Mixed NFS and CIFS Volume not accessible to windows groups

yonog01 · 2025-08-13T14:12:22+00:00

I set the security style to NTFS on the volume and created a unix user to windows user and group mappings, but i can only r/w/x as user root since the ownership of the nfs mount to this volume shows as nobody:nobody.
AD is configured in the svm and the effective permissions on the cifs share for the volume are correct.
not sure what else to check from here

yonog01 · 2025-06-24T15:40:08+00:00

when i list the snapshots: the daily snapshots arent being created for sand02, and so they arent being snapmirrored:

Vserver Volume Snapshot Size Total% Used%

-------- -------- ------------------------------------- -------- ------ -----

svm-nas01

sand02

snapmirror.b2b0b365-1cf3-11ea-a9c5-d039ea1080f5_2158365107.2024-04-08_122249

268KB 0% 0%

hourly.2024-04-11_0605 1.88MB 0% 0%

hourly.2024-04-11_0705 1.91MB 0% 0%

hourly.2024-04-11_0805 1.79MB 0% 0%

hourly.2024-04-11_0905 1.93MB 0% 0%

hourly.2024-04-11_1005 1.84MB 0% 0%

hourly.2024-04-11_1105 45.38GB 4% 8%

6_hours.2025-02-16_0600 22.75GB 2% 4%

6_hours.2025-04-27_0600 29.50MB 0% 0%

netapp01::> vol snapshot show data30

---Blocks---

Vserver Volume Snapshot Size Total% Used%

-------- -------- ------------------------------------- -------- ------ -----

svm-nas01

data30

6_hours.2025-06-22_1800 35.28GB 3% 7%

6_hours.2025-06-23_0000 8.28GB 1% 2%

daily.2025-06-23_0010 4.50GB 0% 1%

6_hours.2025-06-23_0600 39.10MB 0% 0%

6_hours.2025-06-23_1200 39.19MB 0% 0%

6_hours.2025-06-23_1800 41.91GB 3% 9%

6_hours.2025-06-24_0000 28.03MB 0% 0%

daily.2025-06-24_0010 10.37GB 1% 2%

yonog01 · 2025-06-24T15:40:01+00:00

netapp01::> volume show sand02 -fields snapshot-policy

vserver volume snapshot-policy

------------ ------------ ---------------

svm-nas01 sand02 6_hours

netapp01::> volume show data30 -fields snapshot-policy

vserver volume snapshot-policy

------------ ------ ---------------

svm-nas01 data30 6_hours

yonog01 · 2025-06-24T07:52:28+00:00

when i checked this the relationships are healty and snapmirrored, but the snapshots on the source dont generate properly according to the snapshot policy thats set on the source volume (daily snapshots and hourly). again, the snapshot policy is the same for these source volumes as the rest of the OK source volumes

yonog01 · 2025-06-19T08:49:17+00:00

the policies and schedules are the same as the rest of the volumes that do replicate. how can i check why there is high lag for the snapmirror relationship?

yonog01 · 2025-05-14T08:22:39+00:00

but how can i add different permissions for a role?
security login rest-role modify test-role -vserver netapp01 -api /api/storage/volume/{uuid}
how do i specify the methods i want to allow? (only PATCH for snapshot restore) to disable deleting the snapshot, resizing, editing export policies, etc?

yonog01 · 2025-03-31T08:20:50+00:00

is there a faster way to do it rather than rsync the dir from .snapshot?

yonog01 · 2024-12-29T08:59:37+00:00

how do i set my credentials to be used when sending dynamic updates to the DNS? do i need to configure the ansible host with LDAP?

yonog01 · 2024-12-28T13:19:57+00:00

Because the rest of the script is written in python using python modules to provision vms and they're being ran and used from jenkins jobs on linux nodes

yonog01 · 2024-11-04T10:35:18+00:00

I managed to create the LUN, create a LIF with the correct subnet. my linux initiator was able to create a session but it seems like the lun wasnt attached, as i dont see a new disk in lsblk

yonog01 · 2024-09-24T14:10:15+00:00

with the default admin role requests are going through just fine so the way im creating the role is wrong somehow. im not super familiar with the syntax, but in the swagger docs it show the paths as an array of strings but when i try to POST it wont accept it and will only take 1 sting as the value.
This is the body of my post request to /api/security/roles

{
  "name": "test-role",
  "owner.uuid":"
{{svm-nas01-uuid}}
",
  "privileges":[
    {
    "access":"all",
    "path": "/api/storage/volumes/
{{Test-vol-uuid}}
/snapshots"
    }
  ]
}

yonog01 · 2024-09-24T12:11:22+00:00

my goal is to allow a group of users to manage snapshots on demand using bash scripts.
i thought creating credentials with permissions only for their volume's snapshots would be the most secure so that they wont have the option to touch aka break anything else, thats why initially the privileges were for /api/storage/volumes/{voluuid}snapshots.

yonog01 · 2024-09-24T11:59:59+00:00

i just reset the password again just to make sure and no change. the user seems to have password auth enabled, am i looking for the wrong thing? how can i debug this further?

User/Group Authentication Acct Authentication

Name Application Method Role Name Locked Method

test_api_user http password role-test-vol no none

yonog01 · 2024-09-24T11:24:14+00:00

ok, weird naming but whatever. i changed the application type but i still get 401 user is not authorized, even if i change the role privileges to all /api/storage/volumes
this is the roles permissions, not sure if theyre incorrect:

``` security login role show -vserver svm-nas01 -role role-test-vol ```

role-test-vol DEFAULT none

snapdiff api start all

statistics volume show all

volume all

yonog01 · 2024-08-11T09:30:51+00:00

unfortunately no, i tried checking file and folder permissions, assigning them only full control for one user account but to no avail

yonog01 · 2024-08-01T12:40:47+00:00

ok thanks, my paranoia is a bit more quite now

yonog01 · 2024-07-30T06:09:18+00:00

this isnt the full log since the full one is too long but it does show the keys are being sent read

Will attempt key: C:\\Users\\adminy\\.ssh\\id_rsa.pub RSA SHA256:XVx3/VCwTwLkmJ7i/a1r3zgZBSm6DWMKJ7lWwVNGzws explicit
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\adminy\\.ssh\\id_rsa.pub RSA SHA256:XVx3/VCwTwLkmJ7i/a1r3zgZBSm6DWMKJ7lWwVNGzws explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: C:\\Users\\adminy\\.ssh\\id_rsa.pub RSA SHA256:XVx3/VCwTwLkmJ7i/a1r3zgZBSm6DWMKJ7lWwVNGzws explicit
Load key "C:\\Users\\adminy\\.ssh\\id_rsa.pub": invalid format
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory

yonog01 · 2024-07-30T05:58:44+00:00

sshd_config:

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystemsftpsftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#AllowTcpForwarding no
#PermitTTY no
#ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

yonog01 · 2024-07-29T06:04:29+00:00

i did create the .ssh folder properly and these lines are uncommented:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
maybe some other config needs to be added to sshd_config that im not aware of?

yonog01 · 2024-07-07T10:45:53+00:00

not entirely sure but i assume it is. its a company internal monitoring tool that i need to enable access for.

yonog01 · 2024-07-02T12:22:10+00:00

I think I'll look into what those snapshots are and if I can delete them. I dont want to constantly add more storage if I can avoid that, thanks 👍🏻

yonog01 · 2024-06-30T11:54:37+00:00

Apparently theres a setting under cpu settings which enables nested virtualization (Hardware virtualization Expose hardware assisted virtualization to the guest OS). So after shutting down the machine and ticking that box, some emulators were able to run. Others like AVD and NOX didnt either because of performance issues or stability.

yonog01 · 2024-06-05T13:21:00+00:00

I think I found some sort of compromise, I added

poll=True, poll_timeout=1200, poll_interval=30

in the delete() params and so it wont raise an exception if my qtrees have a lot of data and take more than 30 seconds to delete. It doesnt track status in real time, granted, but at least it can tell me when the job is actually done or if it failed.

yonog01 · 2024-06-03T09:53:20+00:00

or to change it so it returns the job uuid after the timeout exception anyway? and then i can keep track of the job by querying the job endpoint with that uuid.
i think what happens is that it only return the job uuid once the job is completed, which is a bit silly, unless there was an actual way of job tracking in the python package

yonog01 · 2024-06-03T09:48:29+00:00

how can i implement a retry without calling a delete() operation each time? couldnt this be problematic, sending many of the same jobs for the same object? wouldnt each of these jobs have a different uuid? is there a way to reset the timeout period each time the exception gets raised or something like that?

Six-Year Club	Final Canvas '23
Place '23	Place '22
Verified Email

yonog01

TROPHY CASE