Solved

NFS Server: Blocked attempt to mount

Posted on 1997-06-17
Last Modified: 2008-03-03
I've set up an NFS server on linux 2.0.25 , using nfs-server-2.2beta26.


/etc/exports:

        /pub    (rw,all_squash)
        /usr1   192.168.40.*(rw)
        /usr2   linuxhost(rw) hpuxhost(rw) irixhost(rw) pchost(rw)


So far, there are no problems to mount the exported
partitions from AIX, IRIX, HP-UX. I can also mount /pub
from anywhere.

If the NFS client is Linux (2.0.25), or DOS with PCTCP (ftp
software), the mount fails. On the NFS server there is an
entry in /var/log/messages

        Jun 13 12:08:36 nfsserver mountd[165]: NFS client linuxhost tried to access /usr1
        Jun 13 12:08:36 nfsserver mountd[165]: Blocked attempt of 192.168.40.53 to mount /usr1


while

        linuxhost# mount nfsserver:/usr1 /net/usr1

says:

        mount: nfsserver:/usr1 failed, reason given by server: Permission denied


If I change the  /usr1  entry in /etc/exports to:

        /usr1   192.168.40.*(rw) linuxhost(rw)

the mount request fails again but with following entry in
messages:

        Jun 13 12:10:20 nfsserver nfsd[167]: NFS client linuxhost tried to access /usr1
        Jun 13 12:10:26 nfsserver nfsd[167]: NFS client linuxhost tried to access /usr1

and on linuxhost:

        linuxhost# mount nfsserver:/usr1 /net/usr1
        mount: wrong fs type, bad option, bad superblock on troja:/usr1,
               or too many mounted file systems


To get closer to the problem, I disabled NIS (on both: NFS
server and clients) and used different hostnames in
/etc/exports.

From my point of view, the wildcards in hostnames/ipnumbers
in  /etc/exports cause the problem.


Appreciate any help,
ahoffmann
Tebis AG, Munich
Question by:ahoffmann
15 Comments
 
LVL 1

Expert Comment

by:strobert
Do you have a linuxhost entry in your /etc/hosts?
what does host linuxhost report?
have you tried:
/usr1 192.168.40.*(rw) 192.168.40.53(rw)
as the entry in /etc/exports?
how about:
/usr1 192.168.40.53(rw)

0
 
LVL 51

Author Comment

by:ahoffmann
> what does host linuxhost report?
I do not use DNS.

> /usr1 192.168.40.*(rw) 192.168.40.53(rw)
no matter if I use IPs or hostnames, the result is the same.
Only the simple configurations without wildcards are working.
0
 
LVL 1

Expert Comment

by:strobert
host should work even without DNS...(it checks the /etc/hosts file)
how about putting:
/usr1 192.168.40.* (rw)
/usr1 192.168.40.53 (rw)

(two separate lines)
0
 
LVL 51

Author Comment

by:ahoffmann
don't know what implementation of host you have, but mine uses
DNS (see man host)

> /usr1 192.168.40.* (rw)
> /usr1 192.168.40.53 (rw)
this is what I definitely *not* want to do
access should be allowed to any host from the specified net
0
 
LVL 4

Expert Comment

by:unicorntech
What are the permissions on the directory you are trying to mount?
0
 
LVL 51

Author Comment

by:ahoffmann
permissions are:
drwxr-xr-x   4 root     root         1024 Jun 11 14:41 usr1
drwxr-xr-x   4 root     root         1024 Jun 11 14:41 usr2

I can mount usr2 but not usr1 (see question)
0
 
LVL 51

Author Comment

by:ahoffmann
Adjusted points to 200
0
 

Expert Comment

by:pele
First you can't change mount points just like that. If your linux box has /etc/fstab entries, it expects to see those entries correct in the real world. So if you're trying to mount something from another export on your server, you _have_ to specify the filesystem (nfs). Now onto the other bit...

From what I see there this sounds like a security problem. And what better place to look for security than /etc/hosts.deny/allow?
In your hosts.deny put
portmap: ALL
and forget about it, if you want something secure.
then in your hosts.allow put:
portmap: 1.1.1.1/1.1.1.2/1.1.1.3/1.1.1.4/1.1.1.5....
remember to substitute this for your real IPs and _remember_ to
put your linux box in there as well!!!
And that's about it really...
Regards,

Pele
0
 
LVL 51

Author Comment

by:ahoffmann
> If your linux box has /etc/fstab entries, it expects to see those entries correct in the real world
I'm not talking about the clients fstab, my problem is on the server's exports file.

> hosts.deny      portmap: ALL
I forget :-(

> hosts.allow      portmap: ip/ip/ip/..
I forget too, because I want to have wildcards. This is what
the  *  in exports claims to be. I need this 'cause there are some dhcp assigned IPs, and I never want to change this file if someone puts new (trusted) hosts anywhere.

0
 

Accepted Solution

by:
pele earned 300 total points
ok ok, mistakes are for people ?;)
Still, make sure your hosts.deny contains portmap: ALL
and then hosts.allow do
LOCAL: ALL.
Your wildcards in exports won't help you if you don't do what I've told you.
Your server must know what services to deny and what services to allow to whom. So, deny to everyone, but allow everything to LOCAL. And your wildcards aren't a problem, because you can mount from the hp and all the other machines, SO LEAVE YOUR exports ALONE!!
0
 
LVL 51

Author Comment

by:ahoffmann
My configuration looks like:

hosts.deny      ALL: ALL
hosts.allow      ALL: 192.168.40.

Pele, this is similar to your solution (if you meant ALL: LOCAL instead of LOCAL: ALL), but keep in mind that LOCAL might be slightly different to 192.168.40. .

I've tried millions of hosts.* combinations, ending up in
hosts.allow      ALL: ALL
but it's always the same: some (special, see question) clients cannot connect.

I'm unaware if you are pointing to the right direction, 'cause changes to hosts_access anyhow don't affect my problem. While changing exports (see the linuxhost example in my question) results in different behaviors.

BTW, pele, what do you mean by: SO LEAVE YOUR exports ALONE ??
no wildcards, access to everyone?


Pele, I've rejected your answer to make it more attractive for other experts. If you have reasonable hints feel free to contact me at hoffmann@tebis.de . We'll find a way to grade you then :-)
0
 

Expert Comment

by:pele
So, my friend, what you're saying is that your hosts.* look
just dandy, but your exports is giving you problems?
Well, you just intrigued me (even though it's impossible), and you know what, I went home,  and _renamed_ all my machines, to match exactly your names, and your IPs. And guess what?
/usr        192.168.*(rw)
/usr/local  192.168.40.*(rw) linuxhost(rw)
works just fine!
(And no I didn't want to repartition my disks to reflect your ones)
With NOTHING in /etc/hosts.allow and /etc/hosts.deny
I didn't have time to edit the other files because I was in a hurry to get back to work. But maybe I'll do that tomorrow morning and try the very same setup you've got.
So, there's nothing wrong with your /etc/exports as I said.
The only thing you might want to check is to add linuxhost to your hosts, maybe the poor server doesn't know about it.
first try mounting from an IP
as in mount 192.168.40.1:/usr1 /import or whatever and see if the resolver might be a problem. Otherwise everything is just fine.
You've got some other problem there...
Your linuxhost _is_ on the same (sub)net right? Because you were mentioning dynamic ip somewhere there....
_Now_ challenge me...
Pele

P.S. _you_ can contact _me_ on pele@artewisdom.com
0
 

 

Expert Comment

by:pele
this cgi is lame....
0
 
LVL 51

Author Comment

by:ahoffmann
ups, this question was "auto-accepted" by E-E ;-(

So if someone spends the points for reading this, I'll say that it still won't work that way (pele's suggestion).
I checked all (/etc/host*, /etc/exports) again and again, I used IPs instead of names, I fiddled around with several /etc/host* ..

As long as there is 192.168.40.* in /etc/exports I get the messages and no mount :-((
0
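
An added example, not part of the thread and not code from any participant: a small checker for the /etc/exports patterns discussed above. It assumes the semantics documented in exports(5) for current nfs-utils (wildcards match host names rather than IP addresses, IP networks are written as address/netmask, and whitespace before an option list turns it into a separate entry for any host); whether nfs-server-2.2beta26 behaves identically is an assumption. The name `lint_exports` is hypothetical.

```python
import re

# Constructed sample: export lines taken from the thread, plus one
# address/netmask form for comparison.
SAMPLE = """\
/pub    (rw,all_squash)
/usr1   192.168.40.*(rw)
/usr1   192.168.40.* (rw)
/usr2   linuxhost(rw) hpuxhost(rw)
/usr1   192.168.40.0/255.255.255.0(rw)
"""

# client[(options)] with no whitespace in between, as exports(5) requires
CLIENT = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")
# digits and dots plus a shell wildcard: an IP address written as a glob
IP_GLOB = re.compile(r"^(?=.*\d)(?=.*[*?])[\d.*?]+$")


def lint_exports(text):
    """Return (line_no, path, finding) tuples for risky client specs."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT.match(spec)
            if not m:
                findings.append((no, path, f"unparsable client spec {spec!r}"))
                continue
            host, opts = m.groups()
            if host in ("", "*"):
                # A bare option list is its own entry and matches every client.
                findings.append((no, path, f"({opts or 'default options'}) applies to ANY host"))
            elif opts is None:
                findings.append((no, path, f"{host}: no option list, defaults apply"))
            if IP_GLOB.match(host):
                # Assumption from exports(5): wildcards match host names only.
                findings.append((no, path, f"{host}: wildcard in IP, use address/netmask"))
    return findings


if __name__ == "__main__":
    for no, path, finding in lint_exports(SAMPLE):
        print(f"line {no}: {path}: {finding}")
```

On the sample, the `192.168.40.* (rw)` form from the comments yields three findings: the network entry loses its options, the bare `(rw)` applies to every host, and the pattern is an IP glob.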
