After you have enabled NFS on the Storage Virtual Machine (SVM) and configured it, there are a number of tasks you might want to perform to manage file access using NFS.
Enabling or disabling NFSv3
You can enable or disable NFSv3 by modifying the -v3 option. This allows file access for clients using the NFSv3 protocol. By default, NFSv3 is enabled.
Enabling or disabling NFSv4.0
You can enable or disable NFSv4.0 by modifying the -v4.0 option. This allows file access for clients using the NFSv4.0 protocol. By default, NFSv4.0 is disabled.
Enabling or disabling NFSv4.1
You can enable or disable NFSv4.1 by modifying the -v4.1 option. This allows file access for clients using the NFSv4.1 protocol. By default, NFSv4.1 is disabled.
Enabling or disabling pNFS
pNFS improves performance by allowing NFS clients to perform read/write operations on storage devices directly and in parallel, bypassing the NFS server as a potential bottleneck. To enable or disable pNFS (parallel NFS), you can modify the -v4.1-pnfs option. By default, pNFS is enabled.
Enabling NFS clients to view exports of SVMs
NFS clients can use the showmount -e command to see a list of exports available on an NFS server. This can help users identify the file system they want to mount on the NFS server. By default, Data ONTAP does not allow NFS clients to view the exports list of NFS servers, but you can enable this functionality individually for each Storage Virtual Machine (SVM).
Controlling NFS access over TCP and UDP
You can enable or disable NFS access to Storage Virtual Machines (SVMs) over TCP and UDP by modifying the -tcp and -udp parameters, respectively. This enables you to control whether NFS clients can access data over TCP or UDP in your environment.
Controlling NFS requests from nonreserved ports
You can reject NFS mount requests from nonreserved ports by enabling the -mount-rootonly option. To reject all NFS requests from nonreserved ports, you can enable the -nfs-rootonly option.
Handling NFS access to NTFS volumes or qtrees for unknown UNIX users
If Data ONTAP cannot identify UNIX users attempting to connect to volumes or qtrees with NTFS security style, it cannot explicitly map those users to Windows users. You can configure Data ONTAP to either deny access to such users for stricter security or map them to a default Windows user to ensure a minimum level of access for all users.
Securing file access by using Storage-Level Access Guard
In addition to securing access by using native file-level and export and share security, you can configure Storage-Level Access Guard, a third layer of security applied by Data ONTAP at the volume level. Storage-Level Access Guard applies to access from all NAS protocols to the storage object to which it is applied.
Modifying ports used for NFSv3 services
The NFS server on the storage system uses services such as mount daemon and Network Lock Manager to communicate with NFS clients over specific default network ports. In most NFS environments the default ports work correctly and do not require modification, but if you want to use different NFS network ports in your NFSv3 environment, you can do so.
Troubleshooting name service issues
When clients experience access failures due to name service issues, you can use the vserver services name-service getxxbyyy command family to manually perform various name service lookups and examine the details and results of the lookup to help with troubleshooting.
Limits for local UNIX users, groups, and group members
Beginning with Data ONTAP 8.3, Data ONTAP introduces limits for the maximum number of UNIX users and groups in the cluster, and commands to manage these limits. These limits can help avoid performance issues by preventing administrators from creating too many local UNIX users and groups in the cluster.
Fencing or unfencing exports in clustered Data ONTAP
With Data ONTAP operating in 7-Mode, you could fence or unfence clients using the exportfs -b command. Although there is no direct equivalent command in clustered Data ONTAP, you can accomplish the same task by creating export policy rules.
Configuring the NFS credential cache
Data ONTAP uses a credential cache to store information needed for user authentication for NFS export access to provide faster access and improve performance. You can configure how long information is stored in the credential cache to customize it for your environment.
Managing export policy caches
Data ONTAP uses several export policy caches to store information related to export policies for faster access. There are certain tasks you can perform to manage export policy caches for troubleshooting purposes.
Managing file locks
You can display information about the current locks for a Storage Virtual Machine (SVM) as a first step to determining why a client cannot access a volume or file. You can use this information if you need to break file locks.
Modifying the NFSv4.1 server implementation ID
The NFSv4.1 protocol includes a server implementation ID that documents the server domain, name, and date. You can modify the server implementation ID default values. Changing the default values can be useful, for example, when gathering usage statistics or troubleshooting interoperability issues. For more information, see RFC 5661.
Managing NFSv4 ACLs
You can enable, disable, set, modify, and view NFSv4 access control lists (ACLs).
How NFSv4 referrals work
When you enable NFSv4 referrals, Data ONTAP provides "intra-SVM" referrals to NFSv4 clients. Intra-SVM referral is when a cluster node receiving the NFSv4 request refers the NFSv4 client to another LIF on the Storage Virtual Machine (SVM).
Enabling or disabling NFSv4 referrals
You can enable NFSv4 referrals on Storage Virtual Machines (SVMs) with FlexVol volumes by enabling the options -v4-fsid-change and -v4.0-referrals or -v4.1-referrals. Enabling NFSv4 referrals can result in faster data access for NFSv4 clients that support this feature.
Displaying NFS statistics
You can display NFS statistics for Storage Virtual Machines (SVMs) on the storage system to monitor performance and diagnose issues.
Enabling or disabling rquota support
Data ONTAP supports the remote quota protocol version 1 (rquota v1). The rquota protocol enables NFS clients to obtain quota information for users and groups from a remote machine. You can enable rquota on Storage Virtual Machines (SVMs) with FlexVol volumes by using the vserver nfs modify command.
Modifying the NFSv3 TCP maximum read and write size
You can modify the -v3-tcp-max-read-size and -v3-tcp-max-write-size options to change the NFSv3 TCP maximum read and write size. Modifying these options can help improve NFSv3 performance over TCP in some storage environments.
Configuring the number of group IDs allowed for NFS users
By default, Data ONTAP supports up to 32 group IDs when handling NFS user credentials using Kerberos (RPCSEC_GSS) authentication. When using AUTH_SYS authentication, the default maximum number of group IDs is 16, as defined in RFC 5531. You can increase the maximum up to 1,024 if you have users who are members of more than the default number of groups.
Controlling root user access to NTFS security-style data
You can configure Data ONTAP to allow NFS clients access to NTFS security-style data and NTFS clients to access NFS security-style data. When using NTFS security style on an NFS data store, you must decide how to treat access by the root user and configure the Storage Virtual Machine (SVM) accordingly.