Back in the 7-mode days we had a concept of a FilerAdmin host. This host would have access to cifs/nfs if defined. Is there a concept of this in C.Dot? I don't want to have to go to every share and add the list of IPs for this. This is specifically for my backup cluster. I have 48 IPs that need access but would prefer not to manage it on every share.
#FilerAdmin for C.Dot
There is no FilerAdmin host anymore, no. For backup purposes, you can just give the backup user the SeTcbPrivilege to be able to access all files/directories (ignoring ACLs)
That “admin” host was usually the host that was allowed to send over the update. In 7-mode there was no GUI to do an update. You always had to mount the nfs export or map the etc directory and then extract the image.
That’s never been the case with ONTAP
I don’t count FilerView because it was prone to way too many errors, many of which resulted in an unusable system after a reboot (it modified the /etc/rc file in a way that was detrimental to client usage)
yeah, I do the SeTcb stuff for cifs, but I also don't restrict access via IPs for CIFS. Mostly for NFS, I need mount privs, and I would have to manage dozens of NFS export rules (one per volume).
Oh, we are still using v3, so we restrict mounts to source IP.
you can use the same export policy for all volumes. And you can also use the export Policy for CIFS if you want to (but you have to enable that in the CIFS server)
And don’t forget about when something breaks! A few customers enabled it. Couldn’t figure out why access was failing. Finally turned on tracing and it explicitly called out that an export policy rule was blocking cifs access.
can't use the same export policy for cifs. LONG LONG story, see other post. It does bad things with our backups.
What makes it worse is I can't use a subnet/mask for export policy, so I can't do 1.1.1.1/24 🙁 So I have to use netgroups, and it appears c.dot doesn't support being its own YP server anymore. Why is NFS so complicated in c.dot? It's the simplest thing in the world and they made it so hard to use 😄
now, if you could NEST policies or apply two policies to a volume, that could solve the problem.
c.dot doesn't support being its own YP server anymore
What do you mean by that? cDot still supports NIS (YP)
in 7-mode, I could run my own yp mappings, no external servers required. From what I see, cDot only supports yp-client.
/etc/netgroup doesn't exist anymore 😄
you can still have local netgroups (I assume that is what you mean by "mappings"?)... you just have to load them from a remote file (name-service netgroup load), there are no CLI commands to manually edit them
but you can also get them from LDAP instead of NIS
In your case I would use some automation (PowerShell or something) to autoconfigure the export policies... NetGroups have their own problems (yes, even in 7-mode) that make you not want to use them
I will look into that, thanks. yeah, don't typo your netgroup or everything breaks 😉
yeah, and the caching is terrible (no proper way to invalidate the netgroup caches etc.)
In my case, I just want to allow my backup servers to be able to mount NFS snapshots to do the backups/restore.
in that case you could even do that pretty neatly with a pre- and post-script for your backup job. pre-script inserts a rule in the export-policy of the volume to backup, and the post-script removes that again
That's a great idea and something the backup vendor should be doing 😉 I plan to discuss this with them.
I guess if you want to have it done properly, you gotta do that yourself and not wait for the backup vendor to do it.
For example Veeam leaves its temporary export policies everywhere like an untrained dog, which is probably worse than not having the export-policies configured at all 🙂
yeah, I have no problem creating an export policy and leaving it there, but the issue I have is managing it via the netapp. If you could add one policy to another that solves my issues. But alas, that's not supported.
what's the format for the load file? https://docs.netapp.com/us-en/ontap/nfs-config/work-netgroups-task.html
Is it just groupname:hostname1,hostname2
or groupname (hostname1,,) (hostname2,,)
I used the latter as per some other docs, and it seems to have loaded the file (as per a success from the job), but it doesn't seem to show up with a getxxbyyy netgrpcheck, back to google 😄
progress, looks like the command: vserver services name-service netgroup file show
shows the loaded netgroup. and things look good. I was able to use domain, even though there was a KB saying domain was not supported.
so, I have the netgroup loaded, but it's not working. Do you have an example for the load file? I am just testing a single host now and it's still not working. Not sure if it's a nsswitch issue or the data. I have not been able to find any walk throughs or docs on setting up simple exports for using netgroups. So, I am probably missing something stupid.
Ok, I feel stupid! It's been way way too long since using netgroups.... The entry in the exports has to be preceded by an @ <duh!!> good reference document... now that I have 1 host working, time to actually use a full netgroup: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NFS_mount_points_not_accessible_when_using_netgroups_from_LDAP
Yeah! This works perfectly: Completed on demand backup of Fileset '/nfstest:
Did you modify the nsswitch ?
no, it's set to file
I have 48 nodes in the netgroup. I will probably look at nesting, but I read something about issues with nesting. I will do more testing, but I now have a workable solution. I only need to add @backupservers to the nfs share and I can manage the list with the file load command.