NFS mount fails when export has hostname as clientmatch and DNS entries are cached
Applies to
- ONTAP 9
- NFS
Issue
- When the NFS client (10.216.41.24) tries to mount an NFS export (security style: UNIX), the mount fails with "Access denied"
[root@centos_client_1 ~]# mount -v 10.216.41.211:/voltest_cdot -o sec=sys,nfsvers=3 /test
mount.nfs: timeout set for Wed Jan 4 05:01:05 2023
mount.nfs: trying text-based options 'sec=sys,nfsvers=3,addr=10.216.41.211'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.216.41.211 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.216.41.211 prog 100005 vers 3 prot UDP port 635
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 10.216.41.211:/voltest_cdot
- The export policy rule uses a hostname/FQDN as the clientmatch, not an IP address
cdot_vsim97::> export-policy rul show -vserver svm01 -policyname new
             Policy          Rule   Access   Client                RO
Vserver      Name            Index  Protocol Match                 Rule
------------ --------------- ------ -------- --------------------- ---------
svm01        new             1      any      centos_client_1.      any
                                             naslab.local
- The client hostname resolves to IP 10.216.41.24
cdot_vsim97::*> getxxbyyy gethostbyname -vserver svm01 -hostname centos_client_1.naslab.local -show-source true
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24
- export-policy check-access reports access denied
cdot_vsim97::*> export-policy check-access -vserver svm01 -volume voltest_cdot -client-ip 10.216.41.24 -authentication-method sys -protocol nfs3 -access-type read-write
                                         Policy    Policy     Rule
Path                          Policy     Owner     Owner Type Index  Access
----------------------------- ---------- --------- ---------- ------ ----------
/                             test       svm01_root volume    1      read
/voltest_cdot                 new        voltest_cdot volume  0      denied
- The name service (NS) cache shows an incorrect IP (10.216.41.74) for client centos_client_1.naslab.local
cdot_vsim97::*> vserver services name-service cache hosts forward-lookup show -vserver svm01 -host centos_client_1.naslab.local
                   IP       Address IP                     Create
Vserver   Host     Protocol Family  Address        Source  Time       TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01     centos_client_1.naslab.local
                   Any      Ipv4    10.216.41.74   dns     1/4/2023   3600
                                                           15:21:07
- export-policy access-cache shows a negative Access Cache Entry Polarity for client 10.216.41.24
cdot_vsim97::*> export-policy access-cache show -node cdot_vsim97-01 -vserver svm01 -policy new -address 10.216.41.24
Node: cdot_vsim97-01
Vserver: svm01
Policy Name: new
IP Address: 10.216.41.24
Access Cache Entry Flags: has-usable-data
Result Code: 0
First Unresolved Rule Index: -
Unresolved Clientmatch: -
Number of Matched Policy Rules: 0
List of Matched Policy Rule Indexes: -
Age of Entry: 38s
Access Cache Entry Polarity: negative
Time Elapsed since Last Use for Access Check: 37s
Time Elapsed since Last Update Attempt: 38s
Result of Last Update Attempt: 0
List of Client Match Strings: -
NOTE: export-policy access-cache shows a negative entry only if a mount or access was attempted from client 10.216.41.24 and received "Access Denied"
NOTE: The above outputs are from a lab environment
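The checks above can be combined into a single triage step. The following is an added example, not part of the original article or of any NetApp tooling: it parses the "Key: value" fields of the export-policy access-cache show output and compares the name-service cached address with a fresh DNS answer for the hostname in the clientmatch. The function names and result labels are hypothetical, and the sample input is constructed from the values shown on this page.

```python
import ipaddress


def parse_kv(output):
    """Parse 'Key: value' lines of `export-policy access-cache show` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")  # split on first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose(access_cache_output, cached_host_ip, dns_host_ip):
    """Classify a denied mount for a hostname-based clientmatch rule.

    cached_host_ip: address held in the name-service forward-lookup cache
    dns_host_ip:    address returned by a fresh lookup (source: DNS)
    """
    entry = parse_kv(access_cache_output)
    client = ipaddress.ip_address(entry["IP Address"])
    negative = entry.get("Access Cache Entry Polarity") == "negative"
    no_match = entry.get("Number of Matched Policy Rules") == "0"
    if not (negative and no_match):
        return "no-negative-entry"
    cached = ipaddress.ip_address(cached_host_ip)
    fresh = ipaddress.ip_address(dns_host_ip)
    if fresh == client and cached != client:
        # DNS agrees with the client, but the cache maps the name elsewhere.
        return "stale-name-service-cache"
    if fresh != client:
        return "client-ip-not-in-dns"
    return "denied-for-other-reason"


# Constructed sample: field values copied from the outputs on this page.
SAMPLE = """\
Policy Name: new
IP Address: 10.216.41.24
Number of Matched Policy Rules: 0
Access Cache Entry Polarity: negative
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.216.41.74", "10.216.41.24"))
```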