From: Joschi Brauchle <joschi.brauchle@tum.de>
To: Jeff Layton <jlayton@poochiereds.net>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"Fehenberger, Tobias" <tobias.fehenberger@tum.de>,
"Stinner, Markus" <markus.stinner@tum.de>
Subject: Re: Need help debugging NFSv3+KRB5+PAT (Port Address Translation) problem
Date: Fri, 26 Sep 2014 18:24:33 +0200 [thread overview]
Message-ID: <54259341.30709@tum.de> (raw)
In-Reply-To: <20140926115646.684c8e3c@tlielax.poochiereds.net>
[-- Attachment #1: Type: text/plain, Size: 1933 bytes --]
On 09/26/2014 05:56 PM, Jeff Layton wrote:
> On Fri, 26 Sep 2014 17:31:55 +0200
> Joschi Brauchle <joschi.brauchle@tum.de> wrote:
>
>> Hello everyone,
>>
>> I need some help debugging a NFSv3 + KRB5 + PAT (Port Address
>> Translation) problem.
>>
>> We have two hosts behind a firewall and an NFSv3 server outside
>> requiring KRB5 authentication.
>>
>> 1) Client_NAT is using NAT (network address translation),
>> 2) Client_PAT is using PAT (port address translation)
>> to reach the NFSv3 server through the firewall.
>>
>> Both clients are configured identically in terms of Kerberos and so on.
>>
>> Mounting an NFSv3 share now fails on Client_PAT with the message:
>> RPC: server SERVERNAME requires stronger authentication.
>> On Client_NAT, mounting succeeds.
>>
>> We strongly suspect the port address translation to be the reason for
>> the failure, but would need help confirming this and advice on how to
>> fix it.
>>
>> Please find here the RPC debug logs from
>> Client_NAT: http://pastebin.com/9RANqVgY
>> Client_PAT: http://pastebin.com/TiscNVqW
>> Here is a DIFF between the two: http://pastebin.com/wCg7WyYd
>>
>> I'm grateful for any help on this problem!
>>
>> Best regards,
>> Joschi Brauchle
>
> I'm not terribly familiar with the PAT vs. NAT distinction, but many
> NFS servers require you to use privileged ports to connect to them. Is
> your PAT client having its privileged port converted to a
> non-privileged one?
>
> If so (and if the server is Linux-based) then you can try to get around
> that by exporting with the "insecure" export option.
We do not have control over the NFS server, but from the firewall logs I
can see that the PAT client trying to access the server with an
originally privileged port (<1024) gets translated to a non-privileged
one. Shortly after that, the mount fails.
So I guess this is the problem! Thanks for the hint.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4917 bytes --]
prev parent reply other threads:[~2014-09-26 16:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-26 15:31 Need help debugging NFSv3+KRB5+PAT (Port Address Translation) problem Joschi Brauchle
2014-09-26 15:56 ` Jeff Layton
2014-09-26 16:24 ` Joschi Brauchle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54259341.30709@tum.de \
--to=joschi.brauchle@tum.de \
--cc=jlayton@poochiereds.net \
--cc=linux-nfs@vger.kernel.org \
--cc=markus.stinner@tum.de \
--cc=tobias.fehenberger@tum.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox