SmartConnect 영역 이름을 통한 NFSv4 별칭 마운트가 mount.nfs에서 실패합니다. 허용되지 않는 작업입니다.

이 코너의 경우 SmartConnect FQDN(Fully Qualified Domain Name)을 통한 NFSv4 별칭 마운트가 실패하고 "mount.nfs: 작업이 허용되지 않습니다." 
NFSv4 클라이언트 마운트 NFS 내보내기 전체 데이터 경로에는 이러한 문제가 없습니다.
NFSv4 Kerberos 클라이언트가 Kerberos 보안 유형(krb5 | krb5i | krb5p)을 사용하여 nfs 내보내기를 마운트하는 경우에는 이러한 문제가 없습니다.
NFSv3 클라이언트에는 이러한 문제가 없습니다.

다음은 랩 재현의 예입니다.

• nfs 클라이언트가 유효한 gss 티켓으로 kerberosed 상태입니다.
• Unix 전용 플레이버 NFS 내보내기를 생성하고 데이터 경로에 대한 NFS 별칭을 생성합니다.
• FQDN:Alias를 통해 NFSv4와 함께 gss 클라이언트 마운트를 사용합니다.

tcr-1# isi nfs settings global view
NFS Service Enabled: Yes
      NFSv3 Enabled: Yes
        NFSv3 RDMA Enabled: No
      NFSv4 Enabled: Yes
              v4.0 Enabled: Yes
              v4.1 Enabled: No
              v4.2 Enabled: No
     Rquota Enabled: No

tcr-1# isi nfs aliases list
Zone   Name       Path
----------------------------------
System /aliases01 /ifs/data/pod-db
----------------------------------
Total: 1

tcr-1# isi nfs exports view 5
                     ID: 5
                   Zone: System
                  Paths: /ifs/data/pod-db
            Description:
                Clients: -
           Root Clients: -
      Read Only Clients: -
     Read Write Clients: -
               All Dirs: No
             Block Size: 8.00k
           Can Set Time: Yes
       Case Insensitive: No
        Case Preserving: Yes
       Chown Restricted: No
    Commit Asynchronous: No
Directory Transfer Size: 128.00k
               Encoding: DEFAULT
               Link Max: 32767
         Map Lookup UID: No
              Map Retry: Yes
               Map Root
                    Enabled: False
                       User: nobody
              Primary Group: -
           Secondary Groups: -
           Map Non Root
                    Enabled: False
                       User: nobody
              Primary Group: -
           Secondary Groups: -
            Map Failure
                    Enabled: False
                       User: nobody
              Primary Group: -
           Secondary Groups: -
               Map Full: Yes
          Max File Size: 8192.00P
          Name Max Size: 255
            No Truncate: No
              Read Only: No
            Readdirplus: Yes
   Readdirplus Prefetch: 10
  Return 32Bit File IDs: No
 Read Transfer Max Size: 1.00M
 Read Transfer Multiple: 512
     Read Transfer Size: 128.00k
          Security Type: unix
   Setattr Asynchronous: No
               Snapshot: -
               Symlinks: Yes
             Time Delta: 1.0 ns
  Write Datasync Action: datasync
   Write Datasync Reply: datasync
  Write Filesync Action: filesync
   Write Filesync Reply: filesync
  Write Unstable Action: unstable
   Write Unstable Reply: unstable
Write Transfer Max Size: 1.00M
Write Transfer Multiple: 512
    Write Transfer Size: 512.00k

[root@centos8test ~] mount -t nfs -o vers=4 tcr-nfs.gz.local:/aliases01  /mnt/test -vvvv
mount.nfs: timeout set for Wed Apr 10 10:19:32 2024
mount.nfs: trying text-based options 'vers=4.2,addr=192.168.1.64,clientaddr=192.168.1.41'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4,minorversion=1,addr=192.168.1.64,clientaddr=192.168.1.41'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4,addr=192.168.1.64,clientaddr=192.168.1.41'
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted

[root@centos8test ~]# mount -t nfs -o vers=4 tcr-nfs.gz.local:/ifs/data/pod-db  /mnt/test -vvvv
mount.nfs: timeout set for Wed Apr 10 10:23:46 2024
mount.nfs: trying text-based options 'vers=4.2,addr=192.168.1.66,clientaddr=192.168.1.41'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4,minorversion=1,addr=192.168.1.66,clientaddr=192.168.1.41'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4,addr=192.168.1.66,clientaddr=192.168.1.41'

[root@centos8test ~]# nfsstat -m
/mnt/test from tcr-nfs.gz.local:/ifs/data/pod-db
 Flags: rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.41,local_lock=none,addr=192.168.1.66

$ tshark -r nfsv4-gss.pcap -Y frame.number==196 -O nfs
Frame 196: 194 bytes on wire (1552 bits), 194 bytes captured (1552 bits)
Ethernet II, Src: VMware_9b:17:92 (00:50:56:9b:17:92), Dst: VMware_9b:f4:2b (00:50:56:9b:f4:2b)
Internet Protocol Version 4, Src: 192.168.1.64, Dst: 192.168.1.41
Transmission Control Protocol, Src Port: 2049, Dst Port: 960, Seq: 2493, Ack: 3217, Len: 128
Remote Procedure Call, Type:Reply XID:0xc95e46e7
Network File System
    [Program Version: 4]
    [V4 Procedure: COMPOUND (1)]
    GSS Data, Ops(2): PUTFH SECINFO
        Length: 36
        GSS Sequence Number: 3
        Status: NFS4_OK (0)
        Tag: <EMPTY>
            length: 0
            contents: <EMPTY>
        Operations (count: 2)
            Opcode: PUTFH (22)
                Status: NFS4_OK (0)
            Opcode: SECINFO (33)
                Status: NFS4_OK (0)
                Flavors Info
                    no values
        [Main Opcode: SECINFO (33)]
    GSS Checksum: 0000001c040405ffffffffff000000000014cf198b8963d34b9f04f3a39b04fc
        GSS Token Length: 28
        GSS-API Generic Security Service Application Program Interface
            krb5_blob: 040405ffffffffff000000000014cf198b8963d34b9f04f3a39b04fc
                krb5_tok_id: KRB_TOKEN_CFX_GetMic (0x0404)
                krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                    .... .1.. = AcceptorSubkey: Set
                    .... ..0. = Sealed: Not set
                    .... ...1 = SendByAcceptor: Set
                krb5_filler: ffffffffff
                krb5_cfx_seq: 1363737
                krb5_sgn_cksum: 8b8963d34b9f04f3a39b04fc