[nfs-discuss] snv_111 credential problems with Linux NFSv3

Mon, 27 Apr 2009 17:54:02 +0530 

>
>
>
> Running pfexec  mount -F nfs -o vers=3,sec=sys butler:/data /mnt/ 
> still gives nfs mount: security mode does not match the server 
> exporting butler:/data and the following snoop
>
> 192.168.0.10 -> butler       DNS C butler. Internet Addr ?
>       butler -> 192.168.0.10 DNS R butler. Internet Addr 192.168.0.1
> 192.168.0.10 -> butler       PORTMAP C GETPORT prog=100005 (MOUNT) 
> vers=3 proto=UDP
>       butler -> 192.168.0.10 PORTMAP R GETPORT port=44106
> 192.168.0.10 -> butler       MOUNT3 C Null
>       butler -> 192.168.0.10 MOUNT3 R Null
> 192.168.0.10 -> butler       MOUNT3 C Mount /data
>       butler -> 192.168.0.10 MOUNT3 R Mount OK FH=D734 Auth=
Hi Andreas,

NFS server is supposed to be returning client with a list of auth 
flavors allowed to access the filesystem. From MOUNT protocol RFC,

<snip>
If mountres3.fhs_status is MNT3_OK, then
mountres3.mountinfo contains the file handle for the
directory and a list of acceptable authentication
flavors.  This file handle may only be used in the NFS
version 3 protocol.
<snip>

Unfortunately, Gentoo NFS server is returning only file handle and no 
auth flavors in the list.

butler -> 192.168.0.10 MOUNT3 R Mount OK FH=D734 Auth=
                                                                            
^^^^^^^^^^^^^^^^^^^^^^^^^^

Solaris NFS clients check for this at:
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/fs.d/nfs/mount/mount.c#2316

I am not too sure about Gentoo Linux. But I believe Gentoo's mountd is 
not returning the list of acceptable authentication flavors to client. 
Have you modified anything on server? What are the default values on 
server for exportfs (/etc/default/nfs equivalent)?  Gentoo's mountd 
should have atleast returned the default auth flavor, this looks like a 
bug to me.

After you explicitly export filesystem with "sec=sys" on server, mountd 
sends  SYS auth flavor along with the filehandle. This is the reason 
why  client mounts succeed. With this explicit setting on server, you 
don't have to use "-o vers=sys" mount option on client.

What is interesting is, how did you start seeing this behavior from 
snv_111 onwards? This piece of code has been there in solaris mount_nfs 
from a long time.

Thanks.
-Vallish

Reply via email to