ONTAP Discussions

Export-policy for CIFS/SMB not working according to the export-policy rules

imshenthil
8,941 Views

Hello,

 

We were testing the ONTAP feature to restrict a CIFS share based on computer names/IP addresses using export policies.

The idea was to deny access to a set of computers and grant access to the remaining systems.

For example,

Export-policy: Test1

Rule1: Deny access to System A

Rule2: Allow access to 0.0.0.0/0 (remaining systems)

 

Requirement: Only System A should be denied access, but the rest should be able to access the share. But with the above rules in place, System A was also able to access the share.

If I get it right, rules are processed in order based on rule index, and if a client matches the first rule, the rest will be ignored.

Is this the default behaviour?

Is there any way I could adjust the export-policy rules to meet my requirement?

Please suggest.

 

Thanks in advance!

 

1 ACCEPTED SOLUTION

mrahul
8,917 Views

Hi,

Can you please change the client specification for export policy rule 2 to '<domain_name>.com'?

Please go through

https://library.netapp.com/ecmdocs/ECMP1141091/html/GUID-417C1E61-EEE5-4762-9799-DAF16557097A.html

5 REPLIES


imshenthil
8,804 Views

Thanks for your response!

This actually works if I deny access to a host in a domain and allow access to other hosts in another domain.

For example, with the following rules in place, it works between two separate domains.

Rule1: Deny - host1.abc.example.com

Rule2: Allow - .xyz.example.com

However, if I want to deny access for a specific host in a domain and allow access to the remaining hosts in the same domain, it doesn't work.

The export rules used for testing are below.

Rule1: Deny - host1.abc.example.com

Rule2: Allow - .abc.example.com

Is there any way to restrict a specific host in a domain and allow access to the remaining hosts in the same domain?

Thanks for your help!

imshenthil
8,592 Views

Never mind. This behaviour was due to a DNS resolution issue on the clients that were able to access.

After the DNS issue was fixed, it works as it should.
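As an added illustration (not code from this thread or from NetApp), the following Python model reproduces the first-match rule evaluation described in the question and the reverse-DNS dependency found in the last reply: a hostname or domain rule can only match a client whose IP reverse-resolves to the expected name, so a stale PTR record lets the client slip past the deny rule and hit the 0.0.0.0/0 allow. The IP addresses, hostnames and resolver tables are constructed, and the allow/deny actions are a simplified stand-in for the real rule fields.

```python
import ipaddress

# Constructed reverse-DNS table (client IP -> FQDN), standing in for the
# resolver the filer queries. 10.0.1.20 deliberately has no PTR record.
REVERSE_DNS = {
    "10.0.1.10": "host1.abc.example.com",
    "10.0.1.11": "host2.abc.example.com",
    "10.0.2.10": "host9.xyz.example.com",
}

def client_matches(spec, client_ip, rdns=REVERSE_DNS):
    """Return True if one client-match spec covers client_ip.
    Models the three spec shapes seen in the thread: an IP network such as
    0.0.0.0/0, a bare hostname, and a leading-dot domain suffix such as
    .abc.example.com. Name specs are compared with the client's reverse-
    resolved name, so a missing or stale PTR record means no match.
    """
    try:
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    except ValueError:
        pass  # not an IP/CIDR spec; fall through to name matching
    name = rdns.get(client_ip)
    if name is None:
        return False
    name, spec = name.lower(), spec.lower()
    return name.endswith(spec) if spec.startswith(".") else name == spec

def evaluate(rules, client_ip, rdns=REVERSE_DNS):
    """First-match evaluation: rules are (client_match, action) tuples in
    rule-index order; the first matching rule decides and later rules are
    ignored. A client matching no rule gets no access."""
    for spec, action in rules:
        if client_matches(spec, client_ip, rdns):
            return action
    return "deny"

# Scenario from the original post: deny one host, allow everyone else.
DENY_ONE_ALLOW_ALL = [("host1.abc.example.com", "deny"), ("0.0.0.0/0", "allow")]
# Scenario from the follow-up: deny one host, allow the rest of its domain.
DENY_ONE_ALLOW_DOMAIN = [("host1.abc.example.com", "deny"), (".abc.example.com", "allow")]
# Constructed broken resolver: host1's IP reverse-resolves to the wrong name.
STALE_DNS = {"10.0.1.10": "host1.localdomain"}

if __name__ == "__main__":
    print(evaluate(DENY_ONE_ALLOW_ALL, "10.0.1.10"))             # deny
    print(evaluate(DENY_ONE_ALLOW_ALL, "10.0.1.10", STALE_DNS))  # allow: deny rule never matched
    print(evaluate(DENY_ONE_ALLOW_DOMAIN, "10.0.1.11"))          # allow
    print(evaluate(DENY_ONE_ALLOW_DOMAIN, "10.0.1.20"))          # deny: no PTR, no rule matches
```

The second print shows the original symptom: with a wrong PTR record the deny rule is skipped and the catch-all allow grants access, so name-based export rules are only as trustworthy as the reverse DNS the filer sees.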

Damien_Queen
8,885 Views

What version of ONTAP do you have? Is it 7-Mode?

If it is ONTAP 9 or ONTAP 8 cDOT, give us the output of the export policies for your data volume AND the SVM root volume:

Let's investigate first. Here are the steps you need to perform, with my examples:

Step 1. First check access to your volume

cluster1::> vserver export-policy check-access -vserver svm01 -volume nfs_vol1 -client-ip 192.168.0.1 -authentication-method none -protocol nfs3 -access-type read-write
                                          Policy     Policy       Rule
Path                          Policy      Owner      Owner Type   Index  Access
----------------------------- ----------- ---------- ------------ ------ ----------
/                             default     svm01_root volume       1      read
/nfs_vol1_NFS_volume          nfs_vol1    nfs_vol1   volume       1      read-write
2 entries were displayed.

Note: There is an SVM root volume in the data path from the client to your data volume, so we are going to take a look at the svm01_root volume too. It is important!

 

Step 2. Show your volumes, their junction path and assigned policy. In this case, we are interested in the volumes from Step 1 (svm01_root & nfs_vol1):

cluster1::> volume show -fields vserver,volume,aggregate,state,type,size,available,used,junction-path,policy
vserver volume     aggregate         size  state  policy   junction-path        available used  type
------- ---------- ----------------- ----- ------ -------- -------------------- --------- ----- ----
svm01   nfs_vol1   cluster1_02_SSD_1 10GB  online nfs_vol1 /nfs_vol1_NFS_volume 9.50GB    312KB RW
svm01   svm01_root cluster1_01_SSD_1 20MB  online default  /                    18.73MB   280KB RW
2 entries were displayed.

Step 3. Show the export policies you have (just in case)

cluster1::> vserver export-policy show
Vserver         Policy Name
--------------- -------------------
svm01           default
svm01           nfs_vol1
2 entries were displayed.

Step 4. Show the rules you have for each policy & index; we are interested in the export policies from Step 2 (nfs_vol1, default)

cluster1::> vserver export-policy rule show
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------- -------- --------------------- ---------
svm01        default         1       any      0.0.0.0/0             none
svm01        nfs_vol1        1       any      0.0.0.0/0             none
2 entries were displayed.


Step 5. Show details for *each rule* of the export policies from Step 2 (nfs_vol1, default)

cluster1::> vserver export-policy rule show -policyname nfs_vol1 -ruleindex 1 -vserver svm01

                                    Vserver: svm01
                                Policy Name: default
                                 Rule Index: 1
                            Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0
                             RO Access Rule: none
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: none
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

cluster1::> vserver export-policy rule show -policyname default -ruleindex 1 -vserver svm01

                                    Vserver: svm01
                                Policy Name: default
                                 Rule Index: 1
                            Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0.0.0.0/0
                             RO Access Rule: none
                             RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
                   Superuser Security Types: none
               Honor SetUID Bits in SETATTR: true
                  Allow Creation of Devices: true

 

SeanHatfield
8,864 Views

Export policy enforcement for SMB access has been disabled by default since about ONTAP 8.2.

To enable it:

set -privilege advanced
vserver cifs options modify -vserver <vserver_name> -is-exportpolicy-enabled true
set -privilege admin

Then close your client's SMB sessions and try again.

 

 
