Solved

how to get nfsv4 mount working without using insecure mount option suse linux 11

Posted on 2014-11-26
Last Modified: 2014-11-27
I'm trying to mount a filesystem with nfs4 on a DMZ host; we allowed port 2049 through the network firewall, so the mount is only working when given the insecure option in /etc/exports on the server.
We want it working without that option; when tried, we get

mount -t nfs4 -o defaults,timeo=14,intr,port=2049 server:/exportimport  /exportimport
mount.nfs4: Operation not permitted error on client

 and on server we see below message
 nfsd: request from insecure port x.x.x.x, port=49754!

Now, is there a way to force the client to request secure ports during the mount? And can that port be 2049? Can somebody explain, please? Thank you.
Both machines, NFS source and server, are SUSE Linux 11 SP2.
Question by:Anil_dasmala
8 Comments
 
LVL 12

Expert Comment

by:andreas
ID: 40468585
Secure port means that the NFS client will use a port <=1024 to mount the NFS share on the server. This will ensure that no user without root privileges can forge NFS communications and access NFS resources in a way not permitted.

You need to allow the client to access the server on the NFS port from (source port on the client) any port <=1024 to use NFS secure mount.

A good reading about NFS security can be found here:

http://nfs.sourceforge.net/nfs-howto/ar01s06.html

A reason why a strange insecure port is used for the mount could be some kind of NAT on the way from the client to the server, e.g. behind a NAT router or running inside a virtual machine with NAT network bindings.
0
 
LVL 1

Author Comment

by:Anil_dasmala
ID: 40468609
Andreas, thank you for the comment. Yes, these are both virtual machines under VMware.
And can you please elaborate on how we can set that client to use privileged ports / secure ports in Linux?

I know in AIX there is an option called nfs_use_reserved_ports which can be set with the nfso command. Is there anything similar in Linux?
0
 
LVL 12

Expert Comment

by:andreas
ID: 40468619
If they are virtual, you NEED to use bridged networking with their own IPs in the same LAN as the server. If you use internal IPs and NAT over the HOST OS, the secure mount option will not work.

I'm not aware of a way to influence the port mappings on the VMware NAT; maybe others know a way if there is any (I've never heard about it before).

So I would suggest:

setting the boxes networking to bridged mode and assign them free IPs of the same subnet as the host-OS.
0
 
LVL 1

Author Comment

by:Anil_dasmala
ID: 40468706
Unfortunately, my requirement is to NFS mount inside a VM which is in the DMZ.
No chance for us to keep the same IPs in the same subnet.

Between an AIX machine and Linux, I'm able to do it, but between two Linux machines it demands insecure.
Maybe I'm missing something to configure on the Linux client side.
0
 
LVL 12

Accepted Solution

by:
andreas earned 500 total points
ID: 40469252
You might put the VMs in their own DMZ net that is not doing NAT; the main problem seems to be the NAT the VMs seem to be configured with right now.

What IP is assigned to the VM, to the host and to the NFS server? If you can't/won't post this info here, you need to explain how the VMs are connected to the network.

With VMware with a NAT network, I'm not aware of a way to avoid insecure mounts.
0
 
LVL 1

Author Closing Comment

by:Anil_dasmala
ID: 40469295
Thank you for the information, Andrew. The VM in the DMZ (NFS client) IP is 172.16.*.* and the server NFS IP is a public IP.
Looks like there is no way to avoid, or at least not a simple way to avoid, insecure NFS mounts. If you have some other suggestions and comments, they are welcome.
0
 
LVL 12

Expert Comment

by:andreas
ID: 40469517
My suggestion is to use bridging with IPs in another subnet than the server's; these could also be private addresses, but then set your network up in a way that these private IPs are INTERNAL routable to the IP of the server without using NAT.

This new subnet could also be configured with similar access restrictions as your DMZ. All port blocks that NAT will provide could also be achieved by normal packet filtering.
0
 
LVL 12

Expert Comment

by:andreas
ID: 40469541
Furthermore, you might ask some VMware folks here again how to configure VMware with regard to the NAT and networking.
0
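
For anyone who ends up keeping the insecure option as this thread concludes, here is a server-side audit as an added example (not part of the original thread or any poster's code): it parses the nfsd kernel message quoted in the question and lists which /etc/exports entries carry insecure, flagging entries that cover more than one host. The log lines, addresses and exports content are constructed samples, and reserved ports are assumed to be those below 1024.

```python
import ipaddress
import re
RESERVED_LIMIT = 1024  # Linux: binding a source port below this needs root
LOG_RE = re.compile(r"nfsd: request from insecure port ([^,\s]+), port=(\d+)!")
CLIENT_RE = re.compile(r"^([^()\s]*)\(([^)]*)\)$")  # host(opt,opt,...)

def rejected_clients(log_lines):
    """Map client IP -> set of unprivileged source ports nfsd rejected."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group(2)) >= RESERVED_LIMIT:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return seen

def insecure_exports(exports_text):
    """Return (path, client) pairs exported with the 'insecure' option."""
    found = []
    for raw in exports_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for spec in fields[1:]:
            m = CLIENT_RE.match(spec)
            # exact match, so 'insecure_locks' is not mistaken for 'insecure'
            if m and "insecure" in m.group(2).split(","):
                found.append((fields[0], m.group(1) or "*"))
    return found

def is_broad(client):
    """True when a client spec covers more than one host."""
    if client.startswith("@") or any(c in client for c in "*?["):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:
        return False  # a plain hostname names one host

SAMPLE_LOG = [  # constructed sample lines using documentation addresses
    "Nov 26 10:02:11 nfssrv kernel: nfsd: request from insecure port 192.0.2.10, port=49754!",
    "Nov 26 10:02:41 nfssrv kernel: nfsd: request from insecure port 192.0.2.10, port=50112!",
]
SAMPLE_EXPORTS = """\
/exportimport  192.0.2.10(rw,sync,insecure)
/scratch       *(rw,insecure_locks)  172.16.0.0/16(ro,insecure)
"""

if __name__ == "__main__":
    print("rejected:", rejected_clients(SAMPLE_LOG))
    for path, client in insecure_exports(SAMPLE_EXPORTS):
        print(path, client, "BROAD" if is_broad(client) else "single host")
```

An entry flagged BROAD accepts unprivileged source ports from every host it matches, so where insecure cannot be avoided it is better attached to the single client address the server actually sees.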
