Unable to write into an NFS share from Unix clients

Recently we got a case where a customer was able to mount an NFS share but was unable to read from or write to it. The NFS share was hosted on Windows 2003 R2 and we were trying to get read/write access to the share from an HP-UX client.

While troubleshooting, we checked both the NFS share permissions and the NTFS permissions.

Running the command below gave us the NFS properties:
> nfsshare <share name>
Running this command would return the NTFS permission:
> cacls <complete path of the share>

We created a new share with access open to everyone and anonymous, but we still faced the same issue.

Then we collected a netmon trace and analyzed it. We found that the getattr call was returning the error err_access.

Event ID 1021 was also generated, which is generally related to “expired passwords”.

From the Windows box, we ran the command below and found that the password for Administrator had expired:

> net user administrator

We reset the Administrator password, then logged off and logged back on. This resolved the issue.

Detailed explanation as to why we were facing the issue:

UNM (User Name Mapping) creates a token for a user when access needs to be granted on files/folders on an NTFS file system. In our case, this token could not be obtained because the Administrator user's password had expired. The situation is tricky: the client still passes the correct UIDs/GIDs, which can be reflected on the files/folders created, but since there was no valid user token, the NFS server treated this as anonymous access. We were able to create files and folders because the parent folder allowed anonymous access. Our UMASK value of 002 imposes 664 permissions on such files/folders. At this point, since our access was anonymous and the permissions were not sufficient, we received the permission denied error.
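
The root cause above, an expired password on the account needed for token creation, can be caught before clients start failing. The following is an added example, not part of the original post: it parses saved `net user <name>` output and classifies the password state. The sample output is constructed and assumes the English (US) date layout; the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample of English-locale `net user administrator` output (not from the case).
SAMPLE_EXPIRED = """\
User name                    Administrator
Account active               Yes
Account expires              Never

Password last set            1/10/2009 9:14 AM
Password expires             2/21/2009 8:02 AM
Password changeable          1/11/2009 9:14 AM
"""
SAMPLE_NEVER = SAMPLE_EXPIRED.replace("2/21/2009 8:02 AM", "Never")

# Assumption: US date layout, with or without seconds, depending on Windows version.
DATE_FORMATS = ("%m/%d/%Y %I:%M %p", "%m/%d/%Y %I:%M:%S %p")

def parse_net_user(text):
    """Return the label -> value fields of `net user` output as a dict."""
    fields = {}
    for line in text.splitlines():
        # Label and value are separated by a run of two or more spaces.
        parts = line.strip().split("  ", 1)
        if len(parts) == 2 and parts[1].strip():
            fields[parts[0].strip()] = parts[1].strip()
    return fields

def password_status(text, now):
    """Classify the account: 'expired', 'valid', 'never-expires' or 'unknown'."""
    value = parse_net_user(text).get("Password expires")
    if value is None:
        return "unknown"
    if value.lower() == "never":
        return "never-expires"
    for fmt in DATE_FORMATS:
        try:
            expires = datetime.strptime(value, fmt)
        except ValueError:
            continue
        # 'expired' is the state in which the post saw access fall back to anonymous.
        return "expired" if expires <= now else "valid"
    return "unknown"  # unrecognised locale or date layout

if __name__ == "__main__":
    print(password_status(SAMPLE_EXPIRED, datetime(2009, 3, 1, 12, 0)))
```

Run it against output captured with `net user <name> > file.txt` for each account involved in name mapping; an `unknown` result means the date layout differs from the assumed one and needs its own format string.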