#NFS v4.0 -> NFS v4.1: permission denied for valid user

gusty yarrow

Hi all, we have enabled NFS v4.1 today, we had v4.0 served for years without problems. 4.1 to get multi-tcp sessions per mount. New mounts (automounter on Linux, no changes on client side) were showing vers=4.2, weird but worked. Soon, users complained that they lost access to their own data. I checked one of the volumes, style mixed, effective style unix on vol root level. Vol root owner == user, group == one of the 2ndary groups of user. cd /vol/xyz as user: permission denied. 'vserver security file-directory show' allows user full access, user mapping (diag secd...) all fine, no errors in any logs. idmapd configured OK, worked with v4.0 for years. I'm sure I have overlooked something simple, but searching around (also the internet) gave no hints. So rolled back to v4.0, re-mounted, all back to normal. Any hints? Thanks! Edit: Forgot to mention: ONTAP 9.8P18, RedHat 8 derived Linux.

lucid shore

Nope. If you are having problems I'd open a case.

stoic burrow

TMAC’s rule #1 has always been

  1. Never use mixed volume security-style

It always causes problems with larger environments and “too many hands in the pot”. I call it

Last one to set security wins

Meaning if a Windows user comes in, they can possibly make the file inaccessible to NFS clients and vice-versa

gusty yarrow

vol security is unrelated here...will open a case.

vernal junco

so do you use NFSv4 ID domains or numeric IDs? you might have to enable numeric IDs in the NFS server config if that's the case.
or check that the NFSv4 id-domain still matches if not using numeric IDs

gusty yarrow

See above, v4.0 has worked for years, ID domain is set up fine, but numeric IDs were also enabled. Only the bump by one minor version broke it.

The only idea I have is that it's unix-win group sync related, but the vol I checked was mixed, root folder unix style, but blocked to the owner. I was not able to do more experiments, as this is a many 100s and many PBs prod env. From the NetApp side (see my debugging above), all looked good, nothing in EMS, etc. Will need to set up a test SVM, as opening a case (in my experience) eats more time than fully debugging yourself.

vernal junco

NFSv4 session trunking is not supported with 9.8 anyway ... you would need 9.12 for that.
Also, if you are using NFSv4.2 mounts now (as you said in your post), check if xattr support is enabled; you might have to disable that (no idea on how that interacts with Windows ACLs on mixed-style volumes, so that's one of the things I would try and debug first).