Solved

how to get nfsv4 mount working without using insecure mount option suse linux 11

Posted on 2014-11-26
Last Modified: 2014-11-27
I'm trying to mount a filesystem with nfs4 on a DMZ host. We allowed port 2049 through the network firewall, so the mount is only working when given the insecure option in /etc/exports on the server.
We want it working without that option; when we tried, we get

mount -t nfs4 -o defaults,timeo=14,intr,port=2049 server:/exportimport  /exportimport
mount.nfs4: Operation not permitted error on client

and on the server we see the message below:
 nfsd: request from insecure port x.x.x.x, port=49754!

Now is there a way to force the client to request secure ports during the mount? And can that port be 2049? Can somebody explain, please? Thank you.
Both machines, NFS source and server, are SUSE Linux 11 SP2.
Question by:Anil_dasmala

8 Comments

Expert Comment

by:andreas
ID: 40468585
Secure port means that the NFS client will use a port <=1024 to mount the NFS share on the server. This will ensure that no user without root privileges can forge NFS communications and access NFS resources in a way not permitted.

You need to allow the client to access the server on the NFS port from (source port on the client) any port <=1024 to use NFS secure mount.

A good reading about NFS security can be found here:

http://nfs.sourceforge.net/nfs-howto/ar01s06.html

A reason why a strange insecure port is used for the mount could be some kind of NAT on the way from the client to the server, e.g. behind a NAT router or running inside a virtual machine with NAT network bindings.

Author Comment

by:Anil_dasmala
ID: 40468609
Andreas, thank you for the comment. Yes, these are both virtual machines under VMware.
And can you please elaborate on how we can set that client to use privileged ports / secure ports in Linux?

I know in AIX there is an option called nfs_use_reserved_ports which can be set with the nfso command. Is there anything similar in Linux?

Expert Comment

by:andreas
ID: 40468619
If they are virtual, you NEED to use bridged networking with their own IPs in the same LAN as the server. If you use internal IPs and NAT over the host OS, the secure mount option will not work.

I'm not aware of a way to influence the port mappings on the VMware NAT; maybe others know a way if there is any (I've never heard about it before).

So I would suggest:

setting the boxes' networking to bridged mode and assigning them free IPs of the same subnet as the host OS.

Author Comment

by:Anil_dasmala
ID: 40468706
Unfortunately, my requirement is to NFS mount inside a VM which is in the DMZ.
No chance for us to keep the same IPs in the same subnet.

Between an AIX machine and Linux, I'm able to do it, but between two Linux machines it demands insecure.
Maybe I'm missing something to configure on the Linux client side.

Accepted Solution

by:andreas (earned 2000 total points)
ID: 40469252
You might put the VMs in their own DMZ net that is not doing NAT; the main problem seems to be the NAT the VMs seem to be configured with right now.

What IP is assigned to the VM, to the host and to the NFS server? If you can't/won't post this info here, you need to explain how the VMs are connected to the network.

With VMware with a NAT network, I'm not aware of a way to avoid insecure mounts.

Author Closing Comment

by:Anil_dasmala
ID: 40469295
Thank you for the information, Andrew. The VM in the DMZ (NFS client) has IP 172.16.*.* and the NFS server IP is a public IP.
Looks like there is no way to avoid, or at least not a simple way to avoid, insecure NFS mounts. If you have some other suggestions, comments are welcome.

Expert Comment

by:andreas
ID: 40469517
My suggestion is to use bridging with IPs in another subnet than the server's. These could also be private addresses, but then set your network up in a way that these private IPs are INTERNALLY routable to the IP of the server without using NAT.

This new subnet could also be configured with similar access restrictions as your DMZ. All port blocks that NAT provides could also be achieved by normal packet filtering.

Expert Comment

by:andreas
ID: 40469541
Furthermore, you might ask some VMware folks here again how to configure VMware with regard to the NAT and networking.
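
A way to check the NAT diagnosis reached in this thread (an added example, not code from any of the posters): compare the source port the client uses for its connection to port 2049 with the port the server logs in its "nfsd: request from insecure port" message. The function names, host names and all sample lines are constructed for illustration; a reserved port here means one below 1024, which the Linux NFS client uses by default (the resvport mount option).

```shell
#!/bin/sh
# Added example, not from the thread. All sample data is constructed;
# 192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges.

# Server side: summarise "insecure port" rejections from the kernel log.
# stdin: log lines. Output: <client> <rejections> <lowest port> <highest port>
insecure_port_summary() {
    sed -n 's/.*nfsd: request from insecure port \([^, ]*\), port=\([0-9][0-9]*\).*/\1 \2/p' |
    awk '{ p = $2 + 0; n[$1]++
           if (!($1 in lo) || p < lo[$1]) lo[$1] = p
           if (!($1 in hi) || p > hi[$1]) hi[$1] = p }
         END { for (c in n) print c, n[c], lo[c], hi[c] }' | sort
}

# Client side: local source ports of TCP connections to the NFS port.
# stdin: output of `ss -tn` taken while the mount is attempted.
# $1: NFS port (default 2049). Output: <source port> reserved|unreserved
nfs_source_ports() {
    awk -v nfsport="${1:-2049}" '
        NR > 1 {
            l = split($4, loc, ":"); r = split($5, peer, ":")
            if (peer[r] == nfsport)
                print loc[l], (loc[l] + 0 < 1024 ? "reserved" : "unreserved")
        }'
}

# Constructed server log, in the format of the message quoted in the question.
sample_server_log() { cat <<'EOF'
Nov 26 10:01:02 nfssrv kernel: nfsd: request from insecure port 203.0.113.9, port=49754!
Nov 26 10:01:07 nfssrv kernel: nfsd: request from insecure port 203.0.113.9, port=49761!
Nov 26 10:02:15 nfssrv kernel: nfsd: request from insecure port 192.0.2.44, port=33010!
Nov 26 10:02:20 nfssrv kernel: some unrelated kernel message
EOF
}

# Constructed `ss -tn` output from the NFS client (address is made up).
sample_client_ss() { cat <<'EOF'
State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port
ESTAB  0      0       172.16.5.20:876      203.0.113.5:2049
ESTAB  0      0       172.16.5.20:51322    203.0.113.5:22
EOF
}

echo "server view (client, rejections, min port, max port):"
sample_server_log | insecure_port_summary
echo "client view (source port toward 2049):"
sample_client_ss | nfs_source_ports
```

If the client reports a reserved source port while the server logs a high port for the same attempt, something on the path is rewriting the source port.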