On 09/26/2014 05:56 PM, Jeff Layton wrote: > On Fri, 26 Sep 2014 17:31:55 +0200 > Joschi Brauchle wrote: > >> Hello everyone, >> >> I need some help debugging a NFSv3 + KRB5 + PAT (Port Address >> Translation) problem. >> >> We have two hosts behind a firewall and an NFSv3 server outside >> requiring KRB5 authentication. >> >> 1) Client_NAT is using NAT (network address translation), >> 2) Client_PAT is using PAT (port address translation) >> to reach the NFSv3 server through the firewall. >> >> Both clients are configured identically in terms of Kerberos and so on. >> >> Mounting an NFSv3 share now fails on Client_PAT with the message: >> RPC: server SERVERNAME requires stronger authentication. >> On Client_NAT, mounting succeeds. >> >> We strongly suspect the port address translation to be the reason for >> the failure, but would need help confirming this and advice on how to >> fix it. >> >> Please find here the RPC debug logs from >> Client_NAT: http://pastebin.com/9RANqVgY >> Client_PAT: http://pastebin.com/TiscNVqW >> Here is a DIFF between the two: http://pastebin.com/wCg7WyYd >> >> I'm grateful for any help on this problem! >> >> Best regards, >> Joschi Brauchle > > I'm not terribly familiar with the PAT vs. NAT distinction, but many > NFS servers require you to use privileged ports to connect to them. Is > your PAT client having its privileged port converted to a > non-privileged one? > > If so (and if the server is Linux-based) then you can try to get around > that by exporting with the "insecure" export option. We do not have control over the NFS server, but from the firewall logs I can see that the PAT client trying to access the server with an originally privileged port (<1024) gets translated to a non-privileged one. Shortly after that, the mount fails. So I guess this is the problem! Thanks for the hint.