NFS mount points not accessible when using netgroups from LDAP

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 604

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9 and later
NFS
Netgroups

Issue

NFS mount fails when using netgroup as client match in export policy with below error on client:

mount.nfs: access denied by server while mounting nfs-server-name:/mount-point

Export-policy rule includes netgroup and ns-switch configured to use files,ldap and nis for netgroup.
Export policy check access fails:

::> check-access -vserver vs1 -volume vol1 -client-ip 10.x.2.x -authentication-method sys -protocol nfs3 -access-type read-write

(vserver export-policy check-access)

Policy Policy Rule

Path Policy Owner Owner Type Index Access

----------------------------- ---------- --------- ---------- ------ ----------

/ default vs1_root volume 1 read

/vol1 policy-name vol1 volume 0 denied

2 entries were displayed.

"netgrpcheck" shows client is not member of netgroup added in export policy rule.

::*> getxxbyyy netgrpcheck -node node1 -vserver vs1 -netgroup netgroup1 -clientIP 10.x.2.x -enable-domain-search-flag true -trust-any-source false -show-source true

Client 10.x.2.x is not a member of netgroup netgroup1

Searched using NETGROUP_BYHOST_CACHE

Source used for lookup: NS Cache

Note: If source is NIS, and NETGROUP_BYHOST is used, to double-check that the client is not a member of the netgroup, use on NIS: NIShost# ypcat -k netgroup.byhost -h <client_ip> | grep -i <hostname>

Trace shows mount call fails with error "ERR_ACCESS" (access denied) for client IP 10.x.2.x.

No Date Source Destination Proto Info

57 01:17:01 10.x.2.x 10.x.2.x MOUNT V3 MNT Call (Reply In 59) /vol1

59 01:17:01 10.x.2.x 10.x.2.x MOUNT MNT Reply (Call In 57) Error:ERR_ACCESS