:
Vserver: svmNFS
General NFS Access: true
RPC GSS Context Cache High Water Mark: 0
RPC GSS Context Idle: 0
NFS v3: enabled
NFS v4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Spin Authentication: disabled
Default Windows User: -
Enable NFSv3 EJUKEBOX error: true
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
Vserver NTFS Unix Security Options: use_export_policy
Vserver Change Ownership Mode: use_export_policy
NFS Response Trace Enabled: false
NFS Response Trigger (in secs): 60
UDP Maximum Transfer Size: 32768
TCP Maximum Transfer Size: 65536
NFSv3 TCP Maximum Read Size: 65536
NFSv3 TCP Maximum Write Size: 65536
NFSv4.0 ACL Support: enabled
NFSv4.0 Read Delegation Support: enabled
NFSv4.0 Write Delegation Support: enabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
NFSv4.0 Referral Support: enabled
NFSv4 ID Mapping Domain: learn.netapp.local
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
NFSv4 Lease Timeout Value (in secs): 30
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL : enabled
NFSv4.1 Minor Version Support: enabled
Rquota Enable: disabled
NFSv4.1 Implementation ID Domain: netapp.com
NFSv4.1 Implementation ID Name: NetApp Release 8.2RC1 Cluster-Mode
NFSv4.1 Implementation ID Date: Tue Mar 26 21:02:39 2013
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 Referral Support: disabled
NFSv4.1 ACL Support: disabled
NFS vStorage Support: disabled
Default Windows Group: -
NFSv4.1 Read Delegation Support: disabled
NFSv4.1 Write Delegation Support: disabled
Number of Slots in the NFSv4.x Session slot tables: 180
Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes): 640
Maximum Number of ACEs per ACL: 400
NFS Mount Root Only: enabled
NFS Root Only: disabled

10. Review the output and note that NFSv4.1 pNFS support is enabled by default.


11. Turn on NFSv4.1 access control lists (ACLs) and set the implementation domain and name:
cluster1::*> vserver nfs mod -vserver svmNFS -v4.1-acl enabled -v4.1-implementation-domain example.com -v4.1-implementation-name example

12. Verify the changes:


cluster1::*> vserver nfs show -vserver svmNFS
The output should resemble this sample:
Vserver: svmNFS
General NFS Access: true
RPC GSS Context Cache High Water Mark: 0
RPC GSS Context Idle: 0
NFS v2: disabled
NFS v3: enabled
NFSv4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Spin Authentication: disabled
Default Windows User: -
Enable NFSv3 EJUKEBOX error: false
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
Vserver NTFS Unix Security Options: use_export_policy
Vserver Change Ownership Mode: use_export_policy
NFS Response Trace Enabled: false
NFS Response Trigger (in secs): 60
UDP Maximum Transfer Size: 32768
TCP Maximum Transfer Size: 65536
NFSv4.0 ACL Support: enabled
NFSv4.0 Read Delegation Support: enabled
NFSv4.0 Write Delegation Support: enabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
NFSv4.0 Referral Support: enabled
NFSv4 ID Mapping Domain: example.com
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
NFSv4 Lease Timeout Value (in secs): 30
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL : enabled
NFSv4.1 Minor Version Support: enabled
Rquota Enable: disabled
NFSv4.1 Implementation ID Domain: example.com
NFSv4.1 Implementation ID Name: example
NFSv4.1 Implementation ID Date: Wed Dec 31 16:00:00 1969
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 Referral Support: disabled
NFSv4.1 ACL Support: enabled
NFS vStorage Support: disabled


13. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration, and select Network.

14. In the right pane, on the Network Interfaces tab, verify that the current port is the same as the
home port (not failed over) for each network interface.
NOTE: LIF1 should be on node 1 and LIF2 should be on node 2.


15. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Storage, and select Namespace to display the current namespace for the SVM.


16. In the left pane, select Volumes and verify that vol_NFS1 and vol_NFS2 are on node 1 and that
vol_NFS3 is on node 2.
NOTE: Multiple volumes on multiple nodes are accessible by multiple logical interfaces (LIFs).



TASK 2: DESCRIBE AN NFSV4.1 EXPORT ON A CLIENT
In this task, you use NFSv4.1 to mount a file system and you explore the results. You create a second PuTTY
session and use tcpdump to analyze the Ethernet traffic and to verify the NFSv4.1 pNFS feature.
STEP ACTION

1. Log in to the Linux client as root.


NOTE: For the remainder of this exercise, this session is called SESSION 1.

2. Edit the dist.conf file:


# vi /etc/modprobe.d/dist.conf

3. Use the arrow keys to navigate to the bottom of the file.

4. Enter insert mode by typing i:


i

5. Press Enter to create a new line.

6. Enter the following alias configuration:


alias nfs-layouttype4-1 nfs_layout_nfsv41_files

7. Press ESC to exit insert mode.

8. Type :wq to save and quit the editor.

9. Review the file to determine whether you correctly edited the dist.conf file:
# tail /etc/modprobe.d/dist.conf

10. Restart rpcidmapd:


# /etc/rc.d/init.d/rpcidmapd restart

11. Change the directory to the mount folder:


# cd /mnt

12. Create a mount folder that is named svmNFS-v41:


# mkdir svmNFS-v41

13. Open a second PuTTY session to the Linux machine and log in as root.
NOTE: For the remainder of this exercise, this session is called SESSION 2.

14. On SESSION 2, start tcpdump and filter its output for 2049:


# tcpdump -nv | grep 2049

15. With the SESSION 2 window visible, on SESSION 1, use the IP address of svmNFS-lif1 on the
svmNFS SVM to create an NFSv4.1 mount of the SVM namespace:
# mount -t nfs4 -o minorversion=1,acl 192.168.0.60:/ /mnt/svmNFS-v41


16. Answer the following questions:


• Using SESSION 2, which SVM interface is used for this operation? _____
• Which node in the cluster is the pNFS metadata server? _____

17. Verify the current mounts:


# mount
The output should resemble this sample:

192.168.0.161:/ on /mnt/svmNFS-v3 type nfs (rw,nfsvers=3,addr=192.168.0.60)
192.168.0.161:/ on /mnt/svmNFS-v4 type nfs4
(rw,acl,addr=192.168.0.60,clientaddr=192.168.0.21)
192.168.0.161:/ on /mnt/svmNFS-v41 type nfs4
(rw,minorversion=1,acl,addr=192.168.0.60,clientaddr=192.168.0.21)

18. On SESSION 1, change the directory to the NFSv4.1-attached mount point:


# cd svmNFS-v41

19. Answer the following question:


Using SESSION 2, which SVM interface is used for this operation? _____

20. On SESSION 1, list the directory:


# ls -l
The output should resemble this sample:
total 12
-rw-r--r--. 1 root root 0 Mar 4 12:44 foo
-rw-rw-r--. 1 student nobody 0 Mar 4 12:50 foo1
drwxr-xr-x. 2 root root 4096 Mar 4 12:45 vol_NFS1
drwxr-xr-x. 2 root root 4096 Mar 4 12:22 vol_NFS2
drwxr-xr-x. 2 root root 4096 Mar 4 14:04 vol_NFS3
21. Answer the following question:
Using SESSION 2, which SVM interface is used for this operation? _____

22. On SESSION 1, access a volume on the metadata server:


# cd vol_NFS1

23. On SESSION 1, list the directory:


# ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Mar 4 12:45 foo

24. Answer the following questions:


• Using SESSION 2, which SVM interface is used for this operation? _____
• On which node is this interface? _____


25. On SESSION 1, navigate up one level:


# cd ..

26. On SESSION 1, access a volume on a data server:


# cd vol_NFS3

27. On SESSION 1, list the directory:


# ls -l
The output should resemble this sample:
total 0
-rw-r--r--. 1 root root 0 Mar 4 13:42 foo
-rw-rw-r--. 1 nobody nobody 0 Mar 4 13:53 foo2
28. Answer the following questions:
• Using SESSION 2, which SVM interface is used for this operation? _____
• On which node is this interface? _____

29. Edit the foo file:


# vi foo

30. Type i to enter insert mode.

31. Enter some data.

32. Press ESC to exit insert mode.

33. Type :wq to save and quit the editor.

34. Answer the following questions:


• Using SESSION 2, which SVM interface is used for this operation? _____
• On which node is this interface? _____

35. Use SESSION 2 to further explore pNFS and which interface is used for each file operation.
NOTE: pNFS is complex, and which interface is used is sometimes unclear. The file-system
operations (read and write) on a volume that is mounted on node 1 and node 2 are in your
assigned cluster on SESSION 1.



TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS
In this task, you move a volume from node 2 to node 1 and analyze the results on a Linux client.
STEP ACTION

1. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Storage, and select Volumes.

2. In the right pane, select vol_NFS3 on node 2.

3. Click Move.


4. In the Move Volume dialog box, in the Destination Aggregate section, select aggr_NFS1.

5. Click Move.

6. In the Move Volume confirmation dialog box, click Move.

7. After the move volume operation is complete, the Move Volume dialog box displays a Job ID.


8. Click the Job ID value.

9. Note the state of the move volume job.

10. On SESSION 1, perform some read and write operations to the vol_NFS3 directory while the
move volume operation is running.
For example, run the ls -l, cat, and touch commands.

11. On SESSION 2, verify which interfaces are used during the operations.

12. In the right pane of System Manager, on the Current Jobs tab, click Refresh.

13. On SESSION 1, perform a few read and write operations to the vol_NFS3 directory while the
volume move operation is running.
For example, run the ls -l, cat, and touch commands.


14. On SESSION 2, verify which interfaces are used during the operations.

15. Answer the following questions:
• Which interface is used for write operations? _____
• Which interface is used for read operations? _____
• Which interface is used for getattrib operations? _____

END OF EXERCISE

MODULE 5: PERFORMANCE AND BASIC TROUBLESHOOTING

No exercise is associated with Module 5.

APPENDIX A: ANSWERS

MODULE 1: NFS OVERVIEW


No answers provided.

MODULE 2: NFS VERSION 3

TASK 5: DEFINE A NEW EXPORT POLICY AND RULE


STEP ACTION

24. Answer the following questions:
• To which user ID are anonymous users mapped (anon=)? 65534
• Are any users currently mapped to this ID? yes
(NOTE: In System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Local users and Groups, select UNIX, and
click the Users tab to discover the answer.)
• If so, who? pcuser

TASK 8: MOUNT THE SVM NAMESPACE


STEP ACTION

11. Answer the following question:


Was the previous step successful? yes

14. Answer the following question:


Was the previous step successful? yes

17. Answer the following question:


Was the previous step successful? yes

19. Answer the following question:


Was the previous step successful? yes

24. Answer the following questions:


Were you able to create a file? no; read-only file system
Why or why not? The export policy’s rule associated with this volume is set to read-only.

TASK 9: EXPLORE FILE PERMISSIONS
STEP ACTION

12. Answer the following question:


Was the previous step successful? yes

14. Answer the following question:


Was the previous step successful? yes

17. Answer the following question:


Was the previous step successful? yes

19. Answer the following question:


Was the previous step successful? no; permission denied

21. Answer the following question:


Was the previous step successful? yes

23. Answer the following question:


Was the previous step successful? no; read-only file system

MODULE 3: NFS VERSION 4

TASK 3: DESCRIBE AN NFSV4 EXPORT ON A CLIENT


STEP ACTION

6. Answer the following question:


Why are you looking for 2049? because that is the port that nfsd uses

8. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1

10. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1

13. Answer the following question:


Using SESSION 2, which SVM interface is used for this operation? svmNFS_nfs_lif1

15. Answer the following questions:


Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1

17. Answer the following questions:
• Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif2
• Why? Because the volume is on node 2 and the original LIF was on node 1, a referral
occurred moving the access LIF to svmNFS-lif2.

19. Answer the following question:


Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1

21. Answer the following questions:
• Using SESSION 2, which SVM LIF is used for this operation? svmNFS_nfs_lif1
• Why? because NFSv3 does not do referrals

TASK 4: CREATE NFSV4 ACLS


STEP ACTION

9. Answer the following question:


Was the previous step successful? yes

22. Answer the following question:


Was the previous step successful? yes

26. Answer the following questions:
• Was the previous step successful? no, permission was denied
• Why or why not? because student user does not have the append (“a”) permission

28. Answer the following question:


Was the previous step successful? no, permission was denied

MODULE 4: NFS VERSION 4.1

TASK 2: EXPLORE AN NFSV4.1 EXPORT ON A CLIENT


STEP ACTION

16. Answer the following questions:
• Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
• Which node in the cluster is the pNFS metadata server? node 1

19. Answer the following question:


Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1

21. Answer the following question:


Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1

24. Answer the following questions:
• Using SESSION 2, which SVM interface is used for this operation? the svmNFS-lif1
• On which node is this interface? node 1

TASK 3: ANALYZE THE EFFECTS OF A VOLUME MOVE OPERATION ON PNFS


STEP ACTION

15. Answer the following questions:
• Which interface is used for write operations? svmNFS-lif1
• Which interface is used for read operations? svmNFS-lif1
• Which interface is used for getattrib operations? svmNFS-lif1

APPENDIX B: KERBEROS AUTHENTICATION

EXERCISE A
In this exercise, you configure Active Directory Kerberos authentication for an NFS mount.

OBJECTIVES
By the end of this exercise, you should be able to:
• Configure clustered Data ONTAP for NFS Active Directory authentication
• Configure Windows for NFS Active Directory authentication
• Configure Linux for NFS Active Directory authentication

TASK 1: CONFIGURE CLUSTERED DATA ONTAP FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you configure Kerberos in the cluster. You then configure a storage virtual machine (SVM)
logical interface (LIF) to use the Kerberos configuration, while specifying a service principal name (SPN) for the
SVM. Finally, you confirm that the SPN is mapping appropriately.
STEP ACTION

1. From a Secure Shell (SSH) session, log in to your cluster as admin.

2. Set a preferred Active Directory server for svmNFS:


cluster1::> vserver active-directory preferred-dc add -vserver svmNFS
-domain learn.netapp.local -preferred-dc 192.168.0.11

3. Verify the preferred server:


cluster1::> vserver active-directory preferred-dc show


4. In the left pane of System Manager, select the Cluster category, expand cluster1 >
Configuration > System Tools, and select Date and Time.

5. In the right pane, click Edit.

6. In the Edit Date and Time dialog box, specify the following information:
• Time Zone: US/Pacific (or the time zone of your assigned Active Directory server)
• Time Servers: 192.168.0.11
NOTE: Use the Add button to add the entry for Time Servers.


7. Click OK.

8. Verify that the cluster date and time synchronize to within 5 minutes of your kit’s Windows
machine. This process can take several minutes.


9. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select Kerberos Realm.

10. In the right pane, click Create.

11. Verify that the Create Kerberos Realm wizard opens.


12. Click Next.

13. On the Basic Details page, specify the following information:
• Kerberos Realm: learn.netapp.local
• KDC IP Address: 192.168.0.11
• KDC Port: 88
• KDC Vendor: Microsoft

14. Click Next.


15. On the Advanced Details page, specify the following information:
• Password Server IP: 192.168.0.11
• AD Server Name: w2k12
• AD Server IP: 192.168.0.11

16. Click Next.


17. Verify the configuration.

18. Click Next.

19. Verify that the operation was successful.

20. Click Finish.


21. Verify that Kerberos is configured properly for the SVM.

22. In the left pane of System Manager, select the Storage Virtual Machines category, expand
cluster1 > svmNFS > Configuration > Services, and select DNS.


23. Verify that DNS services are properly configured to the Microsoft DNS server.
NOTE: In your educational environment, the DNS server is usually the same server as your
Active Directory server.

24. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Services, and select Kerberos Interface.


25. In the right pane, select svmNFS_nfs_lif1.

26. In the right pane, click Edit.

27. In the Edit Kerberos Configuration dialog box, specify the following information:
• Interface Name: svmNFS_nfs_lif1
• Enable Kerberos checkbox: selected
• Kerberos Realm: LEARN.NETAPP.LOCAL
• Service Principal Name: nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL
• Admin User Name: administrator
• Admin Password: Netapp123


28. Click OK.

29. Verify that svmNFS_nfs_lif1 is configured for Kerberos with a valid SPN.
NOTE: In a production environment, you would configure multiple paths for redundancy.


30. In the left pane, select the Storage Virtual Machines category, expand cluster1 > svmNFS >
Configuration > Users and Groups, and select Name Mapping.

31. In the right pane, click Add.


32. In the Add Name Mapping Entry dialog box, specify the following information:
• Direction: Kerberos to UNIX
• Position: 1
• Pattern: nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL
• Replacement: pcuser

33. Click Add.


34. Verify that the SPN that svmNFS_nfs_lif1 uses is properly mapped to pcuser.
NOTE: You can also create an NFS UNIX user to ensure that the NFS name is properly
authenticated.

35. From a Secure Shell (SSH) session, log in as admin and change to diagnostic mode:
cluster1::> set -privilege diag

36. At the prompt, type y:


Do you want to continue? {y|n}: y

37. Verify that the name mapping is working:


cluster1::*> diag secd name-mapping show -node cluster1-01
-vserver svmNFS -direction krb-unix
-name nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL
The output should resemble this sample:
nfs/kerberos.learn.netapp.local@LEARN.NETAPP.LOCAL maps to pcuser

38. Verify the Kerberos encryption types that are enabled for NFS:
cluster1::*> nfs show -vserver svmNFS -fields permitted-enc-types
vserver permitted-enc-types
------- ------------------------
svmNFS des,des3,aes-128,aes-256

TASK 2: CONFIGURE WINDOWS FOR NFS ACTIVE DIRECTORY AUTHENTICATION
In this task, you configure a group policy to enable Windows to use AES encryption. You configure the Windows
DNS server to perform reverse lookups. You create DNS entries for the SVM and the Linux host. You create
a new SPN in Active Directory for the Linux host and transfer the resulting keytab to the Linux host. Finally, you
configure the Linux Active Directory identity to use AES encryption.
STEP ACTION

1. On your assigned Windows system, open Server Manager.

2. Verify that the Server Manager dialog box opens.


3. From the Tools menu, select Group Policy Management.

4. Verify that the Group Policy Management window opens.

5. In the left pane, navigate to Group Policy Management > Forest: learn.netapp.local >
Domains > learn.netapp.local > Default Domain.


6. Click OK to confirm the warning message.

7. Verify that Default Domain is selected in the left pane.

8. In the left pane, right-click Default Domain and select Edit.

9. Verify that the Group Policy Management Editor opens.


10. In the left pane, navigate to Default Domain Policy > Computer Configuration > Policies >
Windows Settings > Security Settings > Local Policies > Security Options.

11. In the right pane, double-click the policy Network security: Configure encryption types
allowed for Kerberos.


12. On the Security Policy Setting tab, specify the following information:
• Select the Define these policy settings checkbox.
• Select all the encryption type checkboxes.
• Verify that AES128_HMAC_SHA1 and AES256_HMAC_SHA1 are included.

13. Click OK.

14. Close the Group Policy Management Editor dialog box.

15. Close the Group Policy Management dialog box.

16. From the Server Manager Tools menu, select DNS.

17. Verify that DNS Manager opens.


18. In the left pane, navigate to W2K12 > Reverse Lookup Zones.

19. Right-click Reverse Lookup Zones and select New Zone to open the New Zone Wizard.

20. Click Next.


21. On the Zone Type page, specify the following information:
• Primary zone: selected
• Store the zone in Active Directory checkbox: selected

22. Click Next.

23. Select To all DNS servers running on domain controllers in this domain:
learn.netapp.local.

24. Click Next.


25. Select IPv4 Reverse Lookup Zone.

26. Click Next.

27. In the Network ID field, type 192.168.0.

28. Click Next.


29. Select Allow only secure dynamic updates (recommended for Active Directory).

30. Click Next.

31. Review the summary.

32. Click Finish.


33. Verify that the reverse lookup zone was created.

34. Open a Windows PowerShell command prompt on your Windows server.

35. Create a DNS entry for the Linux host:


PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local
centos65 /CreatePTR A 192.168.0.21

36. Create a DNS entry for the Kerberos SPN that is associated with the SVM LIF IP address:
PS C:\> dnscmd learn.netapp.local /RecordAdd learn.netapp.local
kerberos /CreatePTR A 192.168.0.60


37. Create a computer account for the Linux host:


PS C:\> dsadd computer
"CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local"
The output should resemble this sample:
dsadd succeeded:CN=centos65,CN=computers,DC=learn,DC=netapp,DC=local

38. Import the Active Directory module:


PS C:\> import-module activedirectory

39. Modify the computer account for the Linux host identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity centos65 -Replace @{'msDS-SupportedEncryptionTypes'=28}

40. Modify the computer account for the SVM identity to enable AES encryption:
PS C:\> Set-ADComputer -Identity NFS-KERBEROS-LE -Replace @{'msDS-SupportedEncryptionTypes'=28}

41. Create an SPN for the new Linux computer account:


PS C:\> setspn -s root/centos65.learn.netapp.local centos65
The output should resemble this sample:
Checking domain DC=learn,DC=netapp,DC=local
Registering ServicePrincipalNames for
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local
root/centos65.learn.netapp.local
Updated object

42. Verify the SPN:


PS C:\> setspn -L centos65
The output should resemble this sample:
Registered ServicePrincipalNames for
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local:
root/centos65.learn.netapp.local

43. Query the SPN:


PS C:\> setspn /Q root/centos65.learn.netapp.local
The output should resemble this sample:
Checking domain DC=learn,DC=netapp,DC=local
CN=centos65,CN=Computers,DC=learn,DC=netapp,DC=local
root/centos65.learn.netapp.local
Existing SPN found!


44. Use ktpass to create the mappings for the SPN and output the mappings to the keytab files:
PS C:\> ktpass -princ
root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL -mapuser
LEARN\centos65$ -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL
+Answer -out centos65.keytab
The output should resemble this sample:
Targeting domain controller: w2k12.nau.com
Using legacy password setting method
Successfully mapped root/centos65.learn.netapp.local to CENTOS65$.
WARNING: Account CENTOS65$ is not a user account (uacflags=0x1021).
WARNING: Resetting CENTOS65$'s password may cause authentication problems if CENTOS64$ is being used as a server.
Reset CENTOS65$'s password [y/n]? auto:
YES
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to centos65.keytab:
Keytab version: 0x502
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2c7689bf257f15dc)
keysize 78 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2c7689bf257f15dc)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x68a60a541ba235cb9d946cca0b6b237d)
keysize 102 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0xdc3bd08a9a487a0d1839f81b670f24da44ce93bb5c4988ea96689f1a8f282e06)
keysize 86 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x11 (AES128-SHA1) keylength 16 (0xab2ec0cb98670247d8bab38788d39aa0)

45. Open a command-prompt window.


46. Copy the keytab file to the Linux host. When you are prompted, provide the root user’s password.
C:\> pscp centos65.keytab
root@192.168.0.21:/root/centos65.keytab
root@192.168.0.21’s password: Netapp123
svmNFS_nfs_lif1.keytab | 0 kB | 0.1 kB/s | ETA: 00:00:00 | 100%
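
The ktpass listing in step 44 shows that -crypto ALL writes single-DES and RC4 keys next to the AES keys, while the value 28 set in steps 39 and 40 enables only the RC4, AES128, and AES256 bits of msDS-SupportedEncryptionTypes. The following Python sketch is an added example, not part of the course material: it parses a version 0x502 keytab, flags weak or unadvertised entries, and can rewrite the file with the AES entries only. The sample keytab is constructed with zero-filled placeholder keys, and all function names are illustrative.

```python
import struct

# etype numbers as printed in the ktpass listing (0x1, 0x3, 0x17, 0x12, 0x11)
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC",
               18: "AES256-SHA1", 17: "AES128-SHA1"}
# msDS-SupportedEncryptionTypes bit -> etype number
AD_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
WEAK = {1, 3}    # single DES: MIT clients need allow_weak_crypto = true to use it
LEGACY = {23}    # RC4-HMAC
AES = {17, 18}

def decode_ad_enctypes(value):
    """Return the etype numbers enabled by an msDS-SupportedEncryptionTypes value."""
    return {etype for bit, etype in AD_BITS.items() if value & bit}

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:                 # treated as the end of the entry list
            break
        if size < 0:                  # deleted slot: skip the hole
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated entry at offset %d" % (off - 4))
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        # name type (4), timestamp (4), 8-bit vno (1), etype (2) = 11 bytes
        _ntype, _stamp, vno, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        if end - p >= 4:              # optional 32-bit vno, absent in the ktpass sizes
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "vno": vno, "etype": etype, "keylen": len(key),
                        "size": size, "raw": data[off - 4:end]})
        off = end
    return entries

def build_entry(realm, comps, etype, key, vno):
    """Serialize one entry without the 32-bit vno, matching the listed keysize values."""
    body = struct.pack(">H", len(comps))
    for text in [realm] + comps:
        body += struct.pack(">H", len(text)) + text.encode()
    body += struct.pack(">IIBH", 1, 0, vno, etype)   # name type 1, timestamp 0
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

def audit(entries, ad_value):
    """Return (slot, etype name, flags) for every keytab entry."""
    advertised = decode_ad_enctypes(ad_value)
    report = []
    for slot, entry in enumerate(entries, 1):
        etype = entry["etype"]
        checks = (("weak", etype in WEAK), ("legacy", etype in LEGACY),
                  ("not-advertised", etype not in advertised))
        flags = [label for label, hit in checks if hit]
        report.append((slot, ETYPE_NAMES.get(etype, hex(etype)), flags))
    return report

def strip_to_aes(data):
    """Rebuild the keytab with only the AES128/AES256 entries."""
    kept = [e["raw"] for e in parse_keytab(data) if e["etype"] in AES]
    return b"\x05\x02" + b"".join(kept)

# Constructed sample: same principal, vno and etype order as the listing, zero-filled keys.
REALM = "LEARN.NETAPP.LOCAL"
COMPS = ["root", "centos65.learn.netapp.local"]
KEY_LENGTHS = {1: 8, 3: 8, 23: 16, 18: 32, 17: 16}
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(REALM, COMPS, etype, bytes(n), 2) for etype, n in KEY_LENGTHS.items())

if __name__ == "__main__":
    for slot, name, flags in audit(parse_keytab(SAMPLE), 28):
        print(slot, name, ",".join(flags) or "ok")
    print("entries after strip_to_aes:", len(parse_keytab(strip_to_aes(SAMPLE))))
```

The parsed entry sizes reproduce the keysize values 78, 86, and 102 from the ktpass listing, which is how the missing 32-bit vno field was inferred.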

TASK 3: CONFIGURE LINUX FOR NFS ACTIVE DIRECTORY AUTHENTICATION


In this task, you import the Linux credentials that were created in Windows in /etc/krb5.keytab. You
enable secure NFS authentication in the /etc/sysconfig/nfs file. You configure the Kerberos
realm information in the /etc/krb5.conf file and restart the GSSd service. Finally, you log in with a user
account in Active Directory, mount an export by using Kerberos authentication, and verify read and write
permissions.
STEP ACTION

1. On the Linux host, navigate to the root home directory:


# cd /root

2. Verify that the keytab file was transferred successfully:


# ls
anaconda-ks.cfg install.log.syslog upgrade.log.syslog
install.log upgrade.log centos65.keytab

3. Start the ktutil tool:


# ktutil
ktutil:

4. Read the keytab file:


ktutil: rkt centos65.keytab

5. List the keytab file:


ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
2 2 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
3 2 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
4 2 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
5 2 root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL

6. Write the keytab file:


ktutil: wkt /etc/krb5.keytab


7. Quit the ktutil tool:


ktutil: q
#

8. Start vi to edit the NFS configuration file:


# vi /etc/sysconfig/nfs

9. Using the cursor keys, navigate within the file until you find the following line:
#SECURE_NFS="yes"

10. Place your cursor on the # sign.

11. Type r and then press the space bar to remove the # sign.

12. Save the file and exit vi by typing :wq.

13. Verify that the line now reads SECURE_NFS="yes":


# cat /etc/sysconfig/nfs


14. Edit the krb5.conf file with vi.


Hint: You will edit or insert the lines below in bold typeface.
# vi /etc/krb5.conf
The file should resemble this sample:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LEARN.NETAPP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
LEARN.NETAPP.LOCAL = {
kdc = w2k12.learn.netapp.local
default_domain = learn.netapp.local
}

[domain_realm]
.netapp.local = LEARN.NETAPP.LOCAL
.learn.netapp.local = LEARN.NETAPP.LOCAL

15. Verify the configuration of the krb5.conf file:


# cat /etc/krb5.conf

16. Relaunch the GSSd service:


# service rpcgssd restart
Stopping RPC gssd: [ OK ]
Starting RPC gssd: [ OK ]

17. Log in with the credentials that are configured in Active Directory:
# kinit administrator


18. Provide the correct password:


Password for svmNFS_nfs_lif1@LEARN.NETAPP.LOCAL: Netapp123

19. List the current authenticated user:


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LEARN.NETAPP.LOCAL

Valid starting Expires Service principal


11/08/14 10:01:49 11/08/14 20:01:05
krbtgt/LEARN.NETAPP.LOCAL@LEARN.NETAPP.LOCAL
renew until 11/15/14 10:00:49
11/08/14 10:01:49 11/08/14 20:01:05
root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
renew until 11/15/14 10:00:49

20. Remove the current authenticated user:


# kdestroy

21. List the current authenticated user:


# klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_0)

22. Log in again with the credentials that are configured in Active Directory:
# kinit administrator

23. Provide the correct password:


Password for svmNFS_nfs_lif1@LEARN.NETAPP.LOCAL: Netapp123

24. List the current authenticated user:


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LEARN.NETAPP.LOCAL

Valid starting Expires Service principal


11/08/14 10:01:49 11/08/14 20:02:05
krbtgt/LEARN.NETAPP.LOCAL@LEARN.NETAPP.LOCAL
renew until 11/15/14 10:01:49
11/08/14 10:01:49 11/08/14 20:02:05
root/centos65.learn.netapp.local@LEARN.NETAPP.LOCAL
renew until 11/15/14 10:01:49


25. Navigate to the mount directory:


# cd /mnt

26. Make a new mount directory:


# mkdir svmNFS-krb

27. Mount the SVM by using Kerberos authentication:


# mount -t nfs4 -o sec=krb5 192.168.0.60:/ /mnt/svmNFS-krb

28. Navigate into the mount directory:


# cd svmNFS-krb

29. List the contents:


# ls -l

30. Verify write capability:


# touch krb

31. List the contents:


# ls -l

32. Read the empty file:


# cat krb

END OF EXERCISE
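
Step 38 of Task 1 shows the SVM permitting des and des3, and the krb5.conf in step 14 of Task 3 sets allow_weak_crypto = true. The following Python sketch is an added example, not part of the course material: it parses both and lists the settings that keep DES-family encryption types usable, then runs the same check on a constructed AES-only variant. The function names and the AES-only variant are assumptions made for illustration.

```python
import re

TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}
OLD_ONTAP = {"des", "des3"}   # DES and 3DES, spelled as in the nfs show output

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":          # start of a nested block such as a realm
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def parse_ontap_enctypes(output, vserver):
    """Extract the permitted-enc-types list for one SVM from the CLI table."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == vserver:
            return parts[1].split(",")
    return []

def findings(krb5_text, ontap_output, vserver):
    """List the client and server settings that keep DES-family enctypes usable."""
    result = []
    lib = parse_krb5_conf(krb5_text).get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        result.append("client: allow_weak_crypto = true permits single-DES enctypes")
    if "permitted_enctypes" not in lib:
        result.append("client: permitted_enctypes is not set, library defaults apply")
    old = [e for e in parse_ontap_enctypes(ontap_output, vserver) if e in OLD_ONTAP]
    if old:
        result.append("server: %s permits %s" % (vserver, ",".join(old)))
    return result

# [libdefaults], [realms] and [domain_realm] as shown in step 14 of Task 3
PAGE_KRB5 = """\
[libdefaults]
default_realm = LEARN.NETAPP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
LEARN.NETAPP.LOCAL = {
kdc = w2k12.learn.netapp.local
default_domain = learn.netapp.local
}

[domain_realm]
.netapp.local = LEARN.NETAPP.LOCAL
.learn.netapp.local = LEARN.NETAPP.LOCAL
"""
# Output of step 38 in Task 1
ONTAP_OUT = """\
vserver permitted-enc-types
------- ------------------------
svmNFS des,des3,aes-128,aes-256
"""
# Constructed AES-only variants for comparison (not from the course material)
AES_KRB5 = PAGE_KRB5.replace(
    "allow_weak_crypto = true",
    "allow_weak_crypto = false\n"
    "permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")
AES_ONTAP = ONTAP_OUT.replace("des,des3,", "")

if __name__ == "__main__":
    for title, conf, out in (("exercise configuration", PAGE_KRB5, ONTAP_OUT),
                             ("AES-only variant", AES_KRB5, AES_ONTAP)):
        print(title + ":", findings(conf, out, "svmNFS") or "no findings")
```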
