NFSv4 Access Denied

Hi,

I have NFSv4 enabled (w/ ACL support) on my Filer running 8.0.1.  I have exported a UNIX style qTree:

/vol/vol4/test       -sec=sys,rw=172.26.101.9:172.26.101.56,root=172.26.101.56

My two test clients (172.26.101.9 and 172.26.101.56) are running RHEL5 and RHEL6.  When I attempt to mount the export using NFS4, I get an access denied message:

mount.nfs4: access denied by server while mounting fc-cifs02:/vol/vol4/test

I enabled nfs.mountd.trace, but nothing appears in /etc/messages regarding the failure.  I can't seem to get any additional info from the RHEL client either.

When I revert to NFSv3, the mount works as expected.  How can I further debug why the Filer is denying access to NFSv4?

Any help would be appreciated.


Thanks!

Re: NFSv4 Access Denied

Hi,

NFSv4 Enhancements and Best Practices Guide: Data ONTAP Implementation

In NFSv3, client-server communication happens using a numeric user ID and group ID (UID/GID).

NFSv4 does not support UID or GID; it supports string-based communication for users and groups between the server and the client. Therefore entry of users and groups must be in the local /etc/passwd file, whether in Network Information Service (NIS) or LDAP. This is a mandatory requirement when moving into an NFSv4 environment.
If you are logging in as root or any other user, then there should be an identical entry in /etc/passwd and /etc/group on the NetApp system as well as on the client. However, you should not do this if the NetApp system and the clients are connected to the same NIS server.


UDP mount to TCP mount conversion. Because UDP is no longer supported, any existing mounts over UDP must be changed to TCP while moving to NFSv4.

If the user originates from a subdomain, then all the domains and the subdomains should be listed in the /etc/resolv.conf

>options nfs.v4.id.domain

>options nfs.v4.enable


Br.
Ismo.

Re: NFSv4 Access Denied

I am trying to mount the filesystem as root.  /etc/passwd on the Filer contains "root," with the same UID of 0.

The nfs.v4.id.domain is set to be the same domain that is defined in /etc/idmapd.conf on the RHEL host.

netapp02> exportfs

/vol/vol0/home  -sec=sys,rw,nosuid

/vol/vol0       -sec=sys,rw,anon=0,nosuid

/vol/vol1       -sec=sys,rw,nosuid

/vol/vol2       -sec=sys,rw,nosuid

/vol/vol3       -sec=sys,rw,nosuid

/vol/vol4       -sec=sys,rw,nosuid

/vol/vol4/test_exports       -sec=sys,rw=172.26.101.9:172.26.101.56,root=172.26.101.56

I did notice that I can mount /vol/vol4 from the RHEL client (ie, mount.nfs4 netapp02:/vol/vol4 /mnt), but then I get "Permission Denied" when I try to chdir to the mountpoint.


Thanks.

Re: NFSv4 Access Denied

In NFSv4, client 'mount' requests proceed with LOOKUP sequences to parse names from the root.

Does it help if you give the same export permissions to /vol/vol4 as /vol/vol4/test_exports?


Br.
Ismo.

Re: NFSv4 Access Denied

That did not work either.  If the real path on the Filer is /vol/vol4/test, is this what I should be mounting on the Linux client? (ie., mount.nfs4 filername:/vol/vol4/test /mnt)?  I am confused by the pseudo-filesystems.

Thanks.

Re: NFSv4 Access Denied

Is NFSv4 enabled on filer?

Re: NFSv4 Access Denied

Yes, the problem was that the Filer was automatically exporting the entire volume which I had not noticed.
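
Added example (not part of any post in this thread, and not NetApp code): a small Python audit of the `exportfs` listing quoted above, flagging exports that are read-write with no host list, exports with `anon=0`, and host-restricted exports nested under an open parent, which is the situation the last post describes. The function names and finding strings are illustrative assumptions.

```python
# Constructed sample: the `exportfs` listing quoted earlier in this thread.
EXPORTFS_OUTPUT = """\
/vol/vol0/home  -sec=sys,rw,nosuid
/vol/vol0       -sec=sys,rw,anon=0,nosuid
/vol/vol1       -sec=sys,rw,nosuid
/vol/vol2       -sec=sys,rw,nosuid
/vol/vol3       -sec=sys,rw,nosuid
/vol/vol4       -sec=sys,rw,nosuid
/vol/vol4/test_exports       -sec=sys,rw=172.26.101.9:172.26.101.56,root=172.26.101.56
"""

def parse_exports(text):
    """Return {path: {option: value-or-None}} from `exportfs` output."""
    exports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("-"):
            continue  # skip prompts, blank lines, anything not "path -opts"
        opts = {}
        for item in parts[1][1:].split(","):
            key, _, value = item.partition("=")
            opts[key] = value if value else None
        exports[parts[0]] = opts
    return exports

def is_open_rw(opts):
    """True when rw is present without a host list (all hosts get rw)."""
    return "rw" in opts and opts["rw"] is None

def audit(exports):
    """Return sorted (path, finding) tuples for exports worth reviewing."""
    findings = []
    for path, opts in exports.items():
        if is_open_rw(opts):
            findings.append((path, "rw with no host list"))
        else:
            # Host-restricted export sitting under a parent open to all hosts.
            for parent, popts in exports.items():
                if path.startswith(parent + "/") and is_open_rw(popts):
                    findings.append((path, "nested under open rw export " + parent))
        if opts.get("anon") == "0":
            findings.append((path, "anon=0 (anonymous requests run as UID 0)"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit(parse_exports(EXPORTFS_OUTPUT)):
        print("%-24s %s" % (path, finding))
```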