Re: NFS (v3 and v4) mount gives access denied on junction path

USER_2000 · ‎2018-12-14

Hi,

I am pretty new to Clustered Data Ontap. On our FAS2620 with NetApp Release 9.4P4 I created a export policy for a share with NTFS security. The strange thing is, that I can mount the share /vol/vol1, but not /vol/vol1/projects.

When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:

mount -o sec=sys,vers=4.0 svm1:/vol/vol1/projects /mnt
mount.nfs: access denied by server while mounting svm1:/vol/vol1/projects

On the other hand, mount of /vol/vol1 succeeds without problems. When specifying NFS v3, I can mount both path, i.e. /vol/vol1 and /vol/vol1/projects.

What am I mssing?

Kind regards,

Andreas

connoisseur · ‎2018-12-14

@USER_2000 wrote:

Hi,

I am pretty new to Clustered Data Ontap. On our FAS2620 with NetApp Release 9.4P4 I created a export policy for a share with NTFS security. The strange thing is, that I can mount the share /vol/vol1, but not /vol/vol1/projects.

When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:

mount.nfs: access denied by server while mounting svm1:/vol/vol01/projects

On the other hand, mount of /vol/vol1 succeeds without problems.

What am I mssing?

Kind regards,

Andreas

You can check perm issions with 'file-directory' CMD

vserver security file-directory show -vserver vs1 -path /vol/vol1/projects

Is the 'projects' folder created as a qtree or folder.
If qtree, check security style on it:
qtree show -vserver vs1

Also, on cDOT you have to add your export policy to the root namespace..but that should already been done as you can mount one layer up

USER_2000 · ‎2018-12-16

Hi,

It is a qtree with NTFS security style. When I mount the share with NFS v3 or the path /vol/vol1 with NFS v4, permissions work as expected. The default export policy on the root has been openend and I created a export policy for /vol/vol1/projects as well. I probably made a mistake there, but I have no idea what could be the problem and where to look.

I tried check-access:

svm::> check-access -vserver svm1 -volume vol1 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write
(vserver export-policy check-access)
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    vol1      volume          1 read-write
3 entries were displayed.
The result is the same vor nfs3.

Kind regards,

Andreas

connoisseur · ‎2018-12-16

As it´s NTFS security style and not Unix you could try to check the -ntfs-unix-security-ops {ignore|fail}] option.

You can read more about it here:
vserver export-policy rule show

But basically check with:

cluster::*> vserver export-policy rule show -vserver vs1 -fields ntfs-unix-security-ops vserver policyname ruleindex ntfs-unix-security-ops

-------------- ---------- --------- ----------------------

vs1 default 1 fail

If it says fail, change to ignore and test

USER_2000 · ‎2018-12-17

I changed the option, but it made no difference. Just some more information:

rngx6786::> export-policy check-access -vserver svm1 -volume svm1_vol01 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write -qtree projects
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    svm1_vol01
                                                   volume          1 read
/vol/vol1/projects            default    svm1_vol01
                                                   volume          1 read-write
4 entries were displayed.

rngx6786::> qtree show
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
svm1       svm1_root ""           ntfs         enable    normal
svm1       svm1_vol01
                         ""           ntfs         enable    readonly
svm1       svm1_vol01
                         projects     ntfs         enable    readonly
svm1       svm1_vol01
                         topics       ntfs         enable    readonly

moep · ‎2018-12-17

I once ran into the same issue. You need to grant the NTFS right "Traverse folder/ execute file" to the "Authenticated User" group on your projects folder.

USER_2000 · ‎2018-12-17

The permissions are set like this, so it must be something different.

Thank you,

Andreas

connoisseur · ‎2018-12-17

You are using nfs4..

Have you set up NFSv4 iddomain specified on the client and vServer??

https://kb.netapp.com/app/answers/answer_view/a_id/1030467/~/how-to-configure-nfsv4-in-cluster-mode-

NFS v4 mount gives access denied on junction path

Get ready to power on