nfs authentication problems

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
I'm trying to access an nfs export on my openbsd server from os x and I'm getting rejected. I'm a little foggy on how nfs authentication works other than that it's by user id and I'm not sure if that has anything to do with why I'm being rejected.

So I've got portmap, mountd and nfsd running on the server and I can successfully query with showmount from either machine. When I do this on the client:
mount -o ro -t nfs server:/remote/path /local/path
The mount rpc call goes through fine, but the first nfs call (GETATTR apparently) fails with an AUTH_ERROR. I'm getting this info from ethereal.

So here's the line from /etc/exports:
/remote/path -ro -mapall=myusername

The user owning the file on the server is uid=1000 and on the client it's uid=501. I figured this might have something to do with it, hence the -mapall but no dice. Do they actually have to be the same to make it work?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Maybe add the IP address of the client machine (or the network if you swing like that).

Anything in the logs?
 

kamper

I changed the exports line to:
/remote/path -ro -mapall=myusername 192.168.1.101
and 101 is the ip of my laptop.

No go on that and nothing relevant that I can find in anything in /var/log. /var/log/authlog has only ssh and su info.

mountd is running from the console and reports that the mount succeeded.

portmap is also running from the console and spits out a bunch of "server: about to do a switch" lines each time I try and I assume that's for the portmap calls that look up mount and nfs each time.

It feels to me like mountd is honouring the -mapall flag but nfsd is not, I dunno. I've got to read up on the internals of those two as I'm not fully sure of why two separate entities are needed. Anyways, I'll try the network version of exports now. Thanks.

Edit: still no go with /remote/path -ro -mapall=myusername -network=192.168.1 -mask=255.255.255.0
 

n0cmonkey

Does it actually mount? I can't tell whether it mounts and you are having issues accessing the files or if it doesn't mount at all.

I haven't tried nfs with an OS X client, maybe something's wonky there...
 

kamper

Maybe you can explain to me where nfsd gets its permission info from. I gather that it doesn't read /etc/exports, so how does it know who is allowed to access what?
 

kamper

Originally posted by: n0cmonkey
Does it actually mount? I can't tell whether it mounts and you are having issues accessing the files or if it doesn't mount at all.
Yeah, it mounts. I get a positive message on the mountd console, an entry in /var/db/mountdtab and everything looks good (as far as I can tell) in ethereal.
I haven't tried nfs with an OS X client, maybe something's wonky there...
Unfortunately I don't have anything else here to test with, unless I could try using the openbsd machine as client and server.
 

n0cmonkey

Originally posted by: kamper
Maybe you can explain to me where nfsd gets its permission info from. I gather that it doesn't read /etc/exports, so how does it know who is allowed to access what?

I'm not sure, but this might be the answer:
When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call.
 

n0cmonkey

Originally posted by: kamper
Originally posted by: n0cmonkey
Does it actually mount? I can't tell whether it mounts and you are having issues accessing the files or if it doesn't mount at all.
Yeah, it mounts. I get a positive message on the mountd console, an entry in /var/db/mountdtab and everything looks good (as far as I can tell) in ethereal.

Ok, that limits the possibilities a bit. Does your user have permissions to access the files?

I haven't tried nfs with an OS X client, maybe something's wonky there...
Unfortunately I don't have anything else here to test with, unless I could try using the openbsd machine as client and server.

You can, I do it on my zaurus. There's a sysctl you'll have to set to enable the client
 

kamper

Another little diagnostic, the error coming back in the nfs GETATTR response says "rejected for security reasons", or at least that's ethereal's interpretation of the auth state code, 5. Maybe something's more locked down on the server than it needs to be?

I also notice that the mount call gives me a hash back which I assume is some sort of session identifier because my client sends it back for the nfs call. Does mountd share that hash with nfsd somehow?
 

kamper

Originally posted by: n0cmonkey
Ok, that limits the possibilities a bit. Does your user have permissions to access the files?
I believe so. The user specified in the -mapall owns the folder that gets mounted and it's 755.
 

n0cmonkey

Originally posted by: kamper
Another little diagnostic, the error coming back in the nfs GETATTR response says "rejected for security reasons", or at least that's ethereal's interpretation of the auth state code, 5. Maybe something's more locked down on the server than it needs to be?

I also notice that the mount call gives me a hash back which I assume is some sort of session identifier because my client sends it back for the nfs call. Does mountd share that hash with nfsd somehow?

I haven't looked at NFS traffic over the wire in a long time. No idea.
 

kamper

Originally posted by: n0cmonkey
You can, I do it on my zaurus. There's a sysctl you'll have to set to enable the client
Well I didn't see any in the faq or man pages so I just gave it a whirl:
$ mount localhost:/remote/path /local/path
mount_nfs: bad MNT RPC: RPC: Authentication error; why = Client credential too weak
And the client hangs... :confused::p
Or alternatively:
# mount localhost:/remote/path /local/path
mount_nfs: can't access /remote/path: Permission denied
And the client doesn't hang. This is pretty much identical to what I get from os x, as root or normal user.
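The auth state code 5 seen in Ethereal earlier in the thread and the "Client credential too weak" message mount_nfs prints here are the same thing on the wire: an ONC RPC reply of MSG_DENIED / AUTH_ERROR with auth_stat AUTH_TOOWEAK (RFC 5531), which is what a server that insists on reserved ports returns before it ever runs the NFS procedure. The following is an added example for this thread, not code from the posts, from OpenBSD or from Ethereal: it decodes that reply header and models the reserved-port gate. The reply bytes are constructed by hand to the RFC 5531 XDR layout, not captured traffic, and the gate is an assumed model of the check, not the kernel's code.

```python
"""Decode the ONC RPC reply header (RFC 5531) and model the reserved-port gate.

Added example for this thread; not code from the posts, OpenBSD or Ethereal.
The byte strings are built by hand to the RFC 5531 XDR layout, not captured.
"""
import struct

REPLY = 1                        # msg_type
MSG_ACCEPTED, MSG_DENIED = 0, 1  # reply_stat
RPC_MISMATCH, AUTH_ERROR = 0, 1  # reject_stat
AUTH_NULL = 0                    # verifier flavor
SUCCESS = 0                      # accept_stat
IPPORT_RESERVED = 1024           # only root may bind a port below this

# auth_stat values, RFC 5531 section 9.  Ethereal/Wireshark shows 5 as
# "rejected for security reasons"; mount_nfs prints "Client credential too weak".
AUTH_STAT = {
    0: "AUTH_OK", 1: "AUTH_BADCRED", 2: "AUTH_REJECTEDCRED",
    3: "AUTH_BADVERF", 4: "AUTH_REJECTEDVERF", 5: "AUTH_TOOWEAK",
    6: "AUTH_INVALIDRESP", 7: "AUTH_FAILED",
}
AUTH_TOOWEAK = 5


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at off; return (value, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC reply at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def xdr_u32(*vals):
    """Encode a sequence of unsigned ints as consecutive XDR words."""
    return struct.pack(">%dI" % len(vals), *vals)


def server_reply(xid, src_port, reserved_port_only=True):
    """Reply from a port-checking server (assumed model, not the kernel's code).

    A call from a source port >= 1024 is refused before the procedure runs with
    MSG_DENIED / AUTH_ERROR / AUTH_TOOWEAK; otherwise the call is accepted with
    an AUTH_NULL verifier and accept_stat SUCCESS (procedure results omitted).
    """
    if reserved_port_only and src_port >= IPPORT_RESERVED:
        return xdr_u32(xid, REPLY, MSG_DENIED, AUTH_ERROR, AUTH_TOOWEAK)
    return xdr_u32(xid, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)


def decode_reply(buf):
    """Parse a reply header into a dict; procedure results are not parsed."""
    xid, off = _u32(buf, 0)
    msg_type, off = _u32(buf, off)
    if msg_type != REPLY:
        raise ValueError("msg_type %d is not REPLY" % msg_type)
    reply_stat, off = _u32(buf, off)
    if reply_stat == MSG_DENIED:
        reject_stat, off = _u32(buf, off)
        if reject_stat == AUTH_ERROR:
            auth_stat, off = _u32(buf, off)
            return {"xid": xid, "status": "denied", "reject": "AUTH_ERROR",
                    "auth_stat": auth_stat,
                    "auth_stat_name": AUTH_STAT.get(auth_stat, "unknown(%d)" % auth_stat)}
        low, off = _u32(buf, off)          # RPC_MISMATCH carries the version range
        high, off = _u32(buf, off)
        return {"xid": xid, "status": "denied", "reject": "RPC_MISMATCH",
                "low": low, "high": high}
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("bad reply_stat %d" % reply_stat)
    flavor, off = _u32(buf, off)           # verifier: opaque_auth flavor
    vlen, off = _u32(buf, off)             # verifier body length
    off += (vlen + 3) & ~3                 # body is padded to a 4-byte boundary
    accept_stat, off = _u32(buf, off)
    return {"xid": xid, "status": "accepted", "verf_flavor": flavor,
            "accept_stat": accept_stat}


if __name__ == "__main__":
    # Port 49152 stands in for a client that did not bind a reserved port;
    # 1023 stands in for mount_nfs -P, which binds below 1024.
    for port in (49152, 1023):
        print(port, decode_reply(server_reply(0x2a, port)))
```

Running the block prints the denied reply for the unprivileged port and the accepted one for the reserved port; the same decoder run over a real capture tells you whether a failure is an RPC-layer rejection (never reached the NFS code) or an NFS-layer status such as a permission error inside an accepted reply.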
 

n0cmonkey

It's working fine on my Zaurus, OpenBSD2OpenBSD.

/etc/exports: /exports -ro -mapall=ddp 127.0.0.1

Then start portmap, mountd, and nfsd -tun 4. In that order. If I run mount just like that I see the line: /dev/wd0j on /exports type ext2fs (NFS exported, local). After I mount /exports over nfs (mount -t nfs 127.0.0.1:/exports /home/ddp/files) I have: 127.0.0.1:/exports on /home/ddp/files type nfs (v3, udp, timeo-100) when I run mount.

I can access the test files I placed on that drive, but not things my user doesn't have access to.

From here:
I've got NFS running with Mac OS X and FreeBSD 4.x

try out the webpage :
http://www.withay.com/macosx/

Mac OS X as NFS server and client both worked.

And one more thing, my system had

nfs_reserved_port_only="YES"

line at /etc/rc.conf and it prevented me from having NFS connection with OS X. So if you are under safe network (like private network 192.168.x.x) comment it out.


I've never tried SMB, but with automount daemon I think NFS is cool ^^

If security is concern, I've heard you can also use tunneling NFS under SSH

Bolding done by me. ;)
 

kamper

Ok, I'd seen stuff about reserved ports, but there are so many things to pay attention over all :p I'll fiddle around with that shiznit. So much for getting lots of work done this afternoon.

Oh, and pebkac was the source of one problem. I was able to mount locally after removing the -network and -mask flags from exports :)
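Two of the questions in this thread, whether the client address is covered by the export line and what uid the server ends up using after -mapall, are decided by the options on a single exports(5) line. The following is an added example for this thread, not code from the posts or from OpenBSD's mountd: it parses an OpenBSD-style exports line and answers both questions for a given client, including the case where a -network/-mask pair silently excludes 127.0.0.1. Assumptions: hosts are dotted-quad IPv4 addresses only (exports(5) also accepts host names and netgroups), and the map target is resolved through the constructed PASSWD table below instead of the server's passwd database.

```python
"""Evaluate an OpenBSD-style exports(5) line for one client: is the address
allowed, and which uid does the server act as after -maproot / -mapall?

Added example for this thread; not code from the posts or from OpenBSD's
mountd.  Hosts are dotted-quad IPv4 only, and the map target is looked up
in the constructed PASSWD table rather than the server's passwd file.
"""
import ipaddress
import shlex

# Constructed stand-in for the server's passwd file (not real accounts).
PASSWD = {"myusername": 1000, "ddp": 1001, "nobody": 32767}
UNMAPPED_ROOT = -2  # exports(5): root becomes -2:-2 when neither map option is given


def _uid(spec):
    """-mapall=user[:group...] or a numeric uid; only the user part matters here."""
    user = spec.split(":")[0]
    return int(user) if user.isdigit() else PASSWD[user]


def parse_export(line):
    """Split an exports line into (dirs, options, hosts, network).

    Directories are absolute paths, options start with '-', anything else is a
    host.  -network may be a truncated dotted quad (192.168.1) paired with -mask.
    """
    dirs, opts, hosts = [], {}, []
    for tok in shlex.split(line):
        if tok.startswith("-"):
            key, _, val = tok[1:].partition("=")
            opts[key] = val if val else True
        elif tok.startswith("/"):
            dirs.append(tok)
        else:
            hosts.append(tok)
    network = None
    if "network" in opts:
        octets = opts["network"].split(".")
        octets += ["0"] * (4 - len(octets))
        mask = opts.get("mask", "255.255.255.255")
        network = ipaddress.IPv4Network((".".join(octets), mask), strict=False)
    return dirs, opts, hosts, network


def client_allowed(line, client_ip):
    """True if client_ip is covered by the host list or the -network/-mask pair.
    A line with neither exports to every host."""
    _, _, hosts, network = parse_export(line)
    ip = ipaddress.IPv4Address(client_ip)
    if not hosts and network is None:
        return True
    if network is not None and ip in network:
        return True
    return any(ip == ipaddress.IPv4Address(h) for h in hosts)


def effective_uid(line, client_uid):
    """uid the server uses for a request whose AUTH_SYS credential carries client_uid."""
    _, opts, _, _ = parse_export(line)
    if "mapall" in opts:                      # every client uid becomes the map user
        return _uid(opts["mapall"])
    if client_uid == 0:                       # root is special-cased
        return _uid(opts["maproot"]) if "maproot" in opts else UNMAPPED_ROOT
    return client_uid                         # other uids pass through unchanged


if __name__ == "__main__":
    line = "/remote/path -ro -mapall=myusername -network=192.168.1 -mask=255.255.255.0"
    for ip in ("192.168.1.101", "127.0.0.1"):
        print(ip, "allowed" if client_allowed(line, ip) else "refused")
    print("client uid 501 acts as", effective_uid(line, 501))
```

With the -network/-mask line from earlier in the thread, 192.168.1.101 is allowed and 127.0.0.1 is refused, which is why a loopback mount only works once those options are dropped; and because -mapall is present, a client uid of 501 is served as uid 1000, so the uid mismatch between the two machines is not what produces the rejection.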
 

n0cmonkey

I thought it was a simple fix so that it didn't require trusted ports, but now I can't find it. :p

Too many manpages open. :confused:

EDIT: run mountd -n instead of just mountd.
 

kamper

Got it to work from os x by using:
mount_nfs -P server:/remote/path localpath
-P means to use a reserved port. I was gonna ask how to allow nonreserved ports on the server, which you've half answered. mountd -n actually doesn't seem to work, and in any case, it doesn't help me when I want to put this into rc.conf.local. I'm not seeing any nfs_reserved_port_only stuff in rc.conf either.

Whoops, from mount_nfs(8) on OpenBSD:
In OpenBSD, a reserved port is always used.
So I guess I'm probably not going to get any help there :p
 

kamper

Thanks a bunch for your help n0c. I think stuff is making enough sense now that I can continue to figure out what I want using the documentation. :)
 

n0cmonkey

Originally posted by: kamper
Got it to work from os x by using:
mount_nfs -P server:/remote/path localpath
-P means to use a reserved port. I was gonna ask how to allow nonreserved ports on the server, which you've half answered. mountd -n actually doesn't seem to work, and in any case, it doesn't help me when I want to put this into rc.conf.local. I'm not seeing any nfs_reserved_port_only stuff in rc.conf either.

If you look in /etc/rc you'll see mountd doesn't look in rc.conf(.local) for configurations:
# $nfs_server is imported from /etc/rc.conf;
# if $nfs_server == YES, the machine is setup for being an nfs server
if [ X"${nfs_server}" = X"YES" -a -s /etc/exports -a \
    `sed -e '/^#/d' < /etc/exports | wc -l` -ne 0 ]; then
        rm -f /var/db/mountdtab
        echo -n > /var/db/mountdtab
        echo -n ' mountd';              mountd
        echo -n ' nfsd';                nfsd ${nfsd_flags}
        if [ X"${lockd}" = X"YES" ]; then
                echo -n ' rpc.lockd';   rpc.lockd
        fi
fi

So you could change the line that says "echo -n ' mountd'; mountd" to "echo -n ' mountd'; mountd -n". That should do it.

Whoops, from mount_nfs(8) on OpenBSD:
In OpenBSD, a reserved port is always used.
So I guess I'm probably not going to get any help there :p

mount_nfs(8) is the client, it shouldn't have any bearings on the server.

Thanks a bunch for your help n0c. I think stuff is making enough sense now that I can continue to figure out what I want using the documentation.

NFS can be a PITA. I've been a bit more interested in AFS, but haven't gotten around to setting it up yet.
 

kamper

Originally posted by: n0cmonkey
mount_nfs(8) is the client, it shouldn't have any bearings on the server.
Yeah, but I figure if their client always uses reserved ports, there's a good chance they'll only have the server that way and tell you to deal with it if you're using other clients. I'll try out what you posted though.
Thanks a bunch for your help n0c. I think stuff is making enough sense now that I can continue to figure out what I want using the documentation.

NFS can be a PITA. I've been a bit more interested in AFS, but haven't gotten around to setting it up yet.
So I'm gathering, but the important thing is more that I'm learning, it doesn't need to be practical for now :)
 

kamper

mountd(8):
Do not require that clients make mount requests from reserved
ports. (Normally, only mount requests from reserved ports are
accepted.) This option should only be specified if there are
clients, such as PCs, that need it. The use of -n is STRONGLY
discouraged, as it opens up a wide range of security problems.
This is for mountd, not nfsd. I've been having no problems with mountd as my client has been using a reserved port all along. I don't see anything similar in nfsd(8) so I'm still going to have to go with -P on the client.