Mounting fails with "Network access is denied"

[rabejens]

What happened:

Mounting fails with "Network access is denied"

MountVolume.MountDevice failed for volume "pvc-fda4aa7c-e60c-4860-95d9-51a14a8c2ee1" : rpc error: code = Internal desc = volume(10.93.111.12/bdashare_nas12#pvc-fda4aa7c-e60c-4860-95d9-51a14a8c2ee1#) mount "//10.93.111.12/bdashare_nas12/pvc-fda4aa7c-e60c-4860-95d9-51a14a8c2ee1" on "\\var\\lib\\kubelet\\plugins\\kubernetes.io\\csi\\smb.csi.k8s.io\\6b4995dbad428980412a8b05cb209209e968a82a866fd2cf4ae18a415e9f1d78\\globalmount" failed with NewSmbGlobalMapping(\\10.93.111.12\bdashare_nas12\pvc-fda4aa7c-e60c-4860-95d9-51a14a8c2ee1, c:\var\lib\kubelet\plugins\kubernetes.io\csi\smb.csi.k8s.io\6b4995dbad428980412a8b05cb209209e968a82a866fd2cf4ae18a415e9f1d78\globalmount) failed with error: rpc error: code = Unknown desc = NewSmbGlobalMapping failed. output: "New-SmbGlobalMapping : Network access is denied. \r\nAt line:1 char:190\r\n+ ... ser, $PWord;New-SmbGlobalMapping -RemotePath $Env:smbremotepath -Cred ...\r\n+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (MSFT_SmbGlobalMapping:ROOT/Microsoft/...mbGlobalMapping) [New-SmbGlobalMa \r\n   pping], CimException\r\n    + FullyQualifiedErrorId : Windows System Error 65,New-SmbGlobalMapping\r\n \r\n", err: exit status 1

What you expected to happen:

Mount succeeds

How to reproduce it:

• Install smb-driver-csi from Helm chart
• Install csi-proxy as a service and start the service
• create a storageclass like this:

  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
  name: my-smb
  provisioner: smb.csi.k8s.io
  parameters:
  source: "//my-server/my-share"
  csi.storage.k8s.io/provisioner-secret-name: "smbcreds"
  csi.storage.k8s.io/provisioner-secret-namespace: "kube-system"
  csi.storage.k8s.io/node-stage-secret-name: "smbcreds"
  csi.storage.k8s.io/node-stage-secret-namespace: "kube-system"
  reclaimPolicy: Delete  # available values: Delete, Retain
  volumeBindingMode: Immediate
  mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=1000
  - gid=1000
  - vers=2.0

• Create a workload that uses a volume from the storageclass

Anything else we need to know?:

It works on Windows and the share mounts OK

Environment:

• CSI Driver version: 1.1.2 and 1.1.3
• Kubernetes version (use kubectl version): 1.25.6
• OS (e.g. from /etc/os-release): Windows Server 2022 Standard

[mauriciopoppe]

While CSI Proxy makes the mount on behalf of the CSI Driver you should make sure that the Windows host can do this first, from the error: New-SmbGlobalMapping : Network access is denied it looks like running this powershell command itself fails in the host.

Have you tried to do the mount manually? There are troubleshooting steps for the error "Network access is denied" here https://learn.microsoft.com/en-us/answers/questions/1052608/denied-access-to-network-drive

[rabejens]

Indeed mounting manually fails, too.

I logged in as NT AUTHORITY\SYSTEM using from an elevated powershell:

C:\pstools\PsExec.exe -i -s powershell.exe

then doing:

$creds = Get-Credential

Entered my credentials (prefixing the user with localhost\).

Then did:

New-SmbGlobalMapping -RemotePath \\myserver\myshare -Credential $creds -RequirePrivacy $true

and I am receiving the same "Network access is denied" error.

There is another similar issue posted in the csi-driver-smb project, and they managed to get it working by turning on SMB encryption. However, I cannot reconfigure the server I am trying to access. Is it somehow possible to connect to this "insecure" server? Note that I have to use vers=2.0 to make it work on Linux.

[rabejens]

Just a quick followup: Indeed the problem was that SMB 3.0 wasn't enabled.

I obtained the admin credentials for the NAS I am using, and turned on SMB 3 and encryption for the share, now it works.