mount nfs - Operation not permitted
Charles Howse
chowse at charter.net
Fri Dec 30 15:09:27 UTC 2005
> On Fri, 30 Dec 2005 07:29:54 -0600, Charles Howse wrote:
>
>>> On Thu, 29 Dec 2005 12:37:37 -0600, Charles Howse wrote:
>>>
>>>>> On Thu, 29 Dec 2005 10:48:13 -0600, Charles Howse wrote:
>>>>>
>>>>>>> On Wed, 28 Dec 2005 21:33:57 -0600, Charles Howse wrote:
>>>>>>>
>>>>>>>>> On Wed, 28 Dec 2005 11:29:39 -0600, Charles Howse wrote:
>>>>>>>>>
>>>>>>>>>> I'm sure this has been asked and answered hundreds of times, but I've
>>>>>>>>>> been working on it for 2 days now, and can't resolve the issue.
>>>>>>>>>> I'm trying to mount an nfs filesystem that lives on FC4 from my
>>>>>>>>>> Macintosh across the home lan (machines are only 15' apart). ;-)
>>>>>>>>>> I can successfully mount nfs shares that live on the FreeBSD machine
>>>>>>>>>> from the Mac, and can successfully ssh to the FC4 box from the Mac.
>>>>>>>>>>
>>>>>>>>>> On FC4:
>>>>>>>>>> [root at shemp ~]# cat /etc/exports
>>>>>>>>>> /disc2 moe(rw,sync) larry(ro,sync)
>>>>>>>>>> /home moe(rw) larry(ro)
>>>>>>>>>> [root at shemp ~]# cat /etc/hosts.allow
>>>>>>>>>> #
>>>>>>>>>> # hosts.allow This file describes the names of the hosts which are
>>>>>>>>>> # allowed to use the local INET services, as decided
>>>>>>>>>> # by the '/usr/sbin/tcpd' server.
>>>>>>>>>> #
>>>>>>>>>> ALL: ALL
>>>>>>>>>> [root at shemp ~]# cat /etc/hosts.deny
>>>>>>>>>> #
>>>>>>>>>> # hosts.deny This file describes the names of the hosts which are
>>>>>>>>>> # *not* allowed to use the local INET services, as decided
>>>>>>>>>> # by the '/usr/sbin/tcpd' server.
>>>>>>>>>> #
>>>>>>>>>> # The portmap line is redundant, but it is left to remind you that
>>>>>>>>>> # the new secure portmap uses hosts.deny and hosts.allow. In particular
>>>>>>>>>> # you should know that NFS uses portmap!
>>>>>>>>>>
>>>>>>>>>> [root at shemp ~]# cat /proc/fs/nfs/exports
>>>>>>>>>> # Version 1.1
>>>>>>>>>> # Path Client(Flags) # IPs
>>>>>>>>>> /home larry(ro,root_squash,sync,wdelay)
>>>>>>>>>> /disc2 larry(ro,root_squash,sync,wdelay)
>>>>>>>>>> [root at shemp ~]# cat /var/lib/nfs/xtab
>>>>>>>>>> [root at shemp ~]# exportfs -ra
>>>>>>>>>> exportfs: /etc/exports [2]: No 'sync' or 'async' option specified for export "moe:/home".
>>>>>>>>>> Assuming default behaviour ('sync').
>>>>>>>>>> NOTE: this default has changed from previous versions
>>>>>>>>>>
>>>>>>>>>> On the Mac:
>>>>>>>>>> [charles at larry:~]$ mount -t nfs shemp:/disc2 ~/mnt
>>>>>>>>>> mount_nfs: /Users/charles/mnt: Operation not permitted
>>>>>>>>>> [charles at larry:~]$ mount -t nfs shemp:/home ~/mnt
>>>>>>>>>> mount_nfs: /Users/charles/mnt: Operation not permitted
>>>>>>>>>>
>>>>>>>>>> properties for ~/mnt on the Mac:
>>>>>>>>>> 0 drwxr-xr-x 3 charles charles 102 Nov 20 17:11 mnt/
>>>>>>>>>>
>>>>>>>>>> My uid/gid are the same on both client and server...my username is
>>>>>>>>>> the same on both machines, password is different.
>>>>>>>>>>
>>>>>>>>>> Anybody have a clue? I've read and read and Google'd and browsed
>>>>>>>>>> till I'm blue in the face.
>>>>>>>>>> Could this be a problem with (what is it...) "non-privileged ports"?
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks,
>>>>>>>>>> Charles
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I bet it's the firewall in FC4. Turn it off and see if nfs works. Then
>>>>>>>>> you go from there. Besides the port 2049 (nfs) you need to have several
>>>>>>>>> other ports open. The problem is those ports are not always the same,
>>>>>>>>> which is a problem with the firewall.
>>>>>>>>
>>>>>>>> Thank you all very kindly for the suggestions.
>>>>>>>> The solution to the problem was the lack of the 'insecure' export
>>>>>>>> option in /etc/exports:
>>>>>>>> /home larry(rw,insecure,sync)
>>>>>>>>
>>>>>>>> I discovered it by tailing /var/log/messages:
>>>>>>>> Dec 28 15:44:00 shemp rpc.mountd: authenticated mount request from larry:982 for /home (/home)
>>>>>>>> Dec 28 15:44:00 shemp kernel: nfsd: request from insecure port (192.168.254.3:50646)!
>>>>>>>>
>>>>>>>> Everything works now. Thanks again.
>>>>>>>> Look for my new thread on discussing why questions to mailing lists and
>>>>>>>> usenet groups don't get answered.
>>>>>>>
>>>>>>> Strange, I don't have insecure in my /etc/exports on the nfs server:
>>>>>>>
>>>>>>> /opt 192.168.2.0/24(rw,sync)
>>>>>>> /home 192.168.2.0/24(rw,sync)
>>>>>>>
>>>>>>> and it still works. And I'm all the more surprised knowing how the
>>>>>>> default iptables rules are set on FC4. But maybe you already had the
>>>>>>> firewall set up to allow nfs traffic and the auxiliary nfs services
>>>>>>> running on fixed ports.
>>>>>>
>>>>>> Did I mention that I turned iptables off? Didn't even check the ruleset,
>>>>>> just turned it off.
>>>>>> Also made sure that selinux was disabled.
>>>>>
>>>>> I don't think you did. Turning off the firewall is not a permanent
>>>>> solution. Does it work if you turn it back on?
>>>>>
>>>>>>
>>>>>>> Reading the exports man page I see that the secure option is on by
>>>>>>> default, which requires that nfs connections be made from ports < 1024.
>>>>>>> Checking this with netstat on my nfs server I do see connections
>>>>>>> originating on ports 800 and 799, so maybe that's the default behavior
>>>>>>> of FC4 nfs clients. Or maybe I just got lucky.
>>>>>>>
>>>>>>> Good to know about "insecure" though.
>>>>>>
>>>>>> It may have something to do with the request coming from the Mac...?
>>>>>> Maybe Macs use insecure ports for nfs connections? Haven't looked into
>>>>>> making the Mac use a secure port for nfs.
>>>>>
>>>>> Out of curiosity, can you do a
>>>>>
>>>>> netstat -tupan
>>>>>
>>>>> on the FC4 nfs server while accessing the exported partition from the mac
>>>>> and see what port it's coming from?
>>>>
>>>> Yes, it works with iptables started, but the only established connection I
>>>> see below, is me ssh'ing to the FC4 box to run those commands.
>>>>
>>>> [root at shemp ~]# service iptables start
>>>> [root at shemp ~]# netstat -tupan
>>>> Active Internet connections (servers and established)
>>>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>>> tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
>>>> tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 1348/rpc.statd
>>>> tcp 0 0 0.0.0.0:32774 0.0.0.0:* LISTEN -
>>>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1330/portmap
>>>> tcp 0 0 0.0.0.0:628 0.0.0.0:* LISTEN 1720/rpc.rquotad
>>>> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1630/cupsd
>>>> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1768/sendmail: acce
>>>> tcp 0 0 0.0.0.0:639 0.0.0.0:* LISTEN 1732/rpc.mountd
>>>> tcp 0 0 :::110 :::* LISTEN 1750/dovecot
>>>> tcp 0 0 :::22 :::* LISTEN 1678/sshd
>>>> tcp 0 1440 ::ffff:192.168.254.5:22 ::ffff:192.168.254.3:52541 ESTABLISHED 8920/sshd: charles
>>>> udp 0 0 0.0.0.0:32768 0.0.0.0:* 1348/rpc.statd
>>>> udp 0 0 0.0.0.0:2049 0.0.0.0:* -
>>>> udp 0 0 0.0.0.0:32769 0.0.0.0:* -
>>>> udp 0 0 0.0.0.0:676 0.0.0.0:* 1348/rpc.statd
>>>> udp 0 0 0.0.0.0:111 0.0.0.0:* 1330/portmap
>>>> udp 0 0 0.0.0.0:625 0.0.0.0:* 1720/rpc.rquotad
>>>> udp 0 0 0.0.0.0:631 0.0.0.0:* 1630/cupsd
>>>> udp 0 0 192.168.254.5:123 0.0.0.0:* 1691/ntpd
>>>> udp 0 0 127.0.0.1:123 0.0.0.0:* 1691/ntpd
>>>> udp 0 0 0.0.0.0:123 0.0.0.0:* 1691/ntpd
>>>> udp 0 0 0.0.0.0:636 0.0.0.0:* 1732/rpc.mountd
>>>> udp 0 0 :::123 :::* 1691/ntpd
>>>> [root at shemp ~]#
>>>
>>> Are you actually accessing the nfs partitions from the mac client, when
>>> you run netstat? Copy a big file.
>>
>> Sorry to be so long getting back.
>> It looks like port 800 on FC and 2049 on the Mac.
>> Here's the output:
>>
>> [root at shemp ~]# netstat -tupan
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>> tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
>> tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 1348/rpc.statd
>> tcp 0 0 0.0.0.0:32774 0.0.0.0:* LISTEN -
>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1330/portmap
>> tcp 0 0 0.0.0.0:628 0.0.0.0:* LISTEN 1720/rpc.rquotad
>> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1630/cupsd
>> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1768/sendmail: acce
>> tcp 0 0 0.0.0.0:639 0.0.0.0:* LISTEN 1732/rpc.mountd
>> tcp 0 0 192.168.254.5:800 192.168.254.4:2049 ESTABLISHED -
>> tcp 0 0 :::110 :::* LISTEN 1750/dovecot
>> tcp 0 0 :::22 :::* LISTEN 1678/sshd
>> tcp 0 0 ::ffff:192.168.254.5:110 ::ffff:192.168.254.3:54290 TIME_WAIT -
>> tcp 0 1296 ::ffff:192.168.254.5:22 ::ffff:192.168.254.3:54255 ESTABLISHED 14540/sshd: charles
>> udp 0 0 0.0.0.0:32768 0.0.0.0:* 1348/rpc.statd
>> udp 0 0 0.0.0.0:2049 0.0.0.0:* -
>> udp 0 0 0.0.0.0:32769 0.0.0.0:* -
>> udp 0 0 0.0.0.0:800 0.0.0.0:* -
>> udp 0 0 0.0.0.0:676 0.0.0.0:* 1348/rpc.statd
>> udp 0 0 0.0.0.0:111 0.0.0.0:* 1330/portmap
>> udp 0 0 0.0.0.0:625 0.0.0.0:* 1720/rpc.rquotad
>> udp 0 0 0.0.0.0:631 0.0.0.0:* 1630/cupsd
>> udp 0 0 192.168.254.5:123 0.0.0.0:* 1691/ntpd
>> udp 0 0 127.0.0.1:123 0.0.0.0:* 1691/ntpd
>> udp 0 0 0.0.0.0:123 0.0.0.0:* 1691/ntpd
>> udp 0 0 0.0.0.0:636 0.0.0.0:* 1732/rpc.mountd
>> udp 0 0 :::123 :::* 1691/ntpd
>> [root at shemp ~]#
>>
>
>
> So, you see, the mac is making requests from 2049, which is unprivileged.
> I thought 2049 was the port nfs was listening on, not sending requests from.
>
> I have the exact opposite situation. On my nfs server (192.168.2.40):
> netstat -tupan
>
> tcp 0 0 192.168.2.40:2049 192.168.2.10:800 ESTABLISHED -
> tcp 0 0 192.168.2.40:2049 192.168.2.10:799 ESTABLISHED -
>
> so the client makes requests from low-numbered ports to the nfs port on
> the server.
>
> Perhaps more knowledgeable people than us could figure this out. For
> academic purposes only. Unless I totally misunderstood, and in fact your
> mac is the nfs server, and you're accessing it from FC4. It looks that way
> from your netstat output.
Ummm...no, the FC box is the nfs server. It's running nfsd.
The Mac is not running nfsd, only portmap.
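The check the thread does by eye, written up as an added example (not code from the thread, from Fedora, or from nfs-utils): a Python script that parses `netstat -tupan` output, works out which end of each NFS connection is the server (the end bound to port 2049, whichever host ran netstat), and reports whether the client's source port is in the privileged range (below 1024) that the default `secure` export option requires; a second function lists which /etc/exports entries carry the `insecure` option that switches that check off. The sample netstat and exports text is constructed to resemble the outputs posted above; the exports parser is deliberately simplified (no quoted paths or continuation lines), and all function and constant names are my own.

```python
"""Audit the NFS privileged-port rule from netstat output and /etc/exports.
Added example, not from the thread; sample inputs below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NFS_PORT = 2049
PRIVILEGED_MAX = 1023  # ports 0-1023 can only be bound by root on Unix

# Local/Foreign columns look like "a.b.c.d:port" or "::ffff:a.b.c.d:port";
# the last colon separates the port. Listening sockets show "*" as peer port.
ADDR_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")


@dataclass
class NfsConn:
    proto: str
    local_host: str
    local_port: int
    peer_host: str
    peer_port: int

    @property
    def role(self) -> str:
        """The end bound to 2049 is the server, whichever host ran netstat."""
        if self.local_port == NFS_PORT and self.peer_port != NFS_PORT:
            return "server"
        if self.peer_port == NFS_PORT:
            return "client"
        return "unknown"

    @property
    def client_port(self) -> int:
        """Source port the client side used for this connection."""
        return self.peer_port if self.role == "server" else self.local_port

    @property
    def client_privileged(self) -> bool:
        return self.client_port <= PRIVILEGED_MAX


def split_addr(token: str) -> Optional[Tuple[str, int]]:
    m = ADDR_RE.match(token)
    return (m.group("host"), int(m.group("port"))) if m else None


def parse_nfs_conns(netstat_text: str) -> List[NfsConn]:
    """Keep only connected sockets where either end is the NFS port."""
    conns = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local, peer = split_addr(parts[3]), split_addr(parts[4])
        if local is None or peer is None:  # header line or a listening socket
            continue
        if NFS_PORT not in (local[1], peer[1]):
            continue
        conns.append(NfsConn(parts[0], local[0], local[1], peer[0], peer[1]))
    return conns


def audit_ports(netstat_text: str) -> List[Tuple[str, str, int, bool]]:
    """Return (role, client_host, client_port, passes_secure) per NFS connection."""
    out = []
    for c in parse_nfs_conns(netstat_text):
        if c.role == "unknown":
            continue
        client_host = c.peer_host if c.role == "server" else c.local_host
        out.append((c.role, client_host, c.client_port, c.client_privileged))
    return out


def insecure_exports(exports_text: str) -> List[Tuple[str, str]]:
    """Return (path, client) for every /etc/exports entry using 'insecure'."""
    found = []
    for line in exports_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        path, entries = fields[0], fields[1:]
        for entry in entries:  # e.g. "larry(rw,insecure,sync)"
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", entry)
            if not m:
                continue
            client = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",")}
            if "insecure" in opts:
                found.append((path, client))
    return found


# Constructed sample: a server seeing one privileged and one unprivileged
# client, one line where this host is the client, plus unrelated sockets.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.2.40:2049       192.168.2.10:800        ESTABLISHED -
tcp        0      0 192.168.2.40:2049       192.168.2.10:50646      ESTABLISHED -
tcp        0      0 192.168.254.5:800       192.168.254.4:2049      ESTABLISHED -
tcp        0   1296 ::ffff:192.168.254.5:22 ::ffff:192.168.254.3:54255 ESTABLISHED 14540/sshd: charles
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
"""

SAMPLE_EXPORTS = """\
# constructed, modelled on the thread's /etc/exports
/disc2 moe(rw,sync) larry(ro,sync)
/home larry(rw,insecure,sync)
"""

if __name__ == "__main__":
    for role, host, port, ok in audit_ports(SAMPLE_NETSTAT):
        verdict = "privileged" if ok else "unprivileged: default 'secure' rejects it"
        print(f"this host is the NFS {role}; client {host} used source port {port} ({verdict})")
    for path, client in insecure_exports(SAMPLE_EXPORTS):
        print(f"{path} exported to {client} with 'insecure': privileged-port check disabled")
```

Run it against a saved `netstat -tupan` capture taken on the server while the client is copying a file, and the output tells you at a glance whether a failing mount is the `secure` check (client source port 1024 or above, which is what the "request from insecure port" kernel message above reports) rather than the firewall, and the exports listing records where that check has been switched off for a given client.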
More information about the fedora-list mailing list