Hi,
I am pretty new to Clustered Data ONTAP. On our FAS2620 with NetApp Release 9.4P4 I created an export policy for a share with NTFS security. The strange thing is that I can mount the share /vol/vol1, but not /vol/vol1/projects.
When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:
mount -o sec=sys,vers=4.0 svm1:/vol/vol1/projects /mnt
mount.nfs: access denied by server while mounting svm1:/vol/vol1/projects
On the other hand, mount of /vol/vol1 succeeds without problems. When specifying NFS v3, I can mount both paths, i.e. /vol/vol1 and /vol/vol1/projects.
What am I missing?
Kind regards,
Andreas
@USER_2000 wrote:
Hi,
I am pretty new to Clustered Data ONTAP. On our FAS2620 with NetApp Release 9.4P4 I created an export policy for a share with NTFS security. The strange thing is that I can mount the share /vol/vol1, but not /vol/vol1/projects.
When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:
mount.nfs: access denied by server while mounting svm1:/vol/vol01/projects
On the other hand, mount of /vol/vol1 succeeds without problems.
What am I missing?
Kind regards,
Andreas
You can check permissions with the 'file-directory' command:
vserver security file-directory show -vserver vs1 -path /vol/vol1/projects
Is the 'projects' folder created as a qtree or a folder?
If qtree, check the security style on it:
qtree show -vserver vs1
Also, on cDOT you have to add your export policy to the root namespace, but that should already have been done as you can mount one layer up.
Hi,
It is a qtree with NTFS security style. When I mount the share with NFS v3 or the path /vol/vol1 with NFS v4, permissions work as expected. The default export policy on the root has been opened and I created an export policy for /vol/vol1/projects as well. I probably made a mistake there, but I have no idea what could be the problem and where to look.
I tried check-access:
svm::> check-access -vserver svm1 -volume vol1 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write
(vserver export-policy check-access)
                              Policy     Policy    Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    vol1      volume          1 read-write
3 entries were displayed.
The result is the same for nfs3.
Kind regards,
Andreas
As it's NTFS security style and not Unix, you could try checking the [-ntfs-unix-security-ops {ignore|fail}] option.
You can read more about it here:
vserver export-policy rule show
But basically check with:
cluster::*> vserver export-policy rule show -vserver vs1 -fields ntfs-unix-security-ops
vserver        policyname ruleindex ntfs-unix-security-ops
-------------- ---------- --------- ----------------------
vs1            default    1         fail
If it says fail, change to ignore and test
I once ran into the same issue. You need to grant the NTFS right "Traverse folder/ execute file" to the "Authenticated User" group on your projects folder.
I changed the option, but it made no difference. Just some more information:
rngx6786::> export-policy check-access -vserver svm1 -volume svm1_vol01 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write -qtree projects
                              Policy     Policy    Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    svm1_vol01
                                                   volume          1 read
/vol/vol1/projects            default    svm1_vol01
                                                   volume          1 read-write
4 entries were displayed.
rngx6786::> qtree show
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
svm1       svm1_root     ""           ntfs         enable    normal
svm1       svm1_vol01
                         ""           ntfs         enable    readonly
svm1       svm1_vol01
                         projects     ntfs         enable    readonly
svm1       svm1_vol01
                         topics       ntfs         enable    readonly
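An added example, not part of the original posts and not NetApp code: a Python sketch that re-joins the wrapped rows of the check-access output above and reports any path component whose export policy would block the mount. The function names are hypothetical; it assumes every parent component must grant at least read and that a refused component is printed as `denied`.

```python
import re

# Rows from the post above; the ONTAP CLI wrapped the long rows onto two lines.
SAMPLE = """\
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    svm1_vol01
                                                   volume          1 read
/vol/vol1/projects            default    svm1_vol01
                                                   volume          1 read-write
4 entries were displayed.
"""

# Assumption: "denied" is the value printed when no rule grants access.
RANK = {"denied": 0, "read": 1, "read-write": 2}
FIELDS = ("path", "policy", "owner", "owner_type", "index", "access")

def parse_check_access(text):
    """Return one dict per path component, re-joining wrapped rows."""
    rows, pending, in_table = [], [], False
    for line in text.splitlines():
        if "-" in line and re.fullmatch(r"[-\s]+", line):
            in_table = True          # separator line: data rows follow
            continue
        if not in_table or not line.strip() or "displayed." in line:
            continue
        pending += line.split()      # a wrapped row completes on the next line
        if len(pending) >= len(FIELDS):
            rows.append(dict(zip(FIELDS, pending)))
            pending = []
    return rows

def blocking_components(rows, wanted="read-write"):
    """Parents need at least read; the last component needs `wanted`."""
    problems = []
    for i, row in enumerate(rows):
        need = wanted if i == len(rows) - 1 else "read"
        if RANK.get(row["access"], 0) < RANK[need]:
            problems.append((row["path"], row["access"], need))
    return problems

if __name__ == "__main__":
    print("blocking:", blocking_components(parse_check_access(SAMPLE)))
```

For the output in this post the list is empty, so the export policy rules are not what refuses the NFSv4 mount.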
The permissions are set like this, so it must be something different.
Thank you,
Andreas
You are using NFSv4.
Have you set up the NFSv4 iddomain on the client and vServer?
https://kb.netapp.com/app/answers/answer_view/a_id/1030467/~/how-to-configure-nfsv4-in-cluster-mode-