Access Denied setting up NFSv3 on OnTap 9.2

I’m trying to test an existing NFS configuration before moving from ONTAP 8.3 to 9.2. We’ve set up a 9.2 simulator (details at the end) with CIFS and NFS sharing and NTFS permissions. This works fine with Windows 7 & 10 clients, but we get “access denied” errors when mounting over NFS on CentOS 6.9. Do you have any ideas why?

Here’s the error:

[root@centos6 ~]# echo 32767 > /proc/sys/sunrpc/nfs_debug

[root@centos6 ~]# mount -a
mount.nfs: Connection timed out
mount.nfs: access denied by server while mounting simshare.bu.edu:/cifs_test

The CentOS client can see the share, as can Windows clients:

[root@centos6 ~]# showmount -e simshare
Export list for simshare:
/cifs_test (everyone)
/          (everyone)

Here’s the corresponding “error -13” from /var/log/messages with NFS debugging on:

Jun 14 09:03:11 centos6 kernel: NFS: nfs mount opts='soft,sec=krb5,nolock,noacl,rsize=8192,wsize=8192,addr=10.241.33.108,vers=3,proto=tcp,mountvers=3,mountproto=tcp,mountport=635'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'soft'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'sec=krb5'
Jun 14 09:03:11 centos6 kernel: NFS: parsing sec=krb5 option
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'nolock'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'noacl'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'rsize=8192'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'wsize=8192'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'addr=10.241.33.108'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'vers=3'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'proto=tcp'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'mountvers=3'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'mountproto=tcp'
Jun 14 09:03:11 centos6 kernel: NFS:   parsing nfs mount option 'mountport=635'
Jun 14 09:03:11 centos6 kernel: NFS: MNTPATH: '/cifs_test'
Jun 14 09:03:11 centos6 kernel: NFS: sending MNT request for simshare.bu.edu:/cifs_test
Jun 14 09:03:11 centos6 kernel: NFS: MNT server returned result -13
Jun 14 09:03:11 centos6 kernel: NFS: unable to mount server simshare.bu.edu, error -13

Here’s the configuration on my CentOS 6 client system:

/etc/fstab (the relevant line):


simshare.bu.edu:/sim_test /sim/sim_test nfs vers=3,rw,tcp,soft,sec=krb5,nolock,noacl,rsize=8192,wsize=8192,noatime 0 0

/etc/krb5.conf (with edits):

[libdefaults]
default_realm = AD.BU.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
allow_weak_crypto = true          # will remove this once things work

[realms]
AD.BU.EDU = {
 kdc = ad.bu.edu.
}

# Mapping of domains to kerberos realms.
#
# These entries will at least map any reference to an active directory hostname
# to the realm, and if we wanted we could also point bu.edu to that as well.
# As per the docs on krb5.conf, an entry starting with a period is for a whole
# domain, while one without specifies an actual host.
[domain_realm]
.ad.bu.edu = AD.BU.EDU
ad.bu.edu = AD.BU.EDU

[appdefaults]
pam = {
 minimum_uid = 3000
}

/etc/sssd/sssd.conf:

# This configures SSSD to use generic LDAP and krb5 interfaces to connect to
# AD.  There is also an AD provider, but it is fairly recent and not as well
# documented.

[sssd]
config_file_version = 2
domains = AD
services = nss, pam

[nss]

### Options for the sss entries in /etc/nsswitch.conf.

override_homedir = /home/%u

# Maybe there's a shell entry in LDAP somewhere, but by default it can't find
# one.  This works fine, though.
default_shell = /bin/bash

[pam]

### Options for the sss entries in /etc/pam.d/.
# We don't need to configure anything here.

[domain/AD]

### Select providers for each service
id_provider     = ldap
auth_provider   = krb5
chpass_provider = krb5
access_provider = ldap

### General settings

# If the system's hostname isn't under ad.bu.edu, this will make SSSD still use
# ad.bu.edu for discovering LDAP/kerberos/etc. servers.
dns_discovery_domain = ad.bu.edu

For reference, here’s the ONTAP 9.2 simulator setup:

simshare-clu::*> vserver nfs show
Virtual      General
Server       Access  v3       v4.0     v4.1     UDP      TCP
------------ ------- -------- -------- -------- -------- --------
svm1         true    enabled  enabled  disabled enabled  enabled

simshare-clu::*> set -privilege advanced
simshare-clu::*> nfs show -vserver svm1

                                          Vserver: svm1
                               General NFS Access: true
            RPC GSS Context Cache High Water Mark: 0
                             RPC GSS Context Idle: 0
                                           NFS v3: enabled
                                         NFS v4.0: enabled
                                     UDP Protocol: enabled
                                     TCP Protocol: enabled
                             Default Windows User: guest
                      Enable NFSv3 EJUKEBOX error: true
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
               Vserver NTFS Unix Security Options: use_export_policy
                    Vserver Change Ownership Mode: use_export_policy
                       NFS Response Trace Enabled: false
                   NFS Response Trigger (in secs): 60
                UDP Maximum Transfer Size (bytes): 32768
                TCP Maximum Transfer Size (bytes): 65536
              NFSv3 TCP Maximum Read Size (bytes): 65536
             NFSv3 TCP Maximum Write Size (bytes): 65536
                              NFSv4.0 ACL Support: disabled
                  NFSv4.0 Read Delegation Support: disabled
                 NFSv4.0 Write Delegation Support: disabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
                         NFSv4.0 Referral Support: disabled
                          NFSv4 ID Mapping Domain: bu.edu
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
              NFSv4 Lease Timeout Value (in secs): 30
              NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
                    NFSv4.1 Minor Version Support: disabled
                                    Rquota Enable: enabled
                 NFSv4.1 Implementation ID Domain: netapp.com
                   NFSv4.1 Implementation ID Name: NetApp Release 9.2
                   NFSv4.1 Implementation ID Date: Mon Jun 19 18:20:04 2017
                     NFSv4.1 Parallel NFS Support: enabled
                         NFSv4.1 Referral Support: disabled
                              NFSv4.1 ACL Support: disabled
                             NFS vStorage Support: disabled
              NFSv4 Support for Numeric Owner IDs: enabled
                            Default Windows Group: Everyone
                  NFSv4.1 Read Delegation Support: disabled
                 NFSv4.1 Write Delegation Support: disabled
Number of Slots in the NFSv4.x Session slot tables: 180
Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes): 640
                   Maximum Number of ACEs per ACL: 400
                              NFS Mount Root Only: disabled
                                    NFS Root Only: disabled
                 AUTH_SYS Extended Groups Enabled: disabled                   
   AUTH_SYS and RPCSEC_GSS Auxillary Groups Limit: 32
Validation of Qtree IDs for Qtree File Operations: enabled
                            NFS Mount Daemon Port: 635
                        Network Lock Manager Port: 4045
                      Network Status Monitor Port: 4046
                            NFS Quota Daemon Port: 4049
              Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
                                Showmount Enabled: enabled
Set the Protocol Used for Name Services Lookups for Exports: udp
          Map Unknown UID to Default Windows User: enable
 DNS Domain Search Enabled During Netgroup Lookup: enabled
Trust No-Match Result from Any Name Service Switch Source During Netgroup Lookup: disabled
 Display maximum NT ACL Permissions to NFS Client: disabled
                      NFSv3 MS-DOS Client Support: disabled
      Ignore the NT ACL Check for NFS User 'root': disabled
Time To Live Value (in msecs) of a Positive Cached Credential: 86400000
Time To Live Value (in msecs) of a Negative Cached Credential: 7200000
Skip Permission Check for NFS Write Calls from Root/Owner: disabled
         Use 64 Bits for NFSv3 FSIDs and File IDs: disabled
Ignore Client Specified Mode Bits and Preserve Inherited NFSv4 ACL When Creating New Files or Directories: disabled
          Fallback to Unconverted Filename Search: disabled
             I/O Count to Be Grouped as a Session: 5000
Duration for I/O to Be Grouped as a Session (Secs): 120
      Enable or disable Checksum for Replay-Cache: enabled

simshare-clu::*> vserver cifs options show -vserver svm1

Vserver: svm1

                           Client Session Timeout: 900
                             Copy Offload Enabled: true
                               Default Unix Group: -
                                Default Unix User: guest
                                  Guest Unix User: -
              Are Administrators mapped to 'root': true
          Is Advanced Sparse File Support Enabled: true
                 Direct-Copy Copy Offload Enabled: true
                          Export Policies Enabled: false
           Grant Unix Group Permissions to Others: false
                         Is Advertise DFS Enabled: false
    Is Client Duplicate Session Detection Enabled: true
              Is Client Version Reporting Enabled: true
                                   Is DAC Enabled: false
                     Is Fake Open Support Enabled: true
                        Is Hide Dot Files Enabled: false
                             Is Large MTU Enabled: false
                            Is Local Auth Enabled: true
                Is Local Users and Groups Enabled: true
           Is NetBIOS over TCP (port 139) Enabled: true
              Is NBNS over UDP (port 137) Enabled: false
                              Is Referral Enabled: false
            Is Search Short Names Support Enabled: false
 Is Trusted Domain Enumeration And Search Enabled: true
                       Is UNIX Extensions Enabled: false
         Is Use Junction as Reparse Point Enabled: true
                              Max Multiplex Count: 255
             Max Same User Session Per Connection: 2050
                Max Same Tree Connect Per Session: 4096
                     Max Opens Same File Per Tree: 800
                         Max Watches Set Per Tree: 100
                  Is Path Component Cache Enabled: true
   NT ACLs on UNIX Security Style Volumes Enabled: true
                                 Read Grants Exec: disabled
                                 Read Only Delete: disabled
                 Reported File System Sector Size: 4096
                               Restrict Anonymous: no-restriction
                             Shadowcopy Dir Depth: 5
                               Shadowcopy Enabled: true
                                     SMB1 Enabled: true
                 Max Buffer Size for SMB1 Message: 65535
                                     SMB2 Enabled: true
                                     SMB3 Enabled: true
                                   SMB3.1 Enabled: true
           Map Null User to Windows User or Group: -
                                     WINS Servers: -
        Report Widelink as Reparse Point Versions: SMB1

simshare-clu::*> vserver nfs kerberos interface show
               Logical
Vserver        Interface Address         Kerberos SPN
-------------- --------- --------------- -------- -----------------------
svm1           lif_1     10.241.###.###  enabled  nfs/simshare.bu.edu@AD.BU.EDU

simshare-clu::*> vserver services unix-user show
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
svm1           guest           65533  65534
svm1           nfs             500    0
svm1           nobody          65535  65535
svm1           pcuser          65534  65534
svm1           root            0      1
svm1           test            65532  65532

Here are possibly some important differences between the simulator and the actual NetApp running 8.2. The root, pcuser, and guest accounts differ:

nas-clu::> vserver services unix-user show
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
engnas         guest           65534  65534
engnas         nfs             500    0
engnas         nobody          65535  65535  -
engnas         root            0      0
engnas         test            65532  65532  -
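As an added example (not part of the post above), a small Python parser for the kind of NFS debug lines quoted in the question: it pulls out the mount options, the export and the MNT result, names the errno behind the result, and notes that a MNT-level EACCES is answered by the server's mount daemon before any NFS or RPCSEC_GSS traffic, which is a general property of the NFSv3 mount protocol rather than anything specific to this post. The log text inside is constructed to match the excerpt, with the wrapped `vers=3` option rejoined.

```python
import errno
import re

# Constructed sample, modelled on the /var/log/messages excerpt above (the
# wrapped 'vers\n=3' option is rejoined here as it is in the real log).
SAMPLE_LOG = """\
Jun 14 09:03:11 centos6 kernel: NFS: nfs mount opts='soft,sec=krb5,nolock,noacl,rsize=8192,wsize=8192,addr=10.241.33.108,vers=3,proto=tcp,mountvers=3,mountproto=tcp,mountport=635'
Jun 14 09:03:11 centos6 kernel: NFS: MNTPATH: '/cifs_test'
Jun 14 09:03:11 centos6 kernel: NFS: sending MNT request for simshare.bu.edu:/cifs_test
Jun 14 09:03:11 centos6 kernel: NFS: MNT server returned result -13
Jun 14 09:03:11 centos6 kernel: NFS: unable to mount server simshare.bu.edu, error -13
"""

OPTS_RE = re.compile(r"NFS: nfs mount opts='([^']*)'")
MNT_RE = re.compile(r"NFS: sending MNT request for (\S+):(\S+)")
RESULT_RE = re.compile(r"NFS: MNT server returned result (-?\d+)")

def parse_mount_attempt(log_text):
    """Extract mount options, target export and MNT result from NFS debug output."""
    info = {"opts": {}, "server": None, "export": None, "mnt_result": None}
    for line in log_text.splitlines():
        if m := OPTS_RE.search(line):
            for opt in m.group(1).split(","):
                key, _, value = opt.partition("=")
                info["opts"][key] = value or True   # bare flags such as 'soft'
        elif m := MNT_RE.search(line):
            info["server"], info["export"] = m.group(1), m.group(2)
        elif m := RESULT_RE.search(line):
            info["mnt_result"] = int(m.group(1))
    return info

def classify(info):
    """Name the errno behind the MNT result and the stage at which the mount failed."""
    code = info["mnt_result"]
    if code is None:
        return "no MNT result logged; the client never reached the mount protocol"
    if code == 0:
        return "MNT succeeded; any failure came after the mount protocol"
    name = errno.errorcode.get(-code, "unknown errno")
    sec = info["opts"].get("sec", "sys")
    detail = "mount daemon error"
    if name == "EACCES":
        # MNT is answered by the server's mount daemon before any NFS or RPCSEC_GSS
        # exchange, so EACCES points at the export-policy rule (client match or
        # permitted security flavor), not at the client's Kerberos ticket or keytab.
        detail = "mount daemon denied export %s for sec=%s; check the export-policy rule" % (info["export"], sec)
    elif name == "ENOENT":
        detail = "export %s does not exist on %s" % (info["export"], info["server"])
    return "MNT returned %d (%s): %s" % (code, name, detail)
```

Feed it the real /var/log/messages text after `echo 32767 > /proc/sys/sunrpc/nfs_debug` to get the same summary for a live mount attempt.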