mount nfs - Operation not permitted

Amadeus W. M. amadeus84 at
Thu Dec 29 16:13:28 UTC 2005

On Wed, 28 Dec 2005 21:33:57 -0600, Charles Howse wrote:

>> On Wed, 28 Dec 2005 11:29:39 -0600, Charles Howse wrote:
>>> I'm sure this has been asked and answered hundreds of times, but I've been
>>> working on it for 2 days now, and can't resolve the issue.
>>> I'm trying to mount an nfs filesystem that lives on FC4 from my Macintosh
>>> across the home lan (machines are only 15' apart).  ;-)
>>> I can successfully mount nfs shares that live on the FreeBSD machine from
>>> the Mac, and can successfully ssh to the FC4 box from the Mac.
>>> On FC4:
>>> [root at shemp ~]# cat /etc/exports
>>> /disc2 moe(rw,sync) larry(ro,sync)
>>> /home  moe(rw) larry(ro)
>>> [root at shemp ~]# cat /etc/hosts.allow
>>> #
>>> # hosts.allow   This file describes the names of the hosts which are
>>> #               allowed to use the local INET services, as decided
>>> #               by the '/usr/sbin/tcpd' server.
>>> #
>>> ALL: ALL
>>> [root at shemp ~]# cat /etc/hosts.deny
>>> #
>>> # hosts.deny    This file describes the names of the hosts which are
>>> #               *not* allowed to use the local INET services, as decided
>>> #               by the '/usr/sbin/tcpd' server.
>>> #
>>> # The portmap line is redundant, but it is left to remind you that
>>> # the new secure portmap uses hosts.deny and hosts.allow.  In particular
>>> # you should know that NFS uses portmap!
>>> [root at shemp ~]# cat /proc/fs/nfs/exports
>>> # Version 1.1
>>> # Path Client(Flags) # IPs
>>> /home   larry(ro,root_squash,sync,wdelay)
>>> /disc2  larry(ro,root_squash,sync,wdelay)
>>> [root at shemp ~]# cat /var/lib/nfs/xtab
>>> [root at shemp ~]# exportfs -ra
>>> exportfs: /etc/exports [2]: No 'sync' or 'async' option specified for export
>>> "moe:/home".
>>>   Assuming default behaviour ('sync').
>>>   NOTE: this default has changed from previous versions
>>> On the Mac:
>>> [charles at larry:~]$ mount -t nfs shemp:/disc2 ~/mnt
>>> mount_nfs: /Users/charles/mnt: Operation not permitted
>>> [charles at larry:~]$ mount -t nfs shemp:/home ~/mnt
>>> mount_nfs: /Users/charles/mnt: Operation not permitted
>>> properties for ~/mnt on the Mac:
>>> 0 drwxr-xr-x    3 charles  charles    102 Nov 20 17:11 mnt/
>>> My uid/gid are the same on both client and username is the same
>>> on both machines, password is different.
>>> Anybody have a clue?  I've read and read and Google'd and browsed till I'm
>>> blue in the face.
>>> Could this be a problem with (what is it...) "non-privileged ports"?
>>> -- 
>>> Thanks,
>>> Charles 
>> I bet it's the firewall in FC4. Turn it off and see if nfs works. Then you
>> go from there. Besides the port 2049 (nfs) you need to have several other
>> ports open. The problem is those ports are not always the same, which is a
>> problem with the firewall.
> Thank you all very kindly for the suggestions.
> The solution to the problem was the lack of the 'insecure' export option in
> /etc/exports:
> /home larry(rw,insecure,sync)
> I discovered it by tailing /var/log/messages:
> Dec 28 15:44:00 shemp rpc.mountd: authenticated mount request from larry:982
> for /home (/home)
> Dec 28 15:44:00 shemp kernel: nfsd: request from insecure port
> (!
> Everything works now.  Thanks again.
> Look for my new thread on discussing why questions to mailing lists and
> usenet groups don't get answered.

Strange, I don't have insecure in my /etc/exports on the nfs server:

/opt                 ,sync)
/home                ,sync)

and it still works. And I'm all the more surprised knowing how the default
iptables rules are set on FC4. But maybe you already had the firewall set
up to allow nfs traffic and the auxiliary nfs services running on fixed

Reading the exports man page I see that the secure option is on by
default, which requires that nfs connections be made from ports < 1024.
Checking this with netstat on my nfs server I do see connections
originating on ports 800 and 799, so maybe that's the default behavior
of FC4 nfs clients. Or maybe I just got lucky.

Good to know about "insecure" though.

More information about the fedora-list mailing list