Welcome to the Linux Foundation Forum!
problem with nfs permissions
texaganian
Posts: 3
I think I must be drain bamaged...
I'm just trying to export an NFS share and mount it on a client. Should be really easy but I'm failing!
Here's the set up:
Server:
OS: Centos 5.3
Name: fileprint-0 (aliases fp00, fs00)
Exported directory: /home/ESE
Client:
OS: Centos 5.3
Error:
mount: fs00:ESE failed, reason given by server: Permission denied
DETAILS:
1. The various nfs daemons are running on the server:
[[email protected] ~]# service nfs status
rpc.mountd (pid 18040) is running...
nfsd (pid 18037 18036 18035 18034 18033 18032 18031 18030) is running...
rpc.rquotad (pid 18025) is running...
rpc.mountd (pid 18040) is running...
nfsd (pid 18037 18036 18035 18034 18033 18032 18031 18030) is running...
rpc.rquotad (pid 18025) is running...
2. For the moment the firewall has been completely disabled on the server:
[[email protected] ~]# service iptables status
Firewall is stopped.
Firewall is stopped.
3. The directory has been added to /etc/exports, exportfs -ra has been run, and there are no entries in /etc/hosts.deny:
[[email protected] ~]# cat /etc/exports
/home/ESE *(ro,sync) #Site Engineer tools
/home/ESE *(ro,sync) #Site Engineer tools
4. Owner and group for the directory have been set to nsfbody (the users on the clients will always be running as root):
[[email protected] ~]# ls -dal /home/ESE
drwxr-xr-x 3 nfsnobody nfsnobody 4096 Dec 4 05:01 /home/ESE
drwxr-xr-x 3 nfsnobody nfsnobody 4096 Dec 4 05:01 /home/ESE
5. The clients are able to resolve and ping the server as fs00:
[[email protected] named]# host fs00
fs00.lab-0.agilulf.local is an alias for fileprint-0.lab-0.agilulf.local.
fileprint-0.lab-0.agilulf.local has address 10.42.0.24
[[email protected] named]# ping fs00
PING fileprint-0.lab-0.agilulf.local (10.42.0.24) 56(84) bytes of data.
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=1 ttl=64 time=0.715 ms
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=2 ttl=64 time=0.402 ms
--- fileprint-0.lab-0.agilulf.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1099ms
rtt min/avg/max/mdev = 0.402/0.558/0.715/0.158 ms
fs00.lab-0.agilulf.local is an alias for fileprint-0.lab-0.agilulf.local.
fileprint-0.lab-0.agilulf.local has address 10.42.0.24
[[email protected] named]# ping fs00
PING fileprint-0.lab-0.agilulf.local (10.42.0.24) 56(84) bytes of data.
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=1 ttl=64 time=0.715 ms
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=2 ttl=64 time=0.402 ms
--- fileprint-0.lab-0.agilulf.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1099ms
rtt min/avg/max/mdev = 0.402/0.558/0.715/0.158 ms
6. The local mount point on the client exists:
[[email protected] named]# ls -dal /mnt/ESE
drwxr-xr-x 2 root root 4096 Oct 27 16:04 /mnt/ESE
drwxr-xr-x 2 root root 4096 Oct 27 16:04 /mnt/ESE
7. But attempts to mount the directory fail:
[[email protected] named]# mount -t nfs fs00:ESE /mnt/ESE
mount: fs00:ESE failed, reason given by server: Permission denied
mount: fs00:ESE failed, reason given by server: Permission denied
8. I've tried setting no_squash but without any more success.
Anybody see what I am doing wrong?
0
Comments
-
texaganian wrote:3. The directory has been added to /etc/exports, exportfs -ra has been run, and there are no entries in /etc/hosts.deny:
[[email protected] ~]# cat /etc/exports /home/ESE *(ro,sync) #Site Engineer tools
Anybody see what I am doing wrong?
Judging by what I am seeing in the manual the wildcard is to be used with in combination with a domain or other criteria. I recommend removing the widcard so it accepts all host which would modify in /etc/exports to:/home/ESE (ro,sync,all_squash) #Site Engineer tools
However I would recommend adding some type of limiting criteria to both your firewall all exports file to limit outside users from accessing the service such as:
In exports-/home/ESE 10.42.0.0/24(ro,sync,all_squash) #Site Engineer tools
and in your firewall-iptables -A INPUT -P ALL -s 10.42.0.0/24 --dport 2049 -j ACCEPT iptables -A INPUT -P ALL -s 0/0 --dport 2049 -j DROP
Don't forget to restart the service to reload the exports file before testing it.0 -
Thanks for the response. Alas, that doesn't seem to be the issue:
[[email protected] ~]# cp /etc/exports /etc/exports.OLD [[email protected] ~]# vi /etc/exports [[email protected] ~]# service nfs restart Shutting down NFS mountd: [ OK ] Shutting down NFS daemon: [ OK ] Shutting down NFS quotas: [ OK ] Shutting down NFS services: [ OK ] Starting NFS services: exportfs: No host name given with /home/ESE (ro,sync), suggest *(ro,sync) to avoid warning [ OK ] Starting NFS quotas: [ OK ] Starting NFS daemon: [ OK ] Starting NFS mountd: [ OK ]
and I still got the same error.0 -
I am installing a virtual machine now so I can configure it as an NFS server to test your configuration. I will report back advising what works for me.0
-
I got it to work, the issue is that you have not identified the anonuid and anongid to be used internally by the server to assess the rights of the attaching user.
What worked for me was:/home/ESE *(ro,sync.anonid=99,anongid=98)
On my system user 99 is nobody and group 98 is nobody. This gave me read only access to the files.0 -
Actually it was simpler than that.
I just foobarred the mount command (left out the leading slash) and my eyes were refusing to see it. Became obvious instantly when I finally remembered to tail /var/log/messages.
Doh!0
Categories
- 10.1K All Categories
- 35 LFX Mentorship
- 88 LFX Mentorship: Linux Kernel
- 501 Linux Foundation Boot Camps
- 278 Cloud Engineer Boot Camp
- 103 Advanced Cloud Engineer Boot Camp
- 47 DevOps Engineer Boot Camp
- 40 Cloud Native Developer Boot Camp
- 2 Express Training Courses
- 2 Express Courses - Discussion Forum
- 1.7K Training Courses
- 17 LFC110 Class Forum
- 4 LFC131 Class Forum
- 19 LFD102 Class Forum
- 148 LFD103 Class Forum
- 12 LFD121 Class Forum
- 61 LFD201 Class Forum
- LFD210 Class Forum
- 1 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum
- 23 LFD254 Class Forum
- 566 LFD259 Class Forum
- 100 LFD272 Class Forum
- 1 LFD272-JP クラス フォーラム
- 1 LFS145 Class Forum
- 22 LFS200 Class Forum
- 739 LFS201 Class Forum
- 1 LFS201-JP クラス フォーラム
- 1 LFS203 Class Forum
- 43 LFS207 Class Forum
- 298 LFS211 Class Forum
- 53 LFS216 Class Forum
- 46 LFS241 Class Forum
- 40 LFS242 Class Forum
- 37 LFS243 Class Forum
- 10 LFS244 Class Forum
- 27 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- 131 LFS253 Class Forum
- 993 LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 87 LFS260 Class Forum
- 126 LFS261 Class Forum
- 31 LFS262 Class Forum
- 79 LFS263 Class Forum
- 15 LFS264 Class Forum
- 10 LFS266 Class Forum
- 17 LFS267 Class Forum
- 17 LFS268 Class Forum
- 21 LFS269 Class Forum
- 200 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 212 LFW211 Class Forum
- 153 LFW212 Class Forum
- 899 Hardware
- 217 Drivers
- 74 I/O Devices
- 44 Monitors
- 115 Multimedia
- 208 Networking
- 101 Printers & Scanners
- 85 Storage
- 749 Linux Distributions
- 88 Debian
- 64 Fedora
- 14 Linux Mint
- 13 Mageia
- 24 openSUSE
- 133 Red Hat Enterprise
- 33 Slackware
- 13 SUSE Enterprise
- 355 Ubuntu
- 472 Linux System Administration
- 38 Cloud Computing
- 69 Command Line/Scripting
- Github systems admin projects
- 94 Linux Security
- 77 Network Management
- 107 System Management
- 49 Web Management
- 63 Mobile Computing
- 22 Android
- 27 Development
- 1.2K New to Linux
- 1.1K Getting Started with Linux
- 527 Off Topic
- 127 Introductions
- 213 Small Talk
- 19 Study Material
- 794 Programming and Development
- 262 Kernel Development
- 498 Software Development
- 922 Software
- 257 Applications
- 182 Command Line
- 2 Compiling/Installing
- 76 Games
- 316 Installation
- 52 All In Program
- 52 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)