PowerScale OneFS: Unable to mount NFSv4 using FQDN with error "Operation not permitted"
Summary: Client fails to mount aliased export when using NFSv4 with the error "operation not permitted." Mounting by IP or when using the full export path succeeds.
Symptoms
An NFS client authenticated with Kerberos and possessing a valid GSS ticket tries to mount an export using an alias but encounters a failure.
    # mount -t nfs4 fullyqualifieddomain:/aliases01 /mnt/test -vvvv
    mount.nfs4: timeout set for Wed Apr 10 12:14:37 2024
    mount.nfs4: trying text-based options 'vers=4.2,addr=x.x.x.x,clientaddr=x.x.x.x'
    mount.nfs4: mount(2): Operation not permitted
    mount.nfs4: trying text-based options 'vers=4,minorversion=1,addr=x.x.x.x,clientaddr=x.x.x.x'
    mount.nfs4: mount(2): Operation not permitted
    mount.nfs4: trying text-based options 'vers=4,addr=x.x.x.x,clientaddr=x.x.x.x'
    mount.nfs4: mount(2): Operation not permitted
    mount.nfs4: Operation not permitted

In packet captures, OneFS replies to the SECINFO call with no flavor values:

    Network File System
        [Program Version: 4]
        [V4 Procedure: COMPOUND (1)]
        GSS Data, Ops(2): PUTFH SECINFO
            Length: 36
            GSS Sequence Number: 3
            Status: NFS4_OK (0)
            Tag: <EMPTY>
                length: 0
                contents: <EMPTY>
            Operations (count: 2)
                Opcode: PUTFH (22)
                    Status: NFS4_OK (0)
                Opcode: SECINFO (33)
                    Status: NFS4_OK (0)
                    Flavors Info
                        no values <<<<<<<<<<<<<<<<<<<<<<<<
        [Main Opcode: SECINFO (33)]
Cause
Usually, SECINFO provides selectable flavor values for valid FH (file handle) access during mount.
The new SECINFO operation allows the client to determine, on a per filehandle basis, what security triple is to be used for server access.
However, due to a code defect, the client cannot obtain its real target over the preliminary compound with the ROOTFH. As a result, OneFS replies with no flavors, and the session is destroyed.
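The SECINFO result described above can be checked directly from its XDR bytes. The following is an added example, not Dell or OneFS code: it follows the SECINFO4res layout from RFC 7530, assumes the input starts at the SECINFO result's status field, and uses a hypothetical function name and constructed sample replies.

```python
import struct

NFS4_OK = 0
RPCSEC_GSS = 6
FLAVOR_NAMES = {0: "AUTH_NONE", 1: "AUTH_SYS", 6: "RPCSEC_GSS"}
GSS_SERVICES = {1: "none", 2: "integrity", 3: "privacy"}  # rpc_gss_svc_t
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated SECINFO result")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def decode_secinfo_res(buf):
    """Decode SECINFO4res: nfsstat4 status, then secinfo4<> if NFS4_OK."""
    status, off = _u32(buf, 0)
    flavors = []
    count = 0
    if status == NFS4_OK:
        count, off = _u32(buf, off)
    for _ in range(count):
        flavor, off = _u32(buf, off)
        entry = {"flavor": FLAVOR_NAMES.get(flavor, str(flavor))}
        if flavor == RPCSEC_GSS:  # rpcsec_gss_info: oid, qop, service
            oid_len, off = _u32(buf, off)
            if off + oid_len > len(buf):
                raise ValueError("truncated mechanism OID")
            oid = buf[off:off + oid_len]
            off += (oid_len + 3) & ~3  # XDR opaque data is padded to 4 bytes
            entry["qop"], off = _u32(buf, off)
            svc, off = _u32(buf, off)
            entry["mech"] = "krb5" if oid == KRB5_OID else oid.hex()
            entry["service"] = GSS_SERVICES.get(svc, str(svc))
        flavors.append(entry)
    # NFS4_OK with zero flavors leaves the client nothing to select
    return {"status": status, "flavors": flavors,
            "empty_flavor_list": status == NFS4_OK and not flavors}

# Constructed sample replies (not taken from a real capture)
EMPTY_REPLY = struct.pack(">II", NFS4_OK, 0)  # the symptom in this article
HEALTHY_REPLY = (struct.pack(">III", NFS4_OK, 2, RPCSEC_GSS)
                 + struct.pack(">I", len(KRB5_OID)) + KRB5_OID + b"\x00" * 3
                 + struct.pack(">II", 0, 2)   # qop 0, service integrity
                 + struct.pack(">I", 1))      # second flavor: AUTH_SYS

if __name__ == "__main__":
    for name, raw in (("empty", EMPTY_REPLY), ("healthy", HEALTHY_REPLY)):
        print(name, decode_secinfo_res(raw))
```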
Resolution
Workarounds while a code fix is in progress:
- Specify the RPC authentication flavor at the time of mount, for example: sec=sys
- Use the full mount path instead of the alias
Additional Information
Acronyms used in this KB:
NFS - Network File System
GSS - Generic Security Service. A framework for providing security services in a networked environment. It includes authentication, integrity, and confidentiality services.
RPC - Remote Procedure Call. A communication protocol used in distributed computing.