NFS export rule for Kickstart

I'm trying to migrate our CentOS Kickstart environment from a Solaris server to a NetApp FAS 2040 running ONTAP 7.3.2, but am not having much luck.  Specifically, I'm getting stuck on finding the /etc/exports rule that is needed to allow anonymous read-only access from any client and to allow read/write access from a specific group of clients (a netgroup) for the /vol/public volume (which contains the Kickstart configuration file).  I've tried a couple of different combinations so far:

/vol/public    -sec=none,ro,nosuid

The outcome of this is that a Kickstart works, but the files cannot be edited (as expected).

/vol/public    -sec=sys,rw=@nfs-all-rw,nosuid

The outcome of this is that systems in nfs-all-rw can edit the files, but a Kickstart does not work.  Note that even for systems in nfs-all-rw, a Kickstart results in permission denied (not expected).  Systems not in nfs-all-rw also fail to Kickstart (as expected).

/vol/public    -sec=sys,rw=@nfs-all-rw,nosuid,sec=none,ro,nosuid

This was an attempt to combine the two rules.  As I understood from man na_exports, if multiple security flavors are specified then that security flavor is used for all following options until the next security flavor is specified.  The Kickstart environment gives pretty lousy debugging information (it just says permission denied), but a packet capture of the session shows that the NFS export gets mounted on the client, but then the NetApp filer denies access to the file ( is a member of nfs-all-rw, is the NetApp filer):

  0.000000 -> TCP 36963 > sunrpc [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1606691 TSER=0 WS=7
  0.000049 -> TCP sunrpc > 36963 [SYN, ACK] Seq=0 Ack=1 Win=8760 Len=0 MSS=1460 WS=0 TSV=1948604 TSER=1606691
  0.000097 -> TCP 36963 > sunrpc [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1606691 TSER=1948604
  0.000147 -> Portmap V2 DUMP Call
  0.000247 -> Portmap V2 DUMP Reply (Call In 4)
  0.000296 -> TCP 36963 > sunrpc [ACK] Seq=45 Ack=553 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000302 -> TCP 36963 > sunrpc [FIN, ACK] Seq=45 Ack=553 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000307 -> TCP sunrpc > 36963 [ACK] Seq=553 Ack=46 Win=8760 Len=0 TSV=1948604 TSER=1606692
  0.000344 -> MOUNT V3 MNT Call /vol/public/kickstart/config
  0.000347 -> TCP sunrpc > 36963 [FIN, ACK] Seq=553 Ack=46 Win=8760 Len=0 TSV=1948604 TSER=1606692
  0.000396 -> TCP 36963 > sunrpc [ACK] Seq=46 Ack=554 Win=7040 Len=0 TSV=1606692 TSER=1948604
  0.000546 -> MOUNT V3 MNT Reply (Call In 9)
  0.000646 -> Portmap V2 GETPORT Call NFS(100003) V:3 UDP
  0.000651 -> Portmap V2 GETPORT Reply (Call In 13) Port:2049
  0.000845 -> NFS V3 NULL Call
  0.000851 -> NFS V3 NULL Reply (Call In 15)
  0.000945 -> NFSACL V3 NULL Call
  0.000951 -> NFSACL V3 NULL Reply (Call In 17)
  0.001045 -> NFS V3 FSINFO Call, FH:0x397d4ea8
  0.001095 -> NFS V3 FSINFO Reply (Call In 19)
  0.001145 -> NFS V3 FSINFO Call, FH:0x397d4ea8
  0.001245 -> NFS V3 FSINFO Reply (Call In 21)
  0.001295 -> NFS V3 ACCESS Call, FH:0x397d4ea8
  0.001345 -> NFS V3 ACCESS Reply (Call In 23) Error:NFS3ERR_ACCES

This boggles me, since permissions on the file are 664 and permissions on all directories leading up to the file are 775.  Any idea what could be wrong?

For what it's worth, the Solaris NFS server that we're trying to migrate away from uses sec=sys,ro as NFS export options.  Obviously that doesn't allow us to modify the files over NFS, so we just edit the files on the Solaris system itself; unfortunately we don't have that capability with the files stored on a NetApp filer.

Re: NFS export rule for Kickstart

rw=@nfs-all-rw,nosuid exports to specified group only; all other clients are denied access.

Have you tried ro,rw=@nfs-all-rw,nosuid - effectively giving default read-only to everyone else?

Re: NFS export rule for Kickstart

Sometimes you just need a second pair of eyes.  That does in fact work, although sec=sys,ro is a little bit less secure than sec=anon,ro.  I don't think it will matter in this case since we're not dealing with sensitive data.  Thanks!  (And sorry for the long delay in responding).
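
The access-list behaviour discussed in this thread, as an added example that is not part of the original posts and is not NetApp code: a simplified Python model of how a bare `ro` combines with `rw=@netgroup` in a single-context rule. The host names and netgroup membership are constructed, checking `rw=` before `ro=` and the rw default are assumptions, and rules with several `sec=` contexts are rejected rather than guessed at.

```python
# Added example: a simplified model of 7-mode export access lists, not ONTAP code.
# Constructed netgroup membership; a real filer resolves netgroups via NIS/LDAP/files.
NETGROUPS = {"nfs-all-rw": {"admin01.example.com"}}


def parse_access(options):
    """Return {'ro': list|None, 'rw': list|None}; [] means the option names no hosts."""
    opts = options.lstrip("-").split(",")
    if sum(o.startswith("sec=") for o in opts) > 1:
        raise ValueError("several sec= contexts: per-flavor evaluation is not modelled")
    lists = {"ro": None, "rw": None}
    for opt in opts:
        key, _, value = opt.partition("=")
        if key in lists:
            lists[key] = value.split(":") if value else []
    return lists


def listed(host, entries):
    """True if host is named directly or through an @netgroup entry."""
    return any(host in NETGROUPS.get(e[1:], ()) if e.startswith("@") else host == e
               for e in entries or ())


def access(options, host):
    """Return 'rw', 'ro' or 'denied' for host under one export option string."""
    lists = parse_access(options)
    ro, rw = lists["ro"], lists["rw"]
    if ro is None and rw is None:
        return "rw"          # assumption: no access option means rw for every host
    if listed(host, rw):     # assumption: rw= is checked before ro=
        return "rw"
    if listed(host, ro):
        return "ro"
    if rw == []:
        return "rw"          # bare rw: every host not matched above
    if ro == []:
        return "ro"          # bare ro: every host not matched above
    return "denied"          # host lists exist and this host is in none of them


def summarize(options):
    """Access for a netgroup member versus a host that appears in no list."""
    return access(options, "admin01.example.com"), access(options, "installer.example.com")


if __name__ == "__main__":
    for rule in ("-sec=none,ro,nosuid", "-sec=sys,rw=@nfs-all-rw,nosuid",
                 "-ro,rw=@nfs-all-rw,nosuid"):
        print(f"{rule:35} member/other = {summarize(rule)}")
```

The second value of `summarize()` is what any unlisted host receives, which makes it a quick audit check for exports that are readable or writable by every client.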