[LUNA] NFS on unprivileged ports ....
William A. Mahaffey III
wam at hiwaay.net
Tue Aug 26 14:43:52 CDT 2014
& we have a winner .... actual changes:
in /etc/rc.conf:
weak_mountd_authentication="yes"
followed by:
# service mountd forcerestart
& I am off to the races !!!! *Booooyah* !!!!
On 08/26/14 14:16, Branden Harper wrote:
> According to /etc/defaults/rc.conf , you can set the mountd_flags option.
>
> defaults:
> mountd_enable="NO" # Run mountd (or NO).
> mountd_flags="-r" # Flags to mountd (if NFS server enabled).
>
>
> On Tue, Aug 26, 2014 at 2:16 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>>
>> '-n' is indeed an option, I could (easily) edit the rc.d/mountd file, but
>> then I would have to remember to redo that every upgrade .... There doesn't
>> seem to be any way to pass that option in .... I could try to 'correct' the
>> other box, but it is a VM running on an FC14 box, I think that has something
>> to do w/ it ....
>>
>>
>> The linux boxen seem to allow it automatically, have for years now (at least
>> on my LAN, all w/ *old* distros, FC14 era ....)
>>
>>
>>
>> On 08/26/14 10:05, Bob Nance wrote:
>>> Go look at your “mountd” options and see if there is one that allows
>>> connections from an unprivileged port (a port higher that 1024, as all ports
>>> under 1024 can only be opened by a “root” level account/process). It’s
>>> likely that it is NOT an option. I think at least one BSD build of mountd
>>> offered a “-n” option, but I don’t think it’s there in any of the Linux
>>> distros.
>>>
>>> The real fix would be to get the offending connection to use the right
>>> port. Can you make it a system-based mount instead of a user-environment
>>> mount? That might fix it by allowing the NFS mount program to use a port
>>> lower than 1024.
>>>
>>> -Bob
>>>
>>>
>>>
>>> ---
>>> Bob Nance
>>> Novation Systems
>>> bob.nance at novationsys.com
>>> 256-534-4620
>>>
>>> On Aug 26, 2014, at 9:30 AM, William A. Mahaffey III <wam at HiWAAY.net>
>>> wrote:
>>>
>>>> .... I have nfsd running on my FBSD 9.3 desktop, exporting /home (~3.6
>>>> TiB). I can mount/see/use it from all other machines on my LAN (all Linux
>>>> boxen) *except* for a CentOS 5.n VM running on one of the other boxen. When
>>>> the VM tries to (auto)mount the exported partition on the FBSD box
>>>> ('jaguar'), I get the following (from earlier this A.M.):
>>>>
>>>>
>>>> [root at centos-5:/etc, Tue Aug 26, 06:28 AM] 1008 # lf /net/jaguar/home/ /net/q6600/home/ /net/opty165a/work/ /net/opty165a/home/ /net/cube/home/
>>>> ls: /net/jaguar/home/: No such file or directory
>>>> /net/cube/home/:
>>>> Opty165A/ Q6600/ VMs/ archive/ lost+found/ makedepend* pub/ wam/
>>>>
>>>> /net/opty165a/home/:
>>>> FTP/ RPMs/ SGI/ archive/ lost+found/ rsync/ wam/
>>>>
>>>> /net/opty165a/work/:
>>>> FTP/ ISOs/ RPMs/ VMs/ archive/ lost+found/ vmware/ wam/
>>>>
>>>> /net/q6600/home/:
>>>> FTP/ ISOs/ VMs/ archive/ lost+found/ rsync/ wam/ work/
>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1009 # df ; w ; /sbin/swapon -s ; free -m ; uname -a ; hwclock -r; date
>>>> Filesystem Type 1K-blocks Used Available Use% Mounted on
>>>> /dev/mapper/VolGroup00-LogVol00
>>>> ext3 46691248 7505344 36775820 17% /
>>>> /dev/hda1 ext3 101086 26854 69013 29% /boot
>>>> tmpfs tmpfs 1029372 0 1029372 0% /dev/shm
>>>> q6600:/home nfs 1906370560 1025951744 783581184 57% /net/q6600/home
>>>> opty165a:/work nfs 480719104 410868736 45431040 91% /net/opty165a/work
>>>> opty165a:/home nfs 473086208 351912192 96754944 79% /net/opty165a/home
>>>> cube:/home nfs 155794432 143113728 4638976 97% /net/cube/home
>>>> 06:29:20 up 121 days, 12:12, 3 users, load average: 0.04, 0.02, 0.00
>>>> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
>>>> wam pts/0 192.168.122.1 Thu07 46:20m 1.96s 1.96s -tcsh
>>>> root pts/1 192.168.122.1 Sun08 46:11m 0.09s 0.09s -bash
>>>> root pts/2 192.168.122.1 Sun08 0.00s 0.09s 0.08s -bash
>>>> Filename Type Size Used Priority
>>>> /dev/mapper/VolGroup00-LogVol01 partition 4095992 76 -1
>>>> total used free shared buffers cached
>>>> Mem: 2010 1891 118 0 327 943
>>>> -/+ buffers/cache: 620 1389
>>>> Swap: 3999 0 3999
>>>> Linux centos-5.6-vm 2.6.18-371.8.1.el5.centos.plus #1 SMP Thu Apr 24 18:32:18 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>> Tue Aug 26 06:29:28 2014 -1.008094 seconds
>>>> Tue Aug 26 06:29:21 CDT 2014
>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1010 #
>>>>
>>>>
>>>> i.e., it can see all other exported partitions except the FBSD (jaguar).
>>>> On the FBSD box, I get the following:
>>>>
>>>>
>>>>
>>>> [root at kabini1, /etc, 6:24:31am] 708 % grep vfs LIST.sysctl-A.txt | grep nfs | grep priv
>>>> vfs.nfsd.nfs_privport: 0
>>>> [root at kabini1, /etc, 6:24:50am] 709 % service mountd status
>>>> Cannot 'status' mountd. Set mountd_enable to YES in /etc/rc.conf or use
>>>> 'onestatus' instead of 'status'.
>>>> [root at kabini1, /etc, 6:26:08am] 710 % service mountd onestatus
>>>> mountd is running as pid 718.
>>>> [root at kabini1, /etc, 6:26:16am] 711 % ps -aux | grep mountd
>>>> root 718 0.0 0.0 16180 3836 ?? Is 15Aug14 0:00.03 /usr/sbin/mountd -r
>>>> root 51859 0.0 0.0 16332 2024 10 S+ 6:26AM 0:00.00 grep mountd
>>>> wam 51820 0.0 0.0 14544 2428 17 I+ 6:22AM 0:00.01 /bin/sh /usr/bin/man mountd
>>>> [root at kabini1, /etc, 6:26:35am] 712 % grep -i mountd rc.d/*
>>>> rc.d/mountd:# $FreeBSD: releng/9.3/etc/rc.d/mountd 231792 2012-02-15 22:59:15Z dougb $
>>>> rc.d/mountd:# PROVIDE: mountd
>>>> rc.d/mountd:name="mountd"
>>>> rc.d/mountd:rcvar="mountd_enable"
>>>> rc.d/mountd:start_precmd="mountd_precmd"
>>>> rc.d/mountd:mountd_precmd()
>>>> rc.d/mountd: # mountd flags will differ depending on rc.conf settings
>>>> rc.d/mountd: if checkyesno weak_mountd_authentication; then
>>>> rc.d/mountd: rc_flags="${mountd_flags} -n"
>>>> rc.d/mountd: if checkyesno mountd_enable; then
>>>> rc.d/mountd: checkyesno weak_mountd_authentication && rc_flags="-n"
>>>> rc.d/mountd: rm -f /var/db/mountdtab
>>>> rc.d/mountd: ( umask 022 ; > /var/db/mountdtab ) ||
>>>> rc.d/mountd: err 1 'Cannot create /var/db/mountdtab'
>>>> rc.d/nfsd:# REQUIRE: mountd hostname gssd nfsuserd
>>>> rc.d/nfsd: force_depend mountd || return 1
>>>> [root at kabini1, /etc, 6:27:19am] 713 % (tail -10 /var/log/messages ; date)
>>>> Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>> Aug 24 08:18:12 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>> Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
>>>> Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>> Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
>>>> Aug 24 11:37:21 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
>>>> Aug 24 11:38:57 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
>>>> Aug 24 11:40:21 kabini1 dbus[738]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
>>>> Aug 24 11:48:49 kabini1 last message repeated 7 times
>>>> Aug 26 06:29:25 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>> Tue Aug 26 06:30:14 CDT 2014
>>>> [root at kabini1, /etc, 6:30:14am] 714 %
>>>>
>>>>
>>>> i.e., the mount request from the VM is apparently coming in on an
>>>> unprivileged port & the FBSD box's mountd is dropping/ignoring it. The other
>>>> boxen handle it OK. I have ipfw dropping all such traffic *not* originating
>>>> on my LAN, so I don't mind using the unprivileged port (I don't think there
>>>> are any security issues). How do I get FBSD's nfsd/mountd to allow/handle
>>>> the mount request on unprivileged ports ? TIA ....
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> William A. Mahaffey III
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> "The M1 Garand is without doubt the finest implement of war
>>>> ever devised by man."
>>>> -- Gen. George S. Patton Jr.
>>>>
>>>> _______________________________________________
>>>> LUNA mailing list
>>>> LUNA at lunagroup.us
>>>> http://lunagroup.us/mailman/listinfo/luna
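As an added example (not from the thread and not FreeBSD's own rc code), a POSIX shell script covering the checking side of the fix discussed above: it counts the "mount request from ... from unprivileged port" syslog lines per client, using constructed sample lines in the same format as the quoted /var/log/messages, and reports whether an rc.conf fragment turns on weak_mountd_authentication, the setting that makes rc.d/mountd pass -n to mountd. The sample log and rc.conf fragments are constructed, and the function names unpriv_clients and weak_auth_enabled are chosen here.

```shell
#!/bin/sh
# Added example: audit mountd unprivileged-port rejections and the rc.conf
# setting that disables that check. Sample data below is constructed.

SAMPLE_LOG='Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
Aug 26 06:29:25 kabini1 mountd[718]: mount request from 10.0.0.5 from unprivileged port'

# Print "count ip" lines, most frequent first, for every client whose mount
# request mountd rejected because its source port was >= 1024.
unpriv_clients() {
    printf '%s\n' "$1" |
        awk '/mountd\[[0-9]+\]: mount request from .* from unprivileged port/ {
                 # the client address is the word after the first "from"
                 for (i = 1; i <= NF; i++)
                     if ($i == "from" && $(i+1) != "unprivileged") { n[$(i+1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Return 0 if the given rc.conf text enables weak_mountd_authentication.
# FreeBSD's checkyesno accepts yes/true/on/1 case-insensitively, so the
# regex mirrors that; rc.d/mountd then appends -n to mountd's flags.
weak_auth_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*weak_mountd_authentication="?(yes|true|on|1)"?[[:space:]]*$'
}

# Constructed rc.conf fragments: the fix from the thread, and the default.
RC_FIXED='nfs_server_enable="YES"
weak_mountd_authentication="yes"'
RC_DEFAULT='nfs_server_enable="YES"'

main() {
    echo "mountd rejections by client (count ip):"
    unpriv_clients "$SAMPLE_LOG"
    if weak_auth_enabled "$RC_FIXED"; then
        echo "weak_mountd_authentication is on: mountd -n accepts these clients"
    else
        echo "weak_mountd_authentication is off: mountd keeps rejecting them"
    fi
}

main
```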