General Discussion

Can mount a NFS share but haven't permissions to open directory

Filipe

Hi,
I'm new here, so please accept my apologies if I do something wrong.
I have a security style NTFS volume mounted and shared to a client.
The client has a new host to manage that volume too. But he demands to manage through NFS protocol with Linux O.S.
I changed the security style to Mixed on the volume and, on the actual mixed mounted share, I kept the Share Access Control to the users in production on the NTFS services.
I changed the export policies to allow NFS protocols on the new host, adding IP Host on Client Rules, plus NFS Access Protocol and Rules of Read/Write as Any, just to start the configuration of this host.
After the export policy, we can mount the volume and see it, but we can't open directory.
It says Permission denied.

root@HOST:/mnt# mount -t nfs -o vers=3 10.10.10.10:/Client1 /mnt/share/ -vvv
mount.nfs: timeout set for Wed Jan 13 20:22:57 2021
mount.nfs: trying text-based options 'vers=3,addr=10.10.10.12'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.10.10.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.10.10.10 prog 100005 vers 3 prot UDP port 635
root@HOST:/mnt#
root@HOST:/mnt# ll /mnt/share/
ls: cannot open directory '/mnt/share/': Permission denied
root@HOST:/mnt#



This is the output of security file-directory that I have from the vserver:

netapp::> vserver security file-directory show -vserver svm_nas_iscsi -path /GoldenEnergy
 
Vserver: svm
File Path: /Client1
File Inode Number: 64
Security Style: mixed
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO


Can you help me on why we don't have permission to open the directory after mounting the volume share?
Thank you in advance for your support,
Best regards,
Filipe



1 ACCEPTED SOLUTION

Ontapforrum

When the security style is mixed or unified, the effective permissions depend on the client type that last modified the permissions because users set the security style on an individual basis. For Mixed (UNIX or NTFS permissions), it depends on who last changed permissions.

If the last client was an SMB client, the permissions are Windows NTFS ACLs. Hence, when NFS clients are accessing the same resource, the storage node will need to collect Windows credentials for the Unix user to determine if access can be granted. If the Windows credentials do not grant permissions on the file, access will be denied. Most likely your case.

There is plenty of stuff around this (mixed style security) on the internet (Google/NetApp support site).

Some references:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Understanding_name-mapping_in_a_multiprotocol_environment
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/NFS_permission_denied_on_NTFS_security_style_volume_due_to_missing_fil...
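
Added example, not part of the original thread and not NetApp code: a small Python triage of the `vserver security file-directory show` output posted in the question, showing that with an effective style of ntfs the 777 mode bits are not what decides NFS access. It assumes a simplified first-match walk of the Everyone ACEs; `SAMPLE` is constructed from the posted output and the function names are hypothetical.

```python
import re

# Constructed sample: relevant lines of the file-directory output posted above.
SAMPLE = """\
Security Style: mixed
Effective Style: ntfs
UNIX Mode Bits: 777
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
"""

FILE_LIST_DIRECTORY = 0x00000001  # Windows access-mask bit: list directory
GENERIC_ALL = 0x10000000          # generic right that implies every specific right
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

def parse(text):
    """Return (fields, aces); each ACE is (kind, trustee, mask, flags)."""
    fields, aces = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = ACE_RE.match(line)
        if m:
            flags = set(m.group(4).split("|")) if m.group(4) else set()
            aces.append((m.group(1), m.group(2), int(m.group(3), 16), flags))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, aces

def everyone_can_list(aces):
    """Simplified check: the first applicable Everyone ACE covering 'list' decides."""
    for kind, trustee, mask, flags in aces:
        if trustee != "Everyone" or "IO" in flags:
            continue  # inherit-only (IO) ACEs apply to children, not this directory
        if mask & (FILE_LIST_DIRECTORY | GENERIC_ALL):
            return kind == "ALLOW"
    return False

def diagnose(text):
    """Say which permission model governs NFS access and what to check next."""
    fields, aces = parse(text)
    if fields.get("Effective Style") != "ntfs":
        return "unix: mode bits %s are enforced for NFS" % fields.get("UNIX Mode Bits")
    if everyone_can_list(aces):
        return "ntfs: DACL allows listing; check UNIX-to-Windows name mapping"
    return "ntfs: DACL does not grant listing to Everyone; check the ACL"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the posted output the DACL itself is permissive, which points at the credential-mapping step described in the answer rather than at the ACL or the mode bits.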


Filipe

Hi,

Thank you for your prompt response.

Thank you for the documents and links you sent.

As we have a mixed security style and a Path Share for NTFS, we made a workaround. We created a Qtree mount path with unix security style.
Now we can open the directory on that new mount path </path/qtree path>.
<path> - security style mixed
<qtree path> - security style unix

Thank you very much for your help!
Best regards,
Filipe

keerti

Hi, how will the storage node collect Windows credentials for the Unix user to determine if access can be granted?


Many Thanks
