ONTAP Discussions

NFS v4 mount gives access denied on junction path

USER_2000

Hi,

 

I am pretty new to Clustered Data Ontap. On our FAS2620 with NetApp Release 9.4P4 I created an export policy for a share with NTFS security. The strange thing is that I can mount the share /vol/vol1, but not /vol/vol1/projects.

 

When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:

 

mount -o sec=sys,vers=4.0 svm1:/vol/vol1/projects /mnt
mount.nfs: access denied by server while mounting svm1:/vol/vol1/projects

 

On the other hand, mount of /vol/vol1 succeeds without problems. When specifying NFS v3, I can mount both paths, i.e. /vol/vol1 and /vol/vol1/projects.

What am I missing?

 

Kind regards,

Andreas

 

moep

I once ran into the same issue. You need to grant the NTFS right "Traverse folder/ execute file" to the "Authenticated User" group on your projects folder.

USER_2000

The permissions are set like this, so it must be something different.

 

Thank you,

 

Andreas

connoisseur

You are using nfs4..

Have you set up and specified the NFSv4 iddomain on the client and vServer?

 

https://kb.netapp.com/app/answers/answer_view/a_id/1030467/~/how-to-configure-nfsv4-in-cluster-mode-

 

 

connoisseur

@USER_2000 wrote:

Hi,

 

I am pretty new to Clustered Data Ontap. On our FAS2620 with NetApp Release 9.4P4 I created an export policy for a share with NTFS security. The strange thing is that I can mount the share /vol/vol1, but not /vol/vol1/projects.

 

When I mount /vol/vol1 I can see the projects folder and I have the correct access rights with my user, but I would rather mount /vol/vol1/projects directly. When I try it on my Ubuntu 18.04 Linux client, I get an error message:

 

mount.nfs: access denied by server while mounting svm1:/vol/vol01/projects

 

On the other hand, mount of /vol/vol1 succeeds without problems.

What am I missing?

 

Kind regards,

Andreas

 

You can check permissions with the 'file-directory' command:

vserver security file-directory show -vserver vs1 -path /vol/vol1/projects

Is the 'projects' folder created as a qtree or a folder?
If a qtree, check the security style on it:
qtree show -vserver vs1

Also, on cDOT you have to add your export policy to the root namespace, but that should already have been done, as you can mount one layer up.

 

USER_2000

Hi,

 

It is a qtree with NTFS security style. When I mount the share with NFS v3 or the path /vol/vol1 with NFS v4, permissions work as expected. The default export policy on the root has been opened and I created an export policy for /vol/vol1/projects as well. I probably made a mistake there, but I have no idea what could be the problem and where to look.

 

I tried check-access:

svm::> check-access -vserver svm1 -volume vol1 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write
  (vserver export-policy check-access)
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    vol1      volume          1 read-write
3 entries were displayed.
The result is the same for nfs3.

 

Kind regards,

Andreas

connoisseur

As it's NTFS security style and not Unix, you could try to check the -ntfs-unix-security-ops {ignore|fail} option.

 

You can read more about it here:
vserver export-policy rule show

 

But basically check with:

cluster::*> vserver export-policy rule show -vserver vs1 -fields ntfs-unix-security-ops
vserver        policyname ruleindex ntfs-unix-security-ops
-------------- ---------- --------- ----------------------
vs1            default    1         fail

If it says fail, change to ignore and test

USER_2000

I changed the option, but it made no difference. Just some more information:

 

rngx6786::> export-policy check-access -vserver svm1 -volume svm1_vol01 -client-ip 10.1.1.100 -authentication-method sys -protocol nfs4 -access-type read-write -qtree projects
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    svm1_vol01
                                                   volume          1 read
/vol/vol1/projects            default    svm1_vol01
                                                   volume          1 read-write
4 entries were displayed.

rngx6786::> qtree show
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
svm1       svm1_root ""           ntfs         enable    normal
svm1       svm1_vol01
                         ""           ntfs         enable    readonly
svm1       svm1_vol01
                         projects     ntfs         enable    readonly
svm1       svm1_vol01
                         topics       ntfs         enable    readonly
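
The check-access listings posted in this thread wrap long rows onto two lines, which makes them awkward to compare between runs. The following is an added example, not part of the original thread and not NetApp code: it rejoins the wrapped rows and reports the first path component whose export-policy access is too low. The function names are hypothetical, the sample is the output posted above, and the rule that parent paths need at least read access is an assumption of the example.

```python
# Constructed sample: check-access output as posted in the thread above.
SAMPLE = """\
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             default    svm1_root
                                                   volume          1 read
/vol                          default    svm1_root
                                                   volume          1 read
/vol/vol1                     default    svm1_vol01
                                                   volume          1 read
/vol/vol1/projects            default    svm1_vol01
                                                   volume          1 read-write
4 entries were displayed.
"""

# Any Access value not listed here is treated as "no access" (assumption).
RANK = {"read": 1, "read-write": 2}
FIELDS = ("path", "policy", "owner", "owner_type", "index", "access")


def parse_check_access(text):
    """Return one dict per path, rejoining rows the CLI wrapped onto two lines."""
    rows = []
    for line in text.splitlines():
        if line.startswith("/"):                      # a new path row
            rows.append(line.split())
        elif rows and line[:1].isspace() and len(rows[-1]) < len(FIELDS):
            rows[-1].extend(line.split())             # wrapped continuation
    return [dict(zip(FIELDS, r)) for r in rows if len(r) == len(FIELDS)]


def first_blocker(rows, wanted="read-write"):
    """Return (path, granted, needed) for the first path with too little access.

    Assumption: every parent path needs at least read, the last one `wanted`.
    """
    for i, row in enumerate(rows):
        need = wanted if i == len(rows) - 1 else "read"
        if RANK.get(row["access"], 0) < RANK[need]:
            return row["path"], row["access"], need
    return None


if __name__ == "__main__":
    parsed = parse_check_access(SAMPLE)
    for row in parsed:
        print(f'{row["path"]:<22} policy={row["policy"]:<8} access={row["access"]}')
    print("blocked at:", first_blocker(parsed))
```

For the posted output it reports no blocking component: every path in the chain is granted what the example requires.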
