Network and Storage Protocols

permission denied on mount operation for NFS volume with netgroup in LDAP

zinovik_igor
5,441 Views

  Hello.

I'm trying to figure out why my filer do not allow me to mount volume for my netgroups that are stored in LDAP.

Client is opensuse 12.1

ldap2:~ # uname -r

3.1.10-1.9-desktop

NFS4 support is disabled:

ldap2:~ # grep NFS4_SUPPORT /etc/sysconfig/nfs

NFS4_SUPPORT="no"

NFS client services are running:

ldap2:~ # systemctl status nfs.service

nfs.service - LSB: NFS client services

           Loaded: loaded (/etc/init.d/nfs)

           Active: active (exited) since Wed, 12 Sep 2012 10:24:12 +0400; 51min ago

          Process: 16025 ExecStop=/etc/init.d/nfs stop (code=exited, status=0/SUCCESS)

          Process: 16047 ExecStart=/etc/init.d/nfs start (code=exited, status=0/SUCCESS)

           CGroup: name=systemd:/system/nfs.service

Firewall is turned off.  There is no NAT gateway between client and netapp filer.

I store my netgroups in LDAP:

dn: cn=home-hosts,ou=Netgroup,dc=local,dc=prv

objectClass: top

objectClass: nisNetgroup

cn: home-hosts

nisNetgroupTriple: (ldap1.local.prv,,)

nisNetgroupTriple: (ldap2.local.prv,,)

On filer side:

fas2> vol create test sataaggr 1g

fas2> exportfs -io rw=@home-hosts,anon=0 /vol/test

fas2> qtree status test

Volume   Tree     Style Oplocks  Status

-------- -------- ----- -------- ---------

test              unix  enabled  normal

fas2> ping ldap2.local.prv

ldap2.local.prv is alive

fas2> rdfile /etc/nsswitch.conf

hosts: files       nis     dns

passwd: files      nis     ldap

netgroup: files    nis  ldap

group: files       nis     ldap

shadow: files      nis

Filer can successfully find host in netgroups that are stored in LDAP catalog:

fas2> options ldap.base.netgroup ldap.base.netgroup         

ou=Netgroup,dc=local,dc=prv

fas2> priv set advanced

fas2*> getXXbyYY netgrp home-hosts ldap2.local.prv

client ldap2.local.prv is in netgroup home-hosts 

With all this client still cannot mount volume.

ldap2:~ # mount.nfs -o rw,tcp,hard,timeo=600,nfsvers=3 fas2:/vol/test /mnt

mount.nfs: access denied by server while mounting fas2:/vol/test 

ldap2:~ # showmount -e fas2

Export list for fas2:

/vol/test   home-hosts

/vol/backup 172.20.20.29

I enabled nfs.mountd.trace option, but i do not see any messages regarding denied access in /etc/messages on filer.

If i change access to volume

fas2> exportfs -io rw=ldap2.local.prv /vol/test

client is able to mount volume. 

I tried to `exportfs -f`, but it does not help.  I'm just wondering why when i try to check host membership in netgroup

with getXXbyYY on filer i see queries on LDAP server, but i do not see queries when I'm trying to mount volume from client.

1 ACCEPTED SOLUTION

zinovik_igor
5,441 Views

My problem was that names that i specified in netgroup OU lacked PTR records in DNS.

On connection filer has only IP address that it need to map back to DNS name.

When i fixed reverse lookup everything start working fine.

View solution in original post

1 REPLY 1

zinovik_igor
5,442 Views

My problem was that names that i specified in netgroup OU lacked PTR records in DNS.

On connection filer has only IP address that it need to map back to DNS name.

When i fixed reverse lookup everything start working fine.

Public