Welcome to the Linux Foundation Forum!
problem with nfs permissions
texaganian
Posts: 3
I think I must be drain bamaged...
I'm just trying to export an NFS share and mount it on a client. Should be really easy but I'm failing!
Here's the set up:
Server:
OS: Centos 5.3
Name: fileprint-0 (aliases fp00, fs00)
Exported directory: /home/ESE
Client:
OS: Centos 5.3
Error:
mount: fs00:ESE failed, reason given by server: Permission denied
DETAILS:
1. The various nfs daemons are running on the server:
[[email protected] ~]# service nfs status
rpc.mountd (pid 18040) is running...
nfsd (pid 18037 18036 18035 18034 18033 18032 18031 18030) is running...
rpc.rquotad (pid 18025) is running...
rpc.mountd (pid 18040) is running...
nfsd (pid 18037 18036 18035 18034 18033 18032 18031 18030) is running...
rpc.rquotad (pid 18025) is running...
2. For the moment the firewall has been completely disabled on the server:
[[email protected] ~]# service iptables status
Firewall is stopped.
Firewall is stopped.
3. The directory has been added to /etc/exports, exportfs -ra has been run, and there are no entries in /etc/hosts.deny:
[[email protected] ~]# cat /etc/exports
/home/ESE *(ro,sync) #Site Engineer tools
/home/ESE *(ro,sync) #Site Engineer tools
4. Owner and group for the directory have been set to nsfbody (the users on the clients will always be running as root):
[[email protected] ~]# ls -dal /home/ESE
drwxr-xr-x 3 nfsnobody nfsnobody 4096 Dec 4 05:01 /home/ESE
drwxr-xr-x 3 nfsnobody nfsnobody 4096 Dec 4 05:01 /home/ESE
5. The clients are able to resolve and ping the server as fs00:
[[email protected] named]# host fs00
fs00.lab-0.agilulf.local is an alias for fileprint-0.lab-0.agilulf.local.
fileprint-0.lab-0.agilulf.local has address 10.42.0.24
[[email protected] named]# ping fs00
PING fileprint-0.lab-0.agilulf.local (10.42.0.24) 56(84) bytes of data.
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=1 ttl=64 time=0.715 ms
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=2 ttl=64 time=0.402 ms
--- fileprint-0.lab-0.agilulf.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1099ms
rtt min/avg/max/mdev = 0.402/0.558/0.715/0.158 ms
fs00.lab-0.agilulf.local is an alias for fileprint-0.lab-0.agilulf.local.
fileprint-0.lab-0.agilulf.local has address 10.42.0.24
[[email protected] named]# ping fs00
PING fileprint-0.lab-0.agilulf.local (10.42.0.24) 56(84) bytes of data.
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=1 ttl=64 time=0.715 ms
64 bytes from fileprint-0.lab-0.agilulf.local (10.42.0.24): icmp_seq=2 ttl=64 time=0.402 ms
--- fileprint-0.lab-0.agilulf.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1099ms
rtt min/avg/max/mdev = 0.402/0.558/0.715/0.158 ms
6. The local mount point on the client exists:
[[email protected] named]# ls -dal /mnt/ESE
drwxr-xr-x 2 root root 4096 Oct 27 16:04 /mnt/ESE
drwxr-xr-x 2 root root 4096 Oct 27 16:04 /mnt/ESE
7. But attempts to mount the directory fail:
[[email protected] named]# mount -t nfs fs00:ESE /mnt/ESE
mount: fs00:ESE failed, reason given by server: Permission denied
mount: fs00:ESE failed, reason given by server: Permission denied
8. I've tried setting no_squash but without any more success.
Anybody see what I am doing wrong?
0
Comments
-
texaganian wrote:3. The directory has been added to /etc/exports, exportfs -ra has been run, and there are no entries in /etc/hosts.deny:
[[email protected] ~]# cat /etc/exports /home/ESE *(ro,sync) #Site Engineer tools
Anybody see what I am doing wrong?
Judging by what I am seeing in the manual the wildcard is to be used with in combination with a domain or other criteria. I recommend removing the widcard so it accepts all host which would modify in /etc/exports to:/home/ESE (ro,sync,all_squash) #Site Engineer tools
However I would recommend adding some type of limiting criteria to both your firewall all exports file to limit outside users from accessing the service such as:
In exports-/home/ESE 10.42.0.0/24(ro,sync,all_squash) #Site Engineer tools
and in your firewall-iptables -A INPUT -P ALL -s 10.42.0.0/24 --dport 2049 -j ACCEPT iptables -A INPUT -P ALL -s 0/0 --dport 2049 -j DROP
Don't forget to restart the service to reload the exports file before testing it.0 -
Thanks for the response. Alas, that doesn't seem to be the issue:
[[email protected] ~]# cp /etc/exports /etc/exports.OLD [[email protected] ~]# vi /etc/exports [[email protected] ~]# service nfs restart Shutting down NFS mountd: [ OK ] Shutting down NFS daemon: [ OK ] Shutting down NFS quotas: [ OK ] Shutting down NFS services: [ OK ] Starting NFS services: exportfs: No host name given with /home/ESE (ro,sync), suggest *(ro,sync) to avoid warning [ OK ] Starting NFS quotas: [ OK ] Starting NFS daemon: [ OK ] Starting NFS mountd: [ OK ]
and I still got the same error.0 -
I am installing a virtual machine now so I can configure it as an NFS server to test your configuration. I will report back advising what works for me.0
-
I got it to work, the issue is that you have not identified the anonuid and anongid to be used internally by the server to assess the rights of the attaching user.
What worked for me was:/home/ESE *(ro,sync.anonid=99,anongid=98)
On my system user 99 is nobody and group 98 is nobody. This gave me read only access to the files.0 -
Actually it was simpler than that.
I just foobarred the mount command (left out the leading slash) and my eyes were refusing to see it. Became obvious instantly when I finally remembered to tail /var/log/messages.
Doh!0
Categories
- 9.3K All Categories
- 16 LFX Mentorship
- 69 LFX Mentorship: Linux Kernel
- 387 Linux Foundation Boot Camps
- 238 Cloud Engineer Boot Camp
- 76 Advanced Cloud Engineer Boot Camp
- 30 DevOps Engineer Boot Camp
- 10 Cloud Native Developer Boot Camp
- 1.1K Training Courses
- 15 LFC110 Class Forum
- 17 LFD102 Class Forum
- 110 LFD103 Class Forum
- 7 LFD121 Class Forum
- 59 LFD201 Class Forum
- 1 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum
- 21 LFD254 Class Forum
- 476 LFD259 Class Forum
- 91 LFD272 Class Forum
- 1 LFD272-JP クラス フォーラム
- 17 LFS200 Class Forum
- 730 LFS201 Class Forum
- LFS201-JP クラス フォーラム
- 286 LFS211 Class Forum
- 51 LFS216 Class Forum
- 28 LFS241 Class Forum
- 28 LFS242 Class Forum
- 26 LFS243 Class Forum
- 9 LFS244 Class Forum
- 15 LFS250 Class Forum
- LFS250-JP クラス フォーラム
- 115 LFS253 Class Forum
- 845 LFS258 Class Forum
- 8 LFS258-JP クラス フォーラム
- 56 LFS260 Class Forum
- 91 LFS261 Class Forum
- 19 LFS262 Class Forum
- 76 LFS263 Class Forum
- 15 LFS264 Class Forum
- 10 LFS266 Class Forum
- 10 LFS267 Class Forum
- 14 LFS268 Class Forum
- 7 LFS269 Class Forum
- 185 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 195 LFW211 Class Forum
- 121 LFW212 Class Forum
- 883 Hardware
- 210 Drivers
- 74 I/O Devices
- 44 Monitors
- 115 Multimedia
- 205 Networking
- 98 Printers & Scanners
- 82 Storage
- 734 Linux Distributions
- 85 Debian
- 64 Fedora
- 12 Linux Mint
- 13 Mageia
- 23 openSUSE
- 128 Red Hat Enterprise
- 33 Slackware
- 13 SUSE Enterprise
- 351 Ubuntu
- 456 Linux System Administration
- 33 Cloud Computing
- 65 Command Line/Scripting
- Github systems admin projects
- 92 Linux Security
- 77 Network Management
- 105 System Management
- 46 Web Management
- 54 Mobile Computing
- 19 Android
- 22 Development
- 1.2K New to Linux
- 1.1K Getting Started with Linux
- 514 Off Topic
- 121 Introductions
- 206 Small Talk
- 19 Study Material
- 761 Programming and Development
- 245 Kernel Development
- 482 Software Development
- 904 Software
- 247 Applications
- 178 Command Line
- 2 Compiling/Installing
- 73 Games
- 315 Installation
- 29 All In Program
- 29 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)