topic Re: NFS Share Access Denied in ONTAP Discussions

NFS Share Access Denied

LeeLSTM — Wed, 18 Sep 2024 12:27:11 GMT

Hi all,

I have created a new volume via ontap and want to mount it using NFS on a Ubuntu Linux VM (hosted on VMWare)

Within the volume i have enabled the NFS option and created an export policy where i have specified the VM IP and given read/write permissions to all

However, I keep getting access denied when running the mount command. I can ping the NetApp from the VM so not sure what else to try?

Cheers

Lee

Re: NFS Share Access Denied

TMACMD — Wed, 18 Sep 2024 13:39:20 GMT

start with verifying the IP of the nfs client is in that list.

Then make sure the export-policy is applied to both the root volume and the data volume

Re: NFS Share Access Denied

LeeLSTM — Wed, 18 Sep 2024 14:00:23 GMT

Cheers TMA, the IP of the client is correct and i can ping both ways..

Can you elaborate on "Then make sure the export-policy is applied to both the root volume and the data volume"

Thanks

Re: NFS Share Access Denied

TMACMD — Wed, 18 Sep 2024 15:13:44 GMT

I am asking to verify IPs because it is NOT uncommon to have multiple IPs and the route the hsot chooses may not be the one you want, Pinging is not the tell all in every case. You need to verify IPs.

Every volume must have an export-policy attached to it to allow NFS access. By default, there is a policy in every SVM called default. Looks like you created a new policy called "mount" with two entries.

The default policy attached to the root volume of the SVM needs to have an entry to allow access also.

Typically, I will do this:

export-policy rule create -vserver xxx -policy default -client 0.0.0.0/0 -ro=sys -rw=none -super=none -proto nfs

That allows any client to attach to the root, but only with read permissions.

Check the volume export-policies.

Re: NFS Share Access Denied

ChLokesh — Wed, 18 Sep 2024 19:48:41 GMT

Hello there,

I see the read-only rule has been set to Never.

- Never means "For an incoming request from a client matching the client match criteria, do not allow any access to the volume regardless of the security type of that incoming request."

- So, I would suggest to you first change this value to Any and check the access.

vserver export-policy rule create: https://docs.netapp.com/us-en/ontap-cli-9111/vserver-export-policy-rule-create.html#description

- If it still fails, run below command which will show you where the access is failing.

vserver export-policy check-access -vserver <VSERVER_NAME> -client-ip <CLIENT_IP> -volume <VOLUME_NAME> -authentication-method sys -protocol <nfs3/nfs4> -access-type read-write

Note: (you need to key in the vserver name, client IP, volume name and nfs version in the command. This will tell you if there is any access issues.)

vserver export-policy check-access: https://docs.netapp.com/us-en/ontap-cli-9131/vserver-export-policy-check-access.html#description

- Possible KB match: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NFS_client_access_denied_when_mounting_because_RO_Access_Rule_is_set_to_never

- Mounting Process: The NFS client must first access the root volume of the data vserver before it can reach the data volume.

If the issue persists, share the export-policy check-access output here.

Hope this will help you with t-shooting the issue.

Cheers!

Re: NFS Share Access Denied

chenguanghui — Thu, 19 Sep 2024 03:30:27 GMT

hi:

The read-only rule option is set the value to any and then checks permissions because never specifies that no client can get read-only access.

if you want to apply the export policy to all possible IP4 addresses,set the clientmatch to 0.0.0.0/0

Refer to the following article for options for creating an export policy

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_do_export_policies_work_in_clustered_Data_ONTAP