ONTAP Discussions
Hello,
We were testing the ONTAP feature to restrict a CIFS share based on computer names/IP addresses using export policies.
The idea was to deny access to a set of computers and grant access to the remaining systems.
For example:
Export-policy: Test1
Rule 1: Deny access to System A
Rule 2: Allow access to 0.0.0.0/0 (remaining systems)
Requirement: Only System A should be denied access, but the rest should be able to access the share. But with the above rules in place, System A was also able to access the share.
If I get it right, rules are processed in order based on rule index, and if a client matches the 1st rule, the rest will be ignored.
Is this the default behaviour?
Is there any way I could adjust export-policy rules to meet my requirement?
Please suggest.
Thanks in advance!
Hi,
Can you please change the client specification for export policy rule 2 to '<domain_name>.com'?
Please go through
https://library.netapp.com/ecmdocs/ECMP1141091/html/GUID-417C1E61-EEE5-4762-9799-DAF16557097A.html
Thanks for your response!
This actually works if I deny access to a host in one domain and allow access to other hosts in another domain.
For example, with the following rules in place, it works between 2 separate domains.
Rule1: Deny - host1.abc.example.com
Rule2: Allow - .xyz.example.com
However, if I want to deny access for a specific host in a domain and allow access to the remaining hosts in the same domain, it doesn't work.
The export rules used for testing are below.
Rule1: Deny - host1.abc.example.com
Rule2: Allow - .abc.example.com
Is there any way to restrict a specific host in a domain and allow access to the remaining hosts in the same domain?
Thanks for your help!
Never mind. This behaviour was due to a DNS resolution issue on the clients that were able to access.
After the DNS issue was fixed, it works as it should.
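As an added illustration of the first-match evaluation and the DNS dependency discussed in this thread (my own Python model, not ONTAP code): rules are walked in ascending index order and the first rule whose client match fits the client decides the outcome. The model simplifies ONTAP's rorule/rwrule values into a single allow/deny flag, and it assumes that hostname and domain-suffix matches can only succeed when the client's IP has been resolved to a hostname via reverse DNS; the IPs and hostnames are constructed sample values.

```python
"""Model of first-match export-policy evaluation (added example, not ONTAP code).

Assumptions (not from the thread):
  * rules are evaluated in ascending index order; the first match wins;
  * a client with no matching rule is denied;
  * hostname / ".domain" matchers require reverse DNS to have resolved the
    client IP; CIDR or bare-IP matchers never need DNS;
  * allow/deny is a simplification of ONTAP's rorule/rwrule settings.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    index: int
    clientmatch: str  # CIDR, single IP, FQDN, or ".domain" suffix
    allow: bool       # simplified stand-in for rorule/rwrule


@dataclass
class Client:
    ip: str
    hostname: Optional[str]  # reverse-DNS result; None if resolution failed


def matches(clientmatch: str, client: Client) -> bool:
    """Return True if the rule's client match applies to this client."""
    try:
        # CIDR ("0.0.0.0/0") or bare IP ("192.168.0.1" -> /32)
        net = ipaddress.ip_network(clientmatch, strict=False)
        return ipaddress.ip_address(client.ip) in net
    except ValueError:
        pass  # not an IP spec; fall through to name-based matching
    if client.hostname is None:
        return False  # reverse DNS failed: name-based rules cannot match
    host = client.hostname.lower().rstrip(".")
    spec = clientmatch.lower().rstrip(".")
    if spec.startswith("."):
        return host.endswith(spec)  # ".abc.example.com" matches any host in it
    return host == spec


def evaluate(rules: List[Rule], client: Client) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (decision, index of deciding rule)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if matches(rule.clientmatch, client):
            return ("allow" if rule.allow else "deny", rule.index)
    return ("deny", None)  # no rule matched


# Constructed policies mirroring the two variants tried in the thread.
DENY_HOST_ALLOW_ALL = [
    Rule(1, "host1.abc.example.com", allow=False),
    Rule(2, "0.0.0.0/0", allow=True),
]
DENY_HOST_ALLOW_DOMAIN = [
    Rule(1, "host1.abc.example.com", allow=False),
    Rule(2, ".abc.example.com", allow=True),
]


def run_scenarios():
    """Evaluate both policies for a resolved host1, an unresolved host1, and host2."""
    clients = {
        "host1_resolved": Client("192.168.0.1", "host1.abc.example.com"),
        "host1_unresolved": Client("192.168.0.1", None),   # reverse DNS broken
        "host2_resolved": Client("192.168.0.2", "host2.abc.example.com"),
    }
    policies = {
        "deny_host_allow_all": DENY_HOST_ALLOW_ALL,
        "deny_host_allow_domain": DENY_HOST_ALLOW_DOMAIN,
    }
    return {
        pname: {cname: evaluate(rules, c) for cname, c in clients.items()}
        for pname, rules in policies.items()
    }


if __name__ == "__main__":
    for pname, results in run_scenarios().items():
        print(pname)
        for cname, (decision, idx) in results.items():
            print(f"  {cname:18} -> {decision} (rule {idx})")
```

With working reverse DNS, host1 hits the deny rule at index 1 under both policies. When reverse DNS for host1 fails, the hostname deny rule cannot match: with a 0.0.0.0/0 fallback the client falls through to rule 2 and is allowed (the symptom reported at the top of the thread), whereas with a ".abc.example.com" fallback it matches nothing and is denied. On a real system the equivalent check is the `vserver export-policy check-access` command shown later in this thread.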
What version of ONTAP do you have? Is it 7-Mode?
If it is ONTAP 9 or ONTAP 8 cDOT, give us output of export policies for your data volume AND svm root volume:
Let's investigate first. Here are the steps you need to perform with my examples:
Step 1. First check access to your volume
cluster1::> vserver export-policy check-access -vserver svm01 -volume nfs_vol1 -client-ip 192.168.0.1 -authentication-method none -protocol nfs3 -access-type read-write
                                         Policy     Policy     Rule
Path                          Policy     Owner      Owner Type Index  Access
----------------------------- ---------- ---------- ---------- ------ ----------
/                             default    svm01_root volume     1      read
/nfs_vol1_NFS_volume          nfs_vol1   nfs_vol1   volume     1      read-write
2 entries were displayed.
Note: There is an SVM root volume in the data path from the client to your data volume. So we are going to take a look at the svm01_root volume too; it is important!
Step 2. Show your volumes, their junction path and assigned policy. In this case, we are interested in the volumes from Step 1 (svm01_root & nfs_vol1).
cluster1::> volume show -fields vserver,volume,aggregate,state,type,size,available,used,junction-path,policy
vserver     volume     aggregate         size    state  policy   junction-path         available used   type
----------- ---------- ----------------- ------- ------ -------- --------------------- --------- ------ ----
svm01       nfs_vol1   cluster1_02_SSD_1 10GB    online nfs_vol1 /nfs_vol1_NFS_volume  9.50GB    312KB  RW
svm01       svm01_root cluster1_01_SSD_1 20MB    online default  /                     18.73MB   280KB  RW
2 entries were displayed.
Step 3. Show export policies you have (just in case)
cluster1::> vserver export-policy show
Vserver         Policy Name
--------------- -------------------
svm01           default
svm01           nfs_vol1
2 entries were displayed.
Step 4. Show the rules you have for each policy & index. We are interested in the export policies from Step 2 (nfs_vol1, default).
cluster1::> vserver export-policy rule show
             Policy          Rule   Access   Client                RO
Vserver      Name            Index  Protocol Match                 Rule
------------ --------------- ------ -------- --------------------- ---------
svm01        default         1      any      0.0.0.0/0             none
svm01        nfs_vol1        1      any      0.0.0.0/0             none
2 entries were displayed.
Step 5. Show details for *each rule* of the export policies from Step 2 (nfs_vol1, default).
cluster1::> vserver export-policy rule show -policyname nfs_vol1 -ruleindex 1 -vserver svm01
                                    Vserver: svm01
                                Policy Name: default
                                 Rule Index: 1
                            Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0
                             RO Access Rule: none
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: none
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

cluster1::> vserver export-policy rule show -policyname default -ruleindex 1 -vserver svm01
                                    Vserver: svm01
                                Policy Name: default
                                 Rule Index: 1
                            Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0
                             RO Access Rule: none
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: none
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true
Export policy enforcement for SMB access has been disabled by default since about ONTAP 8.2.
To enable it:
set -privilege advanced
vserver cifs options modify -vserver <vserver_name> -is-exportpolicy-enabled true
set -privilege admin
Then close your client's SMB sessions and try again.