NFS in kernel 2.6 and Netapp: privileged ports problem

NFS in kernel 2.6 and Netapp: privileged ports problem

[Filipe Brandenburger]

Hello, all.

I'm having problems when mounting NFS in a Netapp FAS 740 filer on a
Linux RHAS4 Kernel 2.6 client. The message I get is:

[root@talara ~]# mount -a
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak
mount: RPC: Authentication error; why = Client credential too weak

Sometimes it works, most times it fails with the message above. If I use
the same setup above but with RH7.3 Kernel 2.4, it works without a
problem.

I found out this page that says it can be related to the client not
using privileged ports to do the mount:
http://teaparty.mathworks.com:1999/toasters/7212.html
(Or in Google's cache, only way I could open it:)
http://64.233.161.104/search?q=cache:K78rCZz1UnMJ:teaparty.mathworks.com:1999/toasters/7212.html+%22mount:+RPC:+Authentication+error%3B+why+%3D+Client+credential+too+weak%22+%2BNetapp&hl=en&start=1

This other post seems to confirm the issue:
http://www.archivum.info/netfilter/2002-03/msg00591.html

I also found a thread asking on how to force Linux to use privileged
ports, but it seemed the problem of the guy was another one, related to
MTU's, so that no solution to the unprivileged port was given.

So I ask:

- Anyone experienced this too?
- Is there a way on kernel 2.6 to force it to use privileged ports to do
the mount?
- This one is not related to Linux, but anyone knows if it's possible to
disable the privileged port restriction on the Netapp filer? This would
be acceptable to me to solve this problem.

I have tcpdump of a failed mounting session, so that I can provide it to
you upon request, if you think it could lead to some clue about what's
happening.

Thanks in advance!
Branden



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: NFS in kernel 2.6 and Netapp: privileged ports problem

[Steve Dickson]

Filipe Brandenburger wrote:
> I'm having problems when mounting NFS in a Netapp FAS 740 filer on a
> Linux RHAS4 Kernel 2.6 client. The message I get is:
> 
> [root@talara ~]# mount -a
> mount: RPC: Authentication error; why = Client credential too weak
Your running out of privileged ports....

The problem is the glibc pmap_getport() routine uses
privileged ports to get ports from portmapper (when TCP
is specified) which is wrong. So these ports end up in
TIME_WAIT, which makes them (temporary) unusable for mounts.
(Do a netstat -an | grep TIME_WAIT and notice all the ports are < 1024).
Now, when a privileged port is not available, a normal port (i.e. >
1023) will be used which will cause the above message.

Note: the glibc is fixed in FC4 and in upcoming RHEL3 and RHEL4
releases.

> Sometimes it works, most times it fails with the message above. If I use
> the same setup above but with RH7.3 Kernel 2.4, it works without a
> problem.
This is because UDP is the default protocol for mounts where as with
later releases TCP is the default.

> 
> So I ask:
> 
> - Anyone experienced this too?
Yes... see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154678

> - Is there a way on kernel 2.6 to force it to use privileged ports to do
> the mount?
I don't think so...

> - This one is not related to Linux, but anyone knows if it's possible to
> disable the privileged port restriction on the Netapp filer? This would
> be acceptable to me to solve this problem.
You could try adding 'insecure' to your exports options... and
you could also try using UDP mounts by specifying the '-o udp'
mount option.

steved.




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs