Well, access denied is definitely a different behavior than I was seeing. However, I was renaming files. When I rename a directory, I see the access issue:

Z:>ren "New Text Document.txt" test2.txt

Z:>ren "New folder" testdir Access is denied.

Even when I change the access to 777, it still fails.

# chmod 777 New\ folder [root@centos6 flexvol]# ls -la total 24 drwxrwxrwx. 5 root root 4096 Apr 11 09:41 . dr-xr-xr-x. 36 root root 4096 Apr 7 10:30 .. drwxrwxrwx. 2 root root 4096 Apr 11 09:39 New folder drwxr-xr-x. 2 root root 4096 Apr 11 09:41 New folder (2) drwxr-xr-x. 2 root root 4096 Apr 11 09:41 New folder (3) drwxrwxrwx. 10 root root 4096 Apr 11 09:05 .snapshot -rwxr-xr-x. 1 root root 0 Apr 10 15:45 test2.txt -rwxr-xr-x. 1 root root 0 Apr 10 15:46 test3.txt

Z:>ren "New folder" testdir Access is denied.

So I dug around in our internal bug pages and found that if you don’t have showmount enabled, this can fail. So I enabled showmount on the NFS server and cleared the cache and remounted. Voila!

ontap9-tme-8040::*> export-policy cache flush -vserver DEMO -cache all

Warning: You are about to flush the "all (but showmount)" cache for Vserver "DEMO" on node "ontap9-tme-8040-02", which will result in increased traffic to the name servers. Do you want to proceed with flushing the cache? {y|n}: y

ontap9-tme-8040::*> export-policy cache flush -vserver DEMO -cache showmount

Warning: You are about to flush the "showmount" cache for Vserver "DEMO" on node "ontap9-tme-8040-02", which will result in increased traffic to the name servers. Do you want to proceed with flushing the cache? {y|n}: y

C:\Users\Administrator>mount \demo\flexvol Z: Z: is now successfully connected to \demo\flexvol

The command completed successfully.

C:\Users\Administrator>Z:

Z:>ren "New folder (2)" testdir2

Z:>dir Volume in drive Z has no label. Volume Serial Number is 80F0-372F

Directory of Z:\

04/11/2017 11:39 AM <DIR> . 04/11/2017 11:39 AM <DIR> .. 04/11/2017 09:41 AM <DIR> testdir2 04/10/2017 03:45 PM 0 test2.txt 04/10/2017 03:46 PM 0 test3.txt 04/11/2017 09:41 AM <DIR> New folder (3) 04/11/2017 09:39 AM <DIR> testdir 04/11/2017 11:05 AM <DIR> .snapshot 2 File(s) 24,576 bytes 6 Dir(s) 1,044,531,904,512 bytes free

[cid:image003.png@01D2B2B9.E9D4FFB0]

For completeness sake, I disabled showmount, cleared cache and remounted and saw it fail again:

ontap9-tme-8040::*> nfs server modify -vserver DEMO -showmount disabled

ontap9-tme-8040::*> export-policy cache flush -vserver DEMO -cache showmount

Warning: You are about to flush the "showmount" cache for Vserver "DEMO" on node "ontap9-tme-8040-02", which will result in increased traffic to the name servers. Do you want to proceed with flushing the cache? {y|n}: y

C:\Users\Administrator>umount X:

Disconnecting X: \10.193.67.237\flexvol The command completed successfully.

C:\Users\Administrator>mount \10.193.67.237\flexvol X: X: is now successfully connected to \10.193.67.237\flexvol

The command completed successfully.

C:\Users\Administrator>X:

X:>dir Volume in drive X has no label. Volume Serial Number is 80F0-372F

Directory of X:\

04/11/2017 11:47 AM <DIR> . 04/11/2017 11:47 AM <DIR> .. 04/11/2017 09:39 AM <DIR> testdir2 04/10/2017 03:45 PM 0 test2.txt 04/10/2017 03:46 PM 0 test3.txt 04/11/2017 09:41 AM <DIR> New folder (3) 04/11/2017 09:41 AM <DIR> testdir 04/11/2017 11:05 AM <DIR> .snapshot 2 File(s) 24,576 bytes 6 Dir(s) 1,044,531,773,440 bytes free

X:>ren testdir testdirnew Access is denied.

Looks like I’ll be adding that to the TR. ☺

From: Alexander Griesser [mailto:AGriesser@anexia-it.com] Sent: Tuesday, April 11, 2017 3:16 AM To: Parisi, Justin Justin.Parisi@netapp.com; NGC-tmacmd-gmail.com tmacmd@gmail.com Cc: toasters@teaparty.net Subject: AW: Windows NFS Client + cDOT

Be glad that this hotfix did not install on your system – I’ve installed it on one test machine with 2k12 R2 and now it’s giving me BSODs after establishing either a remote session or logging in on the console in nfsrdr.sys, so this hotfix does not work at all I guess.

Regarding the command line renaming: I’ve tried that initially and have sent the results earlier, you must have missed that. I’m unable to rename the files on the command line either, getting „Access denied“, here’s the quote again:

On the command line, a different error (Access denied) is given:

Z:>move test test1 Access is denied. 0 dir(s) moved.

Z:>ren test test1 Access is denied.

Any idea what I’m missing here now?

Alexander Griesser Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/

Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601

Von: Parisi, Justin [mailto:Justin.Parisi@netapp.com] Gesendet: Montag, 10. April 2017 22:29 An: Alexander Griesser <AGriesser@anexia-it.commailto:AGriesser@anexia-it.com>; NGC-tmacmd-gmail.com <tmacmd@gmail.commailto:tmacmd@gmail.com> Cc: toasters@teaparty.netmailto:toasters@teaparty.net Betreff: RE: Windows NFS Client + cDOT

Ok, started playing around with this today. This is my mount:

Z:>mount

Local Remote Properties ------------------------------------------------------------------------------- Z: \demo\flexvolfile://demo/flexvol UID=0, GID=0 rsize=65536, wsize=65536 mount=hard, timeout=0.8 retry=1, locking=yes fileaccess=755, lang=ANSI casesensitive=no sec=sys

When I try to rename via the GUI, I get this:

[cid:image001.png@01D2B2A3.B085FC70]

Via CLI, I get this:

Z:>ren "New Text Document (2).txt" test.txt

Z:>dir Volume in drive Z has no label. Volume Serial Number is 80F0-372F

Directory of Z:\

04/10/2017 03:49 PM <DIR> . 04/10/2017 03:49 PM <DIR> .. 04/10/2017 03:45 PM 0 New Text Document.txt 04/10/2017 03:46 PM 0 test.txt 04/10/2017 03:45 PM <DIR> .snapshot 2 File(s) 12,288 bytes 3 Dir(s) 1,044,535,574,528 bytes free

A search for “invalid device” gets me this:

https://support.microsoft.com/en-us/help/3025097/-invalid-device-error-when-...

I tried to apply it to my server, but it claims it’s not valid for Windows 2012R2, even though it’s specifically for Win 2012R2. ¯_(ツ)_/¯

Packet traces and sktraces on the cluster suggest the issue isn’t on the cluster side; the rename request never happens from the client:

[cid:image002.png@01D2B2A3.B085FC70]

Does it fail for you the same way? Does rename work from CLI? On my end, at least, this seems to be a client issue.

From: Alexander Griesser [mailto:AGriesser@anexia-it.com] Sent: Monday, April 10, 2017 4:26 AM To: NGC-tmacmd-gmail.com <tmacmd@gmail.commailto:tmacmd@gmail.com> Cc: Parisi, Justin <Justin.Parisi@netapp.commailto:Justin.Parisi@netapp.com>; toasters@teaparty.netmailto:toasters@teaparty.net Subject: AW: Windows NFS Client + cDOT

Hey everyone,

we’ve just set up a Windows 2k12 system and the renaming of files and folders doesn’t work there too, so it’s not a Windows 2016 problem. Any further ideas on how to debug this issue?

Best,

Alexander Griesser Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/

Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601

Von: Alexander Griesser Gesendet: Freitag, 7. April 2017 20:30 An: 'tmac' <tmacmd@gmail.commailto:tmacmd@gmail.com> Cc: Parisi, Justin <Justin.Parisi@netapp.commailto:Justin.Parisi@netapp.com>; toasters@teaparty.netmailto:toasters@teaparty.net Betreff: AW: Windows NFS Client + cDOT

Yes, I’ve set anon in the export policy for the volume it self to 0 and I’ve set the registry keys on windows for AnonymousUID and AnonymousGID to 0 – without the registry keys, it will be „-2“ on the mount options in windows, whatever that negative value is used for… If the permissions were wrong, I could not create files at all in the first place, I guess, right? But I can create them and they show as UID 0 on the filer (also tested on a linux system where I mounted this volume) – and I can delete the files as well. The only thing which is not working, is renaming and I’m not sure why it’s refusing to do so. Maybe this is a Win 2k16 thinggie? I can try to spin up a Win2k12 system to see if this problem also persists there, that would at least rule out a misconfiguration on the filer I guess.

I did not create separate policies for the SVM root, the SVM root only gets applied the default policy here and the default policy iss et to „ro all“, „rw never“ – as you can see below.

Best,

Alexander Griesser Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/

Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601

Von: tmac [mailto:tmacmd@gmail.com] Gesendet: Freitag, 7. April 2017 20:24 An: Alexander Griesser <AGriesser@anexia-it.commailto:AGriesser@anexia-it.com> Cc: Parisi, Justin <Justin.Parisi@netapp.commailto:Justin.Parisi@netapp.com>; toasters@teaparty.netmailto:toasters@teaparty.net Betreff: Re: Windows NFS Client + cDOT

Not sure if this is it or not, but you have said that you set the anon ID's to 0. In this policy, it is set to 65535

Do you create separate policies for the SVM root and the data volumes? If you do, Root could/should be allow RO to all, rw to none. Then set the restrictions on the data volume policy.

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeamhttps://twitter.com/NetAppATeam

I Blog at TMACsRackhttps://tmacsrack.wordpress.com/

On Fri, Apr 7, 2017 at 2:19 PM, Alexander Griesser <AGriesser@anexia-it.commailto:AGriesser@anexia-it.com> wrote: Well, there are like 70 export policies on this SVM for 70 different volumes, I guess the policy for this volume as well as the default policy for the SVM will suffice here? If so, the export policy for this volume has already been sent earlier and here’s the default policy for this SVM:

::> export-policy rule show -vserver XXXXXXX -policyname default -instance

Vserver: XXXXXXX Policy Name: default Rule Index: 1 Access Protocol: nfs List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 0/0 RO Access Rule: any RW Access Rule: never User ID To Which Anonymous Users Are Mapped: 65535 Superuser Security Types: none Honor SetUID Bits in SETATTR: true Allow Creation of Devices: true

Best,

Alexander Griesser Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/

Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601

Von: tmac [mailto:tmacmd@gmail.commailto:tmacmd@gmail.com] Gesendet: Freitag, 7. April 2017 20:15 An: Alexander Griesser <AGriesser@anexia-it.commailto:AGriesser@anexia-it.com> Cc: Parisi, Justin <Justin.Parisi@netapp.commailto:Justin.Parisi@netapp.com>; toasters@teaparty.netmailto:toasters@teaparty.net Betreff: Re: Windows NFS Client + cDOT

yes, yes..

export policy rule show -instance (please)

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeamhttps://twitter.com/NetAppATeam

I Blog at TMACsRackhttps://tmacsrack.wordpress.com/