跳转到主内容

如果导出的主机名与客户端匹配、并且DNS输入已缓存、则NFS挂载将失败

Views:
7
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas<a>2009-378577</a>
Last Updated:

适用场景

  • ONTAP 9
  • NFS

问题描述

  • 当NFS客户端(10.216.41.24)尝试挂载NFS导出时(安全模式:UNIX)失败并显示"Access denied"

[root@centos_client_1 ~]#  mount -v 10.216.41.211:/voltest_cdot -o sec=sys,nfsvers=3 /test
mount.nfs: timeout set for Wed Jan  4 05:01:05 2023
mount.nfs: trying text-based options 'sec=sys,nfsvers=3,addr=10.216.41.211'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.216.41.211 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.216.41.211 prog 100005 vers 3 prot UDP port 635
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 10.216.41.211:/voltest_cdot   

  • 导出策略规则具有主机名/FQDN、而不是IP地址 

cdot_vsim97::> export-policy rul show -vserver svm01 -policyname new
       Policy      Rule   Access   Client         RO
Vserver    Name       Index   Protocol Match          Rule
------------ --------------- ------  -------- --------------------- ---------
svm01        new        1     any    centos_client_1.   any
                       naslab.local

  • 客户端解析为IP 10.216.41.24

警告

cdot_vsim97::> set advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

cdot_vsim97::*> getxxbyyy gethostbyname -vserver svm01 -hostname centos_client_1.naslab.local -show-source true
Source used for lookup: DNS
Host name: centos_client_1.naslab.local
Canonical name: centos_client_1.naslab.local
IPv4: 10.216.41.24

  • export-policy check-access拒绝访问 

cdot_vsim97::*> export-policy check-access -vserver svm01 -volume voltest_cdot -client-ip 10.216.41.24 -authentication-method sys -protocol nfs3 -access-type read-write
                     Policy   Policy     Rule
Path              Policy    Owner    Owner Type  Index Access
----------------------------- ---------- --------- ---------- ------ ----------
/                test     svm01_root   volume    1  read
/voltest_cdot          new     voltest_cdot volume    0  denied

  • 对于客户端CentOS_client_1.naslab.local、名称服务(NS)缓存显示的IP不正确

cdot_vsim97::*> vserver services name-service cache hosts forward-lookup show -vserver svm01 -host centos_client_1.naslab.local
          IP     Address IP            Create
Vserver   Host    Protocol Family  Address     Source  Time     TTL(sec)
--------- -------- -------- ------- -------------- ------- ---------- --------
svm01     centos_client_1.naslab.local Any Ipv4  dns    1/4/2023   3600
                  10.216.41.74       15:21:07     
   

  • 对于客户端10.216.41.24、导出策略访问缓存显示负访问缓存条目极性

cdot_vsim97::*> export-policy access-cache show -node cdot_vsim97-01 -vserver svm01 -policy new -address 10.216.41.24

                     Node: cdot_vsim97-01
                   Vserver: svm01
                 Policy Name: new
                  IP Address: 10.216.41.24
           Access Cache Entry Flags: has-usable-data
                 Result Code: 0
         First Unresolved Rule Index: -
            Unresolved Clientmatch: -
        Number of Matched Policy Rules: 0
     List of Matched Policy Rule Indexes: -
                 Age of Entry: 38s
         Access Cache Entry Polarity: negative
Time Elapsed since Last Use for Access Check: 37s
    Time Elapsed since Last Update Attempt: 38s
        Result of Last Update Attempt: 0
         List of Client Match Strings: -   

注意:  只有在尝试从客户端进行挂载或访问10.216.41.24 并获得"Access denied"时、export-policy access-cache才会显示否定条目

注意: 以上输出来自实验室环境

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.