From: Joschi Brauchle <joschi.brauchle@tum.de>
To: Jeff Layton <jlayton@poochiereds.net>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"Fehenberger, Tobias" <tobias.fehenberger@tum.de>,
"Stinner, Markus" <markus.stinner@tum.de>
Subject: Re: Need help debugging NFSv3+KRB5+PAT (Port Address Translation) problem
Date: Fri, 26 Sep 2014 18:24:33 +0200 [thread overview]
Message-ID: <54259341.30709@tum.de> (raw)
In-Reply-To: <20140926115646.684c8e3c@tlielax.poochiereds.net>
[-- Attachment #1: Type: text/plain, Size: 1933 bytes --]
On 09/26/2014 05:56 PM, Jeff Layton wrote:
> On Fri, 26 Sep 2014 17:31:55 +0200
> Joschi Brauchle <joschi.brauchle@tum.de> wrote:
>
>> Hello everyone,
>>
>> I need some help debugging a NFSv3 + KRB5 + PAT (Port Address
>> Translation) problem.
>>
>> We have two hosts behind a firewall and an NFSv3 server outside
>> requiring KRB5 authentication.
>>
>> 1) Client_NAT is using NAT (network address translation),
>> 2) Client_PAT is using PAT (port address translation)
>> to reach the NFSv3 server through the firewall.
>>
>> Both clients are configured identically in terms of Kerberos and so on.
>>
>> Mounting an NFSv3 share now fails on Client_PAT with the message:
>> RPC: server SERVERNAME requires stronger authentication.
>> On Client_NAT, mounting succeeds.
>>
>> We strongly suspect the port address translation to be the reason for
>> the failure, but would need help confirming this and advice on how to
>> fix it.
>>
>> Please find here the RPC debug logs from
>> Client_NAT: http://pastebin.com/9RANqVgY
>> Client_PAT: http://pastebin.com/TiscNVqW
>> Here is a DIFF between the two: http://pastebin.com/wCg7WyYd
>>
>> I'm grateful for any help on this problem!
>>
>> Best regards,
>> Joschi Brauchle
>
> I'm not terribly familiar with the PAT vs. NAT distinction, but many
> NFS servers require you to use privileged ports to connect to them. Is
> your PAT client having its privileged port converted to a
> non-privileged one?
>
> If so (and if the server is Linux-based) then you can try to get around
> that by exporting with the "insecure" export option.
We do not have control over the NFS server, but from the firewall logs I
can see that the PAT client trying to access the server with an
originally privileged port (<1024) gets translated to a non-privileged
one. Shortly after that, the mount fails.
So I guess this is the problem! Thanks for the hint.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4917 bytes --]
prev parent reply other threads:[~2014-09-26 16:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-26 15:31 Need help debugging NFSv3+KRB5+PAT (Port Address Translation) problem Joschi Brauchle
2014-09-26 15:56 ` Jeff Layton
2014-09-26 16:24 ` Joschi Brauchle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54259341.30709@tum.de \
--to=joschi.brauchle@tum.de \
--cc=jlayton@poochiereds.net \
--cc=linux-nfs@vger.kernel.org \
--cc=markus.stinner@tum.de \
--cc=tobias.fehenberger@tum.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.