how to get nfsv4 mount working without using insecure mount option suse linux 11

I'm trying to mount a filesystem with nfs4 on a dmz host, we allowed port 2049 through network firewall,

so mount is only working when given insecure option in /etc/exports in server.
We want it working without that option, when tried we get

mount -t nfs4 -o defaults,timeo=14,intr,port=2049 server:/exportimport  /exportimport
mount.nfs4: Operation not permitted error on client

 and on server we see below message
 nfsd: request from insecure port x.x.x.x, port=49754!

Now is there a way to force client request secure ports during the mount..? and can that port be 2049 ..? can somebody explain please. thank you
Both machines nfs source and server are suse linux 11 sp2.
Anil_dasmala Asked:

andreas (System Admin) Commented:
Secure port means that the NFS client will use a port <=1024 to mount the NFS share on the server. This will ensure that no user without root privileges can forge NFS communications and access NFS resources in a way not permitted.

You need to allow the client to access the server on the NFS port from (source port on the client) any port <=1024 to use NFS secure mount.

A good reading about NFS security can be found here:

http://nfs.sourceforge.net/nfs-howto/ar01s06.html

A reason why a strange insecure port is used for the mount could be some kind of NAT on the way from the client to the server, e.g. behind a NAT router or running inside a virtual machine with NAT network bindings.
0
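
The server message quoted in the question, turned into a quick check (an added example, not part of the original thread): it extracts the client address and source port from nfsd's "request from insecure port" lines, so you can see which clients arrive from ports at or above 1024, as happens when NAT rewrites the source port. The log lines are constructed samples using documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of server-side kernel log lines (documentation IPs,
# not values from the thread). On a real server, feed dmesg or the
# kernel log file into summarize_insecure_requests instead.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 nfssrv kernel: nfsd: request from insecure port 192.0.2.10, port=49754!
Jan 10 10:00:05 nfssrv kernel: nfsd: request from insecure port 192.0.2.10, port=50112!
Jan 10 10:01:00 nfssrv kernel: nfsd: request from insecure port 192.0.2.22, port=33001!
Jan 10 10:02:00 nfssrv kernel: some unrelated message
EOF
}

# Exit 0 if the port is in the reserved range (below 1024) that an export
# with the default "secure" option accepts as a request source port.
is_reserved_port() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -lt 1024 ]
}

# Read log lines on stdin and print one line per rejected client:
#   client_ip  rejected_requests  lowest_source_port  highest_source_port
summarize_insecure_requests() {
    sed -n 's/.*nfsd: request from insecure port \([0-9.]*\), port=\([0-9]*\)!.*/\1 \2/p' |
    awk '{ p = $2 + 0
           n[$1]++
           if (!($1 in lo) || p < lo[$1]) lo[$1] = p
           if (!($1 in hi) || p > hi[$1]) hi[$1] = p }
         END { for (c in n) print c, n[c], lo[c], hi[c] }' |
    sort
}

# Stand-alone run over the constructed sample.
sample_log | summarize_insecure_requests | while read -r ip count low high; do
    if is_reserved_port "$low"; then
        echo "$ip: $count rejected, some from reserved ports ($low-$high)"
    else
        echo "$ip: $count rejected, all source ports >= 1024 ($low-$high)"
    fi
done
```

A client whose rejected requests all come from high, changing ports while its own mount runs as root is consistent with source-port translation somewhere between client and server.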
Anil_dasmala (Author) Commented:
Andreas, thank you for the comment. Yes, these are both virtual machines under VMware.
And can you please elaborate on how we can set that client to use privileged ports / secure ports in Linux..?

I know in aix there is an option called nfs_use_reserved_ports which can be used with nfso command and set. is there anything similar in linux..?
0
andreas (System Admin) Commented:
If they are virtual, you NEED to use bridged networking with their own IPs in the same LAN as the server. If you use internal IPs and NAT over the host OS, the secure mount option will not work.

I'm not aware of a way to influence the port mappings on the VMware NAT; maybe others know a way if there is any (I've never heard about it before).

So I would suggest:

setting the boxes networking to bridged mode and assign them free IPs of the same subnet as the host-OS.
0

Anil_dasmala (Author) Commented:
Unfortunately my requirement is to nfs mount inside  a vm which is in DMZ.
No chance for us to keep same ips in same subnet.

Between an AIX machine and Linux, I'm able to do it, but between two Linux machines it demands insecure.
Maybe I'm missing some configuration on the Linux client side.
0
andreas (System Admin) Commented:
You might put the VMs in their own DMZ net that is not doing NAT; the main problem seems to be the NAT the VMs seem to be configured with right now.

What IP is assigned to the VM, to the host and to the NFS server? If you can't/won't post this info here, you need to explain how the VMs are connected to the network.

With VMware with a NAT network, I'm not aware of a way to avoid insecure mounts.
0

Anil_dasmala (Author) Commented:
Thank you for the information, Andrew. The VM in the DMZ (NFS client) IP is 172.16.*.* and the server NFS IP is a public IP.
Looks like there is no way to avoid, or at least not a simple way to avoid, insecure NFS mounts. If you have some other suggestions, comments are welcome.
0
andreas (System Admin) Commented:
My suggestion is to use bridging with IPs in another subnet than the server's; these could also be private addresses, but then set your network up in a way that these private IPs are INTERNALLY routable to the IP of the server without using NAT.

This new subnet could also be configured with similar access restrictions as your DMZ. All port blocks that NAT will provide could also be achieved by normal packet filtering.
0
andreas (System Admin) Commented:
Furthermore, you might ask again here some VMware folks how to configure VMware regarding the NAT and networking.
0
Question has a verified solution.