NetApp Knowledge Base

NFS mount fails when export has hostname as clientmatch and DNS entries are cached

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • NFS

Issue

  • When the NFS client (10.216.41.24) tries to mount an NFS export (security style: UNIX), the mount fails with "Access denied"

[root@centos_client_1 ~]#  mount -v 10.216.41.211:/voltest_cdot -o sec=sys,nfsvers=3 /test
mount.nfs: timeout set for Wed Jan  4 05:01:05 2023
mount.nfs: trying text-based options 'sec=sys,nfsvers=3,addr=10.216.41.211'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.216.41.211 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.216.41.211 prog 100005 vers 3 prot UDP port 635
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 10.216.41.211:/voltest_cdot    

  • The export policy rule uses a hostname/FQDN as the clientmatch, not an IP address

cdot_vsim97::> export-policy rul show -vserver svm01 -policyname new
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------  -------- --------------------- ---------
svm01        new             1       any      centos_client_1.      any
                                              naslab.local

  • The client hostname resolves to IP 10.216.41.24

WARNING

cdot_vsim97::> set advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

cdot_vsim97::*> getxxbyyy gethostbyname -vserver svm01 -hostname centos_client_1.naslab.local -show-source true
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24

  • export-policy check-access reports access denied for the volume

cdot_vsim97::*> export-policy check-access -vserver svm01 -volume voltest_cdot -client-ip 10.216.41.24 -authentication-method sys -protocol nfs3 -access-type read-write
                                         Policy    Policy       Rule
Path                          Policy     Owner     Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             test       svm01_root   volume      1  read
/voltest_cdot                 new        voltest_cdot volume      0  denied

  • The name service (NS) cache shows an incorrect IP for client centos_client_1.naslab.local (10.216.41.74 instead of 10.216.41.24)

cdot_vsim97::*> vserver services name-service cache hosts forward-lookup show -vserver svm01 -host centos_client_1.naslab.local
                   IP       Address IP                     Create
Vserver   Host     Protocol Family  Address        Source  Time       TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01       centos_client_1.naslab.local Any Ipv4  dns     1/4/2023   3600
                                    10.216.41.74           15:21:07      
   

  • export-policy access-cache shows a negative Access Cache Entry Polarity for client 10.216.41.24

cdot_vsim97::*> export-policy access-cache show -node cdot_vsim97-01 -vserver svm01 -policy new -address 10.216.41.24

                                        Node: cdot_vsim97-01
                                     Vserver: svm01
                                 Policy Name: new
                                  IP Address: 10.216.41.24
                    Access Cache Entry Flags: has-usable-data
                                 Result Code: 0
                 First Unresolved Rule Index: -
                      Unresolved Clientmatch: -
              Number of Matched Policy Rules: 0
         List of Matched Policy Rule Indexes: -
                                Age of Entry: 38s
                 Access Cache Entry Polarity: negative
Time Elapsed since Last Use for Access Check: 37s
      Time Elapsed since Last Update Attempt: 38s
               Result of Last Update Attempt: 0
                List of Client Match Strings: -    

NOTE: export-policy access-cache shows a negative entry only if a mount or access was attempted from client 10.216.41.24 and received "Access Denied".

NOTE: The above outputs are from a lab environment.
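The comparison made by hand in the steps above can be scripted. This is an added example, not part of the NetApp article: it parses the gethostbyname and NS cache outputs shown above (embedded as sample text) and reports whether the cached address disagrees with the lookup for the mounting client. The function names and result labels are assumptions made for illustration.

```python
import ipaddress
import re

# Sample text copied from the lab session shown above (SVM svm01).
GETHOSTBYNAME_OUT = """\
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24
"""

NS_CACHE_OUT = """\
                   IP       Address IP                     Create
Vserver   Host     Protocol Family  Address        Source  Time       TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01       centos_client_1.naslab.local Any Ipv4  dns     1/4/2023   3600
                                    10.216.41.74           15:21:07
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Return every valid IPv4 address found in CLI output, in order."""
    found = []
    for token in IPV4_RE.findall(text):
        try:
            found.append(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            pass  # dotted number that is not a valid address, e.g. 999.1.1.1
    return found


def diagnose(client_ip, lookup_out, cache_out):
    """Compare the lookup result, the cached entry and the mounting client's IP."""
    client = ipaddress.IPv4Address(client_ip)
    fresh = set(extract_ipv4(lookup_out))
    cached = set(extract_ipv4(cache_out))
    if not cached:
        return "no-cache-entry"
    if client in cached:
        return "cache-ok"
    if client in fresh:
        return "stale-cache"   # lookup maps the host to the client, the cache does not
    return "dns-mismatch"      # neither source maps the hostname to this client


if __name__ == "__main__":
    print(diagnose("10.216.41.24", GETHOSTBYNAME_OUT, NS_CACHE_OUT))
```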
