ONTAP Discussions

NFS Share Access Denied

LeeLSTM
1,281 Views

Hi all,

 

I have created a new volume via ontap and want to mount it using NFS on a Ubuntu Linux VM (hosted on VMWare)

 

Within the volume i have enabled the NFS option and created an export policy where i have specified the VM IP and given read/write permissions to all

 

LeeLSTM_0-1726662305341.png

 

However, I keep getting access denied when running the mount command. I can ping the NetApp from the VM so not sure what else to try? 

 

Cheers

Lee

 

1 ACCEPTED SOLUTION

ChLokesh
1,154 Views

Hello there,

 

I see the read-only rule has been set to Never.

 

- Never means "For an incoming request from a client matching the client match criteria, do not allow any access to the volume regardless of the security type of that incoming request."

 

- So, I would suggest to you first change this value to Any and check the access.

vserver export-policy rule create: https://docs.netapp.com/us-en/ontap-cli-9111/vserver-export-policy-rule-create.html#description

 

- If it still fails, run below command which will show you where the access is failing.

vserver export-policy check-access -vserver <VSERVER_NAME> -client-ip <CLIENT_IP> -volume <VOLUME_NAME> -authentication-method sys -protocol <nfs3/nfs4> -access-type read-write

Note: (you need to key in the vserver name, client IP, volume name and nfs version in the command. This will tell you if there is any access issues.)

vserver export-policy check-access: https://docs.netapp.com/us-en/ontap-cli-9131/vserver-export-policy-check-access.html#description

 

- Possible KB match: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NFS_client_access_denied_when_mounting_because_RO_Access_Rule_is_set_to_never

 

- Mounting Process: The NFS client must first access the root volume of the data vserver before it can reach the data volume. 

 

If the issue persists, share the export-policy check-access output here.

 

Hope this will help you with t-shooting the issue.

Cheers!

 

View solution in original post

5 REPLIES 5

TMACMD
1,258 Views

start with verifying the IP of the nfs client is in that list.

Then make sure the export-policy is applied to both the root volume and the data volume

LeeLSTM
1,247 Views

Cheers TMA, the IP of the client is correct and i can ping both ways..

 

Can you elaborate on "Then make sure the export-policy is applied to both the root volume and the data volume"

 

Thanks

TMACMD
1,211 Views

I am asking to verify IPs because it is NOT uncommon to have multiple IPs and the route the hsot chooses may not be the one you want, Pinging is not the tell all in every case. You need to verify IPs.

 

Every volume must have an export-policy attached to it to allow NFS access. By default, there is a policy in every SVM called default. Looks like you created a new policy called "mount" with two entries.

The default policy attached to the root volume of the SVM needs to have an entry to allow access also.

 

Typically, I will do this:

export-policy rule create -vserver xxx -policy default -client 0.0.0.0/0 -ro=sys -rw=none -super=none -proto nfs

 

That allows any client to attach to the root, but only with read permissions.

 

Check the volume export-policies.

ChLokesh
1,155 Views

Hello there,

 

I see the read-only rule has been set to Never.

 

- Never means "For an incoming request from a client matching the client match criteria, do not allow any access to the volume regardless of the security type of that incoming request."

 

- So, I would suggest to you first change this value to Any and check the access.

vserver export-policy rule create: https://docs.netapp.com/us-en/ontap-cli-9111/vserver-export-policy-rule-create.html#description

 

- If it still fails, run below command which will show you where the access is failing.

vserver export-policy check-access -vserver <VSERVER_NAME> -client-ip <CLIENT_IP> -volume <VOLUME_NAME> -authentication-method sys -protocol <nfs3/nfs4> -access-type read-write

Note: (you need to key in the vserver name, client IP, volume name and nfs version in the command. This will tell you if there is any access issues.)

vserver export-policy check-access: https://docs.netapp.com/us-en/ontap-cli-9131/vserver-export-policy-check-access.html#description

 

- Possible KB match: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NFS_client_access_denied_when_mounting_because_RO_Access_Rule_is_set_to_never

 

- Mounting Process: The NFS client must first access the root volume of the data vserver before it can reach the data volume. 

 

If the issue persists, share the export-policy check-access output here.

 

Hope this will help you with t-shooting the issue.

Cheers!

 

chenguanghui
1,104 Views

hi:

     The read-only  rule option is set the value to any  and then checks permissions because never specifies that no client can get read-only access.

   if you want to apply the export policy to all possible IP4 addresses,set the clientmatch to 0.0.0.0/0

Refer to the following article  for options for creating an export policy   

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_do_export_policies_work_in_clustered_Data_ONTAP

Public